Dr. Andrea Höller Infineon Technologies Austria AG FIDO and the Future of Simpler and Stronger Authentication RISE Spring School 29 March 2018


Copyright © Infineon Technologies AG 2018. All rights reserved.

Agenda

1 Introduction
2 The FIDO Standard
3 The FIDO Ecosystem
4 The Future of FIDO


User authentication

Three possible factors of user authentication

› Something you KNOW
– Password
– PIN code
– …

› Something you HAVE
– SmartCard
– USB token
– Smartphone
– Wearables
– …

› Something you ARE
– Fingerprint
– Voice recognition
– Face recognition
– …

User authentication to a remote server

[Figure: a Device authenticates to a Remote Server; labels: Something, Authentication]

The password problem

[Figure: a Device authenticates to a Remote Server; labels: Something, Authentication]

1 Password could be stolen from the server
2 Password might be entered into untrusted Websites/Apps (“phishing”)
3 Inconvenient to type password on some devices (e.g. phone)
4 Too many passwords to remember

The idea of FIDO

› Fast IDentity Online
› The core ideas of the FIDO Alliance are
– ease of use
– high security
– good privacy

[Figure: chart with axes USABILITY (Poor to Easy) and SECURITY (Weak to Strong)]

Basic working principle of FIDO

[Figure: Remote Server, Device and Authenticator]

› Remote Server → Device / Authenticator: Challenge
› Device / Authenticator → Remote Server: (Signed) Response
› User verification: require user gesture before private key can be used
› Authenticator: Platform (e.g. TPM) or removable token

What’s new?

› Ecosystem
› Standardization


FIDO 1.0

Passwordless Experience (UAF Standards)

1 Authentication Challenge
2 Biometric User Verification*
3 Authenticated Online

Second Factor Experience (U2F Standards)

1 Second Factor Challenge
2 Insert Dongle* / Press Button
3 Authenticated Online

*There are other types of authenticators

https://www.slideshare.net/FIDOAlliance/getting-to-know-the-fido-specifications-technical-tutorial

U2F registration

Notation: a = AppID; fc = challenge, origin, channel id, etc.; s = signature(a, fc, kpub, h)

1 Relying Party → FIDO Client / Browser: AppID (a), challenge
2 FIDO Client / Browser → U2F Authenticator: a; challenge, origin, channel id, etc. (fc)
3 U2F Authenticator: generate key kpub, key kpriv, handle h
4 U2F Authenticator → FIDO Client / Browser: kpub, h, attestation cert, signature(a, fc, kpub, h) (s)
5 FIDO Client / Browser → Relying Party: fc, kpub, h, attestation cert, s
6 Relying Party: store key kpub, handle h

U2F authentication

Notation: h = handle; a = AppID; fc = challenge, origin, channel id, etc.; s = signature(a, fc, cntr)

1 Relying Party → FIDO Client / Browser: handle (h), AppID (a), challenge
2 FIDO Client / Browser → U2F Authenticator: h, a; challenge, origin, channel id, etc. (fc)
3 U2F Authenticator: retrieve key kpriv from handle h; cntr++
4 U2F Authenticator → FIDO Client / Browser: cntr, signature(a, fc, cntr) (s)
5 FIDO Client / Browser → Relying Party: cntr, fc, s
6 Relying Party: check signature using key kpub
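
The U2F registration and authentication exchanges above, as an added example (not from the original slides): a Node.js model of the authenticator, the FIDO client and the relying party's checks. Class and function names, the JSON client data and the example.test / evil.test origins are assumptions for illustration; attestation is left out, and the signed bytes follow the U2F raw-message layout.

```javascript
// Added example, not from the slides; all names and the JSON client data are illustrative.
const nodeCrypto = require("crypto");
const sha256 = (x) => nodeCrypto.createHash("sha256").update(x).digest();
// Bytes covered by s = signature(a, fc, cntr), in the U2F raw-message layout:
// SHA-256(AppID) || user-presence byte || 4-byte big-endian counter || SHA-256(fc)
function signedData(appId, fc, cntr) {
  const c = Buffer.alloc(4);
  c.writeUInt32BE(cntr);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), c, sha256(fc)]);
}

// Authenticator: a fresh key pair per registration; kpriv stays inside this object.
class Authenticator {
  constructor() { this.keys = new Map(); this.cntr = 0; }
  register() {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    const h = nodeCrypto.randomBytes(16).toString("hex"); // key handle h
    this.keys.set(h, privateKey);
    return { kpub: publicKey, h };
  }
  authenticate(h, appId, fc) {
    const cntr = ++this.cntr; // cntr++ before every signature
    const s = nodeCrypto.sign("sha256", signedData(appId, fc, cntr), this.keys.get(h));
    return { cntr, s };
  }
}
// FIDO client: fc carries the challenge and the origin the browser actually talks to.
const clientData = (challenge, origin) => JSON.stringify({ challenge, origin });
// Relying party: checks fc, the counter and s against the stored kpub.
function verifyAssertion(reg, expected, resp) {
  const cd = JSON.parse(resp.fc);
  if (cd.challenge !== expected.challenge) return "bad challenge";
  if (cd.origin !== expected.origin) return "bad origin";
  if (resp.cntr <= reg.lastCntr) return "counter did not increase";
  const data = signedData(expected.appId, resp.fc, resp.cntr);
  if (!nodeCrypto.verify("sha256", data, reg.kpub, resp.s)) return "bad signature";
  reg.lastCntr = resp.cntr;
  return "ok";
}

// Constructed scenario: genuine login, replay of the same response, phishing origin.
function demo() {
  const appId = "https://example.test", token = new Authenticator();
  const reg = { ...token.register(), lastCntr: 0 };
  const expected = { appId, origin: appId, challenge: "c1" };
  const login = (origin, fc = clientData("c1", origin)) => ({ fc, ...token.authenticate(reg.h, appId, fc) });
  const good = login(appId);
  return [good, good, login("https://evil.test")].map((resp) => verifyAssertion(reg, expected, resp));
}
```

Calling demo() returns the relying party's verdict for the genuine login, the replayed response and the phishing-origin response, in that order.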

FIDO authenticator concept

[Figure: FIDO Authenticator, addressed with APDU-like commands]

› User Verification / Presence
› Attestation Key: injected at manufacturing, doesn’t change
› Authentication Key(s): generated at runtime (on Registration)
› Transaction Confirmation Display

Security-critical operations

– Key generation
– Key storage
– Cryptographic calculations

Agenda

1 Introduction
2 The FIDO Standard
3 The FIDO Ecosystem
4 The Future of FIDO
5 Ongoing Research

The FIDO History

– 2012: Foundation of the FIDO Alliance

https://fidoalliance.org/about/history

FIDO Alliance board members

https://fidoalliance.org/about/board

FIDO certification

› Available to everyone
› Ensures interoperability
› Promotes the FIDO ecosystem

https://fidoalliance.org/certification

FIDO U2F adoption

› Feb 23, 2015: "Microsoft Announces FIDO Support Coming to Windows 10"
› March 2, 2015: "Qualcomm launches Snapdragon fingerprint scanning technology"
› April 21, 2015: "Google for Work announced Enterprise admin support for FIDO® U2F 'Security Key'"
› May 26, 2015: "Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO's services using FIDO standards."
› August 12, 2015: "Today, we're adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection."
› September 15, 2015: "[T]he technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards."
› October 1, 2015: "GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification."
› January 26, 2017: “Well, today, a HUGE thumbs up has happened — Facebook has upgraded the login security for its 1.8 billion users by integrating …FIDO U2F Security Key into its social platform.”

The U2F user experience


FIDO 2.0

› Developed since February 2016
› Official announcement on April 16, 2018 at the RSA Conference

https://fidoalliance.org/events/rsac-2018/

Authentication for industrial applications

› FIDO for industry
› Robotic security
› Contactless user/device authentication

Open PhD Position

https://www.infineon.com/cms/en/careers/jobsearch/jobsearch/24752-PhD-Thesis-Secure-Industrial-IoT/

Contact: [email protected]

Summary

› An ecosystem and standardization are essential
› The goals of FIDO are
– good usability
– high privacy and security
– standardization
› FIDO 2.0 will be presented at the RSA conference, April 16 2018

[Figure: chart with axes USABILITY (Poor to Easy) and SECURITY (Weak to Strong)]