Authenticating users with a userid and password is simple, easy and well understood. It is also notoriously vulnerable to attack. Most authentication schemes in use today, such as passwords, OTP, knowledge-based authentication (KBA) and biometrics, have a fundamental flaw in their paradigm: shared secrets. As long as the user and the server share a secret to authenticate the user, both the user and the application are vulnerable to password breaches and phishing attacks: whatever the user types or presents to the legitimate site can be copied from the server in a breach or captured by a look-alike site.

The FIDO Alliance, a consortium of 250 companies worldwide, has been attempting to address the password problem for the last two years and has created the Universal 2nd Factor (U2F) protocol. Specifically designed for human authentication to web applications, its goals were to eliminate password-based authentication and phishing attacks by using asymmetric-key cryptography coupled with hardware-based authenticators simple enough for consumers to use: the private key never leaves the authenticator, the key is bound to the web application's origin, and the server verifies a signature over a fresh challenge instead of comparing a secret. A web application that takes advantage of the U2F protocol and its Authenticators and Servers can protect itself from the attacks mentioned above. This training session will cover the following:
- An overview of the FIDO Alliance, its mission and protocols;
- The differences between the U2F, UAF and FIDO 2.0 protocols;
- The differences between FIDO and PKI;
- An in-depth presentation of the FIDO U2F protocol and its mechanics;
- A step-by-step tutorial on how to FIDO-enable a simple web-application using the simplest of the three protocols: U2F;
- A discussion of issues related to FIDO-enablement: application design, performance, security, supporting users without FIDO Authenticators, dealing with lost/stolen Authenticators, etc.
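As an added example (not material from the training, nor code from any FIDO server), the following Python models the U2F mechanics the session outlines: a token holding a private key bound to one application, a browser that stamps the page's real origin into the client data, and a server that verifies a signature over the application parameter, user-presence byte, counter and challenge parameter instead of comparing a shared secret. The signed-message layout follows the U2F raw message format; the ECDSA P-256 arithmetic is an inline, unhardened toy so the script runs on the standard library alone, and the Authenticator and RelyingParty classes, the random key-handle scheme and the origins bank.example and evil.example are constructed for illustration.

```python
# Added example (not the training's or any FIDO server's code); the inline ECDSA P-256 is an unhardened toy.
import hashlib, json, secrets, struct

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # NIST P-256 field prime
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)  # base point

def _add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P  # curve coefficient a = -3
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):  # double-and-add; not constant-time, toy only
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def sha256(data):
    return hashlib.sha256(data).digest()

def ecdsa_sign(priv, msg):
    z = int.from_bytes(sha256(msg), "big")
    k = secrets.randbelow(N - 1) + 1  # r == 0 or s == 0 has negligible probability; not retried here
    r = _mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * priv) % N

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z, w = int.from_bytes(sha256(msg), "big"), pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

class Authenticator:
    """Models a U2F token: one key per application and handle, a counter, private key never leaves."""
    def __init__(self):
        self._keys = {}  # key_handle -> [app_param, private_key, counter]
    def register(self, app_param):
        priv, handle = secrets.randbelow(N - 1) + 1, secrets.token_bytes(16)
        self._keys[handle] = [app_param, priv, 0]  # handle modelled as random (assumption)
        return handle, _mul(priv, G)  # only the public key leaves the token
    def authenticate(self, app_param, challenge_param, handle):
        entry = self._keys.get(handle)
        if entry is None or entry[0] != app_param:
            return None  # handle was not issued for this application: nothing to sign with
        entry[2] += 1
        # U2F signs: application parameter (32) | user presence (1) | counter (4, big-endian) | challenge parameter (32)
        signed = app_param + b"\x01" + struct.pack(">I", entry[2]) + challenge_param
        return b"\x01", entry[2], ecdsa_sign(entry[1], signed)

def client_data(challenge, page_origin):
    # Built by the browser, which stamps in the page's real origin; the page cannot choose it
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                       "origin": page_origin}).encode()

class RelyingParty:
    """Models the web application's U2F server side (app id is hypothetical)."""
    def __init__(self, app_id):
        self.app_id, self.app_param = app_id, sha256(app_id.encode())
        self.users = {}  # username -> [key_handle, public_key, last_counter]
    def enroll(self, user, handle, pub):
        self.users[user] = [handle, pub, 0]
    def verify_assertion(self, user, cdata, presence, counter, sig):
        _handle, pub, last = self.users[user]
        if json.loads(cdata)["origin"] != self.app_id:
            return False  # signed for some other site
        if counter <= last:
            return False  # replayed response or cloned token
        signed = self.app_param + presence + struct.pack(">I", counter) + sha256(cdata)
        if not ecdsa_verify(pub, signed, sig):
            return False
        self.users[user][2] = counter
        return True

def demo():  # legitimate login, replay of the same response, and a phishing attempt
    token, bank = Authenticator(), RelyingParty("https://bank.example")
    handle, pub = token.register(bank.app_param)
    bank.enroll("alice", handle, pub)
    cdata = client_data(secrets.token_urlsafe(32), "https://bank.example")
    presence, counter, sig = token.authenticate(bank.app_param, sha256(cdata), handle)
    legit = bank.verify_assertion("alice", cdata, presence, counter, sig)
    replay = bank.verify_assertion("alice", cdata, presence, counter, sig)
    # A page at evil.example relays the bank's challenge, but the browser derives the
    # application parameter from the page's own origin, for which the token holds no key.
    phish_cdata = client_data(secrets.token_urlsafe(32), "https://evil.example")
    phish = token.authenticate(sha256(b"https://evil.example"), sha256(phish_cdata), handle) is not None
    return {"legit": legit, "replay": replay, "phish": phish}
```

Running demo() shows the honest login accepted, the replayed response rejected by the counter check before any signature work, and the phishing attempt failing on the token itself, because the key handle the bank issued is bound to the bank's application parameter and the browser will not let a page at another origin ask for it. The model depends on an honest browser filling in the origin; a fully compromised client is outside what U2F defends against.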
All attendees of this session will be given a FIDO Certified U2F Authenticator as part of the training session. The course will be based on the use of a FIDO Certified open-source U2F server, and other open-source tools.
Some FIDO related information from the author of this training:
https://alesa.website/ https://www.linkedin.com/pulse/all-biometric-authentication-equal-arshad-noor