What's new with sign up and sign in on the web (Google I/O '18)
Management API behind the scenes, if the browser supports it and there is a stored password for the website. If you want to retrieve an existing password, googleyolo.retrieve() will give you a username and password instead of an ID token, so you can use that information to authenticate the user. When a user clicks the sign-out button, the user probably wants to stay signed out. In that case, call googleyolo.disableAutoSignIn(). That way googleyolo.retrieve() will stop returning an ID token until the user explicitly signs back in.

So that's One Tap sign-up. Let me recap. One Tap sign-up is secure because it's Google's identity federation. It provides a great user experience: users sign up with just one tap and auto sign-in. It's easy to implement with simple APIs. To learn more about One Tap sign-up, please visit developers.google.com/identity, where you'll find more detailed documentation.

OK. So far I've been talking about identity federation, but I guess that many of you might be interested in some solutions for when you are using a username and password. Earlier in this session I talked about challenges with passwords. What can you do if an attacker already knows your users' passwords and tries to hijack accounts? In many cases, account hijacking is done by bots. This means that if you could filter out bots, the number of account hijacks should decrease. And that's what reCAPTCHA does. Six years ago it asked users to read distorted text. But we knew we could do better. We then developed reCAPTCHA v2, where users can simply tap a checkbox to verify. v2 is smart enough to determine if an interaction is abuse just with that simple gesture. And if reCAPTCHA is still uncertain, it asks an additional challenge, like "select all images with a street sign". This is an example question many bots cannot answer easily, and we are protecting over two million websites every week from spam and abuse. But what also evolved were the attacks against reCAPTCHA over the last few years.

New API is coming to major browsers and will be available on both mobile and desktop platforms. In fact, I'm delighted to announce that you can already try out the initial feature set with the latest Chrome beta. So let's see what makes this API so great. First, it's backwards compatible with existing U2F security keys: the very same key that you registered through the U2F API can now be used through the Web Authentication API. That means that you can migrate your site from U2F to WebAuthn without any user-visible changes. But WebAuthn is much more than just a new API. WebAuthn also enables authenticators that come in a variety of form factors, much more exciting than USB hardware tokens, so if hardware tokens are not your cup of tea, don't fall asleep just yet. WebAuthn also brings many new features that enable exciting new use cases. The single most important feature is probably that authenticators can now perform user verification. This means that the authenticator can locally verify the user: if Jane drops her authenticator on the street, you cannot just pick it up and use it; it only responds to Jane. User verification can take many forms. It can be done using biometrics such as a fingerprint scan, or an easy-to-remember PIN code. And we are not only talking about external hardware tokens: with WebAuthn, the built-in fingerprint reader in your notebook or phone can also become a user-verifying authenticator. Regardless of the form factor, what makes user-verifying authenticators so interesting is that they do not need to be combined with passwords to implement two-factor authentication. There is already something that you have and something that you are. So you get great security and you also get a great user experience: you no longer have to type your password, which is especially frustrating on mobile devices. So let me show you what I'm talking about.

Can we switch to the demo device, please? Suppose that I'm browsing the web and I find something I want to buy. I have with me here a Pixel 2 phone with a fingerprint sensor. So suppose I have this camera cleaning kit; that's really nice, that's a really good deal for just 10 cents. So I add it to my cart. Then I go to checkout, and then I choose to complete my checkout with PayPal. I get redirected to PayPal, and because PayPal supports the Web Authentication API, I can easily verify my identity using just my fingerprint. Sorry. Select the credit card. Shipping address. Then I get redirected back to the merchant, and there my order is confirmed.

So I didn't have to type a password, and it was still secure, and it was a so much better user experience. Back to the slides, please. So how does that all work? First, let's take a look at how authenticators work in the first place. All WebAuthn authenticators use public key cryptography. There is a one-time setup flow during which the user registers an authenticator with an account. During registration, the authenticator generates a new public/private key pair. The private key is stored locally and cannot be extracted from the authenticator; the public key is sent to the server. Then, every time the user wants to authenticate, they have to prove to the website that they possess the private key. This is done through a challenge-response based protocol: the web server sends a challenge to the authenticator, which in turn uses the private key to produce a cryptographic signature for this challenge. The signature is sent to the web server, which verifies it against the public key and the challenge. With user-verifying authenticators, releasing this signature is also gated on successful user verification, such as a fingerprint scan. So your fingerprint never leaves the device; it's only used to locally unlock the authenticator.

Now let me walk you through the one-time setup flow in more detail. You did not see this in the demo because I already did this last week. There are three important participants in this flow: the authenticator itself, the web application running in the browser, and the web server. Suppose that it is once again Jane who is now setting up the fingerprint reader in her phone as an authenticator. To kick off the registration flow, the server first generates a challenge, a large random number that will only be used for the registration process and thrown away later. The server stores the challenge in association with the user account and transmits it, along with user information, to the web app running in the browser. The web app then calls the Web Authentication API. This is what it looks like in code. As AG mentioned, WebAuthn extends the Credential Management API, so it's available under navigator.credentials. To create a new public key credential, you call create() with the publicKey option. You specify the challenge you received from the server, user information that will be displayed on the authenticator if it has a display, and the crypto algorithms that you wish to use.

In addition to these parameters that we just specified, the browser also extracts the authoritative domain name of the calling web application. Then all this information is sent to the authenticator, which asks for user consent. This is required so that malicious websites cannot use the API to track the user; this protects the user's privacy. Once user consent is given, the authenticator generates a new public/private key pair. It stores the private key internally along with the credential ID, user information and, importantly, the domain name this credential belongs to. Then the API call is resolved with the public key credential, which contains the unique identifier, the public key, and the signature calculated over the challenge, the domain name, the public key, the credential ID and some other parameters. The web app then forwards these values to the server. There you need to validate the signature, and as the last step, if the signature checks out, the server stores the credential ID and the public key in association with the user account. And don't forget to invalidate the challenge; it's only valid for one transaction. This concludes the registration flow, and remember, you only have to do this once.

Now let's take a closer look at how Jane can use the authenticator to log in without a password the next time. The starting state here is that the authenticator already has a private key and the server has a corresponding public key in association with Jane's account. Remember that authentication is performed using a challenge-response based protocol, where Jane calculates a cryptographic signature to prove possession of the private key. So once again the flow starts with the server generating a challenge, a large random number which is used to prevent replay attacks. Then the server transmits the credential ID and the challenge to the web application, which in turn calls the Web Authentication API again. To create a cryptographic signature, you need to call navigator.credentials.get() with the publicKey option. You specify the challenge that you received from the server and the credential for which you want to get a cryptographic signature. And here you see that we also ask the authenticator to locally verify the user.

In addition to these parameters that we just specified, once again the browser extracts the authoritative domain name of the calling web application and sends all this information to the authenticator. The authenticator looks up the information stored for this credential ID. Next, and this is very important, the authenticator checks that the domain name of the calling website matches the one that was provided at the time the credential was created. This is what makes these authenticators resistant to phishing: if Jane is on a phishing page with a slightly different URL, the authenticator will notice the discrepancy. So next, if it is indeed the right website, the authenticator performs local verification using the fingerprint reader. If the fingerprint checks out, the authenticator uses the private key to generate a cryptographic signature over the domain name and the challenge. The API call is resolved with this signature, which is sent to the server. There, once again, it is verified that it corresponds to the challenge and the public key, and if it does, then the server considers Jane's authentication successful. And the last step, again: don't forget to invalidate the challenge. This concludes the registration, sorry, the authentication flow. But if you have dealt with a large user base, you know that you cannot just replace your identity management overnight.

What's also great about WebAuthn is that it enables you to adopt it one step at a time. You can use more and more of the API to get more and more of the security and usability benefits. First, you can use it as a drop-in replacement for the U2F API for second-factor authentication. Then, with minimal changes, you can implement password-less re-authentication before sensitive operations, such as making a purchase. For instance, this can be done using the fingerprint reader built into a phone or a mobile device. And finally, once your users warm up to the idea of signing in using a fingerprint or a hardware token, you might even consider making it their primary login mechanism.

To summarize, we talked about the Web Authentication API, which provides strong authentication on the web using public key cryptography. It brings new features and form factors that enable a passwordless login experience, making it very easy for your users to sign in to your site securely, and it all comes in the form of a simple-to-use, standardized, open web platform API which is available across all platforms and browsers. With that, let me hand it back to AG to wrap it up.

Okay. Thank you, Bash. So we've been walking through three new exciting features for the web: One Tap sign-up and auto sign-in for ultimately low-friction signing up and signing in, reCAPTCHA v3 for zero-friction bot prevention, and Web Authentication for stronger authentication with an open standard API. I have just tweeted with the hashtag #io18, but we have published an article about it. By now you should have understood what makes good sign-up and good sign-in: great security, great user experience, and great developer experience. If you have any questions, please visit us at the web sandbox, which is right next door. And finally, we'd love your feedback on our session today at google.com/io/schedule. With that, we hope you enjoyed our talk. Thank you very much.