FIDO's place in the eID ecosystem

Maarten Wegdam, managing partner

PIMN Seminar on FIDO Alliance

23 January 2015

Identity, privacy & trust

Strategy realization

Business models

Digitalization in networks of organizations

Research-based advice & software

End-user perspective

Without FIDO

• Separate authenticators for every website/identity

• No choice between authenticators

• Rarely use the embedded authenticators of your mobile (e.g., fingerprint sensor)

With FIDO

• Select your own authenticator at registration time

• Fewer passwords and/or more 2nd factors

Relying party perspective

Without FIDO

• Costs and user friction for non-password/2nd-factor authentication

• Vendor lock-in to authenticator

• Often use one-time-password-like 2nd factors (SMS, TOTP app, etc.)

With FIDO

• No biometric data on premises

• Flexibility & easy integration

• Allow a wide range of authenticators

• No (?) branding on authenticators

BYOId vs BYOAuthn

FIDO is about BYOAuthn, not BYOId

[Diagram labels: (trusted?) attributes; authentication; BYOId; verification/issuing process; authentication means; level of assurance [STORK, ISO 29115]]

BYOId – e.g. OpenID, eID Framework NL, SAML federations, trust frameworks, etc.

FIDO vs social login

Social login is often associated with BYOId, but is more BYOAuthn in reality

FIDO may reduce usage of social logins

But not very popular in NL anyway …

FIDO vs eID Framework NL

FIDO can be used by Authentication providers

Potentially easier to adopt new authentication means

NO impact on service providers (websites): they simply use SAML

FIDO vs OATH

OATH – Initiative for Open Authentication

TOTP is often used, e.g., Google Authenticator

Aimed at one-time passwords

FIDO a hype?

Gartner (17 Nov 2014): “beyond Samsung Galaxy S5-PayPal no significant implementations yet”

Kuppinger Cole (10 Dec 2014): from more skeptical to “the initiative is gaining more traction”

A perspective on FIDO

What it does offer

• For relying parties: flexibility, ease of integration, less vendor lock-in

• For users: re-use of authentication means, aka BYOAuthn

• Easier to move to non-password

• No ‘spillover’ of hacks (anti-phishing, MITM, mutual authn)

What it doesn’t offer

• No attributes, no identity: no BYOId

• No cross-device authentication (yet? USB + NFC); re-registration needed

• No passwords, no one-time-passwords

• No context-based or continuous authentication

What remains to be seen

• Will it confuse people? One authenticator for many identities?

• Adoption is key: chicken-and-egg, especially browser and smartphone vendors
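The ‘no spillover’ and anti-phishing claims above rest on two properties of FIDO: the authenticator mints a separate key pair per relying party, and every response is bound to the origin the browser actually shows. The following Go program is an added illustration of those two properties, not code from the slides or from the FIDO specifications; the `Authenticator`/`RelyingParty` types, the `digest` helper and the origin strings used in tests are constructed, simplified stand-ins for the real protocol messages.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator keeps one key pair per RP origin: re-used device (BYOAuthn), no shared keys.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// RelyingParty stores only public keys (user -> key): a breach of it gives no spillover.
type RelyingParty struct {
	origin string
	pubs   map[string]*ecdsa.PublicKey
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRP(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubs: map[string]*ecdsa.PublicKey{}}
}

// digest binds the RP's challenge to the origin the browser reports
// (constructed, simplified stand-in for the real FIDO client-data hash).
func digest(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return h[:]
}

// Register mints a fresh key pair scoped to rp; only the public half leaves the device.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rp.origin] = priv
	rp.pubs[user] = &priv.PublicKey
}

// Sign answers a challenge with the key for the origin the browser actually shows.
func (a *Authenticator) Sign(originSeen string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[originSeen]
	if !ok {
		return nil, false // look-alike origin: no credential, nothing signed
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(challenge, originSeen))
	return sig, err == nil
}

// Verify checks against the RP's own origin and key, so a relayed response fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ecdsa.VerifyASN1(pub, digest(challenge, rp.origin), sig)
}
```

A response signed for one origin verifies only at that origin, and a relying party that registers the same user with the same device still ends up with a key that is useless at any other site.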

Takeaways

FIDO is about BYOAuthn, not BYOId

FIDO enables non-password, non-OTP authentication factors

As always, adoption is key, especially by browser and smartphone vendors

[email protected] | +31 6 51993485 | @maartenwegdam | http://innovalor.nl | http://www.linkedin.com/in/wegdam