“Identity Standards Updates – FIDO”
Brett McDowell, Executive Director, FIDO Alliance
1 AGENDA
The Problem
The Solution
The Alliance
Updates
2 Data Breaches…
783 data breaches in 2014
>1 billion records since 2012
$3.5 million cost/breach
3 “76% of 2012 network intrusions exploited weak or stolen credentials” (2013 Data Breach Investigations Report)
4 The world has a PASSWORD PROBLEM
5 ONE-TIME PASSCODES
Improve security but aren’t easy enough to use:
SMS Reliability
Token Necklace
User Confusion
Still Phishable
6 WE NEED A NEW MODEL
7 WE CALL OUR NEW MODEL
Fast IDentity Online: online authentication using public key cryptography
8 AGENDA
The Problem
The Solution
The Alliance
Updates
9 THE OLD PARADIGM
[Chart: security versus usability as a trade-off]
10 THE FIDO™ PARADIGM
[Chart: security (Weak to Strong) versus usability (Poor to Easy)]
11 HOW OLD AUTHN WORKS
The user authenticates themselves online by presenting a human-readable secret.
12 HOW FIDO AUTHN WORKS
Local: the user authenticates “locally” to their device (the authenticator) by various means.
Online: the device authenticates the user online using public key cryptography.
13 online authentication using public key cryptography
14 Passwordless Experience (UAF Standards)
1. Authentication Challenge
2. Biometric Verification*
3. Authenticated Online
Second Factor Experience (U2F Standards)
1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online
*There are other types of authenticators
15 FIDO Registration
User is in a session or new account flow
1. Invitation Sent
2. User Approval
3. New Keys Created
4. Registration Complete: Public Key Registered With Online Server
16 FIDO Authentication
User needs to login or authorize a transaction
1. FIDO Challenge
2. User Approval
3. Key Selected & Signs
4. Login Complete: Signed Response verified using Public Key Cryptography
17 FIDO UAF UNIVERSAL AUTHENTICATION FRAMEWORK
User verification (by the authenticator): same user as enrolled before?
FIDO authentication: same authenticator as registered before?
18 THE BUILDING BLOCKS
FIDO User Device: Browser/App; FIDO Client; ASM; FIDO Authenticator holding the Authentication Private Keys and the Attestation Private Keys.
Relying Party: Web Server with TLS Server Key; FIDO Server with the Cryptographic Authentication Public Keys DB and the Authenticator Metadata & Attestation Trust Store; FIDO UPDATE.
19 ATTESTATION & METADATA
The FIDO Authenticator sends a Signed Attestation Object to the FIDO Server.
FIDO Server: Verify Trust Anchor (Available from Metadata Service or Other Source); Understand Authenticator Characteristics (Using Info From Metadata or Other Source).
FIDO Metadata is one source of both.
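The registration, authentication and attestation flows of slides 15, 16 and 19, as an added example in Go that is not part of the original deck or of any FIDO Alliance code: a constructed authenticator with a per-model attestation key mints a fresh P-256 key pair for each relying party, the relying party checks the attestation against its trust anchor before storing only the public key, and login is a signature over a random challenge. The type and function names (Authenticator, RelyingParty, Register, Authenticate) and the single trust anchor are assumptions for this example; real attestation objects also cover the registration challenge, and a relying party typically holds a set of anchors from the Metadata Service.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Authenticator: a per-model attestation key (constructed for this example) and one fresh key pair per relying party.
type Authenticator struct {
	attest *ecdsa.PrivateKey
	keys   map[string]*ecdsa.PrivateKey // relying-party ID -> private key, never leaves the device
}
// RelyingParty stores only public keys, so a server-side breach exposes no secrets.
type RelyingParty struct {
	id          string
	trustAnchor *ecdsa.PublicKey // attestation trust anchor, e.g. from the Metadata Service
	users       map[string]*ecdsa.PublicKey
}
func sign(k *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, k, h[:])
	return sig
}
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
// Register mints a key pair for this relying party and attests the public key; the relying party
// accepts it only if the attestation verifies under its trust anchor (simplified: no challenge).
func (a *Authenticator) Register(rp *RelyingParty, user string) bool {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pubBytes := append(k.X.Bytes(), k.Y.Bytes()...)
	if !verify(rp.trustAnchor, pubBytes, sign(a.attest, pubBytes)) {
		return false // attestation does not chain to a trusted model: refuse registration
	}
	a.keys[rp.id] = k
	rp.users[user] = &k.PublicKey
	return true
}
// Authenticate: the relying party sends a random challenge, the authenticator signs it with
// the key bound to that relying party, and the server checks it with the registered public key.
func (a *Authenticator) Authenticate(rp *RelyingParty, user string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	k, pub := a.keys[rp.id], rp.users[user]
	if k == nil || pub == nil {
		return false
	}
	return verify(pub, challenge, sign(k, challenge))
}
```

Because each relying party receives a different public key, the two registrations cannot be correlated, which is the “no link-ability between services” property of slide 30.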
20 STEP 1 UAF AUTHENTICATION DEMO EXAMPLE
21 STEP 2 UAF AUTHENTICATION DEMO EXAMPLE
22 STEP 3 UAF AUTHENTICATION DEMO EXAMPLE
23 STEP 4 UAF AUTHENTICATION DEMO EXAMPLE
24 FIDO U2F UNIVERSAL 2ND FACTOR
USER VERIFICATION (by the authenticator): is a user present? Same user as enrolled before?
FIDO AUTHENTICATION: same authenticator as registered before?
25 Step 1 U2F AUTHENTICATION DEMO EXAMPLE
26 Step 2 U2F AUTHENTICATION DEMO EXAMPLE
27 Step 3 U2F AUTHENTICATION DEMO EXAMPLE
28 Step 4 U2F AUTHENTICATION DEMO EXAMPLE
29 USABILITY, SECURITY and PRIVACY
30 No 3rd Party in the Protocol
No Secrets on the Server side
Biometric Data (if used) Never Leaves Device
No Link-ability Between Services
No Link-ability Between Accounts
31 Better Security for online services
Reduced cost for the enterprise
Simpler and Safer for consumers
32 AGENDA
The Problem
The Solution
The Alliance
Updates
33 The Fast IDentity Online (FIDO) Alliance is an open industry association of over 220 global member organizations
34 Board Members: Services/Networks; Devices/Platforms; Vendors/Enablers
35 FIDO Alliance Mission
1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization
36 FIDO SCOPE
Modern Authentication landscape: Single Sign-On; Federation; Passwords; Strong Authentication; Risk-Based Authentication; User Management; Physical-to-digital identity
37 AGENDA
The Problem
The Solution
The Alliance
Updates
38 FIDO TIMELINE
FEB 2013: Alliance Announced (6 Members)
DEC 2013: FIDO Ready Program
FEB 2014: Specification Review Draft
FEB-OCT 2014: First Deployments
DEC 9 2014: FIDO 1.0 FINAL
MAY 2015: Certification Program
JUNE 2015: New U2F Transports
TODAY: Broad Adoption (>220 Members)
39 2014 FIDO ADOPTION
“Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5”, September 17, 2014
“Google Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication”, October 21, 2014
“PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5”, Feb 24, 2014
40 2015 FIDO ADOPTION “Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” August 12, 2015
“Google for Work announced Enterprise admin support for FIDO® U2F “Security Key”, April 21, 2015
“Qualcomm launches Snapdragon fingerprint scanning technology”, March 2, 2015
“Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards”, May 26, 2015
“Microsoft Announces FIDO Support (Fast IDentity Online) Coming to Windows 10”, Feb 23, 2015
“As part of the bank’s ongoing commitment to staying ahead of advancements in mobile device authentication, the technology supporting fingerprint sign-in was built according to FIDO standards.” September 15, 2015
41
42 Deployments are enabled by FIDO Certified™ Products available today
43
44 Available to anyone
Ensures interoperability
Promotes the FIDO ecosystem
Steps to certification: 1. Conformance Self-Validation 2. Interoperability Testing 3. Certification Request 4. Trademark License (optional)
NEXT EVENT: October 5th (U2F) fidoalliance.org/certification
45 Announced June 9 FIDO Alliance Announces Government Membership Program – US and UK Government Agencies are First to Join
Government Agencies to Participate in Development of FIDO Standards for Universal Strong Authentication
“The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.”
Government Members
46 What’s Next?
47 FIDO Alliance Mission
1. Develop Specifications
FIDO 2.0 Technology Working Group: The mission of the new FIDO 2.0 Technology Working Group is to consider future requirements, and to ensure widespread interoperability within the authentication ecosystem among devices, clients, and servers.
48 FIDO Alliance Mission
2. Operate Adoption Programs
FIDO Certification™ Program: Investigating the need/feasibility of adding “security” and “biometrics” testing
FIDO UAF Metadata Service: Formal launch of the UAF Metadata Service following current “soft launch”
FIDO Alliance Liaison Program: Launched new program with streamlined process to foster collaboration
FIDO Marketing & Education Programs: More webinars, seminars, conference talks, and targeted outreach – esp. in APAC
49 FIDO Alliance Mission
3. Pursue Formal Standardization
Submit mature technical Specification(s) to recognized SDO’s…
• We will evaluate maturity for this purpose after more deployments
• We will use the Liaison Program to collaborate with SDO’s ongoing
50 JOIN THE FIDO ECOSYSTEM
51 JOIN THE FIDO ALLIANCE
52 EXPERIENCE SIMPLER, STRONGER AUTHENTICATION