“Identity Standards Updates – FIDO”

Brett McDowell, Executive Director, FIDO Alliance

AGENDA

• The Problem
• The Solution
• The Alliance
• Updates

Data Breaches…

• 783 data breaches in 2014
• >1 billion records since 2012
• $3.5 million cost/breach

“76% of 2012 network intrusions exploited weak or stolen credentials”
2013 Data Breach Investigations Report

The world has a PROBLEM

ONE-TIME PASSCODES
Improve security but aren’t easy enough to use

• SMS Reliability
• Token Necklace
• User Confusion
• Still Phishable

WE NEED A NEW MODEL

WE CALL OUR NEW MODEL
Fast IDentity Online
online using public key cryptography

THE OLD PARADIGM

SECURITY USABILITY

THE FIDO PARADIGM™

[Chart: SECURITY axis from Weak to Strong; USABILITY axis from Poor to Easy]

HOW OLD AUTHN WORKS

ONLINE: The user authenticates themselves online by presenting a human-readable secret

HOW FIDO AUTHN WORKS

LOCAL: The user authenticates “locally” to their device by various means
ONLINE: The device authenticates the user online using public key cryptography

AUTHENTICATOR

online authentication using public key cryptography

Passwordless Experience (UAF Standards)

1. Authentication Challenge
2. Biometric Verification*
3. Authenticated Online

Second Factor Experience (U2F Standards)

1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online

*There are other types of

FIDO Registration

1. Invitation Sent (User is in a Session Or New Account Flow)
2. User Approval
3. New Keys Created
4. Registration Complete (Public Key Registered With Online Server)

FIDO Authentication

1. FIDO Challenge (User needs to login or authorize a transaction)
2. User Approval
3. Key Selected & Signs
4. Login Complete (Signed Response verified using Public Key Cryptography)
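The registration and authentication flows above, as an added Go sketch (not FIDO Alliance code and not the UAF or U2F message format): the device creates a key pair per relying party, the server keeps only the public key, and a login is a signature over a fresh server challenge. Ed25519, the Authenticator type, the signedData layout and the rp.example name are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the device: one private key per relying party (appID).
type Authenticator map[string]ed25519.PrivateKey

// Register creates a fresh key pair; only the public key goes to the server.
func (a Authenticator) Register(appID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a[appID] = priv
	return pub
}

// signedData binds a signature to appID and challenge (assumed layout, not UAF/U2F).
func signedData(appID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(appID))
	return append(h[:], challenge...)
}

// Sign answers a challenge; local user approval is assumed to have happened.
func (a Authenticator) Sign(appID string, challenge []byte) []byte {
	priv, ok := a[appID]
	if !ok {
		return nil // no key registered for this relying party
	}
	return ed25519.Sign(priv, signedData(appID, challenge))
}

// Verify is the server-side check; it needs only the stored public key.
func Verify(pub ed25519.PublicKey, appID string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(appID, challenge), sig)
}

func main() {
	dev, ch := Authenticator{}, make([]byte, 32)
	rand.Read(ch) // server-generated random challenge
	pub := dev.Register("https://rp.example")
	sig := dev.Sign("https://rp.example", ch)
	fmt.Println("valid:", Verify(pub, "https://rp.example", ch, sig))
}
```

A signature made for one challenge or one relying party does not verify for another, so a captured response cannot be replayed against a new challenge or accepted under a different appID.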

FIDO UAF
UNIVERSAL AUTHENTICATION FRAMEWORK

• Same User as enrolled before?
• Same Authenticator as registered before?

AUTHENTICATOR

THE BUILDING BLOCKS

[Diagram]
FIDO USER DEVICE: BROWSER/APP, FIDO CLIENT, ASM, FIDO AUTHENTICATOR (Authentication Private Keys, Attestation Private Keys)
RELYING PARTY: WEB SERVER (TLS Server Key), FIDO SERVER (Cryptographic Authentication Public Keys DB; Authenticator Metadata & Attestation Trust Store)
Other label: UPDATE

ATTESTATION & METADATA

[Diagram: FIDO Authenticator, Signed Attestation Object, FIDO Server, Metadata]

• Verify Trust Anchor (Available from Metadata Service or Other Source)
• Understand Authenticator Characteristic (Using Info From Metadata or Other Source)

UAF AUTHENTICATION DEMO EXAMPLE: STEP 1

UAF AUTHENTICATION DEMO EXAMPLE: STEP 2

UAF AUTHENTICATION DEMO EXAMPLE: STEP 3

UAF AUTHENTICATION DEMO EXAMPLE: STEP 4

FIDO U2F

• Same user as enrolled before?
• Is a user present?
• Same authenticator as registered before?

[Diagram labels: USER VERIFICATION, AUTHENTICATOR, FIDO AUTHENTICATION]

U2F AUTHENTICATION DEMO EXAMPLE: Step 1

U2F AUTHENTICATION DEMO EXAMPLE: Step 2

U2F AUTHENTICATION DEMO EXAMPLE: Step 3

U2F AUTHENTICATION DEMO EXAMPLE: Step 4

USABILITY, SECURITY and PRIVACY

• No 3rd Party in the Protocol
• No Secrets on the Server side
• Biometric Data (if used) Never Leaves Device
• No Link-ability Between Services
• No Link-ability Between Accounts

• Better Security for online services
• Reduced cost for the enterprise
• Simpler and Safer for consumers

The Fast IDentity Online (FIDO) Alliance is an open industry association of over 220 global member organizations

• Services/Networks
• Devices/Platforms
• Vendors/Enablers

Board Members

FIDO Alliance Mission

1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization

FIDO SCOPE

[Diagram labels: MODERN AUTHENTICATION; Single Sign-On; Federation; Authentication (Passwords, Strong, Risk-Based); User Management; Physical-to-digital identity]

FIDO TIMELINE

• FEB 2013: Alliance Announced (6 Members)
• DEC 2013: FIDO Ready Program
• FEB 2014: Specification Review Draft
• FEB-OCT 2014: First Deployments
• DEC 9 2014: FIDO 1.0 FINAL
• MAY 2015: Certification Program
• JUNE 2015: New U2F Transports
• TODAY: Broad Adoption (>220 Members)

2014 FIDO ADOPTION

• “PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5”, Feb 24, 2014
• “Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Sensors on Recently-Launched Samsung Galaxy S5”, September 17, 2014
• Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication”, October 21, 2014

2015 FIDO ADOPTION

• “ Announces FIDO Support Coming to ”, Feb 23, 2015
• launches Snapdragon fingerprint scanning technology”, March 2, 2015
• “Google for Work announced Enterprise admin support for FIDO® U2F “Security Key”, April 21, 2015
• “Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards”, May 26, 2015
• “Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” August 12, 2015
• “As part of the bank’s ongoing commitment to staying ahead of advancements in mobile device authentication, the technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.” September 15, 2015

Deployments are enabled by FIDO Certified™ Products available today

• Available to anyone
• Ensures interoperability
• Promotes the FIDO ecosystem

Steps to certification:
1. Conformance Self-Validation
2. Interoperability Testing
3. Certification Request
4. Trademark License (optional)

NEXT EVENT: October 5th (U2F) fidoalliance.org/certification

Announced June 9

FIDO Alliance Announces Government Membership Program – US and UK Government Agencies are First to Join

Government Agencies to Participate in Development of FIDO Standards for Universal Strong Authentication

“The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.”

Government Members

What’s Next?

FIDO Alliance Mission

1. Develop Specifications

FIDO 2.0 Technology Working Group
The mission of the new FIDO 2.0 Specification Technology Working Group is to consider future requirements, and to ensure widespread interoperability within the authentication ecosystem among devices, clients, and servers.

FIDO Alliance Mission

2. Operate Adoption Programs

• FIDO Certification™ Program: Investigating the need/feasibility of adding “security” and “” testing
• FIDO UAF Metadata Service: Formal launch of the UAF Metadata Service following current “soft launch”
• FIDO Alliance Liaison Program: Launched new program with streamlined process to foster collaboration
• FIDO Marketing & Education Programs: More webinars, seminars, conference talks, and targeted outreach – esp. in APAC

FIDO Alliance Mission

3. Pursue Formal Standardization

Submit mature technical Specification(s) to recognized SDO’s…
• We will evaluate maturity for this purpose after more deployments
• We will use the Liaison Program to collaborate with SDO’s ongoing

JOIN THE FIDO ECOSYSTEM

JOIN THE FIDO ALLIANCE

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION