Tom here from Lawrence Systems. I've talked a lot of times on this channel, and it's been repeated very frequently recently when it comes to authentication and multi-factor authentication, that FIDO will save us. I have a YubiKey and a TrustKey; both of these have FIDO support. We're gonna talk about what that means and why we think it is a solution, "we" being, collectively, the security community. Not everyone agrees, but I'm on the side of agreeing that FIDO would help. Now let's talk about the current problem and some of the reasons why I'm saying this. First we have MFA fatigue. We've used that phrase a couple of times, such as in the Cisco breach, the Microsoft breach, and the Uber breach. These are all related to Lapsus$, and the threats are real when it comes to a particular APT, specifically the "advanced persistent teenager". What this is, is a push authentication system, which was a compromise in security. No one really wanted to deal with rolling numbers and TOTP, which is one of the ones I think is a really good authentication method. Instead we've got companies out there, Duo being an example, that do push MFA. So someone compromises your credentials, your username and password, and then the user gets prompted to say yes or no to logging in. And if you have a, well, teenager who's willing to mash that button enough times, and improper throttling of how many times that can come up, you eventually have a phone that's going off so much that someone will press yes just to make it stop. That's essentially MFA fatigue, whether they press yes to make it stop or press yes because it came up so many times that they accidentally hit one of those buttons. This was a security and convenience trade-off, and why I've never been a big fan of that authentication method. It is better than not having it, but it still creates a problem.
'Cause obviously, if they didn't have it at all, username and credential would have been how they got in, and we figure pushing it to their phone is good because most end users aren't likely to lose their phone; it's generally close to them. So it seems pretty convenient, because boy, this thing is easy to lose. That is obviously a concern. But here we are: if you are a person of high value, or a target of value to one of these APTs, one of these threat actors, and they are able in some way to get your credentials, this is what stands between you and stopping them. Now the push notifications will work, and if you're well trained you'll say no every time and you'll contact IT and say, hey, this thing's going off quite a bit and there's probably a problem, because I'm not the one logging in right now. But let's dive into exactly how FIDO solves this problem. The site right here at the top says "crafted by Auth0". Never used the product, just Googled "WebAuthn demo" and this had some cool animation. So I don't know much about the Auth0 product, but hey, thanks for putting up this demo. Back to WebAuthn and how it works: let's talk about how you register a user and register a key, what the process is that happens behind the scenes, and why it's so secure. We're gonna put in some user here and we're gonna click register. The key pair created by the U2F device during registration is origin specific. During the registration the browser sends the U2F device a hash of the origin (the combination of protocol, host name and port). The U2F device then returns a public key and a key handle, which is very important because the U2F device encodes the request and origin into that key handle, and that's the process we're watching happen right here. This origin check ensures that the public keys and key handles issued by a U2F device to a particular online service or website cannot be exercised by a different online service or website, such as a site with the same name but a valid SSL cert.
And what you're seeing is the whole relaying back and forth process. This is built into the browsers on Windows, Mac and Linux; it's talking through to the USB. This actually does work with phones as well, over NFC. The FIDO protocols covered all the major bases in terms of making sure that this is very interoperable, and being able to talk to it and just cause my key to blink is a really simple way to make this authentication system work. So it comes up with a public key and lets me know the algorithm that was used. They store it on their backend, a challenge that only my key can respond to, so that's my authentication key that I registered for this MFA. So we'll go ahead and click next and let's actually try what a login looks like. It already has the username, and it's just gonna make my 2FA device blink again. So we're gonna go here and touch it. And now it confirmed that those challenge signatures are matched. So someone still has to get my username and password, but they have to be at my computer for my key to blink. My key does not blink if they're at their computer with it. This is the flaw, so to speak, with your standard push. And this is quite the challenge for people because, well, getting all these YubiKeys out to people is really why we don't see this everywhere. It's just not built into many websites yet, and getting everyone using it has been kind of slow, but I think the world's about to change a little bit. What I mean by that is these are becoming less expensive. I chose the TrustKey because this is less than $20. The YubiKeys were first; they were one of the most popular ones. I don't know if they were the first FIDO key, but they're obviously an extremely popular one. Everyone's heard of YubiKey. And with YubiKey, one of the things they did to make this more popular was the YubiKey protocol, which is well documented, open source, and you can implement.
And because they made it fairly easy to implement, a lot of people went with YubiKey-type protocols, but the YubiKey also supports FIDO. Now, this specific TrustKey: TrustKey is part of the FIDO Alliance, so it's something I trust, and I think these are pretty good. I've been using this for several months; I picked it up on Amazon around March of this year. And, like I said, for less than $20 it only supports FIDO. It's not gonna support the YubiKey format, but FIDO's all I'm really looking for for the testing I'm doing. Now, slowly, as I said, the world's changing, 'cause we're gonna get FIDO in more places, because this really stops the attacks mentioned on these large companies. These large companies can certainly afford it. Their fear, of course, is that they're going to lose that little key. Both of these keys, the YubiKey and the TrustKey, are quite durable. They will probably hold up to quite a bit of abuse. I don't know where their limit is, but I've seen some people put some keys through some rough times and they still work, hanging them on their key chain and whatnot. Now, one other problem, though: resetting MFA. If you're using something like a push notification, IT usually has a way and a methodology to do that and re-register a new device to push to, but it's a little bit more challenging with these, because to my knowledge, as of right now in September of 2022, there's no way to duplicate this key. There are no known attacks to extract the private key out of here so you can duplicate this key. But most places, and I'll use Bitwarden as an example because it's one of the places I love using the FIDO key, Bitwarden offers registration of multiple keys. And it's now become a little bit more inconvenient, as you can imagine, to keep one key handy and another key in a safe, but every time I register for a new service I have another key that I register. It's annoying, but that's life.
Now, another good thing many services offer is the use of a FIDO key and TOTP. So having both of those gives you a backup plan just in case. So I'll have my TOTP registered, and I may not use it all the time, but it's a nice backup registration. And then I'll also set up one of these types of keys, because this is a convenient registration that I can just touch. Every time I need to log into the website, yeah, I'll be prompted with my username and password and a blinking key to touch, and a test that you're there. That's actually a big function of these: it's not just that the keys are plugged in, but they're designed for attestation, or, hey, it blinks, touch it. That way you know something's happening. Now, as I said, man-in-the-middle on this is not gonna be easy once it changes domain, if it's proxied through something, because it's that combination of the host name and everything else. There's not a way to spoof it. There's not a way to bring that over. And the browser is authenticating that you're at the proper host name, that all of that matches; otherwise the browser won't prompt either. So there's not any easy way to man-in-the-middle it. There's a real edge case under a very specific set of circumstances where part of the registration could be hijacked. I'll leave a link to that in the entire FIDO write-up, where there's obviously more technical detail than I took the time to go into. But this is the source of where I understand how they work from: the FIDO Alliance and their write-up. And for anyone who wants to go deeply technical, I'll leave links to some of the talks they've given and, you know, this is a very well documented protocol that you can read through online so you get a better understanding of it.
So my hope is that more and more companies will realize that they should all support this, and you're seeing more support growing every day, especially as more and more companies get in the news as breached and we talk about MFA fatigue. They're gonna go, all right, push MFA was probably a stopgap, better than text, more convenient than TOTP, but ultimately this is where we have to go: these types of keys. That's my opinion on it. Let me know what you think down in the comments, and hey, for a more in-depth discussion, head over to my forums. Thanks. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the hire us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly. So check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.