FIDO: THE FUTURE OF AUTHENTICATION? 23 March 2017

Identity Tech Talks #3 FIDO future of authentication


Page 1

FIDO: THE FUTURE OF AUTHENTICATION?

23 March 2017

Page 2

SAFRAN IDENTITY AND SECURITY RESTRICTED

SAFRAN IDENTITY AND SECURITY

Safran Identity and Security / 15-07-2016 / Direction

R&D investment equal to nearly 7% of revenue

Workforce: 8,700+ employees in 57 countries

€1.9 billion of revenue

#1 worldwide in biometric identity solutions (fingerprint, iris and face)

Systems deployed in more than 100 countries

A global leader in identity and security

Page 3

Intro

Safran Identity & Security / 23 March 2017

1. FIDO in brief

2. FIDO use cases: UAF, U2F, 2.0

Page 4

1. FIDO IN BRIEF

Page 5

The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards

All Rights Reserved | FIDO Alliance | Copyright 2017.

Page 6

FIDO Alliance Mission

1. Develop Specifications: define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to authenticate users of online services

2. Operate Adoption Programs

3. Pursue Formal Standardization

Page 7

Board Members

Page 8

HOW “Shared Secrets” WORK

ONLINE: The user authenticates themselves online by presenting a human-readable “shared secret”

Page 9

HOW FIDO WORKS

AUTHENTICATOR

LOCAL: The user authenticates “locally” to their device (by various means)

ONLINE: The device authenticates the user online using public key cryptography

Page 10

No 3rd Party in the Protocol

No Secrets on the Server Side

Biometric Data (if used) Never Leaves Device

No (*new*) Link-ability Between Services

No (*new*) Link-ability Between Accounts


Page 11

Certification Growth

An open competitive market

Ensures interoperability

Sign of mature FIDO ecosystem

250+ FIDO® Certified products available today

Chart: TOTAL FIDO Certified products, Apr-15, Jul-15, Sep-15, Dec-15, Mar-16, May-16, Aug-16, Jan-17 (data labels as extracted: 32, 62, 74, 108, 162, 216, 253, 304)

Page 12

2. USE CASES: FIDO UAF, FIDO U2F, FIDO 2.0

Page 13

FIDO Specifications

UAF (Universal Authentication Framework)

• Specifications: V1.0: Final; V1.1: implementation draft

U2F (Universal Second Factor)

• Specifications: V1.0: Final; V1.1: implementation draft

FIDO 2.0 (formerly UFS)

• Technical improvement

• CTAP: interfaces with Authenticator

• WebAuthn: Browser API defined by W3C

• Specifications: Draft

Page 14

NOTE: FIDO = AUTHENTICATION (not identity)

Diagram: jdoe -> site.com; Phase 1: registration; Phase 2: authentication (key material drawn as bit strings)
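The two phases sketched above, together with the "How FIDO works" and "No secrets on the server side" slides, as an added Go example that is not part of the Safran deck: the authenticator mints a per-service key pair at registration and signs a server challenge at authentication, while the server keeps nothing but the public key. The rpID "site.com" and user jdoe come from the slide; the function names and the digest layout are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Credential is all the server keeps after Phase 1: a public key. No secret
// (password hash, shared key) ever reaches the server.
type Credential struct{ Pub *ecdsa.PublicKey }

// Authenticator holds one private key per relying party (rpID); the key never
// leaves the device, and distinct services get distinct, unlinkable keys.
type Authenticator map[string]*ecdsa.PrivateKey

// Register (Phase 1): mint a P-256 key pair bound to rpID and return only the public half.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// digest binds the signature to the service and to the fresh challenge (assumed layout:
// SHA-256(SHA-256(rpID) || SHA-256(challenge)), in the spirit of U2F/WebAuthn signed data).
func digest(rpID string, challenge []byte) []byte {
	rp, cd := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	d := sha256.Sum256(append(rp[:], cd[:]...))
	return d[:]
}

// Assert (Phase 2): sign the server's random challenge with the key registered for rpID.
func (a Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(rpID, challenge))
}

// Verify is the server-side check: the assertion must verify under the stored
// public key for this rpID and this exact challenge; anything else is refused.
func (c Credential) Verify(rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Pub, digest(rpID, challenge), sig)
}
```

The server must draw a fresh random challenge for every authentication; a signature over an old challenge, or one produced for another service, does not verify.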

Page 15

FIDO Server

A FIDO Server is the backend service that cryptographically authenticates an application user through a FIDO authenticator.

Main features

• Compliance with the FIDO protocols (U2F/UAF/FIDO 2.0)

• Authenticator policy management

• API with the user agent (Registration)

Page 16

FIDO Standard : Compatibility Aspects

Diagram labels: FIDO “Gold” Server; protocols U2F, UAF, FIDO2; client APIs U2F JS API, UAF JS API, WebAuthn/U2F, WebAuthn/CTAP; bound authenticator; Roaming Authenticator through CTAP; note: Interoperability still to finalize

Page 17

Fido 2.0 (WebAuthn + CTAP)

Diagram (architecture): User Device (Browser, OS, Mobile Apps, Bound authenticators; Roaming Authenticators with transport channels BLE, USB, NFC and CTAP payload) <-> Relying Party Web Application over HTTPS (Registration, Authentication & Transaction Confirmation) <-> FIDO Server; also shown: IDP and the FIDO Alliance Metadata Service

Page 18

Status update

• Technical:

• UAF: decreasing to almost stalled activity, trying to bring keystore as level 2 authenticators and bridging to WebAuthn

• U2F: most of the work bridging to WebAuthn

• CTAP: stalled waiting for a final status on WebAuthn

• Related: WebAuthn very active development effort on Chrome, Edge and Mozilla

• Working Groups

• SRWG: Move initial levels 1=>4 to 2=>5 with an initial level for compliance and high level security overview (include software and TouchID authenticators)

• CWG: Continue the biometric certification without PAD, rely upon TEE certification levels for 2+ levels

• P3WG: Influence US NIST, EU for identity and banking standards
