Identity Authentication In A World Of BOPS and FIDO. ©Copyright 2015 Hoyos Labs Corp.

IDENTITY AUTHENTICATION IN A WORLD OF BOPS AND FIDO

10/9/15   Beyond PINs and Passwords

Fundamental changes are needed to evolve identity authentication beyond the current PIN and password model in order to strengthen the security of transactions, reduce fraud and associated costs, and improve the user experience by eliminating the need to manage multiple passwords. Biometrics in and of themselves are of no inherent value, unless they are part of a comprehensive end-to-end solution/platform which protects the integrity and security of all biometrics and their owners.

Hector T Hoyos-Aliff, Founder, Chairman, and CEO, HOYOS LABS


Table of Contents

• The Identity Problem: PIN and Password Model Is Antiquated and Flawed
• Different Approaches to Biometric Identity Authentication
• The Fast IDentity Alliance
• The Biometric Open Protocol Standard
    o How It Works
• Comparison: FIDO vs. BOPS
    o Standardization
    o Security
    o Convenience
• Combining Solutions
• Conclusion


The Identity Problem: PIN and Password Model Is Antiquated and Flawed

It seems as if every time you turn around these days, there is news of yet another cyber attack involving a well-known brand or government entity. In the last 12 months, companies like Home Depot, Sony, Staples, Anthem, Premera Blue Cross and Ashley Madison have had sensitive customer or employee data stolen to the tune of more than 230 million records, including bank account and credit card numbers, email and physical addresses, social security numbers, and employment and salary information. The U.S. Office of Personnel Management reported two separate breaches in the past year during which 21.5 million people had their Social Security numbers and other sensitive information taken, and 5.6 million federal employees – many with secret clearances – had their fingerprints stolen.[1] Cyber espionage attacks are expected to continue to increase in frequency as long-term players become stealthier information gatherers and newcomers look for ways to steal money and disrupt adversaries.[2]

These incidents point to fundamental challenges with the identity authentication solutions that exist today, which are largely based on PINs and passwords. The explosion of websites and devices in recent years means that consumers must now manage numerous usernames and passwords. This leads people to re-use passwords across multiple sites, which in turn increases the risk of a breach. Adding to these challenges is the exponential growth in the number and increasing variety of Internet of Things connected devices, which also require security. At the same time, cybercrime is becoming more sophisticated, with criminals exploiting vulnerabilities in password-based authentication models, aging technology and infrastructures, and new IoT devices for which strong security isn’t top-of-mind.

This means that yesterday’s world of desktop authentication, where the user consumed locally installed applications on a single device, has moved well beyond that to an ecosystem where people own several devices and are externally authenticating their identities significantly more often. This new ecosystem requires authentication models to evolve beyond the PIN and password to immutably link people to transactions and to secure the growing number of connected devices. One such authentication model leverages biometrics and biometric technologies, which have taken front-and-center stage for consumers and enterprises looking to explore new and better ways to secure their customers’ identities and data. Yet, even as the use of biometrics has rapidly expanded and become more mainstream – thanks to companies like Apple and the development of TouchID – there is still much to understand about the technology. While it has the potential to offer significant value, the industry as a whole is not yet mature, as is evidenced by the glut of misinformation, hype and lack of certification seen in the market today.

[Figure: data breach visualization. Source: Informationisbeautiful.net]

Much of this stems from the proliferation of vendors who purport themselves to be biometrics experts, touting their products in order to grab a share of the global biometrics market that is expected to generate more than $30 billion in annual revenue by 2020.[3]

Each vendor claims to solve the identity management problem by using biometrics to replace or reduce reliance on passwords, which are universally acknowledged as difficult and costly to manage, and prone to hacks and data breaches. Each has also created a surfeit of marketing materials to support these claims. For consumers and enterprises, wading through the sheer volume of marketing information to understand the technology is a daunting prospect. So how does one cut through the vendor bias to understand the science of the biometrics, and select a secure and robust identity authentication solution capable of supporting business requirements?

Different Approaches to Biometric Identity Authentication

Today, vendors have utilized vastly different approaches when building biometric technology solutions to address identity and access problems. Some have gone the way of vendor alliances where members band together to create guidelines that advance common goals and interests. The Fast IDentity Alliance (FIDO) is one example of this approach. A different approach to identity authentication is to eliminate reliance on any one vendor or group of vendors by creating technology that can be openly and freely shared and developed upon by anyone who wishes to use it. The Biometric Open Protocol Standard (BOPS) is an example of this type of approach. Both approaches address the needs of consumers who have difficulty managing multiple passwords and enterprises who not only must offer their customers great user experiences but must also protect against hacks and data breaches, as well as deal with the high cost of password management. Both approaches also seek to solve the lack of interoperability of existing PIN and password based authentication solutions, which has long been regarded as an industry-wide problem that stretches beyond the biometrics space, and which directly relates to increasing instances of fraud across many sectors. However, there are fundamental differences in the design of these approaches that must be considered when evaluating a biometric identity authentication solution.

DID YOU KNOW…

• Analysts have predicted that by 2020 there will be 4.8 billion biometrically enabled smart mobile devices generating $6.2 billion in biometric sensor revenue.[5]

• The global biometrics market is expected to generate more than $30 billion in annual revenue by 2020.[6]

• Over 50 billion Internet connected devices are predicted to be in use globally by 2019.[7]

• 5.4 billion biometric app downloads will generate $21.7 billion in annual revenues by 2020 from direct purchase and software development fees.[8]

• 807 billion biometrically secured payment and non-payment transactions will generate $6.7 billion in authentication fees by 2020.[9]

• The majority of identity theft victims (86%) experienced the fraudulent use of existing account information, such as credit card or bank account information.[10]

• 81% of health care executives say their organizations have been compromised by some form of cyber attack at least once in the last two years, yet only 66% of executives at health plans and 53% of providers said they were prepared to handle an attack. In addition, 25% of executives said they either don’t have or don’t know if they have the capability to detect a cyber attack in real time.[11]

The Fast IDentity Alliance

The FIDO Alliance was formed with the objective of “changing the nature of online authentication” by:

o Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users

o Operating industry programs to help ensure successful worldwide adoption of the specifications, and

o Submitting mature technical specification(s) to recognized standards development organization(s) for formal standardization.[4]

To date, FIDO has developed two sets of technical specifications for dealing with Internet services: the Universal Authentication Framework (UAF) and the Universal Second Factor (U2F).

The Universal Authentication Framework (UAF) allows online services to offer “passwordless” and multi-factor methods (biometrics and other) to authorize access to the service. The 1.0 specification defines a common client interface using FIDO authenticators such as a PIN, password or fingerprint. It requires the user to have a client device with the UAF stack installed. However, the user must go through an authenticator-specific enrollment process that is outside the scope of the FIDO UAF protocols before being able to access any online services or websites. For example, in the case of a fingerprint sensing authenticator, the user must first register his or her fingerprint(s) with the authenticator in a separate enrollment transaction. When that transaction is complete and the FIDO UAF authenticator acquires the fingerprint, the authenticator can then be registered with FIDO UAF enabled online services and websites.

During registration, the client device creates a public/private key pair unique to the client device, online service and user account. The public key is sent to the online service and associated with the user account, while the private key is retained and stored on the client device. During subsequent login challenges, the calling application unlocks the private key stored on the client device using the FIDO authenticator used at initial registration, and matches it against the public key generated at registration. If they match, the user is granted access to the service.


One thing to note: the UAF specification calls for the local device to house the certificate, which is uniquely encrypted to the physical device. This design leaves the door open to the vendor solution being hacked if the local device is compromised.

The Universal Second Factor (U2F) 1.0 specification allows online services to augment the security of their existing password infrastructure by adding a second factor – a FIDO supported physical “key” such as a USB or NFC-enabled device – to the user login process. The same physical key can also be used to sign in to multiple services that support the protocol.

The idea behind UAF is to “fill in the gaps” across the member vendors’ architectures using a common set of protocols and APIs. This is an important distinction. Since the architecture is based on a Vendor Consortium Standard, there is little specificity on the exact architecture. For instance, instrumentation may call for a central server or a distributed legacy design such as SAML. The point being that any transactions tracked from a biometric request on an end-device can – in some cases – travel from one vendor solution to a second solution across many or no central servers. The argument can be made that this elevates the complexity and leaves the solution open to future attacks.
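The registration and login flow described above is a public-key challenge/response: in UAF the “match” against the registered public key is the service verifying a signature that the device produced over a fresh server-issued challenge. The Go program below is an added example (not code from the FIDO Alliance, Hoyos Labs or this paper) that models that exchange with a hypothetical relying party and authenticator: a per-service P-256 key pair is created at registration, only the public key leaves the device, and each login signs a single-use random challenge after the local user-verification step has unlocked the key. The names (`RelyingParty`, `Authenticator`, “alice”, “example-service”) are constructed for the example. It also makes the paper’s caveat concrete: the private key lives on the device, so the strength of every login rests on the device keeping that key locked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is a hypothetical online service: it keeps one public key per
// user and the challenges it has issued but not yet consumed.
type RelyingParty struct {
	Name    string
	pubKeys map[string]*ecdsa.PublicKey
	issued  map[string]bool
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{Name: name, pubKeys: map[string]*ecdsa.PublicKey{}, issued: map[string]bool{}}
}

// Authenticator models the client device. Private keys never leave it and are
// usable only after the local user-verification step (fingerprint, PIN) that
// UAF treats as authenticator-specific and outside the protocol.
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey // one key per service
	unlocked bool
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// LocalVerify records the outcome of the on-device biometric or PIN check.
func (a *Authenticator) LocalVerify(ok bool) { a.unlocked = ok }

// Register creates a P-256 key pair scoped to this device, service and user,
// keeps the private half and sends only the public half to the relying party.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.Name] = priv
	rp.pubKeys[user] = &priv.PublicKey
	return nil
}

// Challenge issues a fresh random nonce and remembers it, so each nonce is
// accepted at most once and a captured signature cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.issued[string(c)] = true
	return c, nil
}

// Sign answers a challenge with the service-specific private key, but only
// when local verification has unlocked the authenticator.
func (a *Authenticator) Sign(service string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("authenticator locked: local user verification failed")
	}
	priv, ok := a.keys[service]
	if !ok {
		return nil, errors.New("no key registered for this service")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify consumes the challenge and checks the signature with the public key
// stored at registration; the server never holds the private key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	if !rp.issued[string(challenge)] {
		return false // unknown or already-used challenge
	}
	delete(rp.issued, string(challenge))
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	rp, phone := NewRelyingParty("example-service"), NewAuthenticator() // constructed names
	if err := phone.Register(rp, "alice"); err != nil {
		panic(err)
	}
	challenge, _ := rp.Challenge()
	phone.LocalVerify(true) // the on-device fingerprint check succeeded
	sig, _ := phone.Sign(rp.Name, challenge)
	fmt.Println("first use verifies:", rp.Verify("alice", challenge, sig))
	fmt.Println("replay verifies:   ", rp.Verify("alice", challenge, sig))
}
```

Two details carry the security weight. The service stores nothing that can be used to impersonate the user (a breach of `pubKeys` leaks only public keys), and `Verify` deletes each challenge on first use, so a signature observed on the wire is worthless a second time. What the protocol cannot do is stand in for the `LocalVerify` step: if the device releases the key without a genuine local check, the server has no way to tell.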

The Biometric Open Protocol Standard

The Biometric Open Protocol was developed by Hoyos Labs as part of its mission to develop an identity authentication solution specifically designed for biometrics that is open, sharable, scalable, and that enables interoperability between biometric products. At its core, it is a biometric-neutral protocol that allows for pluggable and interchangeable modules, including those that provide identification, access control, authentication, role gathering and auditing.

The protocol defines an end-to-end identity authentication platform and access control infrastructure, integrating front and backend systems and including rules that govern secure communications within those environments, as well as the protection of digital assets and identities – all of which are necessary to perform server-based enhanced biometric security. It is fundamentally based on biometrics from the outset, unlike other identity frameworks or protocols in existence today. Its open-source RESTful API and modular components enable integration with third-party biometric solutions, and it can also plumb into existing non-biometric authentication protocols, functioning as a seamless bridge from legacy to new technology without requiring new hardware purchases or lengthy implementation schedules. This essentially enables any device to be controlled with biometrics, as well as solutions that can be developed and deployed in a cost-effective manner.

Ensuring interoperability, however, was only one of the goals behind creating the research. It was also very important that the technology be open, shareable and scalable. To accomplish that, Hoyos Labs submitted the protocol to the Institute of Electrical and Electronics Engineers (IEEE) in early 2014 for consideration as an industry standard. On Sept. 2, 2015, the Biometric Open Protocol Standard (BOPS 2410-2015) was officially approved by the IEEE, making it the only global industry standard that provides a functional framework for the implementation of biometrics in end-to-end identity authentication platforms. This milestone is important in that it marks the first time that any vendor has opened up their biometric algorithms to be ratified by an international organization. In addition, the biometric algorithms will be managed by a centrally recognized compliance organization moving forward, making it vendor independent and allowing anyone to contribute to improvements.

How It Works

BOPS delivers an end-to-end infrastructure utilizing three core components: client software, a BOPS-compliant server and an Intrusion Detection System. The client software was designed to work on mobile devices, which millions of people already own and use on a daily basis. This was a key design principle aimed at fostering widespread adoption and ease of implementation. The BOPS server utilizes an open source framework that leverages existing hardware, and has built-in classifying algorithms that search large stores of data in polynomial time to support faster and more accurate responses – especially important for biometric systems whose databases grow with time. (See sidebar.) The Intrusion Detection System (IDS) identifies and tracks attempts to forge two-way SSL/TLS certificates, impersonation, session replay, forged packets and a variety of other attempts to circumvent the BOPS server. It also blacklists a subject or device that makes malicious access attempts and has full audit capabilities that can be set up per user, group, action or role.

Behind the scenes, BOPS processes the information needed to perform a visual decryption of the person’s biometric data: access to the server, receipt of the biometric vector and the source code. All user data and a unique client certificate are stored on the device for secure communication that works only with a BOPS-compliant server, which means that even if the pieces are compromised, the net authentication will not allow access.

In addition to the behind-the-scenes processes, BOPS allows different levels of security to be configured to balance the convenience of the user experience against the risks that are associated with a transaction. Levels are based on the combination of identity attributes that are linked to a user. For example, Level 1 may consist of the verification of ownership of one asset – such as a user who is being verified through SMS – while Level 4 may consist of physical verification of a document that provides identity along with the user (e.g. a driver’s license or passport). Each level can also be defined based on the risk of a transaction or group of transactions, with simpler transactions utilizing Level 1 and high-risk transactions utilizing Level 4, which provides the highest assurance in the binding between the entity (user) and the identity that is presented for authentication. This allows a business to customize its solution per its unique requirements, as well as design the appropriate balance between convenience and security.

Types of Biometric Systems

There are two types of biometric systems: Identification and Verification. The differences between the two types affect how quickly the system operates and how accurate it is as the size of a biometric database increases.

Verification is a one-to-one matching system where the biometric vector is presented by a person, and compared against a specific biometric that is already in the database and linked to the person’s information. Verification systems only need to compare the presented biometric vector to the stored biometric, which generates results more quickly and accurately than Identification systems, even when the size of the database increases. An access control system is an example of verification since employees must be enrolled before being issued credentials.

Identification is a one-to-many (1:n) matching system, where n is the total number of biometrics in the database. Identification is different from verification because it seeks to identify an unknown person or unknown biometric vector – without having any reference indexing information for that biometric vector. The system tries to answer the questions “Who is this person?” or “Who generated this biometric?” and must check the biometric that is presented against all others already in the database. Most law enforcement and forensic systems use a biometric identification system.
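The sidebar’s 1:1 versus 1:n distinction is easiest to see in code. The Go program below is an added example, not part of the paper or of BOPS, that works on a constructed 256-bit template compared by Hamming distance (the way iris codes are compared): `Verify` looks up one template by the claimed identity, `Identify` scans every enrolled template, and `SystemFalseAccept` shows why the sidebar says identification loses accuracy as the database grows, since the chance of wrongly matching an impostor compounds over n comparisons. The templates, the 20-bit noise model and the 0.2 threshold are constructed values, not figures from the paper.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/bits"
)

// Template is a constructed stand-in for a 256-bit binary biometric feature
// vector; iris codes, for example, are compared by Hamming distance. It is not
// a BOPS or FIDO data format.
type Template [4]uint64

// HammingFraction is the fraction of bit positions in which a and b differ.
func HammingFraction(a, b Template) float64 {
	diff := 0
	for i := range a {
		diff += bits.OnesCount64(a[i] ^ b[i])
	}
	return float64(diff) / float64(64*len(a))
}

// Verify is 1:1 matching: the claimed identity selects exactly one stored
// template, so the cost is constant no matter how large the database is.
func Verify(db map[string]Template, claimed string, probe Template, threshold float64) (bool, error) {
	stored, ok := db[claimed]
	if !ok {
		return false, errors.New("no enrolled template for claimed identity")
	}
	return HammingFraction(stored, probe) <= threshold, nil
}

// Identify is 1:n matching with no claimed identity: every enrolled template
// is compared and the closest one under the threshold is returned, together
// with the number of comparisons made (linear in n). "" means no match.
func Identify(db map[string]Template, probe Template, threshold float64) (string, int) {
	best, bestDist, comparisons := "", math.Inf(1), 0
	for id, t := range db {
		comparisons++
		if d := HammingFraction(t, probe); d <= threshold && d < bestDist {
			best, bestDist = id, d
		}
	}
	return best, comparisons
}

// SystemFalseAccept shows why 1:n accuracy degrades as the database grows: if
// one comparison accepts an impostor with probability far, a search over n
// templates accepts an impostor with probability 1-(1-far)^n.
func SystemFalseAccept(far float64, n int) float64 {
	return 1 - math.Pow(1-far, float64(n))
}

// Noisy returns a copy of t with its first k bits inverted, simulating the
// sensor variation between two captures of the same person.
func Noisy(t Template, k int) Template {
	for i := 0; i < k; i++ {
		t[i/64] ^= 1 << (uint(i) % 64)
	}
	return t
}

func main() {
	// Constructed enrolment database: two maximally different templates.
	db := map[string]Template{
		"alice": {0, 0, 0, 0},
		"bob":   {math.MaxUint64, math.MaxUint64, math.MaxUint64, math.MaxUint64},
	}
	probe := Noisy(db["alice"], 20) // a fresh capture of alice with 20 bits of noise
	ok, _ := Verify(db, "alice", probe, 0.2)
	who, n := Identify(db, probe, 0.2)
	fmt.Printf("1:1 verify as alice: %v; 1:n identify: %q after %d comparisons\n", ok, who, n)
	fmt.Printf("false-accept at 0.1%% per comparison, n=1000: %.3f\n", SystemFalseAccept(0.001, 1000))
}
```

The last line is the operational point behind the sidebar: a matcher that wrongly accepts one impostor in a thousand is fine for 1:1 verification, but over a 1,000-record identification search the same matcher produces a wrong hit roughly 63% of the time, which is why identification systems need either far stricter per-comparison thresholds or a second factor to narrow the search to 1:1.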

Comparison: FIDO vs. BOPS

The primary goal of both FIDO and BOPS is to perform identity authentication using biometrics. Remember that biometrics tell us that a person is who he or she claims to be with a high degree of assurance by utilizing a person’s unique physical characteristics, e.g. Voice, Fingerprint, Iris, Face. To achieve this authentication assurance at scale, and for any type of transaction and industry, a solution must offer three things:

• Standardization to ensure interoperability between vendors and an open set of protocols on top of which a robust ecosystem of products and services can be developed by anyone who wishes to do so

• Security of the solution and the biometric vector itself to prevent hackers from accessing and using a person’s data

• Convenience to ensure widespread adoption and continued use

Standardization

Both Hoyos Labs and FIDO have worked to “standardize” their solutions. As previously mentioned, Hoyos Labs’ Biometric Open Protocol has been certified by the IEEE, a globally recognized standards organization whose mission is to foster technological innovation and excellence for the benefit of humanity. Its technical community is universally recognized for the contributions of technology and of technical professionals in improving global conditions. Having such a well-respected and globally recognized organization handling central management and distribution is a tremendous advantage for BOPS customers. In addition, opening up the biometric algorithms to the entire technical community ensures vendor neutrality, allowing anyone to use and improve upon the algorithms. This is in contrast to FIDO, which has tiered membership levels that define degrees of participation and a multi-vendor architecture. FIDO “standardizes” by delivering common specifications across its membership. To date, neither IEEE nor any other global standards organization has formally certified these specifications. Instead, FIDO runs its own certification program that allows members and non-members to measure compliance with UAF and U2F specifications to make sure their products and services are compatible with the FIDO environment.

Security

Clearly, security is top of mind for both BOPS and FIDO given the requirements for performing strong authentication. BOPS integrates the security protocol into a single layer that incorporates automatically managed certificates and strong encryption. In contrast, FIDO allows each participant vendor to manage their certificates and instrument variant protocols to encrypt data in transit and at rest. The two approaches present a better security model than legacy password and PIN, although managing fewer layers is the more desirable approach as this provides more transparency and less complexity. Additionally, the FIDO model is only as good as the weakest link, meaning that each company using the framework is dependent on the APIs, communications and security measures – good or bad – of the other members of the alliance.


Also, while FIDO has created specifications that can be adopted by different vendors, they essentially “glue” the vendor frameworks together using multiple API layers to handle both biometric and non-biometric technologies. The FIDO protocols utilize SAML and other frameworks, which don’t have the ability to identify the person in a single transaction layer. Also, as mentioned earlier, the authenticator-specific enrollment process is outside the scope of the FIDO protocols. Thus, multiple layers must be configured to process the non-biometric authentication method and create the biometric identity, and separate transaction layer(s) link the biometric identity to the authorization scheme. This type of approach introduces multiple fault points throughout the process, adds complexity and increases the security attack surface.

In contrast, BOPS is architected as one transaction layer inclusive of other biometric solutions as well as non-biometric technologies. Central to this architecture is the distinction between authentication and authorization (see sidebar), and the belief that a true biometric identity authentication solution MUST bind the person to the role that he or she is authorized to perform, the location and/or resources that he or she is given access to and the device(s) that he or she is authorized to use.

BOPS is also different from FIDO in that its Genesis process is within the scope of its protocols. Genesis identifies a subject irrespective of any downstream processing. BOPS binds directly to the biometric during registration, and carries that biometric throughout the entire transaction of creating the biometric identity (Genesis) and linking it to the devices and resources that the person is authorized to access (Enrollment). This includes authorization to devices, physical spaces, systems, sites, networks, assets, transactions and environments. BOPS supports enrollment of one person to many devices, multiple biometrics to one device and one device to many people, as needed.

Another difference between the two solutions is the security of the biometric vector itself. BOPS splits the initial biometric vector that is supplied during registration between the client and the server, which is an important security feature in that a user’s data and the private key are never stored together. An enhancement to the Standard, known as BOPS2, encrypts each piece using visual cryptography and generates the private key that is specific to a security certificate issued by the BOPS-compliant server and to a user identity. This allows a person to maintain multiple devices linked to his/her identity without creating duplicate identities on the server, and it also guarantees the security of the biometric vector. The FIDO UAF and U2F specifications do not specifically handle the ability to link between devices without incurring the penalty of multiple entries and layers. This is a key difference since recent research shows that the average online adult in the U.S. uses more than four connected devices, with 70% using a smartphone.[4] The inability to handle links between devices means that multiple user accounts per individual must be created, requiring a costly management structure.

Lastly, the completeness of each solution must be examined. The FIDO specifications do not define a true end-to-end authentication infrastructure as the focus is on vendor inclusion through API specification. Whilst one can argue this approach allows a continuum of vendors to participate toward a complete biometric solution, the cost becomes significant due to its multiple layers, certificates and increased security attack surface – all of which require a higher degree of management and communication. This approach also speaks to the “weakest link” theorem, which is that security is only as strong as the weakest link in the trusted chain of vendors. A security attack or hole in just one vendor infects the rest of the FIDO solution.

Authentication vs. Authorization

The term “authentication” is often confused or used synonymously with the term “authorization”, yet they mean very different things when designing a secure biometrics technology solution.

Authorization refers to rules that determine who is allowed to perform an operation and at what location/with what resources that person is allowed to perform it.

Authentication is the process of ascertaining that people are who they say they are. Once a person’s identity is validated, that person can then be linked to the role that he or she is authorized to perform.

This distinction is critical.

Passwords and PINs are means of providing access, NOT means to authenticate a person’s identity. Passwords are easily shared, and there is no reliable method to ensure that the person entering a user credential or swiping a badge or credit card is the person who is authorized to use it.
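The “split between the client and the server” property described above is a form of secret sharing. As an added illustration of the principle (not Hoyos Labs’ BOPS2 implementation, and not visual cryptography applied to images), the Go program below splits a constructed byte vector into two XOR shares: the client’s share is a random pad and the server’s share is the vector masked by that pad, so neither store on its own reveals the vector and a single compromised store yields nothing usable. `Split`, `Combine` and `Demo` are names chosen for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// Split turns a biometric vector into two shares: a uniformly random pad
// (held by one party) and vec XOR pad (held by the other). Each share on its
// own is indistinguishable from random and reveals nothing about vec.
func Split(vec []byte) (clientShare, serverShare []byte, err error) {
	if len(vec) == 0 {
		return nil, nil, errors.New("empty vector")
	}
	clientShare = make([]byte, len(vec))
	if _, err = rand.Read(clientShare); err != nil {
		return nil, nil, err
	}
	serverShare = make([]byte, len(vec))
	for i := range vec {
		serverShare[i] = vec[i] ^ clientShare[i]
	}
	return clientShare, serverShare, nil
}

// Combine restores the vector; it refuses to proceed unless both shares are
// present and of equal length, so a single captured share is useless.
func Combine(a, b []byte) ([]byte, error) {
	if len(a) == 0 || len(a) != len(b) {
		return nil, errors.New("both shares of equal length are required")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// Demo splits a vector and reports (restored, leaked): whether combining the
// shares gives the vector back, and whether either share on its own equals
// the vector (with a 32-byte vector the chance of that is negligible).
func Demo(vec []byte) (restored bool, leaked bool, err error) {
	c, s, err := Split(vec)
	if err != nil {
		return false, false, err
	}
	back, err := Combine(c, s)
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(back, vec), bytes.Equal(c, vec) || bytes.Equal(s, vec), nil
}

func main() {
	vec := []byte("constructed-feature-vector-sample") // stands in for a real template
	restored, leaked, err := Demo(vec)
	fmt.Println("restored:", restored, "single share reveals vector:", leaked, "err:", err)
	_, err = Combine(vec[:8], nil) // only one share available
	fmt.Println("combine with one share:", err)
}
```

The XOR split is the simplest 2-of-2 scheme and gives information-theoretic secrecy for each share in isolation; what it does not give is integrity, so a deployment would still authenticate both stores (the paper’s per-device client certificate and two-way SSL/TLS serve that role) before the shares are brought together.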

Convenience

Technology today must be convenient and easy to use to facilitate widespread adoption. The desire for simple, intuitive interfaces and robust feature sets will continue to need to be balanced against the requirement for strong security, especially in the financial services and mobile payments sectors. One way to achieve this balance is to utilize technology solutions that allow for seamless integration into existing products and features so that authentication is secure and accurate, yet is largely transparent to the user after implementation and initial registration. Both BOPS and FIDO provide this advantage, albeit in different ways.

For FIDO, a key factor to ensuring widespread adoption is the participation of vendors in the Alliance. The multi-vendor solution architecture encompasses client devices, authenticators, and relying party applications and associated deployment environments. This architectural approach allows for the creation of similar user experiences across vendors, online services and authenticators, if that is desired. However, adoption is also reliant on the continued willingness of members to stay with the Alliance, despite often-competing business interests and dependencies that may shift over time as the global market changes. This is a cause for concern given the growth potential of the multi-billion dollar biometrics market, and the competition this will engender. After all, history has proven that an ally today may be an adversary tomorrow.

For BOPS, the key to adoption is making the framework universal and easy to manage from both the enterprise and consumer perspective. Recently, HOYOS was able to deliver on this promise by achieving IEEE standardization. This type of standardization offers value by ensuring the framework is:

o Open to the public to scrutinize and cooperatively add value

o All changes to the standards and APIs are managed by the IEEE, which ensures the customer’s best interest is always put first

o Minimizes vendor back doors

o Minimizes the complexity of the solution to one layer / one source

Additionally, the BOPS framework includes all necessary APIs and protocols to handle multiple use cases, such as:

o Enterprise and public customer clients
o Both enterprise and public customers who consume the entire framework from a single mobile application instance (1uApp)
o Complete coverage of all permutations of biometrics, including all native biometrics available on any mobile device, all FIDO architecture and custom BOPS biometrics
o Integration into any enterprise and public solution, including any third-party solutions, through a central server, making it easy to deploy
o From the perspective of the customer and the end-user, all integration is instrumented behind the scenes and deployed through a simple mobile application and a central portal on the BOPS server.

Combining Solutions

For existing FIDO customers, it is possible and beneficial to pair the FIDO solutions API with the BOPS framework to leverage the strengths of each. The integration is straightforward: it requires the FIDO authenticators to be integrated into a BOPS Server. After integration, BOPS manages all certificates and cross-platform security transactions under a central Platform IDE. Once completed, customers can extend the accounting life cycle invested in FIDO and the central management offered by the BOPS Framework whilst adding the following security benefits:

o Removes the need to rotate / replace certificates
o Adds end-to-end security from end-device to authentication seamlessly
o Includes a comprehensive biometric genesis, which removes the separate process otherwise needed to glue in "Enterprise Back-End Security" such as Active Directory, SAML and LDAP
o Removes the need to add / manage multiple vendor applications on end-devices. All FIDO implementations are then extended through HOYOS 1uAPP

Conclusion

The threat of cyber attacks and the explosive growth of mobile and connected devices have precipitated the need for robust, highly secure authentication solutions. There is tremendous opportunity to use biometric technologies to protect and authenticate digital identities, and it is critical for people who are using and evaluating biometric technologies to educate themselves on the fundamentals, and to ask questions, in order to knowledgeably select the biometrics solution that best meets business requirements. Not all biometrics are equal. Each biometric has differing degrees of freedom/entropy, making each one completely distinct with respect to its transactional risk/metrics-based applicability. The biometrics industry has also been on the verge of "breaking out" for many years. Now that the dawn of that era is upon us, a number of fraudsters, criminals, and grossly misrepresented solutions are finding their way into the marketplace along with it. Standards and their implementation are the best way to ensure that the biometrics-based solutions chosen do not end up being worse than the problem they set out to solve.


Footnotes:

1. Office of Personnel Management. https://www.opm.gov/cybersecurity/cybersecurity-incidents/. Sept 2015.
2. McAfee Labs. 2015 Threat Predictions. Dec 2014.
3. Goode Intelligence. Biometrics for Banking: Market and Technology Analysis, Adoption Strategies and Forecasts 2015-2020. June 2015.
4. FIDO Alliance. https://fidoalliance.org/about/overview/. Sept 2015.
5. Acuity Market Intelligence. The Global Biometrics and Mobility Report. June 2015.
6. Industry Experts. Biometrics – A Global Market Overview. Jan 2015.
7. McAfee Labs. 2015 Threat Predictions. Dec 2014.
8. Acuity Market Intelligence. The Global Biometrics and Mobility Report. June 2015.
9. Acuity Market Intelligence. The Global Biometrics and Mobility Report. June 2015.
10. U.S. Department of Justice. 2014 Identity Theft Supplement to the National Crime Victimization Survey. September 27, 2015.
11. KPMG. 2015 Healthcare Cybersecurity Survey. Aug 2015.