It’s time to put multi-factor authentication in the NIST Cyber Framework

Many private and public sector organizations rightly look to NIST’s Cybersecurity Framework as a how-to guide for building a solid foundation for a cybersecurity strategy. But after a long public consultation and drafting process, one critical piece of any such strategy was missing from the original framework when it was published in February 2014: the use of multi-factor identity authentication. MFA, also often called two-factor authentication, means using some method beyond a simple username/password combination to prove who you are — another “factor” like a FIDO security keystick or a biometric, such as a fingerprint. Excluding MFA from the framework, according to NIST at the time, was necessary because there weren’t any widely accepted, interoperable standards for ensuring secure identity and because of usability problems with the technologies then available. NIST has drafted an update of the framework, but even though the section on identity and access management has been expanded and overhauled, there’s still no mention of MFA. We in the FIDO […]

The post It’s time to put multi-factor authentication in the NIST Cyber Framework appeared first on Cyberscoop.


MITM attacks on FIDO UAF and U2F [on hold]

In Section 6 of the Universal 2nd Factor (U2F) Overview, where MITM attacks are discussed – near the end of the section, it reads:

It is still possible to MITM a user's authentication to a site if the MITM is

a. able to get a server cert for the actual origin name issued by a valid CA, and
b. ChannelIDs are NOT supported by the browser.

But this is quite a high bar.

I’m not convinced that this is such a high bar. We’ve seen more than a few cases where attackers have been able to obtain fake-but-trusted CA-signed certs. And, TLS ChannelID has not been widely adopted by most browsers and servers (in fact, the RFC draft proposal expired in 2013). Moreover, even if TLS ChannelID is supported by both endpoints, an active MITM attacker could prevent TLS ChannelID from being used by way of a downgrade attack during the ClientHello message.

I applaud the leap that FIDO has made to reduce our reliance on passwords, and to make authentication more secure and less cumbersome for users. But, it seems that it has done little to protect against an MITM attack where an attacker is able to get his hands on a fake-but-trusted certificate, and we must continue to put our full faith and trust in CAs, which have a history of letting us down. Of course, even the most secure authentication protocol is useless if the connection can be compromised by an active MITM attacker.

Other key-based authentication protocols (such as SSH) protect against MITM attacks by way of public key pinning built into the protocol. With SSH, for instance, clients store the public keys of servers that they’ve connected to. Immediately after a connection is made, during key exchange and before any client authentication is attempted, the client verifies that it is indeed connected to the intended server, by checking that the public key that the server is using is the same as the one on file for that server, and ensuring that the server is in possession of the private key associated with the public key via some cryptographic operation requiring the private key.

Of course, HPKP (without FIDO) can be used to pin sites’ SSL/TLS certificates in the browser, but this has its own set of problems.

I’m curious why the architects of FIDO UAF and U2F did not take the protocol a step further, and embed a method of public key pinning within the protocol (perhaps using different keypairs than the ones used for the SSL/TLS connection), so that clients could ensure that they are connecting to the legitimate server before attempting to authenticate, a la SSH. Would anyone care to hypothesize?

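The SSH-style check the question describes, as an added example written for this page (not FIDO or OpenSSH code): a trust-on-first-use pin per host name plus proof of possession over a client nonce, using Go's standard-library Ed25519. The host name "example.test" and both key pairs are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// KnownHosts pins a public key per server name, like ~/.ssh/known_hosts.
type KnownHosts map[string]ed25519.PublicKey

// VerifyServer is the client-side check the question describes, run before
// any client authentication: the server must prove possession of its private
// key by signing the client's fresh nonce, and the presented key must match
// the pinned one. First contact pins the key (trust on first use).
func VerifyServer(kh KnownHosts, host string, pub ed25519.PublicKey, nonce, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("server failed proof of possession")
	}
	if pinned, ok := kh[host]; ok && !pinned.Equal(pub) {
		return errors.New("server key changed: possible MITM, refusing to authenticate")
	}
	kh[host] = pub // first contact: pin it
	return nil
}

// newServerKey makes a constructed key pair for the demonstration.
func newServerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Demo runs two sessions against the constructed host "example.test": the
// legitimate server is pinned on first contact; an interposed party with its
// own key is then rejected even though it signs the nonce correctly.
func Demo() (firstErr, mitmErr error) {
	kh := KnownHosts{}
	legitPub, legitPriv := newServerKey()
	mitmPub, mitmPriv := newServerKey()
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	firstErr = VerifyServer(kh, "example.test", legitPub, nonce, ed25519.Sign(legitPriv, nonce))
	mitmErr = VerifyServer(kh, "example.test", mitmPub, nonce, ed25519.Sign(mitmPriv, nonce))
	return firstErr, mitmErr
}
```

The second session fails on the pin mismatch, not on the signature, which is the property a CA-issued certificate for the real origin name would not give a U2F client on its own.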

Why is FIDO U2F an entirely different standard from FIDO UAF instead of just a subset?

As you may already be aware, the Universal 2nd Factor (U2F) standard is a standard for 2nd-factor authentication which allows users to authenticate to web applications using a USB hardware token.

While reading up on this sta…

In the context of FIDO U2F, when is a new ephemeral key reused, or cached?

I’m reading this paper from Yubico on Universal Second Factor and OpenID Connect and see the description about ephemeral keys.

I’m confused about when an ephemeral key is used, and under what conditions they are cached.

From the Yubico document:

Page 7:

U2F does have a trust chain similar to the certificate authorities found in traditional PKI, but this
is not tied directly to the key pairs issued by the U2F device. Instead, this trust chain is tied to the
device’s identifier certificates. These device certificates are used alongside the ephemeral keys
to identify the device itself (or a batch of devices), allowing knowledgeable RPs to make
informed decisions about which device manufacturers they are willing to accept.

Page 9:

Why would such caching systems be widely used when they clearly subvert a fundamental
aspect of the security components? A system that constantly prompts a user for the same PIN
again and again is likely to be ignored or rejected by users annoyed at the constant prompting.
The use of a credential cache is often considered a reasonable tradeoff. However, the U2F
design avoids having to make this tradeoff decision in the first place by explicitly declaring that
the ephemeral keys are used to identify the device alone.


Fully Integrated Defense Operation (FIDO) – Automated Incident Response

FIDO is an orchestration layer which enables an automated incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today’s security stack and the large number of alerts generated by them. As an orchestration platform FIDO can…

Read the full post at darknet.org.uk


From a credential flow perspective, what’s the difference between FIDO UAF and FIDO 2.0 Web Services?

The FIDO Standard allows for devices and authentication schemes to be certified as UAF or U2F. This allows for flexible unified authentication, and optional second factor enrollment and registration.

Deployment:

Chrome ha…