cis14: filling the “authentication goes here” hole in identity
DESCRIPTION
Michael Barrett, FIDO Alliance
A report on the headway the FIDO Alliance is making in establishing standards that enable easily interoperable authentication, covering the high-level technical architecture of these new authentication protocols and giving an update on progress.
TRANSCRIPT
Page 1: CIS14: Filling the “authentication goes here” Hole in Identity
Michael Barrett, president of the FIDO Alliance
Cloud Identity Summit, July 2014
www.fidoalliance.org Copyright 2014, The FIDO Alliance. All Rights Reserved
Page 2: Problems, problems, problems
Page 3: Rampant online attacks
• Major hacks have been targeted at password databases within Online Gaming, Financial Services and Social Media organizations
• Password re-use is a significant problem – technical analysis of data breaches has shown that 76% of passwords are used across multiple sites.
Page 4: Opportunity for Better Authentication is Upon Us
For Users: Painful to Use
• 25 Accounts • 8 Logins / Day • 6.5 Passwords
For Organizations: Difficult to Secure
• $5.5M / Data Breach • $15M / PWD Reset • $60+ / Token
For the Ecosystem: Impossible to Scale
• Fragmented • Inflexible • Slow to Adopt
Page 5: Authentication is not a Continuum…
[Chart: Security (Low to High) plotted against Usability (Low to High); quadrant labels: JUST BAD, JUST EASY, UNPLEASANT and “BETTER AUTHENTICATION”]
Page 6: What is FIDO?
Page 7: Common authentication plumbing
[Diagram: Users, Devices, Cloud/Enterprise, Federation]
WHAT IS NEEDED: Usable Authentication, Interoperable Ecosystem, Open Standard Plug-In Approach
Page 8: FIDO – Unique Approach: Any Device. Any Application. Any Authenticator.
Standardized Protocols
Local authentication unlocks app-specific key
Key used to authenticate to server
Page 9: Improved security
Unique cryptographic secret created per user account + device + site
• Protection against brute force attacks • Segmentation of risk • Protection against unintentional disclosure
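The "local authentication unlocks an app-specific key" and "one secret per user account + device + site" ideas from the two slides above, modelled as an added example that is not from the deck or from the FIDO specifications: an authenticator mints a P-256 key pair per (account, device, site), the site keeps only the public key, and a login is a signed challenge bound to the site's origin. The type and function names (credID, Authenticator, RelyingParty) are assumed for illustration; real FIDO adds attestation, counters and a defined message format on top of this core.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// credID scopes one credential to user account + device + site origin (names assumed).
type credID struct{ user, device, origin string }
// Authenticator holds private keys; on a real FIDO device they stay in hardware, unlocked only by local user verification.
type Authenticator map[credID]*ecdsa.PrivateKey
// RelyingParty (the site) stores public keys only, so a leaked database holds no reusable credentials.
type RelyingParty struct {
	Origin string
	Keys   map[string]*ecdsa.PublicKey // keyed by user account
}
func NewRelyingParty(origin string) *RelyingParty { return &RelyingParty{origin, map[string]*ecdsa.PublicKey{}} }
// Register mints a fresh P-256 key pair for (user, device, site); the site gets only the public half.
func (a Authenticator) Register(user, device string, rp *RelyingParty) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a[credID{user, device, rp.Origin}] = priv
	rp.Keys[user] = &priv.PublicKey
	return nil
}
// toBeSigned binds the challenge to the origin, so a response for one site is worthless at another.
func toBeSigned(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return d[:]
}
// Sign answers a login challenge with the key scoped to this account, device and site.
func (a Authenticator) Sign(user, device, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[credID{user, device, origin}]
	if !ok {
		return nil, errors.New("no credential for this account/device/site")
	}
	return ecdsa.SignASN1(rand.Reader, priv, toBeSigned(origin, challenge))
}
// Verify checks the response against this site's own challenge and the public key stored at registration.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Keys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, toBeSigned(rp.Origin, challenge), sig)
}
```

Because each site holds a different public key and every response is bound to that site's origin and a fresh challenge, a response captured at one site cannot be replayed there or presented to another, which is the "segmentation of risk" the slide claims.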
Page 10: FIDO’s Explosive growth
Feb 2013: Public Launch – 6 Companies
May 2014: Public Review Spec – 118 Companies
Next: Industry Standard – Companies
Page 11: TODAY
Page 12: Marrying FIDO to Identity
With thanks to Paul Madsen (whose slides I stole…)
Page 13: Generic federation flow diagram
Copyright © 2014 Ping Identity Corp. All rights reserved.
Page 14: Complementary
• FIDO
– Insulates authentication server from specific authenticators
– Focused solely on primary authentication
– Does not support attribute sharing
– Can communicate details of authentication from device to server
• Federation
– Insulates application from specific identity providers
– Does not address primary authentication
– Does enable secondary authentication & attribute sharing
– Can communicate details of authentication from IdP to SP
Page 15
[Chart: Assurance (Low to High) plotted against Frequency of login (Low to High), showing “status quo”]
Page 16
[Chart: Assurance (Low to High) plotted against Frequency of login (Low to High), showing “status quo” and “federation”; annotations: “SSO slide”, “No more ‘Password123’ bump”]
Page 17
[Chart: Assurance (Low to High) plotted against Frequency of login (Low to High), showing “status quo”, “federation” and “FIDO”; annotation: “Continuum”]
Page 18: FIDO implications
• FIDO supports a range of assurance – determined by the specifics of the local authentication
• Recall – “Unique cryptographic secret created per user account + device + site”
• Implication is multiple registrations & authentications – which may be sub-optimal from the user’s PoV
Page 19
[Chart: Assurance (Low to High) plotted against Frequency of login (Low to High), showing “status quo”, “federation”, “FIDO” and “FIDO + federation”]
Page 20: CALL TO ACTION
• AUTHENTICATION IS A FUNDAMENTAL PROBLEM AND IT IS AN INDUSTRY PROBLEM
• NO ONE COMPANY CAN FIX THIS PROBLEM
• JOIN FIDO ALLIANCE – HELP FIX
• OPPORTUNITY TO CREATE NEW SERVICES, NEW MARKETS, NEW INNOVATIONS, NEW BUSINESSES AND NEW REVENUE MODELS
• TAKE THE LEADERSHIP, INCLUDE FIDO SUPPORT AT THE SOURCE ON YOUR DEVICES
• FIDO READY COMMERCIAL PRODUCTS ARE AVAILABLE IN THE MARKET
• MAKE THE CONNECTED WORLD SECURE, PRIVATE, FRAUD FREE, EASY TO USE AND STAY CONNECTED