strong authentication trends in government

All Rights Reserved. FIDO Alliance. Copyright 2017.

Upload: fido-alliance

Post on 20-Mar-2017

Page 1: Strong Authentication Trends in Government

STRONG AUTHENTICATION TRENDS IN GOVERNMENT

Page 2: Strong Authentication Trends in Government


Featuring

Brett McDowell, Executive Director, FIDO Alliance

Jeremy Grant, Managing Director, The Chertoff Group

Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service

Elaine Newton, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)

Page 3: Strong Authentication Trends in Government


• FIDO Alliance Overview, Brett McDowell

• Strong Authentication Trends in Government, Jeremy Grant

• Safer, Faster, Simpler: A UK Perspective, Adam Cooper

• Developments in Biometric Guidance, Elaine Newton

• Q & A

Page 4: Strong Authentication Trends in Government


Formed in 2012 to Solve the Password Problem

• 63% of data breaches in 2015 involved weak, default, or stolen passwords (Verizon Data Breach Report)

• 1,093 data breaches in the US in 2016, up ~40% from 2015 (Identity Theft Resource Center)

• Each data breach costs $3.8 million on average, up 23% from 2013 (Ponemon Institute)

Page 5: Strong Authentication Trends in Government


The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards

Page 6: Strong Authentication Trends in Government


FIDO Alliance Mission

1. Develop Specifications

2. Operate Adoption Programs

3. Pursue Formal Standardization

Define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to authenticate users of online services.

Page 7: Strong Authentication Trends in Government


Board Members

Page 8: Strong Authentication Trends in Government

HOW “Shared Secrets” WORK (ONLINE)

The user authenticates themselves online by presenting a human-readable “shared secret”.

Page 9: Strong Authentication Trends in Government

HOW FIDO WORKS

Authenticator: LOCAL and ONLINE

The user authenticates “locally” to their device (by various means).

The device authenticates the user online using public key cryptography.
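As an added example, not code from the FIDO Alliance or from these slides, the Go program below models the two steps on this slide: the device signs nothing until the local check passes, and the relying party then verifies a signature with a stored public key. The type names, the relying party ID gov.example, and the hash-over-(rpID, challenge, counter) layout in signedData are this example's own simplifications, not the FIDO UAF/U2F/WebAuthn wire formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Credential is all the relying party keeps: nothing here is a secret.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	Counter   uint32 // last signature counter accepted from this authenticator
}

type Assertion struct {
	Counter   uint32
	Signature []byte // ASN.1 ECDSA signature over signedData(...)
}

// Authenticator models the user's device. The "local" step (PIN, fingerprint,
// face) is represented by the userVerified flag; the biometric is never sent.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register hands out the public half only; the private key stays on the device.
func (a *Authenticator) Register() Credential {
	return Credential{PublicKey: &a.priv.PublicKey}
}

// signedData binds a response to the relying party ID, the fresh challenge and
// the counter (an example layout, not the FIDO/WebAuthn wire format).
func signedData(rpID string, challenge []byte, counter uint32) []byte {
	msg := append([]byte(rpID+"\x00"), challenge...)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	sum := sha256.Sum256(append(msg, c[:]...))
	return sum[:]
}

// Sign is the "online" step: the device signs only after the local check passes.
func (a *Authenticator) Sign(rpID string, challenge []byte, userVerified bool) (Assertion, error) {
	if !userVerified {
		return Assertion{}, errors.New("local user verification failed; nothing signed")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge, a.counter))
	return Assertion{Counter: a.counter, Signature: sig}, err
}

// Server is the relying party: it issues one-time challenges and verifies.
type Server struct {
	RPID    string
	creds   map[string]*Credential
	pending map[string][]byte // one outstanding challenge per user
}

func NewServer(rpID string) *Server {
	return &Server{RPID: rpID, creds: map[string]*Credential{}, pending: map[string][]byte{}}
}

func (s *Server) RegisterUser(user string, c Credential) { s.creds[user] = &c }

// Challenge returns 32 fresh random bytes; each is accepted at most once.
func (s *Server) Challenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.pending[user] = ch
	return ch, nil
}

// Verify consumes the pending challenge, checks the counter moved forward
// (a cloned authenticator would fall behind) and verifies the signature.
func (s *Server) Verify(user string, as Assertion) error {
	cred, ok := s.creds[user]
	ch, outstanding := s.pending[user]
	if !ok || !outstanding {
		return errors.New("unknown user or no outstanding challenge (stale or replayed assertion)")
	}
	delete(s.pending, user)
	if as.Counter <= cred.Counter {
		return errors.New("counter did not advance: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedData(s.RPID, ch, as.Counter), as.Signature) {
		return errors.New("signature does not verify for this relying party and challenge")
	}
	cred.Counter = as.Counter
	return nil
}
```

A registration is `srv.RegisterUser("alice", auth.Register())`; a login is `ch, _ := srv.Challenge("alice")`, `as, _ := auth.Sign(srv.RPID, ch, true)`, `srv.Verify("alice", as)`. Because the relying party ID is part of what is signed, a signature produced for one site does not verify at another, and because each challenge is consumed on first use, a captured assertion cannot be replayed.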

Page 10: Strong Authentication Trends in Government

OPEN STANDARDS R.O.I.

FIDO-ENABLE ONCE, GAIN EVERY DEVICE YOU TRUST. NO MORE ONE-OFF INTEGRATIONS.

Page 11: Strong Authentication Trends in Government

USABILITY, SECURITY, R.O.I. and PRIVACY

Page 12: Strong Authentication Trends in Government

No 3rd Party in the Protocol

No Secrets on the Server Side

Biometric Data (if used) Never Leaves Device

No (*new*) Link-ability Between Services

No (*new*) Link-ability Between Accounts


Page 13: Strong Authentication Trends in Government

FIDO Authentication: Adoption & Ecosystem

Page 14: Strong Authentication Trends in Government


Global Leaders Deploy FIDO Standards

Page 15: Strong Authentication Trends in Government

Certification Growth

• An open competitive market

• Ensures interoperability

• Sign of mature FIDO ecosystem

250+ FIDO® Certified products available today

[Chart: cumulative FIDO Certified products by date, Apr-15 through Jan-17, reaching 304 total]

Page 16: Strong Authentication Trends in Government

FIDO Certified – Jan ’17

Page 17: Strong Authentication Trends in Government

The Road Ahead

• W3C Web Authentication Specification

• Standards Effort with EMVCo

• Client-to-Authenticator Protocol (CTAP)

• FIDO Universal Server + New Certification Programs

Page 18: Strong Authentication Trends in Government


Page 19: Strong Authentication Trends in Government

STRONG AUTHENTICATION TRENDS IN GOVERNMENT

Jeremy Grant, Managing Director, The Chertoff Group

Page 20: Strong Authentication Trends in Government


Authentication is Important to Government

1. Protects access to government assets

2. Enables more high-value citizen-facing services

3. Empowers private sector to provide a wider range of high value services to consumers

4. Secures critical assets and infrastructure

5. Promotes good security practices in the private sector

Governments seek identity solutions that can deliver not just improved Security – but also Privacy, Interoperability, and better Customer Experiences.

Page 21: Strong Authentication Trends in Government


FIDO Is Impacting How Governments Think About Authentication

• Enables support for “BYOC” (Bring Your Own Credential)

• Take advantage of the growing ecosystem of FIDO solutions and standards

• No requirement to issue a separate token or app for MFA

• No need to create passwords for digital government services

• Better Security, Privacy + Interoperability

• Better Customer Experiences – simpler and safer

• Reduced Cost for the Government Enterprise

Page 22: Strong Authentication Trends in Government

FIDO Is Impacting How Governments Think About Authentication

U.S. Commission on Enhancing National Cybersecurity

• Bipartisan commission established by the White House in April – charged with crafting recommendations for the next President

• Major focus on Authentication

Page 23: Strong Authentication Trends in Government


U.S. Commission on Enhancing National Cybersecurity

Focus on non-PIV solutions for USG Authentication

“The next Administration should provide agencies with updated policies and guidance that continue to focus on increased adoption of strong authentication solutions, including but, importantly, not limited to personal identity verification (PIV) credentials.

“To ensure adoption of strong, secure authentication by federal agencies, the requirements should be made performance based (i.e., strong) so they include other (i.e., non-PIV) forms of authentication, and should mandate 100 percent adoption within a year.”

Page 24: Strong Authentication Trends in Government


U.S. Commission on Enhancing National Cybersecurity

“Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance. FIDO specifications are focused largely on the mobile smartphone platform to deliver multifactor authentication to the masses, all based on industry standard public key cryptography. Windows 10 has deployed FIDO specifications (known as Windows Hello), and numerous financial institutions have adopted FIDO for consumer banking. Today, organizations complying with FIDO specifications are able to deliver secure authentication technology on a wide range of devices, including mobile phones, USB keys, and near-field communications (NFC) and Bluetooth low energy (BLE) devices and wearables. This work, other standards activities, and new tools that support continuous authentication provide a strong foundation for opt-in identity management for the digital infrastructure.”

Page 25: Strong Authentication Trends in Government


FIDO Is Impacting How Governments Think About Authentication

Priorities:

• Ensuring that future online products and services coming into use are “secure by default”

• Empowering consumers to “choose products and services that have built-in security as a default setting.”

“[We will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.”

Page 26: Strong Authentication Trends in Government


A Note on Policy

FIDO specifications offer governments newer, better options for strong authentication – but governments may need to update some policies to support the ways in which FIDO is different.

As technology evolves, policy needs to evolve with it.

Page 27: Strong Authentication Trends in Government


1. Multi-factor authentication no longer brings higher burdens or costs

• While this statement was true of most “old” MFA technology, FIDO specifically addresses these cost and usability issues.

• FIDO enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale.

Page 28: Strong Authentication Trends in Government


European Banking Authority (EBA) Draft Regulatory Technical Standards on PSD2 Strong Authentication

2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device

Page 29: Strong Authentication Trends in Government


2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device

• Recognized by the US government (NIST) in 2014…

• “OMB (White House) to update guidance on remote electronic authentication” to remove requirements that one factor be separate from the device accessing the resource

• The evolution of mobile devices – in particular, hardware architectures that offer highly robust and isolated execution environments (such as TEE, SE and TPM) – has allowed these devices to achieve high-grade security without the need for a physically distinct token

Page 30: Strong Authentication Trends in Government

2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device

• Reflected in new NIST Draft Digital Identity Guidelines (SP 800-63B)

Page 31: Strong Authentication Trends in Government


3. Local-match biometrics has matured and is an important authentication factor

• New guidance from Taiwan’s Financial Supervisory Commission (FSC)

• Previously, guidance forbade local biometric match as an authentication factor; new guidance allows it, as part of a FIDO solution

Page 32: Strong Authentication Trends in Government


FIDO Delivers on Key Government Priorities

Security

• Authentication using strong asymmetric Public Key cryptography

• Superior to old “shared secrets” model – there is nothing to steal on the server

• Biometrics as second factor

Privacy

• Privacy architected in up front; no linkability or tracking

• Designed to support Privacy Principles of the European Data Protection Directive

• Biometric data never leaves device

• Consumer control and consent

Interoperability

• Open standards: FIDO 2.0 specs are in W3C standardization process

• FIDO compliance/conformance testing to ensure interoperability of “FIDO certified” products

Usability

• Designed with the user experience (UX) first – with a goal of making authentication as easy as possible

• Security built to support the user’s needs, not the other way around

Page 33: Strong Authentication Trends in Government


Page 34: Strong Authentication Trends in Government

SAFER, FASTER, SIMPLER: A UK PERSPECTIVE

Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service

Page 35: Strong Authentication Trends in Government

GDS GOV.UK Verify

GOV.UK Verify is the new way to prove who you are online.


Page 36: Strong Authentication Trends in Government


A certified company verifies you on behalf of government

Page 37: Strong Authentication Trends in Government


There are a range of high quality companies certified to verify identity for GOV.UK Verify

Page 38: Strong Authentication Trends in Government


Adopting outcome based standards has led to innovation, choice and opportunity.

Page 39: Strong Authentication Trends in Government


We publish them on GOV.UK…

https://www.gov.uk/government/collections/identity-assurance-enabling-trusted-transactions

Page 40: Strong Authentication Trends in Government


eIDAS Regulation – promoting the use of national eID internationally

Page 41: Strong Authentication Trends in Government


Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (aka eIDAS).

Mutual acceptance of eID cross-border

Interoperability standards

Encourages cooperation between Member States

Huge potential: e.g. PSD2, AML4D

Page 42: Strong Authentication Trends in Government


Building a more secure internet

Page 43: Strong Authentication Trends in Government


“Objective 5.2.3. The majority of online products and services coming into use become ‘secure by default’ by 2021.”

- National Cyber Security Strategy 2016-2021

Page 44: Strong Authentication Trends in Government


To achieve this goal the Government will…

• Lead by example

• Explore options for collaboration with industry

• Adopt challenging new cyber security technologies in government

Page 45: Strong Authentication Trends in Government


“invest in… emerging industry standards such as Fast Identity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate.”

Page 46: Strong Authentication Trends in Government


For more information visit the blog at identityassurance.blog.gov.uk or go to gov.uk/verify

Page 47: Strong Authentication Trends in Government


Page 48: Strong Authentication Trends in Government

DEVELOPMENTS IN BIOMETRIC GUIDANCE

Elaine Newton, PhD, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)

Page 49: Strong Authentication Trends in Government


The SOFA Project

• NIST is exploring a framework around Strength of Function for Authenticators - Biometrics (SOFA-B) for measuring and evaluating the strength of a biometric authentication on mobile devices to:

  • Determine how effectively they mitigate different levels of transactional risk

  • Understand how such biometric factors can be combined with, or substituted for, other authentication factors

Page 50: Strong Authentication Trends in Government

System and Attack Analysis

[Figure: generic biometric system with subsystems Data Capture, Signal Processing, Comparison, Decision and Data Storage, marked with 11 numbered attack points: Presentation Attack, Override Capture Device, Extract/Modify Biometric Sample, Override Signal Processor, Modify Probe, Override Comparator, Modify Score, Override Decision Engine, Modify Decision, Override Database, Modify Biometric Reference]

Many attacks can be mitigated by core security controls: e.g., encryption, mutual authentication, limiting of unsuccessful attempts

Some areas require specific focus in biometrics: e.g., template protection

Page 51: Strong Authentication Trends in Government

Recommendation: Analyze and quantify factors specific to biometric systems.

[Figure: the same biometric system and attack-point diagram as on Page 50, annotated with the two biometric-specific metrics defined below]

PAD Error Rate (PADER): shorthand for the probability of a successful presentation attack*

FMR: probability of a false match occurring (matching performance)

Two aspects stood out as unique to biometric authN: Presentation Attacks and the Matching Performance; each carries potential metrics to contribute to strength.

Page 52: Strong Authentication Trends in Government


Zero-Information and Targeted Attacks

• “Zero-information” and “targeted” attacks should be considered, as both scenarios may affect Effort, as well as PADER and FMR.

Zero Info

• Password/PIN: Length and complexity

• Biometrics: Sample size and complexity; Access to sensor/device; Computational complexity of matching

Targeted

• Password/PIN: Shoulder surf; Notepads

• Biometrics: Retrieve biometric; Create artefact

Page 53: Strong Authentication Trends in Government


Recommendation: Quantify SOFA for Zero Information Attacks

• Goal is to move towards developing metrics that can be compared and combined to better understand authentication systems

• Ultimately, we would be able to determine the same type of measure for most authentication systems

$$\mathrm{SOFA}_{\text{Zero Info (Biometrics)}} \propto \frac{\text{Effort}}{\mathrm{FMR} \times \mathrm{PADER}}$$

$$\mathrm{SOFA}_{\text{Zero Info (PIN/PW)}} \propto N^{L} \times \text{Effort}$$
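As an added worked illustration, not part of the slides, the two proportionalities can be compared using figures quoted later in this deck for the draft SP 800-63-3 requirements: an FMR of at most 1 in 1000 and at least 90% resistance to presentation attacks, i.e. a PADER of at most 0.1. Treating a zero-information attempt as having to both defeat PAD and produce a false match, with the two events independent (an assumption of this illustration, not a statement from the slides), gives

$$\mathrm{FMR} \times \mathrm{PADER} \le 10^{-3} \times 10^{-1} = 10^{-4}, \qquad \mathrm{SOFA}_{\text{Zero Info (Biometrics)}} \propto \frac{\text{Effort}}{\mathrm{FMR} \times \mathrm{PADER}} \ge 10^{4} \times \text{Effort}.$$

For a 4-digit numeric PIN, $N = 10$ and $L = 4$, so

$$\mathrm{SOFA}_{\text{Zero Info (PIN/PW)}} \propto N^{L} \times \text{Effort} = 10^{4} \times \text{Effort}.$$

At exactly the draft thresholds, and for equal attacker effort per attempt, the biometric factor lands on the same point of this scale as a 4-digit PIN; the Effort term, which is where sensor access and sample acquisition enter for biometrics, is what separates the two in practice.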

Page 54: Strong Authentication Trends in Government


Overview of Draft NIST SP 800-63-3 Biometric Requirements

• FMR less than or equal to 1 in 1000 or better.

• False non-match rate is left to applications to determine their needs.

• To deal with presentation attacks (aka spoofs or fakes at the sensor):

  • Strict rate limiting is required, OR

  • Rate limiting plus PAD (demonstrating at least 90% resistance to presentation attacks for each relevant attack type (aka species)).

• Must authenticate something you have (always 2 factor).

• Protected channel required prior to capturing biometric sample.

• Additional requirements for server/central matching.

• Memory wipe requirement.

[Figure labels: Revocability; Something you are, Distinctiveness; Something you are, Liveness; Other Security & Privacy Measures]
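As an added example, not NIST's or the FIDO Alliance's code, the Go program below turns the draft requirements listed above, together with the "limiting of unsuccessful attempts" control named under System and Attack Analysis, into checks a verifier can run: the 1-in-1000 FMR ceiling, the 90% PAD resistance threshold, the "always 2 factor" rule, and an attempt limit sized against the FMR. The 1-in-100 success budget, the 3-attempt limit and the account names are constructed for the illustration, and the independence assumption in ZeroInfoSuccess is this example's, not the draft's.

```go
package main

import (
	"errors"
	"math"
)

// FMRCeiling is the draft SP 800-63-3 ceiling quoted in the slide: 1 in 1000.
const FMRCeiling = 1.0 / 1000

// MeetsFMRCeiling reports whether a measured false match rate is 1 in 1000 or better.
func MeetsFMRCeiling(fmr float64) bool { return fmr <= FMRCeiling }

// PADResistanceOK reports whether at least 90% of presentation attacks of one
// species were detected in testing (integer arithmetic avoids float rounding).
func PADResistanceOK(detected, attempted int) bool {
	return attempted > 0 && detected*10 >= attempted*9
}

// ZeroInfoSuccess is the probability that an attacker with no information about
// the enrolled user obtains at least one false match in `attempts` tries,
// assuming independent attempts at per-attempt false match rate fmr.
func ZeroInfoSuccess(fmr float64, attempts int) float64 {
	return 1 - math.Pow(1-fmr, float64(attempts))
}

// MaxAttemptsForBudget is the largest attempt limit that keeps ZeroInfoSuccess
// at or below the given probability budget; this is how a "strict" rate limit
// is sized against the FMR. Requires 0 < fmr < 1 and 0 < budget < 1 (else 0).
func MaxAttemptsForBudget(fmr, budget float64) int {
	if fmr <= 0 || fmr >= 1 || budget <= 0 || budget >= 1 {
		return 0
	}
	return int(math.Floor(math.Log(1-budget) / math.Log(1-fmr)))
}

var (
	ErrNoPossession = errors.New("possession factor missing: biometric alone is not accepted")
	ErrNoMatch      = errors.New("biometric did not match")
	ErrLocked       = errors.New("attempt limit reached: account locked pending recovery")
)

// BiometricGate enforces the draft's "always 2 factor" rule and a per-account
// limit on unsuccessful biometric attempts.
type BiometricGate struct {
	MaxAttempts int
	failures    map[string]int
	locked      map[string]bool
}

func NewBiometricGate(maxAttempts int) *BiometricGate {
	return &BiometricGate{MaxAttempts: maxAttempts, failures: map[string]int{}, locked: map[string]bool{}}
}

// Attempt takes the outcome of the possession check and the comparator's match
// decision and returns nil only when both factors succeed on an unlocked account.
// A successful match resets the failure count; a missing possession factor is
// refused without consuming a biometric attempt.
func (g *BiometricGate) Attempt(account string, possessionOK, matched bool) error {
	if g.locked[account] {
		return ErrLocked
	}
	if !possessionOK {
		return ErrNoPossession
	}
	if matched {
		g.failures[account] = 0
		return nil
	}
	g.failures[account]++
	if g.failures[account] >= g.MaxAttempts {
		g.locked[account] = true
		return ErrLocked
	}
	return ErrNoMatch
}
```

With the slide's FMR of 1 in 1000, `MaxAttemptsForBudget(FMRCeiling, 0.01)` returns 10: ten attempts keep a zero-information attacker's chance of a false match at just under 1%, and an eleventh would push it over. `ZeroInfoSuccess(FMRCeiling, 5)` is about 0.5%, which is the figure a `NewBiometricGate(5)` limit buys.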

Page 55: Strong Authentication Trends in Government


Page 56: Strong Authentication Trends in Government


Questions for our Experts?

Brett McDowell, Executive Director, FIDO Alliance

Jeremy Grant, Managing Director, The Chertoff Group

Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service

Elaine Newton, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)

Page 57: Strong Authentication Trends in Government

THANK YOU

fidoalliance.org | @fidoalliance