Introducing FIDO2 WebAuthn and Password Spray Attack Defense
0:00:00.2 Dusan Vitek: Hello and welcome to our latest webinar. My name is Dusan Vitek, and I’m Director of Product Marketing here at SecureAuth. Today, we’re going to be covering our SecureAuth Summer 2020 release. The topics for today are biometrics-based authentication for both login as well as MFA user flows and a new defence mechanism against password spray attacks that we call Dynamic IP Blocking.
0:00:29.4 DV: I would like to encourage you to ask questions throughout the webinar and post them in the chat window. You should see a chat icon at the bottom of your Zoom screen, and we’ll get to your questions during the Q&A part of this webinar. If you’re unable to do that or you have other product questions not related to this release, feel free to email us at [email protected]. So without further ado, I would like to introduce our speaker today, Staci Endres, from our product management team, who will walk you through our latest release. Staci, take it away.
0:01:08.1 Staci Endres: Thanks, Dusan. Today we’re gonna be talking about the SecureAuth Identity Platform summer 2020 release, which includes the new biometric-based MFA and passwordless login with FIDO2 WebAuthn and a new, powerful password spraying attack defence. My name is Staci Endres and I’m the Product Manager for SecureAuth Identity Platform. The SecureAuth Identity Platform version 20.06 is generally available for customers today. The release focuses on SecureAuth’s mission to balance security and user experience for both admins and end users, and you’ll see how these two highlighted features show that.
0:01:43.9 DV: Our first feature is our support for FIDO2, which uses the new modern protocol WebAuthn to enable passwordless access, by providing a strong authenticator that securely removes the need for passwords. It’s easy to use for end users, because they can employ devices that they already know and understand, and they don’t have to memorise passwords anymore. FIDO2 WebAuthn is the vision of passwordless, making the process of removing passwords easy, with a simple deployment and standardised access across all resources. Your users will benefit from the easy self-enrolment that can be added to your secure portal or accessed directly, and they’ll love the rapid login using biometrics, seamlessly blending the security and user experience.
0:02:28.2 SE: FIDO2 WebAuthn uses public key cryptography, creating a more secure relationship than a password. Users register a device with their profile using SecureAuth, and the private key is stored on the user’s device, while the public key is shared with SecureAuth. Once that device is registered and the connection is made, the user can now use that device for authentication in any of your SecureAuth workflows. Going passwordless with FIDO2 WebAuthn is incredibly easy, as many vendors have already adopted the WebAuthn protocol. All major browsers support WebAuthn workflows, and users can employ bound or platform authenticators, such as Windows Hello, macOS and Android OS, or roaming authenticators like YubiKey or Google Titan security keys via USB, NFC, or Bluetooth to validate their identity. And this list constantly grows as more authenticators continue to support WebAuthn.
0:03:25.7 SE: Setting up FIDO2 in SecureAuth is very simple. In the Web Admin, go to the multi-factor methods page and select the FIDO2 WebAuthn option from the list. Toggle the method to on to enable it globally, and then set up the workflow for your end users to access the device registration page. Next, go to the policy that defines your workflow to your resources and enable FIDO2 devices as an option. When end users log into the resource, they’ll see their registered FIDO2 device option that they can then use to authenticate.
0:04:00.4 SE: So now, I’m gonna give you a demo of the end user experience for FIDO2 device enrolment and authentication using WebAuthn. To use FIDO2 as an authentication method in SecureAuth workflows, the user must first enrol a device to their profile. To do that, they log into the FIDO2 device registration page that the admin configures when they enable FIDO2 as an option. So they’ll undergo any required authentication before they can hit this page. Now, this page here is the FIDO2 device registration page. If I had any existing devices, they would be listed here, but I don’t, so I am viewing the empty state. To add a new device, it’s really easy. You click add new device, you give your device a friendly name that’s easy for you to know, so that you can manage it, and maybe a small description if you want. Again, this is purely for the end user to make their management of their devices easier. So when they see them all listed, they’ll know exactly which one it is. It’s only shared on this page to that specific user.
0:05:05.7 SE: Once you have that, you click register, and here’s where you’re prompted with the browser and WebAuthn piece of the FIDO2 security, so this is out of SecureAuth; now we’re validating with the services. So earlier I talked about the bound or roaming authenticator type. So if I had a roaming one like a USB, I could plug that into my computer, click this, and then it would register that device. But today, I’m gonna show you using the bound authenticator of my MacBook using my built-in sensor. So it is asking me, now that I’ve selected that, to use Touch ID. I’m gonna use my fingerprint, and now you’ll see my device was successfully enrolled. It’s listed here, so I know when it was created, when it was modified; modification is purely just on the device name or device description, and again, I see that here.
0:05:55.1 SE: So imagine if I have five different devices, I don’t have to memorise some device ID or anything, it’s purely the name that I give it. To change any of that, it’s very simple to edit it. If you wanna delete a device, also really simple, you can do that. So that is the device enrolment. Now that I have a device, I am able to use FIDO2 as an authentication method in workflows where my admin has enabled it, so I’ll show you that now.
0:06:24.8 SE: So this workflow, this one has FIDO2 enabled, and because I have a device registered, it is going to show up, so I’ll select Use registered FIDO2 device, hit submit. And once again, the browser is telling me to use Touch ID, use my fingerprint, and now I’m in. So that is the experience for FIDO2 enrolment, and now finally with the authentication. So just like our other authentication methods, it fits in, it’s really user-friendly, and it’s very secure, backed by the WebAuthn protocol and the FIDO2 project.
0:07:00.1 SE: Another new feature included in the summer release is dynamic IP blocking, which protects against password spraying and other online password attacks. In a password spray attack, attackers attempt to log into resources using various combinations of usernames and passwords until they find a match. Traditional solutions will block access to the user name, but that does not stop the attacker from trying passwords against a different account and can also create a help desk mess for the actual user whose account is now locked. Dynamic IP blocking blocks the IP address rather than the user name, so the security expands beyond single user account attacks. No matter how many user names the attacker tries, once they hit the limit of attempts, which is configurable, any access attempt from that IP address is blocked. This feature can be implemented in various user workflow types, including Legacy WS-Trust logins, and fits neatly as a new rule in your policies.
0:08:01.6 SE: Configuring dynamic IP blocking is simple and flexible for various use cases. In the Web Admin, go to the IP filtering section and create the blocking rule, stating for how long the IP is blocked and how many failed attempts are allowed before we block the IP. You can create a global allowed IP list as well to ensure that known or internal IPs are never blocked, no matter how many times your users enter the wrong password; any policy that you include this rule in will look at this global IP list. After you create the global rule, you go into your policy and add dynamic IP blocking as a blocking rule. The settings that you just configured will apply to this policy, like I said, as well as the allowed IP list, but you can create a policy-specific allowed IP list that creates additional flexibility.
0:08:51.6 SE: Maybe you have contractors or partners that access certain resources, but you don’t wanna add their IP to the global list, so instead you can create a policy specific to them and have their IP addresses here, to ensure that they are not blocked. Or maybe you don’t wanna use the global IP list at all, and instead do a very policy-specific allowed list for all of your workflows.
0:09:14.5 SE: So now I’m going to demo the IP blocking feature in action. The dynamic IP blocking feature fits into your policy, so you’ll have your users log in as they normally do for your resources. Here, I’ll do my user name but the wrong password. First one, invalid user ID or password, that’s the first count. I’ll try another password, second attempt. Now I’ll try a different username. So now I’ve been blocked. So this, again, fits into your policy. I’ve been hard stopped by the analyze engine because I am coming from the same IP and I’ve hit the limit of how many attempts I can have using bad passwords.
0:10:02.5 SE: Now, my IP is blocked for 24, 36, 48, however many hours that you set. Okay. The SecureAuth Identity Platform, version 20.06, as I said, is now generally available for all customers. We do have it supported for all deployment models, and if you are an upgrading customer, the only requirement is that you must be on version 9.2 or above to do a straight upgrade to version 20.06. If you’re on an earlier version, then work with support and they’ll upgrade you to 9.2 first and then upgrade you to this new version. Regardless of what version you are on, please contact SecureAuth support to schedule your upgrade. And for virtual appliances, we do currently support Windows Server 2016 as well as Amazon AWS images, and coming soon, we will have support for Windows Server 2019 as well as Google Cloud images, and those will be for all supported versions of SecureAuth IdP, which is 9.2 and above.
0:11:06.2 DV: Thank you, Staci. That was awesome. I see that our chat has been pretty busy during this webinar, so let’s get to our questions. We’re also joined today by Bil Harmer, our chief evangelist and CISO. So I’ll have Staci and Bil work their way through your questions. And we’re seeing a few here today, so it looks like they cover both topics. So I’ll pick the first one. How does the dynamic IP blocking work with your existing password throttling? Is this a replacement or a new generation, or is this something different?
0:11:58.3 SE: So I can take that. So our current password throttling as well as MFA throttling features will work in tandem with the dynamic IP blocking. So dynamic IP blocking, again, really focuses on the IP address, so it doesn’t matter what user names you’re using, and it doesn’t lock out the user account, it just blocks that IP address. If you’re talking about our password throttling or MFA throttling, it is very specific to that user account, and if you hit that limit, we will lock out the user account, so they’re not able to log in. So they actually can work together; it’s basically just a different feature, but yeah, they all can work together to ensure that you have as many layers protecting your login as possible.
0:12:43.1 DV: Alright. Thank you. Very cool. Let’s pick this one. This one’s from Robert Conrad. Will the IP blocking and FIDO2 be accessible to Legacy Realms configured with classic experience, or will I need to migrate to new experience?
0:13:05.9 SE: So these settings currently are part of the new experience. To use it in kind of your legacy, we do have some kind of work-around options that we can help to enable you with if you are sort of not ready for that migration yet. And then in our upcoming release, the following release, we’re really working on focusing on that as well, for you guys to migrate in a much easier experience, so you can use all of these without sort of having to choose between the two. But for this release, the FIDO2 and dynamic IP blocking are both part of the new web admin experience.
0:13:45.9 DV: Very cool, thank you. And again, to all listeners, feel free to use the chat window or the Q&A icon at the bottom of your Zoom webinar window and ask those questions. So let’s get to the next one. And I think this one pertains to WebAuthn again: when a user switches laptops, do they have to re-enrol?
0:14:17.7 SE: Yeah, so the WebAuthn enrolment is truly based on the device itself, and because we are using that public and private key, you do need to create that connection with a new device. So if you change devices or you lose one or you wanna change something about it, you revoke it from your profile, and you would need to go through the registration process again, with either that new device or a replacement device, whatever it is. It is one-to-one, so you have to make sure that it enrols with your username so that you can use it. Yeah, if you change devices, even if you still technically, as a user, have devices on hand that are FIDO2-enabled, you would need to actually start over with that new device, to make sure it’s registered and that connection is made.
0:15:13.7 DV: Alright. Next question. I see here you mentioned Touch ID a few times. Are there any differences in how Touch ID is enrolled on an iPhone versus on a MacBook?
0:15:29.7 SE: So right now, the way that Apple’s support for WebAuthn works is that iPhone actually cannot be used as a bound authenticator just yet; I believe that they’ve announced that iOS 14 will have that capability. So if you take, like, an Android mobile device, for example, that actually does have the WebAuthn FIDO2 capabilities built in, so you can actually register your Android mobile device using the OS as your authenticator. iPhone does not support that yet. Currently, it does support WebAuthn using a roaming authenticator, so if you had, like, a YubiKey or something that you could use with your device, and it’s only, I believe, on Safari browsers. So again, that’s a really good example of how SecureAuth supports WebAuthn and FIDO2: we have what we support today, but it will continually grow as more providers start to support the WebAuthn protocol.
0:16:27.8 SE: So right now it’s Android OS, macOS, and Windows Hello for FIDO2 WebAuthn as a bound authenticator, but again, iPhone is supposedly coming out with that as well, and again, more providers will have that. So at this point, Touch ID specifically is just on a macOS experience, but I would assume that when iPhone does support the WebAuthn protocol and you can use it as a bound authenticator, it would support both Touch ID and Face ID, would be my guess at this point.
0:17:07.9 DV: Thank you. I think we’ve gotten through all the questions that we’ve received today. If there are any that you would like to ask us directly, just reach out to us directly. As a reminder, all of the functionality we covered today is included in our summer 2020 release, and it is available immediately in our cloud-based offering, and customers who are hosting SecureAuth in their own data center can upgrade to version 20.06 to enjoy both WebAuthn and dynamic IP blocking. This webinar was recorded, so if you joined late or want to send a link to a colleague, just let us know, or reach your SecureAuth contact person. With that, I want to thank you all, and I look forward to welcoming you in one of our upcoming webinars. Thank you and have an awesome day.