FIDO Alliance: Year in Review Webinar slides from January 20 2016

Uploaded by: fido-alliance
Posted on 11-Jan-2017
Category: Technology
60 slides

TRANSCRIPT

Page 1: FIDO Alliance: Year in Review Webinar slides from January 20 2016

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Page 2:

AGENDA: The Problem / The Solution / The Alliance / Updates

Page 3:

Data Breaches…

781 data breaches in 2015
170m records in 2015 (up 50%)
$3.8m per breach (up 23% from 2013)

Page 4:

“95% of these incidents involve harvesting credentials stolen from customer devices, then logging into web applications with them.” (2015 Data Breach Investigations Report)

Page 5:

“A look through the details of these incidents shows a common sequence of phish customer → get credentials → abuse web application → empty bank/bitcoin account.” (2015 Data Breach Investigations Report)

Page 6:

The world has a PASSWORD PROBLEM

Page 7:

ONE-TIME PASSCODES: improve security but aren’t easy enough to use

• Still phishable
• User confusion
• Token necklace
• SMS reliability

Page 8:

WE NEED A NEW MODEL

Page 9:

WE CALL OUR NEW MODEL

Fast IDentity Online: online authentication using public key cryptography

Page 10:

AGENDA: The Problem / The Solution / The Alliance / Updates

Page 11:

THE OLD PARADIGM: USABILITY versus SECURITY

Page 12:

THE FIDO PARADIGM (chart: USABILITY from Poor to Easy against SECURITY from Weak to Strong)

Page 13:

HOW OLD AUTHN WORKS

ONLINE: the user authenticates themselves online by presenting a human-readable secret.

Page 14:

HOW FIDO AUTHN WORKS

AUTHENTICATOR

LOCAL: the user authenticates “locally” to their device by various means.

ONLINE: the device authenticates the user online using public key cryptography.

Page 15:

Introduction to FIDO 1.0 standards: Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F)

Page 16:

Passwordless Experience (UAF standards):
1. Authentication Challenge
2. Biometric Verification*
3. Authenticated Online

Second Factor Experience (U2F standards):
1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online

*There are other types of authenticators

Page 17:

FIDO Registration

1. User is in a session, or new account flow
2. Invitation sent
3. New keys created (user approval)
4. Public key registered with online server

Registration complete

Page 18:

FIDO Authentication

1. User needs to log in or authorize a transaction
2. FIDO challenge
3. Key selected and signs (user approval)
4. Signed response verified using public key cryptography

Login complete
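The registration and authentication flows on the two slides above, carried through in code with both sides' messages. This is an added example written for this transcript; it is not code from the slides or from the FIDO Alliance. It assumes the U2F signed-message layout (app-ID hash, user-presence byte, 4-byte counter, client-data hash), and the type names, the https://bank.example app ID and the "c1" challenge are illustrative. The device keeps every private key; the server stores only a public key and the last counter it accepted, so there is no secret on the server to steal, and the origin the browser records in the client data is what makes an assertion produced on a phishing page fail verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Simulated FIDO registration and authentication using the U2F message layout
// (an assumption of this example): the device signs
//   SHA-256(appID) || presence byte || 4-byte counter || SHA-256(clientData)
// and the relying party verifies it with the public key stored at registration.

// Authenticator keeps the private keys; the server only ever sees a public key
// and an opaque key handle. Keys are indexed by appID+handle because a real
// key handle is bound to the appID it was created for and unusable elsewhere.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh key pair for appID and returns (keyHandle, publicKey).
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if crypto/rand does
	b := make([]byte, 16)
	rand.Read(b)
	kh := fmt.Sprintf("%x", b)
	a.keys[appID+"|"+kh] = priv
	return kh, &priv.PublicKey
}

type Assertion struct {
	KeyHandle  string
	ClientData []byte // JSON {"challenge","origin"}, built by the browser
	Presence   byte
	Counter    uint32
	Signature  []byte // ASN.1 DER ECDSA over SHA-256(signedData)
}

func signedData(appID string, presence byte, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	data := append(appHash[:], presence, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(data, cdHash[:]...)
}

// Sign answers "same authenticator as registered before?" (it must hold the key
// behind keyHandle for this appID) and "is a user present?" (the button press).
// origin is the page origin as the browser records it; the page cannot forge it.
func (a *Authenticator) Sign(appID, keyHandle, origin, challenge string, userPresent bool) (*Assertion, error) {
	priv, ok := a.keys[appID+"|"+keyHandle]
	switch {
	case !ok:
		return nil, errors.New("key handle is not valid for this appID")
	case !userPresent:
		return nil, errors.New("user presence not confirmed")
	}
	cd, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	a.counter++
	digest := sha256.Sum256(signedData(appID, 1, a.counter, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return &Assertion{keyHandle, cd, 1, a.counter, sig}, err
}

// Server (the relying party) stores no secrets: only public keys and last counters.
type Server struct {
	AppID    string // also the only origin accepted in client data
	Regs     map[string]*ecdsa.PublicKey
	Counters map[string]uint32
}

func NewServer(appID string) *Server {
	return &Server{appID, map[string]*ecdsa.PublicKey{}, map[string]uint32{}}
}

// Verify checks an assertion against the challenge this server issued for the session.
func (s *Server) Verify(as *Assertion, challenge string) error {
	pub, ok := s.Regs[as.KeyHandle]
	var cd map[string]string
	json.Unmarshal(as.ClientData, &cd) // malformed data leaves cd empty and fails below
	digest := sha256.Sum256(signedData(s.AppID, as.Presence, as.Counter, as.ClientData))
	switch {
	case !ok:
		return errors.New("unknown key handle")
	case cd["origin"] != s.AppID:
		return fmt.Errorf("origin %s is not %s: assertion was signed on a phishing page", cd["origin"], s.AppID)
	case cd["challenge"] != challenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case as.Presence&1 == 0:
		return errors.New("user presence flag not set")
	case !ecdsa.VerifyASN1(pub, digest[:], as.Signature):
		return errors.New("signature does not verify under the registered public key")
	case as.Counter <= s.Counters[as.KeyHandle]:
		return errors.New("counter did not increase: possible cloned authenticator")
	}
	s.Counters[as.KeyHandle] = as.Counter
	return nil
}

func main() {
	bank, dev := NewServer("https://bank.example"), NewAuthenticator()
	kh, pub := dev.Register(bank.AppID)
	bank.Regs[kh] = pub // registration: the public key is all the server keeps
	as, _ := dev.Sign(bank.AppID, kh, "https://bank.example", "c1", true)
	fmt.Println("login:", bank.Verify(as, "c1"))
}
```

Run with `go run`. The checks in Verify are ordered so that each failure has a distinct cause: an assertion signed on https://bank-login.example fails on origin, a reused assertion fails on the challenge or on the counter, and a device that never registered fails on the key handle before any signature is checked.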

Page 19:

FIDO UAF: UNIVERSAL AUTHENTICATION FRAMEWORK

AUTHENTICATOR
User verification: same user as enrolled before?
FIDO authentication: same authenticator as registered before?

Page 20:

ATTESTATION & METADATA

FIDO Authenticator → (signed attestation object) → FIDO Server
Metadata → FIDO Server: verify trust anchor; understand authenticator characteristics
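The two jobs of metadata on the slide above, verifying the trust anchor and understanding the authenticator's characteristics, as an added example written for this transcript, not code from the slides or from the FIDO Alliance. It simplifies the real format: the metadata statement is a small struct rather than the published JSON, and the X.509 attestation certificate chain is replaced by a bare trust-anchor public key per authenticator model, so a signature that verifies under that key stands in for a chain that validates to the vendor root. The AAGUID strings, the model descriptions and the policy values are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MetadataStatement is what a relying party learns out of band about an
// authenticator model (a trimmed stand-in for a FIDO metadata statement; the
// X.509 attestation root is replaced here by a bare trust-anchor public key).
type MetadataStatement struct {
	AAGUID           string
	Description      string
	UserVerification string // e.g. "fingerprint", "pin", "presence"
	TrustAnchor      *ecdsa.PublicKey
}

// AttestationObject is what the device returns at registration: the new user
// public key, signed by the model's attestation key. That key is shared by a
// whole batch of devices, so it identifies the model, not the individual unit.
type AttestationObject struct {
	AAGUID    string
	KeyHandle string
	UserPub   *ecdsa.PublicKey
	Signature []byte // ASN.1 DER ECDSA over attestedData
}

func genKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if crypto/rand does
	return k
}

// attestedData binds the new key to this registration (appID and challenge).
func attestedData(appID, challenge, keyHandle string, pub *ecdsa.PublicKey) []byte {
	h := sha256.New()
	parts := [][]byte{[]byte(appID), []byte(challenge), []byte(keyHandle),
		pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))}
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// Device simulates one authenticator of a given model.
type Device struct {
	AAGUID string
	AttKey *ecdsa.PrivateKey // batch attestation key, installed at manufacture
}

func (d *Device) Register(appID, challenge string) *AttestationObject {
	userKey := genKey() // fresh per registration; the private half stays on the device
	b := make([]byte, 16)
	rand.Read(b)
	kh := fmt.Sprintf("%x", b)
	sig, _ := ecdsa.SignASN1(rand.Reader, d.AttKey, attestedData(appID, challenge, kh, &userKey.PublicKey))
	return &AttestationObject{d.AAGUID, kh, &userKey.PublicKey, sig}
}

// Policy is the relying party's registration policy on authenticator characteristics.
type Policy struct{ AllowedUserVerification []string }

// VerifyAttestation answers the two questions from the slide: does this key come
// from a model we trust (the signature verifies under the trust anchor in the
// metadata), and do that model's characteristics satisfy our policy?
func VerifyAttestation(md map[string]*MetadataStatement, pol Policy, appID, challenge string, ao *AttestationObject) (*MetadataStatement, error) {
	st, ok := md[ao.AAGUID]
	if !ok {
		return nil, errors.New("unknown AAGUID: no metadata, trust cannot be established")
	}
	if !ecdsa.VerifyASN1(st.TrustAnchor, attestedData(appID, challenge, ao.KeyHandle, ao.UserPub), ao.Signature) {
		return nil, errors.New("attestation signature does not verify under the model's trust anchor")
	}
	for _, uv := range pol.AllowedUserVerification {
		if uv == st.UserVerification {
			return st, nil
		}
	}
	return nil, fmt.Errorf("%s verifies users by %q, which the policy does not allow", st.Description, st.UserVerification)
}

func main() {
	vendor := genKey()
	md := map[string]*MetadataStatement{"aaguid-fp-1": {"aaguid-fp-1", "Example fingerprint authenticator", "fingerprint", &vendor.PublicKey}}
	dev := &Device{"aaguid-fp-1", vendor}
	st, err := VerifyAttestation(md, Policy{[]string{"fingerprint", "pin"}}, "https://bank.example", "c1", dev.Register("https://bank.example", "c1"))
	fmt.Println(st != nil, err)
}
```

The order of the checks matters: a device whose AAGUID is not in the metadata is refused before any cryptography, a device that merely claims a trusted AAGUID fails the signature check, and a genuine device from a trusted vendor is still refused when its model's user-verification method is not one the policy allows.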

Pages 21 to 24:

UAF AUTHENTICATION DEMO EXAMPLE, steps 1 to 4 (screenshots)

Page 25:

FIDO U2F: UNIVERSAL 2ND FACTOR

AUTHENTICATOR
User verification: is a user present?
FIDO authentication: same authenticator as registered before?

Pages 26 to 29:

U2F AUTHENTICATION DEMO EXAMPLE, steps 1 to 4 (screenshots)

Page 30:

USABILITY, SECURITY and PRIVACY by Design

Page 31:

Privacy by Design History

• Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada, coined the term “Privac‍y by Design” in the late 1990s.

• The idea was to take privacy into account early in the design process.

• Cavoukian went a step further and developed 7 principles.

• It took years to investigate the idea further and to become familiar with privacy as an engineering concept.

Page 32:

Privacy Principles

https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf

Page 33:

No 3rd Party in the Protocol

No Secrets generated/stored on the Server side

Biometric Data (if used) Never Leaves Device

No Linkability Between Services and Accounts

De-register at any time

No release of information without consent

Page 34:

FIDO & Privacy (diagram: AUTHENTICATOR; USER VERIFICATION; FIDO AUTHENTICATION)

Page 35:

FIDO REGISTRATION, STEP 1 (parties: App, FIDO Authenticator, Web App, FIDO Server)

0. Prepare

Page 36:

FIDO REGISTRATION, STEP 2

0. Prepare
1. TLS channel establishment

Principle: no 3rd party in the protocol

Page 37:

FIDO REGISTRATION, STEP 2

User is invited by the online service to register their FIDO device (specific to online service providers)
1. Legacy auth. + initiate reg.
2. Reg. request + policy

Principle: no release of information without consent

Page 38:

FIDO REGISTRATION, STEP 3

1. Legacy auth. + initiate reg.
2. Reg. request [policy]
3. Verify user & generate new key pair (specific to account with online service provider)

Principle: no secrets generated/stored on the server side

Page 39:

FIDO REGISTRATION, STEP 4

1. Legacy auth. + initiate reg.
2. Reg. request + policy
3. Verify user & generate new key pair
4. Reg. response: register public key with FIDO Server for verifying signed challenges (specific to account with online service provider)

Principle: biometric data (if used) never leaves device

Page 40:

FIDO REGISTRATION (on multiple sites): Website A, Website B

No linkability between accounts and services
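Two of the principles walked through above, "no secrets generated/stored on the server side" and "no linkability between accounts and services", as an added example written for this transcript, not code from the slides or from the FIDO Alliance. It shows one way a device can hand every site an unrelated key pair without storing anything per site: the key handle carries a random nonce plus a MAC, and the private key is re-derived from a single device secret, the site's app ID and that nonce. The derivation scheme is an assumption of this example, modelled on how some U2F tokens avoid per-site storage, and the site names are illustrative. What each site stores is only a key handle and a public key; the two records share nothing, and a handle taken from one site is rejected by the device when presented for another.

```go
package main

import (
	"bytes"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// One device secret, one unrelated key pair per site. The derivation scheme is
// an assumption of this example (modelled on how some U2F tokens avoid per-site
// storage):
//   nonce      = random 32 bytes, carried inside the key handle
//   privateKey = HMAC-SHA256(deviceSecret, appID || nonce) mod n
//   keyHandle  = nonce || HMAC-SHA256(deviceSecret, appID || nonce || "kh")
// The site stores only (keyHandle, publicKey); the device stores nothing per site.

type Device struct{ secret []byte }

func NewDevice() *Device {
	s := make([]byte, 32)
	rand.Read(s)
	return &Device{s}
}

func (d *Device) mac(parts ...[]byte) []byte {
	m := hmac.New(sha256.New, d.secret)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// publicKey re-derives the per-site key and returns the uncompressed P-256 point.
func (d *Device) publicKey(appID string, nonce []byte) []byte {
	k := new(big.Int).SetBytes(d.mac([]byte(appID), nonce))
	k.Mod(k, elliptic.P256().Params().N) // k == 0 has probability about 2^-256; ignored here
	x, y := elliptic.P256().ScalarBaseMult(k.Bytes())
	return elliptic.Marshal(elliptic.P256(), x, y)
}

// ServerRecord is everything a relying party stores for one credential.
type ServerRecord struct {
	KeyHandle []byte
	PublicKey []byte
}

// Register derives a fresh per-site key and returns what the site will store.
func (d *Device) Register(appID string) ServerRecord {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	kh := append(nonce, d.mac([]byte(appID), nonce, []byte("kh"))...)
	return ServerRecord{kh, d.publicKey(appID, nonce)}
}

// PublicKeyFor is what the device does when a site presents a key handle at
// login: only a handle this device made for this appID re-derives a key, so a
// handle stolen from site A is useless to site B and to any other device.
func (d *Device) PublicKeyFor(appID string, kh []byte) ([]byte, bool) {
	if len(kh) != 64 || !hmac.Equal(kh[32:], d.mac([]byte(appID), kh[:32], []byte("kh"))) {
		return nil, false
	}
	return d.publicKey(appID, kh[:32]), true
}

// Linkable reports whether two server records share any value that could tie
// them to the same user or device.
func Linkable(a, b ServerRecord) bool {
	return bytes.Equal(a.PublicKey, b.PublicKey) || bytes.Equal(a.KeyHandle[:32], b.KeyHandle[:32]) ||
		bytes.Equal(a.KeyHandle[32:], b.KeyHandle[32:])
}

func main() {
	dev := NewDevice()
	a, b := dev.Register("https://bank.example"), dev.Register("https://mail.example")
	fmt.Printf("site A stores %x...\nsite B stores %x...\nlinkable: %v\n", a.PublicKey[:8], b.PublicKey[:8], Linkable(a, b))
}
```

De-registration on the site side is simply deleting the record; the device holds no per-site state that would need cleaning up, and the record on its own never lets the site recover the private key or tie the account to one at another site.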

Page 41:

PERSONAL DATA

Application-specific data: depends on the service (e.g., shipping address, credit card details). Outside the scope of FIDO.

User verification data: biometric data (e.g., fingerprint or voice template, heart-rate variation data).

FIDO-related data: identifiers used by the FIDO authenticator protocols (e.g., public key, key handle).

Data minimization, purpose limitation and protection against unauthorized access.

Page 42:

Better security for online services. Reduced cost for the enterprise. Simpler and safer for consumers.

Page 43:

AGENDA: The Problem / The Solution / The Alliance / Updates

Page 44:

The FIDO Alliance is an open industry association of over 250 global member organizations

Page 45:

MODERN AUTHENTICATION (diagram): Physical-to-digital identity; User Management; Authentication (Passwords, Risk-Based, Strong); Federation; Single Sign-On

FIDO SCOPE: strong authentication

Page 46:

FIDO Alliance Mission

1. Develop specifications
2. Operate adoption programs
3. Pursue formal standardization

Page 47:

Board Members (logos, grouped as Services/Apps, Vendors/Enablers, Devices/Platforms)

Page 48:

AGENDA: The Problem / The Solution / The Alliance / Updates

Page 49:

Government Members (Public Sector, logos)

“The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.” (Mike Garcia, NSTIC NPO)

Page 50:

Liaison Program (Industry Partners, logos)

Our mission is highly complementary to many other associations around the world. We welcome the opportunity to collaborate with this growing list of industry partner organizations.

Page 51:

2015 FIDO ADOPTION

“Microsoft Announces FIDO Support Coming to Windows 10” (Feb 23, 2015)

“Qualcomm launches Snapdragon fingerprint scanning technology” (March 2, 2015)

“Google for Work announced Enterprise admin support for FIDO® U2F ‘Security Key’” (April 21, 2015)

“Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards” (May 26, 2015)

“Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” (August 12, 2015)

“the technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.” (September 15, 2015)

“GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification” (October 1, 2015)

Page 52:

Deployments are enabled by FIDO Certified™ Products available today

Page 53:

Page 54:

Available to anyone. Ensures interoperability. Promotes the FIDO ecosystem.

Steps to certification:
1. Conformance Self-Validation
2. Interoperability Testing
3. Certification Request
4. Trademark License (optional)

fidoalliance.org/certification

Page 55:

20-NOV-2015: FIDO Authentication Poised for Continued Growth as Alliance Submits FIDO 2.0 Web API to W3C

• W3C has accepted our submission
• Specifications required to define a FIDO-compliant Web API
• Designed to extend FIDO’s existing reach to all platforms
• OEM community should begin to plan their support now
• RP community should deploy FIDO 1.x now knowing FIDO standards are “future proof”: strategically positioned as the de facto authentication scheme for the Web & OS platforms

Page 56:

FIDO in 2015 (timeline of the milestones above, February to November)

Page 57:

Relying Parties: deploy FIDO 1.x now
OEMs: plan for FIDO 2.x now
Vendors: get FIDO Certified™

Page 58:

JOIN THE FIDO ECOSYSTEM

Page 59:

JOIN THE FIDO ALLIANCE

Page 60:

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION