FIDO: THE FUTURE OF AUTHENTICATION?
23 March 2017
SAFRAN IDENTITY AND SECURITY RESTRICTED
SAFRAN IDENTITY AND SECURITY
Safran Identity and Security / 15-07-2016 / Direction
A GLOBAL LEADER IN IDENTITY AND SECURITY
• R&D investment equal to nearly 7% of revenue
• Workforce: 8,700+ employees in 57 countries
• €1.9 billion of revenue
• #1 worldwide in biometric identity solutions (fingerprint, iris and face)
• Systems deployed in more than 100 countries
Intro
1. FIDO in brief
2. Use cases: FIDO UAF, U2F, 2.0
1. FIDO IN BRIEF
The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards.
All Rights Reserved | FIDO Alliance | Copyright 2017.
FIDO Alliance Mission
1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization
Mission statement: define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to authenticate users of online services.
Board Members
HOW "SHARED SECRETS" WORK (ONLINE)
The user authenticates online by presenting a human-readable "shared secret" (typically a password) directly to the service.
HOW FIDO WORKS
• Local: the user authenticates "locally" to their authenticator, by various means (for example a biometric or a PIN).
• Online: the device authenticates the user to the online service using public key cryptography; only a signature over a fresh challenge crosses the network.
• No 3rd party in the protocol
• No secrets on the server side
• Biometric data (if used) never leaves the device
• No (*new*) linkability between services
• No (*new*) linkability between accounts
Certification Growth
• An open competitive market
• Ensures interoperability
• Sign of a mature FIDO ecosystem
250+ FIDO® Certified products available today
[Chart: cumulative total of FIDO Certified products, data points as extracted]
Apr-15: 32 | Jul-15: 62 | Sep-15: 74 | Dec-15: 108 | Mar-16: 162 | May-16: 216 | Aug-16: 253 | Jan-17: 304
2. USE CASES: FIDO UAF, FIDO U2F, FIDO 2.0
FIDO Specifications
UAF (Universal Authentication Framework)
• Specifications: v1.0 final; v1.1 implementation draft
U2F (Universal Second Factor)
• Specifications: v1.0 final; v1.1 implementation draft
FIDO 2.0 (formerly UFS)
• Technical improvement over UAF and U2F
• CTAP: interface with the authenticator
• WebAuthn: browser API defined by the W3C
• Specifications: draft
NOTE: FIDO = AUTHENTICATION (not identity)
[Diagram: user jdoe and site.com. Phase 1: registration. Phase 2: authentication. FIDO proves that the key holder registered in phase 1 is present again in phase 2; binding that key to a real-world identity (who "jdoe" actually is) is outside the protocol.]
FIDO Server
A FIDO Server is the backend service that cryptographically authenticates an application user through a FIDO authenticator.
Main features
• Compliance with the FIDO protocols (U2F / UAF / FIDO 2.0)
• Authenticator policy management (which authenticator types a relying party accepts)
• API with the user agent (registration)
FIDO Standard: Compatibility Aspects
[Diagram, labels as extracted]
• FIDO "Gold" Server: supports U2F, UAF and FIDO2
• Client-side APIs: U2F JS API, UAF JS API, WebAuthn (FIDO2, and WebAuthn/U2F for bridged U2F credentials)
• Authenticators: roaming authenticator through CTAP (WebAuthn/CTAP); bound authenticator
• Interoperability still to finalize
FIDO 2.0 (WebAuthn + CTAP)
[Architecture diagram, labels as extracted]
• Relying Party: Web Application and FIDO Server
• IDP
• User Device: Browser, OS, Mobile Apps, bound authenticators
• Roaming authenticators, reached over transport channels (BLE, USB, NFC) carrying the CTAP payload
• Browser to Relying Party over HTTPS: Registration, Authentication & Transaction Confirmation
• FIDO Alliance Metadata Service
Status update
• Technical:
  • UAF: activity decreasing to almost stalled; trying to bring the keystore in as level 2 authenticators and bridging to WebAuthn
  • U2F: most of the work is bridging to WebAuthn
  • CTAP: stalled, waiting for a final status on WebAuthn
  • Related: very active WebAuthn development effort on Chrome, Edge and Mozilla
• Working Groups:
  • SRWG (Security Requirements): move the initial levels 1=>4 to 2=>5, with an initial level for compliance and a high-level security overview (including software and Touch ID authenticators)
  • CWG (Certification): continue biometric certification without PAD (presentation attack detection); rely upon TEE certification levels for levels 2+
  • P3WG (Privacy and Public Policy): influence US NIST and EU identity and banking standards