strong authentication trends in government
TRANSCRIPT
All Rights Reserved. FIDO Alliance. Copyright 2017.
STRONG AUTHENTICATION TRENDS IN GOVERNMENT
Featuring
Brett McDowell, Executive Director, FIDO Alliance
Jeremy Grant, Managing Director, The Chertoff Group
Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service
Elaine Newton, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)
• FIDO Alliance Overview, Brett McDowell
• Strong Authentication Trends in Government, Jeremy Grant
• Safer, Faster, Simpler: A UK Perspective, Adam Cooper
• Developments in Biometric Guidance, Elaine Newton
• Q & A
Formed in 2012 to Solve the Password Problem
63% of data breaches in 2015 involved weak, default, or stolen passwords (Verizon Data Breach Report)
1,093 data breaches in the US in 2016, up ~40% from 2015 (Identity Theft Resource Center)
Each data breach costs $3.8 million on average, up 23% from 2013 (Ponemon Institute)
The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards
FIDO Alliance Mission
1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization
Define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to authenticate users of online services.
Board Members
HOW “Shared Secrets” WORK
ONLINE: The user authenticates themselves online by presenting a human-readable “shared secret”.
HOW FIDO WORKS
AUTHENTICATOR
LOCAL: The user authenticates “locally” to their device (by various means).
ONLINE: The device authenticates the user online using public key cryptography.
OPEN STANDARDS R.O.I.
FIDO-ENABLE ONCE, GAIN EVERY DEVICE YOU TRUST, NO MORE ONE-OFF INTEGRATIONS
USABILITY, SECURITY, R.O.I. and PRIVACY
No 3rd Party in the Protocol
No Secrets on the Server Side
Biometric Data (if used) Never Leaves Device
No (*new*) Link-ability Between Services
No (*new*) Link-ability Between Accounts
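The FIDO flow described above (local user verification, then online authentication by public key cryptography) together with the privacy properties just listed, as an added Go sketch that is not FIDO Alliance code nor any certified implementation: the authenticator keeps one P-256 private key per relying party, the server stores only public keys, and a login is a signature over the server's random challenge. The Authenticator, RelyingParty, Register, Sign and Verify names are assumptions of this sketch; the challenge nonce is expected to come from crypto/rand, and real FIDO assertions carry further data (signature counter, flags, attestation) that is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: one private key per relying-party ID,
// none ever exported. Local user verification is assumed to precede Sign.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty is an online service; it stores public keys only, so a dump of PubKeys yields no credential.
type RelyingParty struct {
	ID      string
	PubKeys map[string]*ecdsa.PublicKey
}

// Register mints a fresh P-256 key pair scoped to this relying party and hands
// over only the public half; a second service gets a different, unrelated pair.
func (a Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	if rp.PubKeys == nil {
		rp.PubKeys = map[string]*ecdsa.PublicKey{}
	}
	a[rp.ID] = priv
	rp.PubKeys[user] = &priv.PublicKey
	return nil
}

// digest binds the RP ID into the signed message so an assertion for one service is rejected by another.
func digest(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Sign answers the server's random challenge with the key held for that RP.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if priv, ok := a[rpID]; ok {
		return ecdsa.SignASN1(rand.Reader, priv, digest(rpID, challenge))
	}
	return nil, errors.New("no credential registered for " + rpID)
}

// Verify checks the assertion with the stored public key; no shared secret exists on the server to steal.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.PubKeys[user]
	return ok && ecdsa.VerifyASN1(pub, digest(rp.ID, challenge), sig)
}
```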
FIDO Authentication: Adoption & Ecosystem
Global Leaders Deploy FIDO Standards
Certification Growth: an open competitive market; ensures interoperability; sign of a mature FIDO ecosystem
250+ FIDO® Certified products available today
[Chart: FIDO Certified products by month, Apr-15 to Jan-17; caption “FIDO Certified – Jan '17”, 304 TOTAL]
The Road Ahead
• W3C Web Authentication Specification
• Standards Effort with EMVCo
• Client-to-Authenticator Protocol (CTAP)
• FIDO Universal Server + New Certification Programs
STRONG AUTHENTICATION TRENDS IN GOVERNMENT
Jeremy Grant, Managing Director, The Chertoff Group
Authentication is Important to Government
1. Protects access to government assets
2. Enables more high-value citizen-facing services
3. Empowers private sector to provide a wider range of high value services to consumers
4. Secures critical assets and infrastructure
5. Promotes good security practices in the private sector
Governments seek identity solutions that can deliver not just improved Security – but also Privacy, Interoperability, and better Customer Experiences.
FIDO Is Impacting How Governments Think About Authentication
• Enables support for “BYOC” (Bring Your Own Credential)
• Take advantage of the growing ecosystem of FIDO solutions and standards
• No requirement to issue a separate token or app for MFA
• No need to create passwords for digital government services
• Better Security, Privacy + Interoperability
• Better Customer Experiences – simpler and safer
• Reduced Cost for the Government Enterprise
FIDO Is Impacting How Governments Think About Authentication
U.S. Commission on Enhancing National Cybersecurity
• Bipartisan commission established by the White House in April – charged with crafting recommendations for the next President
• Major focus on Authentication
U.S. Commission on Enhancing National Cybersecurity
Focus on non-PIV solutions for USG Authentication
“The next Administration should provide agencies with updated policies and guidance that continue to focus on increased adoption of strong authentication solutions, including but, importantly, not limited to personal identity verification (PIV) credentials.
“To ensure adoption of strong, secure authentication by federal agencies, the requirements should be made performance based (i.e., strong) so they include other (i.e., non-PIV) forms of authentication, and should mandate 100 percent adoption within a year.”
U.S. Commission on Enhancing National Cybersecurity
“Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance. FIDO specifications are focused largely on the mobile smartphone platform to deliver multifactor authentication to the masses, all based on industry standard public key cryptography. Windows 10 has deployed FIDO specifications (known as Windows Hello), and numerous financial institutions have adopted FIDO for consumer banking. Today, organizations complying with FIDO specifications are able to deliver secure authentication technology on a wide range of devices, including mobile phones, USB keys, and near-field communications (NFC) and Bluetooth low energy (BLE) devices and wearables. This work, other standards activities, and new tools that support continuous authentication provide a strong foundation for opt-in identity management for the digital infrastructure.”
FIDO Is Impacting How Governments Think About Authentication
Priorities:
• Ensuring that future online products and services coming into use are “secure by default”
• Empowering consumers to “choose products and services that have built-in security as a default setting.”
“[We will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.”
A Note on Policy
FIDO specifications offer governments newer, better options for strong authentication – but governments may need to update some policies to support the ways in which FIDO is different.
As technology evolves, policy needs to evolve with it.
1. Multi-factor authentication no longer brings higher burdens or costs
• While this statement was true of most “old” MFA technology, FIDO specifically addresses these cost and usability issues.
• FIDO enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale.
2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device
• European Banking Authority (EBA) Draft Regulatory Technical Standards on PSD2 Strong Authentication
• Recognized by the US government (NIST) in 2014…
• “OMB (White House) to update guidance on remote electronic authentication” to remove requirements that one factor be separate from the device accessing the resource
• The evolution of mobile devices – in particular, hardware architectures that offer highly robust and isolated execution environments (such as TEE, SE and TPM) – has allowed these devices to achieve high-grade security without the need for a physically distinct token
• Reflected in new NIST Draft Digital Identity Guidelines (SP 800-63B)
3. Local-match biometrics has matured and is an important authentication factor
• New guidance from Taiwan’s Financial Supervisory Commission (FSC)
• Previous guidance forbade a local biometric match as an authentication factor; the new guidance allows it, as part of a FIDO solution
FIDO Delivers on Key Government Priorities
Security
• Authentication using strong asymmetric Public Key cryptography
• Superior to old “shared secrets” model – there is nothing to steal on the server
• Biometrics as second factor
Privacy
• Privacy architected in up front; no linkability or tracking
• Designed to support Privacy Principles of the European Data Protection Directive
• Biometric data never leaves device
• Consumer control and consent
Interoperability
• Open standards: FIDO 2.0 specs are in W3C standardization process
• FIDO compliance/conformance testing to ensure interoperability of “FIDO certified” products
Usability
• Designed with the user experience (UX) first – with a goal of making authentication as easy as possible
• Security built to support the user’s needs, not the other way around
SAFER, FASTER, SIMPLER: A UK PERSPECTIVE
Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service
GDS GOV.UK Verify
GOV.UK Verify is the new way to prove who you are online.
A certified company verifies you on behalf of government
There are a range of high quality companies certified to verify identity for GOV.UK Verify
Adopting outcome based standards has led to innovation, choice and opportunity.
We publish them on GOV.UK…
https://www.gov.uk/government/collections/identity-assurance-enabling-trusted-transactions
eIDAS Regulation – promoting the use of national eID internationally
Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (aka eIDAS).
Mutual acceptance of eID cross-border
Interoperability standards
Encourages cooperation between Member States
Huge potential: e.g. PSD2, AML4D
Building a more secure internet
“Objective 5.2.3. The majority of online products and services coming into use become ‘secure by default’ by 2021.” – National Cyber Security Strategy 2016-2021
To achieve this goal the Government will…
• Lead by example
• Explore options for collaboration with industry
• Adopt challenging new cyber security technologies in government
“invest in… emerging industry standards such as Fast Identity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate.”
For more information visit the blog at identityassurance.blog.gov.uk or go to gov.uk/verify
DEVELOPMENTS IN BIOMETRIC GUIDANCE
Elaine Newton, PhD, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)
The SOFA Project
• NIST is exploring a framework around Strength of Function for Authenticators - Biometrics (SOFA-B) for measuring and evaluating the strength of a biometric authentication on mobile devices to:
  • Determine how effectively they mitigate different levels of transactional risk
  • Understand how such biometric factors can be combined with, or substituted for, other authentication factors
System and Attack Analysis
[Diagram: biometric system pipeline – Data Capture → Signal Processing → Comparison → Decision, plus Data Storage – annotated with eleven attack points: Presentation Attack, Override Capture Device, Extract/Modify Biometric Sample, Override Signal Processor, Modify Probe, Override Comparator, Modify Score, Override Decision Engine, Modify Decision, Override Database, Modify Biometric Reference]
Many attacks can be mitigated by core security controls: e.g., encryption, mutual authentication, limiting of unsuccessful attempts.
Some areas require specific focus in biometrics: e.g., template protection.
Recommendation: Analyze and quantify factors specific to biometric systems.
[Diagram: the same biometric system pipeline and attack points, annotated with the two metrics below]
PAD Error Rate: Shorthand for Probability of a successful presentation attack*
FMR: Probability of a false match occurring (Matching Performance)
Two aspects stood out as unique to biometric authN: Presentation Attacks and the Matching Performance; each carries potential metrics to contribute to strength.
Zero-Information and Targeted Attacks
• “Zero-information” and “targeted” attacks should be considered, as both scenarios may affect Effort, as well as PADER and FMR.
              Password/PIN                      Biometrics
Zero Info     Length and complexity             Sample size and complexity; Access to sensor/device; Computational complexity of matching
Targeted      Shoulder surf; Notepads           Retrieve biometric; Create artefact
Recommendation: Quantify SOFA for Zero Information Attacks
• Goal is to move towards developing metrics that can be compared and combined to better understand authentication systems
• Ultimately, we would be able to determine the same type of measure for most authentication systems
$SOFA_{Zero\ Info}(Biometrics) \propto \dfrac{Effort}{FMR \times PADER}$
$SOFA_{Zero\ Info}(PIN/PW) \propto N^{L} \times Effort$
Overview of Draft NIST SP 800-63-3 Biometric Requirements
• FMR less than or equal to 1 in 1000 or better.
• False non-match rate is left to applications to determine their needs.
• To deal with presentation attacks (aka spoofs or fakes at the sensor):
  • Strict rate limiting is required OR
  • Rate limiting plus PAD (demonstrating at least 90% resistance to presentation attacks for each relevant attack type (aka species)).
• Must authenticate something you have (always 2 factor).
• Protected channel required prior to capturing biometric sample.
• Additional requirements for server/central matching.
• Memory wipe requirement.
[Diagram labels: Revocability; Something you are, Distinctiveness; Something you are, Liveness; Other Security & Privacy Measures]
Questions for our Experts?
Brett McDowell, Executive Director, FIDO Alliance
Jeremy Grant, Managing Director, The Chertoff Group
Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service
Elaine Newton, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)
THANK YOU
fidoalliance.org
@fidoalliance