U2F & UAF Tutorial

Total Page:16

File Type:pdf, Size:1020Kb

U2F & UAF Tutorial U2F & UAF Tutorial How Secure is Authentication? 2014 1.2bn? 2013 397m Dec. 2013 145m Oct. 2013 130m May 2013 22m April 2013 50m March 2013 50m Cloud Authentication Password Issues 1 2 Password might be Password could be stolen entered into untrusted from the server App / Web-site (“phishing”) 4 Inconvenient to type password on phone 3 Too many passwords to remember à re-use / cart abandonment OTP Issues 1 OTP vulnerable to real- time MITM and MITB attacks 4 Inconvenient to type OTP on phone 3 OTP HW tokens are expensive and people 2 don’t want another device SMS security questionable, especially when Device is the phone Implementation Challenge A Plumbing Problem User Verification Methods Applications Organizations Silo 1 Silo 2 App 1 Silo 3 App 2 Silo N ? ? New App Authentication Needs Do you want to login? Do you want to transfer $100 to Frank? Do you want to ship to a new address? Do you want to delete all of your emails? Do you want to share your dental record? Authentication today: Ask user for a password (and perhaps a one time code) Authentication & Risk Engines Purpose Geolocation … (from IP addr.) Explicit Authentication Authentication Risk Engine Server Summary 1. Passwords are insecure and inconvenient especially on mobile devices 2. Alternative authentication methods are silos and hence don‘t scale to large scale user populations 3. The required security level of the authentication depends on the use 4. Risk engines need information about the explicit authentication security for good decision How does FIDO work? Device FIDO Experiences ONLINE AUTH REQUEST Local USER Verification SUCCESS PASSWORDLESS EXPERIENCE (UAF standards) Transaction Detail Show a biometric or PIN Done SECOND FACTOR EXPERIENCE (U2F standards) Login & Password Insert Dongle, Press button Done FIDO Universal 2nd Factor (U2F) How does FIDO U2F work? Verify user … presence How does FIDO U2F work? Is a user Same Authenticator present? as registered before? Can verify user presence How does FIDO UAF work? Identity binding to be done outside FIDO: This this “John Doe with customer ID X”. Same Authenticator Same User as as registered before? enrolled before? Can recognize the user (i.e. user verification), but doesn’t have an identity proof of the user. How does FIDO U2F work? How is the key protected? Verify user … presence U2F Protocol • Core idea: Standard public key cryptography: o User's device mints new key pair, gives public key to server o Server asks user's device to sign data to verify the user. o One device, many services, "bring your own device" enabled • Lots of refinement for this to be consumer facing: o Privacy: Site specific keys, No unique ID per device o Security: No phishing, man-in-the-middles o Trust: Verify who made the device o Pragmatics: Affordable today, ride hardware cost curve down o Speed for user: Fast crypto in device (Elliptic Curve) Think "Smartcard re-designed for modern consumer web" U2F Registration FIDO Client / Relying U2F Authenticator Browser Party AppID, challenge check AppID a a; challenge, origin, channel id, etc. generate: key k pub fc key kpriv handle h kpub, h, attestation cert, signature(a,fc,kpub,h) s fc, kpub, h, attestation cert, s cookie store: key kpub handle h U2F Authentication FIDO Client / Relying U2F Authenticator Browser Party handle, AppID, challenge check AppID h a h, a; challenge, origin, channel id, etc. retrieve retrieve: key kpub key kpriv fc from from handle h handle h; cntr++ cntr, signature(a,fc,cntr) s cntr, fc, s check signature using key kpub set cookie User Presence API: Registration {"typ":"register", "challenge":"KSDJsdASAS-AIS_AsS", "cid_pubkey": { "kty":"EC", "crv":"P-256", "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8", "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4" navigator.handleRegistrationRequest }, ({ "origin":"https://accounts.google.com" } ‘challenge’: ‘KSDJsdASAS-AIS_AsS’, ‘app_id’: ‘https://www.google.com/facets.json’}, callback); callback = function(response) { sendToServer( response[‘clientData’], response[‘tokenData’]); }; User Presence API: Auth. { "typ":"authenticate", "challenge":"KSDJsdASAS-AIS_AsS", "cid_pubkey": { "kty":"EC", "crv":"P-256", navigator.handleAuthenticationRequest "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8", ({ "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4" ‘challenge’: ‘KSDJsdASAS-AIS_AsS’, }, " origin‘app_id":"https://accounts.google.com" ’: ‘https://www.google.com/facets.json’, } ‘key_handle’: ‘JkjhdsfkjSDFKJ_ld-sadsAJDKLSAD’}, callback); callback = function(response) { sendToServer( response[‘clientData’], response[‘tokenData’]); }; Authentication Example Authentication Example Authentication Example Authentication Example FIDO Universal Authentication Framework (UAF) FIDO Experiences ONLINE AUTH REQUEST Local USER Verification SUCCESS PASSWORDLESS EXPERIENCE (UAF standards) Transaction Detail Show a biometric or PIN Done SECOND FACTOR EXPERIENCE (U2F standards) Login & Password Insert Dongle, Press button Done How does FIDO UAF work? … … SE How does FIDO UAF work? Same Authenticator Same User as as registered before? enrolled before? Can recognize the user (i.e. user verification), but doesn’t have an identity proof of the user. How does FIDO UAF work? Identity binding to be done outside FIDO: This this “John Doe with customer ID X”. Same Authenticator Same User as as registered before? enrolled before? Can recognize the user (i.e. user verification), but doesn’t have an identity proof of the user. How does FIDO UAF work? How is the key protected (TPM, SE, TEE, …)? What user verification method is used? … … SE Attestation & Metadata FIDO AUTHENTICATOR FIDO SERVER Signed Attestation Object Verify using trust anchor included in Metadata Understand Authenticator security characteristic by looking into Metadata (and potentially other sources) Metadata UAF Registration Device Relying Party FIDO App Web FIDO Authenticator App Server 0 Prepare UAF Registration FIDO App Web FIDO Authenticator App Server 0 Prepare UAF Registration FIDO App Web FIDO Authenticator App Server 0 Prepare UAF Registration FIDO App Web FIDO Authenticator App Server 0 Prepare Legacy Auth + 1 Initiate Reg. UAF Registration FIDO App Web FIDO Authenticator App Server 0 Prepare Legacy Auth + 1 Initiate Reg. UAF Registration FIDO App Web FIDO Authenticator App Server 0 Prepare Legacy Auth + 1 Initiate Reg. Reg. Request + Policy 2 UAF Registration Pat Johnson [email protected] FIDO App Web FIDO Authenticator App Server 0 Link your fingerprint Prepare Legacy Auth + 1 Initiate Reg. Reg. Request + Policy 2 UAF Registration Pat Johnson [email protected] FIDO App Web FIDO Authenticator App Server 0 Link your fingerprint Prepare Legacy Auth + 1 Initiate Reg. Reg. Request + Policy 2 UAF Registration Pat Johnson [email protected] FIDO App Web FIDO Authenticator App Server 0 Link your fingerprint Prepare Legacy Auth + 1 Initiate Reg. Reg. Request + Policy 2 3 Verify User & Generate New Key Pair (specific to RP Webapp) UAF Registration Pat Johnson [email protected] FIDO App Web FIDO Authenticator App Server 0 Link your fingerprint Prepare Legacy Auth + 1 Initiate Reg. Reg. Request + Policy 2 Reg. 4 Response 3 Verify User & Generate New Key Pair (specific to RP Webapp) UAF Registration Pat Johnson [email protected] FIDO App Web FIDO Authenticator App Server 0 Prepare KeyLink Registration your fingerprint Data: Legacy Auth + • Hash(FinalChallenge) 1 • AAID Initiate Reg. • Public key Reg. Request • KeyID + Policy 2 • Registration Counter Reg. 4 • Signature Counter Response • Signature (attestation key) FinalChallenge=Hash(AppID | FacetID | tlsData | challenge) 3 Verify User & Generate New Key Pair (specific to RP Webapp) UAF Registration Pat Johnson [email protected] FIDO App Web FIDO Authenticator App Server 0 Prepare Legacy Auth + 1 Initiate Reg. Reg. Request + Policy 2 Reg. 4 Response Success 5 3 Verify User & Generate New Key Pair (specific to RP Webapp) FIDO Building Blocks FIDO USER DEVICE TLS Server Key RELYING PARTY BROWSER / APP UAF Protocol WEB SERVER FIDO CLIENT Cryptographic FIDO SERVER authentication key reference DB ASM Authentication keys FIDO AUTHENTICATOR Attestation key Update Authenticator Metadata & attestation trust store Metadata Service AAID & Attestation FIDO Authenticator Using HW based crypto AAID 1 Based on FP Sensor X Attestation Key 1 FIDO Authenticator Pure SW based implementation AAID 2 Based on Face Recognition alg. Y Attestation Key 2 AAID: Authenticator Attestation ID (=model name) Privacy & Attestation FIDO SERVER RP1 Model A Bob’s FIDO Authenticator Using HW based crypto Serial # Model A Based on FP Sensor X FIDO SERVER RP2 Model A Attestation & Metadata FIDO AUTHENTICATOR FIDO SERVER Signed Attestation Object Verify using trust anchor included in Metadata Understand Authenticator security characteristic by looking into Metadata (and potentially other sources) Metadata Facet ID / AppID UAF Authentication FIDO App Web FIDO Authenticator App Server 0 Prepare UAF Authentication FIDO App Web FIDO Authenticator App Server 0 Prepare UAF Authentication FIDO App Web FIDO Authenticator App Server 0 Prepare UAF Authentication FIDO App Web FIDO Authenticator App Server 0 Prepare UAF Authentication FIDO App Web FIDO Authenticator App Server 0 Prepare Initiate 1 Authentication UAF Authentication FIDO App Web FIDO Authenticator App Server 0 Prepare Initiate 1 Authentication Auth. Request with Challenge 2 UAF Authentication FIDO App Web FIDO Authenticator App Server 0 Prepare Initiate 1 Authentication Auth. Request with Challenge 2 Just a sec – our secure payment technology is working its
Recommended publications
  • Infineon Technologies AG TPM Professional Package
    Infineon Technologies AG TPM Professional Package RSA SecurID Ready Implementation Guide Last Modified: June 16th, 2010 Partner Information Product Information Partner Name Infineon Technologies AG Web Site www.infineon.com Product Name TPM Professional Package Version & Platform 3.6 for XP/Vista/Windows 7 The Infineon TPM Professional Package 3.6 provides many unique management and policy features for business owner, IT managers and end user in supporting different platform types, operating systems and Product Description multiple languages. The user friendly interface utilizing the TPM security chip allows easy use of trusted computing functions such as authentication, data integrity, system integrity, confidentiality and availability. Product Category Smart Cards, Tokens & Authenticators Page: 1 Solution Summary Using the Infineon TPM Professional Package in conjunction with the RSA SecurID® Software Token 4.1 for Microsoft® Windows® combines the security of a hardware token with the cost effectiveness and convenience of a software token. In order to provide support for TPM devices, RSA has released the RSA SecurID Trusted Platform Module/Smart Card Plug-In 1.0. The TPM/smart card plug-in allows users to store a software token seed on a supported Trusted Platform Module (TPM) or smart card and retrieve a tokencode generated by the seed for RSA SecurID authentication. Deploying software tokens to TPMs allows users to securely store tokens in a hardware container on their computer and use them with the major VPN clients and/or web applications.
    [Show full text]
  • NYS-S14-006 Authentication Tokens Standard
    State Capitol P.O. Box 2062 Albany, NY 12220-0062 www.its.ny.gov New York State No: NYS-S14-006 Information Technology Standard IT Standard: Updated: 12/01/2020 Issued By: NYS Office of Information Authentication Tokens Technology Services Owner: Chief Information Security Office 1.0 Purpose and Benefits The purpose of this standard is to list the appropriate authentication tokens that can be used with systems developed or operated for New York State (NYS) that require authenticated access depending on the Authenticator Assurance Level (AAL). This document also provides the requirements for management of those authentication devices. 2.0 Authority Section 103(10) of the State Technology Law provides the Office of Information Technology Services (ITS) with the authority to establish statewide technology policies, including technology and security standards. Section 2 of Executive Order No. 117, established January 2002, provides the State Chief Information Officer with the authority to oversee, direct and coordinate the establishment of information technology policies, protocols and standards for State government, including hardware, software, security and business re-engineering. Details regarding this authority can be found in NYS ITS Policy, NYS-P08-002 Authority to Establish State Enterprise Information Technology (IT) Policy, Standards and Guidelines. 3.0 Scope This standard applies to all SE, defined as “State Government” entities as defined in Executive Order 117, established January 2002, or “State Agencies” as defined in Section 101 of the State Technology Law. This includes employees and all third parties (such as local governments, consultants, vendors, and contractors) that use or access any IT resource for which the SE has administrative responsibility, including systems managed or hosted by third parties on behalf of the SE.
    [Show full text]
  • Unpleasant Secure & Easy Just Bad Just Easy
    Overview of the FIDO Alliance Overview of the FIDO Alliance: For the overwhelming majority of organizations, user-ID and password authentication has proven to be the path of least resistance in terms of initial deployment. Countless experiences over the last decade have taught organizations that login credentials are not particularly secure. For consumers, it’s not easy either, considering that it’s virtually impossible for each of us to remember the numerous passwords we’re now required to use in our daily lives. According to Microsoft, the average internet user with 25 accounts, performs 8 logins using 6.5 passwords daily. Organizations cannot adequately secure password and PIN authentication and their risk and costs are mounting at $5.5M per data breach, $15M yearly in password resets, and $60 per token replacement. Information Security professionals tend to believe that authentication is a continuum – it could be described as easy to use, if insecure at one end, and hard to use, but secure at the other. You simply pick your level of security and then dial up the corresponding level of pain that you will inflict on your users. The FIDO Alliance believes that authentication can best be represented by a quadrant chart with ease of use on one axis and security on the other. The top right quadrant represents solutions that are simultaneously more secure and easier to use. Authentication is not a Continuum High Unpleasant Secure & Easy Security Just Bad Just Easy Low Low High Usability Today, it’s estimated that there are more than 100 proprietary authentication vendors, a number that historically has increased at a rate of about a dozen a year for the last several years.
    [Show full text]
  • Functional Certification Program Policy January 2019
    Functional Certification Program Policy January 2019 Version 1.3.7 FIDO Functional Certification Program Policy Table of Contents 1 Introduction0B 10 1.1 Audience11B 10 2 Overall1B Functional Certification Policies 11 2.1 FIDO12B First Implementer 11 2.2 Universal Server 12 2.3 Specification13B Version Retirement (Sunset Dates for Specifications) 12 2.4 PolicyB Version Retirement (Sunset Dates for Policy) 13 2.4.1 Functional39B Certification Policy Sunset Dates 13 3 Functional2B Certification Process Overview 15 4 Conformance3B Self-Validation 17 4.1 FIDO15B Test Tools 17 4.1.1 Test40B Tool Maintenance 18 4.2 Reference16B Implementations 18 4.2.1 FIDO2 Reference Implementations 19 5 Interoperability4B Testing 20 5.1 Informal17B (Non-Certification) Testing 21 5.2 Interoperability18B Testing Events 21 5.2.1 Remote41B Interoperability Testing 22 5.2.2 Event42B Logistics 22 5.2.3 Event43B Registration 22 5.2.3.1 Confidential Certification 23 5.2.4 Pre44B -Interop Event Testing 23 5.2.5 Re45B -Testing 23 5.2.6 Interoperability46B Testing Event Criteria 24 5.3 On19B Demand Testing 25 5.3.1 New47B Technology 26 5.3.2 Reference48B Implementation Library 26 5.3.2.1 Donating Implementations 26 5.3.2.2 Reference Implementation Library Management 27 5.3.3 49B On Demand Testing Options 27 ©2018 | FIDO Alliance – All Rights Reserved. Page | 2 FIDO Functional Certification Program Policy 5.3.3.1 Virtual 28 5.3.3.2 Shipped 28 5.3.3.3 In-Person 29 5.3.4 50B Registration 30 5.3.4.1 Book a Testing Slot 30 5.3.5 51B Pre-Testing 31 5.3.6 52B Test Facilitation
    [Show full text]
  • Deutsche Bank Introduces DB Secure Authenticator
    Deutsche Bank Global Transaction Banking Deutsche Bank introduces DB Secure Authenticator Due to new regulations such as General Data Protection Regulation (GDPR) and Payment Service Directive 2 (PSD2), Deutsche Bank will be introducing DB Secure Authenticator to ensure it is strengthening the security around clients’ data online. What is DB Secure Authenticator? DB Secure Authenticator is a new app available on iOS and Android which allows users of Global Transaction Banking online systems (e.g. the Autobahn App Market) to perform secure log-in and authorising transactions. Using DB Secure Authenticator, users can key in their username on the usual autobahn.db.com/login website and complete the log-in action with a One Time Password (OTP) which is generated on their smartphone. Generating the OTP requires a PIN code and as a result the log-in is secured by the 2-Factor Authentication standard, the PIN code being a knowledge factor, and the ownership of the registered smartphone app being a possession factor. To authorise a transaction, the DB Secure Authenticator makes use of the smartphone’s built in camera to scan the transaction details displayed online as cryptographic QR code. The app then displays the transaction details on the phone as well as a respective OTP to sign the specific transaction. A PIN code is needed before starting this process, ensuring the 2-Factor Authentication standard is met. Why is Deutsche Bank introducing DB Secure Authenticator? Global regulations and in particular PSD2 within the EU seeks to strengthen the protection of sensitive payment data. PSD2 seeks to upgrade security at the point of log-in to online banking apps and at the point that transactions are authorised.
    [Show full text]
  • How to Log Into My Account Using MS Authenticator My IDB Operations Portal
    User Guide How to log into my account using MS Authenticator My IDB Operations Portal OBJECTIVE How to login into my account to access the IDB Extranet and the information about my operations with the IDB Group. Recommended Browsers: Google Chrome version 85.0.4183.121 and above Microsoft Edge version 85.0.564.63 and above Need help? Contact [email protected] to report issues and please include the following information: 1. Description of the issue 2. Screenshots User Guide How to Log in to the Extranet Site using Microsoft Authenticator STEP 1 Go to the system you are trying to Sign-in to, find the screen you see on the right and enter the following: a. Enter your username and password b. Click the button Sign-in STEP 2 Proof your identity by using the one of the 2- factor authentication of your choice. Note: Your preferred authentication method will be selected by default, but you can change your preference at any point. Your options are: OPTION 1 OPTION 2 OPTION 3 Microsoft Authenticator App Email Login SMS Login See steps on page 2 See steps on page3 See steps on page 4 The following instructions explain the dierent steps for each options. Please note that you only have to use ONE of these options. 1 Option 1 How to Log in to the Extranet Site using Microsoft Authenticator STEP 1 If your preferred authentication method is MS Authenticator verification code, you will see the screen on your right. To continue, please have your smartphone available. STEP 2 Go to your mobile device, and open Microsoft Authenticator App Select your account and get the one-time 6-digit password code.
    [Show full text]
  • Implementing a Web Application for W3C Webauthn Protocol Testing †
    proceedings Proceedings Implementing a Web Application for W3C WebAuthn Protocol Testing † Martiño Rivera Dourado 1,* , Marcos Gestal 1,2 and José M. Vázquez-Naya 1,2 1 Grupo RNASA-IMEDIR, Departamento de Computación, Facultade de Informática, Universidade da Coruña, Elviña, 15071 A Coruña, Spain; [email protected] (M.G.); [email protected] (J.M.V.-N.) 2 Centro de Investigación CITIC, Universidade da Coruña, Elviña, 15071 A Coruña, Spain * Correspondence: [email protected] † Presented at the 3rd XoveTIC Conference, A Coruña, Spain, 8–9 October 2020. Published: 18 August 2020 Abstract: During the last few years, the FIDO Alliance and the W3C have been working on a new standard called WebAuthn that aims to substitute the obsolete password as an authentication method by using physical security keys instead. Due to its recent design, the standard is still changing and so are the needs for protocol testing. This research has driven the development of a web application that supports the standard and gives extensive information to the user. This tool can be used by WebAuthn developers and researchers, helping them to debug concrete use cases with no need for an ad hoc implementation. Keywords: WebAuthn; authentication; testing 1. Introduction Authentication is one of the most critical parts of an application. It is a security service that aims to guarantee the authenticity of an identity. This can be done by using several security mechanisms but currently, without a doubt, the most common is the username and password method. Although this method is easy for a user to conceptually understand, it constitutes many security problems.
    [Show full text]
  • Install Multifactor Authentication in 3 Minutes
    How to use your secure token Whenever you log into VPN, MyApps, or Mosaic/HR SuccessFactors with your BCM username and password, you will then be prompted for a verification code. Open your Google Install Authenticator app to see the latest code, and type that code into the field prompting for the code. NOTE: A new code is generated by your app every 30 seconds, so be sure to enter your code and Multifactor click OK/Enter before a new code is generated. Authentication in 3 minutes Video, documentation, and more If you have colleagues who need to install multi-factor authentication, or if you want to learn more about MFA, visit the IT Service Portal at it.bcm.edu and search for MFA. The Multi- factor Authentication page includes more information about Office of Information Technology MFA, printable documentation, and a step-by-step installation Visit the IT Service Portal online at it.bcm.edu video. and search for MFA. For personal assistance from the Help Desk, send an email to [email protected] or call 713-798-8737. What is Multi-factor Authentication, and Step 1: Request your MFA secure token why do I need it? 1. On your Baylor-connected computer, navigate to the Multi-factor authentication (MFA) confirms your identity when Defender website at mytoken.bcm.edu, log in with your logging into an MFA-enabled system, asking for your username BCM username and password, then click Sign in. and password (something you know) and an MFA secure token 2. Click the Request a software token button, then click (something you have) generated on your phone.
    [Show full text]
  • Updates & Overview
    FIDO ALLIANCE: UPDATES & OVERVIEW BRETT MCDOWELL EXECUTIVE DIRECTOR 1 All Rights Reserved | FIDO Alliance | Copyright 2017 250+ MEMBER & PARTNER ORGANIZATIONS GLOBALLY FIDO board members include leading global brands and technology providers + SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS 2 All Rights Reserved | FIDO Alliance | Copyright 2017 THE WORLD HAS A PASSWORD PROBLEM 81% Data breaches in 65% 2016 that involved Increase in 1,093 weak, default, or phishing attacks Breaches in 2016, 1 stolen passwords over the number of a 40% increase attacks recorded over 20153 in 20152 CLUMSY | HARD TO REMEMBER | NEED TO BE CHANGED ALL THE TIME 1Verizon 2017 Data Breach Report |2Anti-Phishing Working Group | 3Identity Theft Resource Center 2016 3 All Rights Reserved | FIDO Alliance | Copyright 2017 HOW OLD AUTHENTICATION WORKS ONLINE CONNECTION The user authenticates themselves online by presenting a human-readable “shared secret” 4 All Rights Reserved | FIDO Alliance | Copyright 2017 THE NEW MODEL Fast IDentity Online open standards for simpler, stronger authentication using public key cryptography 5 All Rights Reserved | FIDO Alliance | Copyright 2017 HOW FIDO AUTHENTICATION WORKS LOCAL CONNECTION The user authenticates “locally” to their device (by various means) The device authenticates the user online using public key cryptography ONLINE CONNECTION 6 All Rights Reserved | FIDO Alliance | Copyright 2017 SIMPLER AUTHENTICATION Reduces reliance on Single gesture Works with commonly Same authentication Fast and convenient complex passwords
    [Show full text]
  • FIDO Certification Program Policy Authenticator Certification
    FIDO Certification Program Policy Authenticator Certification Version 1.3 September 2020 ©2020 | FIDO Alliance - All Rights Reserved 2 Revision History Date Version Description Sunset Date 2017-04-20 1.0.0 Approved by CWG. 2017-08-10 Update to Confidentiality section to clarify that anonymized N/A information must be approved by the Vendor prior to being 2017-08-10 1.0.1 shared outside of the Security Secretariat. Approved by CWG. First draft of 1.1.0 to add L4 and L5 to the Policy. 2017-11-02 1.1.0r01 Shared with CWG. Updated to reflect the approved level naming scheme and 2018-04-23 1.1.1 FIDO2 Certification. Updated to reflect the FIAR process for Derivative, Delta and 2019-10-10 1.2 Recertification. Updates related mainly to the introduction of the new L3 TBD 1.3 companion program ©2020 | FIDO Alliance - All Rights Reserved 3 Contents 1 Introduction ................................................................................................................................................... 8 1.1 FIDO Certification Program .................................................................................................................. 8 1.2 FIDO Authenticator Certification ......................................................................................................... 8 1.3 FIDO Functional Certification Prerequisite ......................................................................................... 8 1.4 Audience ...............................................................................................................................................
    [Show full text]
  • FIDO UAF Webauthentication Assertion Format
    FIDO UAF WebAuthentication Assertion Format FIDO Alliance Proposed Standard 20 October 2020 This version: https://fidoalliance.org/specs/fido-uaf-v1.2-ps-20201020/fido-uaf-webauthn-v1.2-ps-20201020.html Editor: Dr. Rolf Lindemann, Nok Nok Labs, Inc. The English version of this specification is the only normative version. Non-normative translations may also be available. Copyright © 2013-2020 FIDO Alliance All Rights Reserved. Abstract This document defines the assertion format "WAV1CBOR" in order to use Web Authentication assertions through the FIDO UAF protocol. Status of This Document This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current FIDO Alliance publications and the latest revision of this technical report can be found in the FIDO Alliance specifications index at https://fidoalliance.org/specifications/. This document was published by the FIDO Alliance as a Proposed Standard. If you wish to make comments regarding this document, please Contact Us. All comments are welcome. Implementation of certain elements of this Specification may require licenses under third party intellectual property rights, including without limitation, patent rights. The FIDO Alliance, Inc. and its Members and any other contributors to the Specification are not, and shall not be held, responsible in any manner for identifying or failing to identify any or all such third party intellectual property rights. THIS FIDO ALLIANCE SPECIFICATION IS PROVIDED “AS IS” AND WITHOUT ANY WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTY OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
    [Show full text]
  • FIDO Security Reference
    REVIEW DRAFT FIDO Security Reference FIDO Alliance Review Draft 25 May 2021 This version: https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-rd-20210525.html Previous version: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html Editor: Rolf Lindemann, Nok Nok Labs, Inc. Contributors: Davit Baghdasaryan, Nok Nok Labs, Inc. Brad Hill, PayPal, Inc. Dr. Joshua E. Hill, InfoGard Laboratories Douglas Biggs, InfoGard Laboratories Copyright © 2013-2021 FIDO Alliance All Rights Reserved. Abstract This document analyzes the security properties of FIDO UAF, FIDO U2F and FIDO 2 (i.e. CTAP and Web Authentication) specifications. Status of This Document This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current FIDO Alliance publications and the latest revision of this technical report can be found in the FIDO Alliance specifications index at https://fidoalliance.org/specifications/. This document was published by the FIDO Alliance as a Review Draft. This document is intended to become a FIDO Alliance Proposed Standard. If you wish to make comments regarding this document, please Contact Us. All comments are welcome. This is a Review Draft Specification and is not intended to be a basis for any implementations as the Specification may change. Permission is hereby granted to use the Specification solely for the purpose of reviewing the Specification. No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce portions of this Specification for other uses must contact the FIDO Alliance to determine whether an appropriate license for such use is available.
    [Show full text]