fido-alliance
EXPERIENCE SIMPLER, STRONGER AUTHENTICATION
AGENDA: The Problem | The Solution | The Alliance | Updates
Data Breaches…
781 data breaches in 2015
170m records in 2015 (up 50%)
$3.8m/breach (up 23% from 2013)
“95% of these incidents involve harvesting credentials stolen from customer devices, then logging into web applications with them.” (2015 Data Breach Investigations Report)
“A look through the details of these incidents shows a common sequence of phish customer → get credentials → abuse web application → empty bank/bitcoin account.” (2015 Data Breach Investigations Report)
The world has a PASSWORD PROBLEM
ONE-TIME PASSCODES: improve security but aren’t easy enough to use
• Still Phishable
• User Confusion
• Token Necklace
• SMS Reliability
WE NEED A NEW MODEL
WE CALL OUR NEW MODEL: Fast IDentity Online, online authentication using public key cryptography
THE OLD PARADIGM vs THE FIDO PARADIGM
(chart: Usability axis from Poor to Easy, Security axis from Weak to Strong)
HOW OLD AUTHN WORKS (ONLINE): The user authenticates themselves online by presenting a human-readable secret.
HOW FIDO AUTHN WORKS (AUTHENTICATOR: LOCAL + ONLINE)
LOCAL: The user authenticates “locally” to their device by various means.
ONLINE: The device authenticates the user online using public key cryptography.
Introduction to FIDO 1.0 standards: Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F)
Passwordless Experience (UAF Standards): 1. Authentication Challenge; 2. Biometric Verification*; 3. Authenticated Online
Second Factor Experience (U2F Standards): 1. Second Factor Challenge; 2. Insert Dongle* / Press Button; 3. Authenticated Online
*There are other types of authenticators
FIDO Registration (user is in a session or in a new account flow): 1. Invitation Sent; 2. User Approval; 3. New Keys Created; 4. Public Key Registered With Online Server; Registration Complete
FIDO Authentication (user needs to login or authorize a transaction): 1. FIDO Challenge; 2. User Approval; 3. Key Selected & Signs; 4. Signed Response verified using Public Key Cryptography; Login Complete
FIDO UAF: UNIVERSAL AUTHENTICATION FRAMEWORK
AUTHENTICATOR. User verification: same user as enrolled before? FIDO authentication: same authenticator as registered before?
ATTESTATION & METADATA: the FIDO Authenticator sends a Signed Attestation Object; the FIDO Server uses Metadata to Verify the Trust Anchor and to Understand the Authenticator Characteristics.
UAF AUTHENTICATION DEMO EXAMPLE: Steps 1 to 4 (screenshots)
FIDO U2F: UNIVERSAL 2ND FACTOR
AUTHENTICATOR. User verification: is a user present? FIDO authentication: same authenticator as registered before?
U2F AUTHENTICATION DEMO EXAMPLE: Steps 1 to 4 (screenshots)
USABILITY, SECURITY and PRIVACY by Design
Privacy by Design History
• Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada, coined the term “Privacy by Design” in the late 1990s.
• The idea was to take privacy into account early in the design process.
• Cavoukian went a step further and developed 7 principles.
• It took years to investigate the idea further and for privacy to become familiar as an engineering concept.
Privacy Principles
https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf
No 3rd Party in the Protocol
No Secrets generated/stored on the Server side
Biometric Data (if used) Never Leaves Device
No Link-ability Between Services and Accounts
De-register at any time
No release of information without consent
FIDO & Privacy (AUTHENTICATOR: USER VERIFICATION + FIDO AUTHENTICATION)
FIDO REGISTRATION (participants: FIDO Authenticator, App, WebApp, FIDO Server)
STEP 1: 0. Prepare
STEP 2: 1. TLS Channel Establishment (privacy principle: No 3rd Party in the Protocol)
STEP 2: User is invited by the Online Service to register their FIDO device (specific to Online Service Providers): 1. Legacy Auth. + Initiate Reg.; 2. Reg. Request + Policy (privacy principle: No release of information without consent)
STEP 3: 3. Verify User & Generate New Key Pair (specific to account with Online Service Provider) (privacy principle: No Secrets generated/stored on the Server side)
STEP 4: 4. Reg. Response: register public key with FIDO Server for verifying signed challenges (specific to account with Online Service Provider) (privacy principle: Biometric Data (if used) Never Leaves Device)
FIDO REGISTRATION (On Multiple Sites): Website A, Website B (privacy principle: No Link-ability Between Accounts and Services)
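The registration and authentication steps above, as an added example in Go that is not part of the FIDO Alliance deck or of any FIDO implementation: a toy authenticator mints one P-256 key pair per service (step 3), the relying-party server keeps only the public key (step 4), and a login is a signed challenge checked with that key. The service names, challenge bytes and the key-handle derivation are constructed for this example; real FIDO messages carry more fields (counters, attestation) than shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator maps "service/keyHandle" to a private key: one pair per service, so no link-ability.
type Authenticator map[string]*ecdsa.PrivateKey
// Register is step 3 of the registration flow: mint a key pair for rpID. Only the
// key handle and the public key go back to the server; the private key stays here.
func (a Authenticator) Register(rpID string) (handle string, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle = priv.X.Text(16)[:16] // opaque handle; derived from the key here only for brevity
	a[rpID+"/"+handle] = priv
	return handle, &priv.PublicKey, nil
}
// Sign answers a server challenge with the key held for (rpID, handle). The service name
// is hashed into the signed message, so a response for one site is useless at another.
func (a Authenticator) Sign(rpID, handle string, challenge []byte) (sig []byte, ok bool) {
	priv := a[rpID+"/"+handle]
	if priv == nil {
		return nil, false
	}
	digest := sha256.Sum256(append([]byte(rpID), challenge...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, err == nil
}
// Server stores public keys only (key handle -> public key, step 4): a copy of its
// database contains nothing that could be replayed as a login.
type Server struct {
	RPID  string
	Creds map[string]*ecdsa.PublicKey
}
func NewServer(rpID string) *Server {
	return &Server{RPID: rpID, Creds: map[string]*ecdsa.PublicKey{}}
}
// Verify checks a signed challenge with the public key stored at registration.
func (s *Server) Verify(handle string, challenge, sig []byte) bool {
	pub := s.Creds[handle]
	digest := sha256.Sum256(append([]byte(s.RPID), challenge...))
	return pub != nil && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```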
PERSONAL DATA
Application-specific Data: depending on the service (e.g., shipping address, credit card details); outside the scope of FIDO
User Verification Data: biometric data (e.g., fingerprint or voice template, heart-rate variation data)
FIDO-related Data: identifiers used by the FIDO authenticator protocols (e.g., public key, key handle)
Data Minimization, Purpose Limitation and protection against unauthorized access
Better security for online services
Reduced cost for the enterprise
Simpler and safer for consumers
The FIDO Alliance is an open industry association of over 250 global member organizations
MODERN AUTHENTICATION (diagram): Physical-to-digital identity; User Management; Authentication (Passwords, Risk-Based, Strong); Federation; Single Sign-On. FIDO SCOPE is marked within this landscape.
FIDO Alliance Mission: 1. Develop Specifications; 2. Operate Adoption Programs; 3. Pursue Formal Standardization
Board Members (logos): Services/Apps, Vendors/Enablers, Devices/Platforms
Government Members (Public Sector, logos)
“The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.” -- Mike Garcia, NSTIC NPO
Liaison Program: Industry Partners (logos)
Our mission is highly complementary to many other associations around the world. We welcome the opportunity to collaborate with this growing list of industry partner organizations.
2015 FIDO ADOPTION
“Microsoft Announces FIDO Support Coming to Windows 10” (Feb 23, 2015)
“Qualcomm launches Snapdragon fingerprint scanning technology” (March 2, 2015)
“Google for Work announced Enterprise admin support for FIDO® U2F “Security Key”” (April 21, 2015)
“Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards” (May 26, 2015)
“Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” (August 12, 2015)
“the technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.” (September 15, 2015)
“GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification” (October 1, 2015)
Deployments are enabled by FIDO Certified™ Products available today
FIDO Certification: Available to anyone; Ensures interoperability; Promotes the FIDO ecosystem
Steps to certification: 1. Conformance Self-Validation; 2. Interoperability Testing; 3. Certification Request; 4. Trademark License (optional)
fidoalliance.org/certification
20-NOV-2015: FIDO Authentication Poised for Continued Growth as Alliance Submits FIDO 2.0 Web API to W3C
• W3C has accepted our submission
• Specifications required to define a FIDO-compliant Web API
• Designed to extend FIDO’s existing reach to all platforms
• OEM community should begin to plan their support now
• RP community should deploy FIDO 1.x now knowing FIDO standards are “future proof”, strategically positioned as the de facto authentication scheme for the Web & OS Platforms
FIDO in 2015 (timeline, February to November)
Relying Parties: deploy FIDO 1.X now
OEMs: plan for FIDO 2.x now
Vendors: get FIDO Certified™
JOIN THE FIDO ECOSYSTEM
JOIN THE FIDO ALLIANCE