Evidian

FIDO in DirX Access

Enables enterprises to face contemporary cybersecurity threats and enhance their security

The recent, rapid rise of data breaches and changed all the time. As recognition based authentication internally with its sophisticated cyberattacks has exposed the technologies are introduced, the use of other product features, such as single current state of security information and tokens in medium-risk use sign-on, identity federation, and risk- technology systems, forcing system cases will drop, encouraging companies to based authentication. Support for a wide providers to search for an innovative and look for products that focus on developing range of other authentication methods more secure authentication mechanism. an environment of continuous trust with a and high configurability makes DirX Standards issued by the Fast Identity Online good user experience. Access a mature solution that can be (FIDO) Alliance represent the next generation successfully deployed in a variety of in authentication technologies by addressing FIDO standards concentrate on improving demanding scenarios. the general need for stronger authentication. the major aspects of mature security-related This paper provides a brief introduction These technologies mitigate the issues solutions: strong security, better user to the FIDO-based standards (in the connected with legacy authentication experience, and reduced costs. The security section “What is FIDO?”) and their methods and stand up to contemporary aspect is achieved (among other things) by benefits (in the section “Benefits”). The cyberthreats by shifting the authentication employing public key cryptography, while section “FIDO-based Authentication with model from traditional -based the user experience and cost-effectiveness of DirX Access” describes how DirX Access authentication to easy-to-use multi-factor the solution stem from using FIDO integrates the FIDO standards into its rich authentication. , which typically use different and extensive feature set. DirX Access, part of Atos’ DirX product suite, factors of user authentication such as is a comprehensive solution for hardware tokens (something you have) or What is FIDO? authentication and authorization for identity (something you are). Issued by The FIDO Alliance was formed in 2012 as federation. Beginning with version 8.7, DirX the FIDO Alliance, the overall solution has a response to the need for better and Access has been extended with FIDO-based strong support from major market players, stronger authentication methods. Its authentication mechanisms. including , , , MasterCard, mission is to change the nature of online , and PayPal. authentication by developing technical Motivation specifications that define an open, There is a good reason for this DirX Access incorporates a FIDO server scalable and interoperable set of authentication model shift in modern implementation that supports all of the FIDO- mechanisms that reduce the reliance on enterprise applications: passwords have based standards: Universal Authentication passwords. FIDO standards define both been one of the weakest links in IT security Framework (UAF), Universal Second Factor the authentication protocols and the for a long time. Generally, stolen credentials (U2F), and W3C Web Authentication. As a (security) requirements for the and phishing take up the first slots of the top result, it can address any customer’s infrastructure in which these protocols 20 actions in breaches. Passwords are infrastructure parameters and provides for operate. clumsy, hard to remember and need to be easy integration with other enterprise systems. DirX Access integrates the FIDO-

Trusted partner for your Digital Journey Benefits The main ideas behind FIDO are ease of use, privacy, security and standardization. Thanks to its design, FIDO brings a number of benefits into the world of authentication mechanisms:  End users benefit from improved user experience.  Enterprises and organizations benefit from stronger security and reduced costs.

Improved User Experience Stronger Security Reduced Costs

No need to remember passwords Identity cannot be stolen Little or no provisioning costs This primary security vulnerability can finally Identity cannot be stolen when server-side Provisioning system users with a new be removed from the authentication process. credentials are stolen. kind of authentication selection typically The relying party stores only the public key involves completing two tasks: procuring Simple action to sign in part of each related FIDO credential. This part a (hardware) for each user To perform local authentication on a device, does not provide the attacker with any and registering related credentials at the a user can simply swipe a finger, look into the means of impersonating the user. server side. FIDO decreases costs in both camera, plug in a USB stick, or similar. of these cases: the former with the Client-side credentials cannot be stolen possibility to reuse a user’s personal authenticator (BYOD) and the latter with Transferable user experience FIDO’s intention is to leverage authenticators the enablement of auto-registration – capable of storing user credentials (private The same authenticator device can be users can typically use self-service key) in a hardware-backed trusted securely used for multiple services, providing credential management portals. a consistent user experience across multiple environment such as Trusted Platform services. Module, Trusted Execution Environments or Secure Elements. These environments Lower breach risks and potential damages Fast and convenient ensure that even if the attacker steals the device, the stored credentials are prevented The protocol design itself mitigates the The nature of FIDO enables authentication from abuse. Specific authentication methods costs connected with attack damages by methods that are faster and more (such as biometrics) keep credentials from solely preventing the possibility of an convenient than contemporary strong being stolen and also prevent the attacker attack or by allowing an inexpensive authentication methods to be brought to from using the authenticator. remedy process. market. For example, compare a PIN-based FIDO authenticator to the OTP method: in Broad choice of authenticators for the former case, the challenge is hidden from Protection against phishing, man-in-the- users the user; in the latter case, the user needs to middle and replay attacks process it manually. The challenge-response aspect of the FIDO standardization allows vendors to protocol in connection with the public key offer a wide variety of authenticators, cryptography protects against phishing and both embedded and pluggable. Biometrics, if used, never leave the device replay attacks. Each protocol run is bound to Biometrics used during the authentication a (server) origin and a (communication) process are stored on the user’s device, channel which allows the server to detect typically in a secure storage. The user’s MITM attacks. biometric data are only compared in the FIDO authenticator; the proof of identity is Services and accounts cannot be linked then communicated to the requesting third party using public key cryptography. This The authenticator produces a unique key approach has two beneficial consequences: pair for each server; as a result, even if an the user does not need to worry about entity possesses all the public keys from identity theft, and the FIDO server provider multiple servers, it cannot link these public does not need to worry about the credentials keys to a single user. theft in the sense that they do not contain any personal data.

2 FIDO Authentication in DirX Access ---- White Paper FIDO Infrastructure

To enable FIDO-based authentication, two Registration Authentication Flow components are necessary: a FIDO The registration process enrolls a new FIDO Figure 1 depicts the authentication authenticator connected to or built into a credential (public and private key) binding an process using the FIDO protocol. client device possessed by the user to be authenticator held by the user with the user’s  The user accesses a protected authenticated, and a FIDO server that account at the server side. It enables easy resource (web page, mobile provides the authenticated state to the and cost-free user credentials provisioning. application) and wants to sign in. application it protects.  The protected resource informs the Although it is solely under the user’s control, Authentication FIDO server component of the server- the FIDO authenticator that provides proof of Authentication via the FIDO protocol is, from side application, which in turn sends a the user’s identity is trusted by the server the user’s perspective, a simple and challenge to the user’s device with the side. This relationship stems from transparent task leading to a state in which built-in/connected FIDO authenticator. employment of the authenticator attestation, the server side obtains the user’s identity.  The authenticator locally verifies the one of the main principles on which FIDO is user’s identity based on something the built. Transaction Confirmation user has (a device), something the user The FIDO infrastructure can consist of An extension to the authentication action is (biometrics, such as , iris components manufactured by different scan or voice pattern), or something vendors whose cooperation is ensured by provided by the FIDO UAF is represented by a transaction confirmation use case. When the user knows (a PIN). Any data that the interoperability aspects of the issued originates in the verification process standards. dealing with sensitive transactions (like banking), the transaction data can be bound (such as the digitalized fingerprint) do to a FIDO authentication request and not leave the device. Instead, if subsequently credibly displayed to the user. successful, the authenticator signs the FIDO Protocols This process makes both sides indisputably server-issued challenge with a private Topologically, FIDO-based protocols belong aware of the entire action. key relevant to that given server and to a group of protocols based on the user account.  The signed response is sent back to challenge-response model. This model Deregistration ensures that each protocol run differs the FIDO server, which verifies it using To provide the user with complete credential sufficiently from all the other runs. the corresponding public key. management possibilities, FIDO covers the Asymmetric (public key) cryptography deregistration protocol flow. serves as the identity proof-providing Different standards from the FIDO suite mechanism. focus on different authentication use Typically, the protocols from the FIDO suite cases. FIDO UAF, Windows Hello and enable the following actions: Web Authentication standards provide a password-free user experience represented predominantly by biometric- based authentication methods (but not limited to them). A second-factor user experience is then provided by FIDO U2F, which enables the addition of the second- factor authentication aspect to the existing infrastructure.

Figure 1: Authentication Flow

FIDO Authentication in DirX Access ---- White Paper 3 FIDO-based Authentication with DirX Access

DirX Access acts as an identity provider to third-party applications, making it the perfect system component to contain a FIDO server implementation. Therefore, its rich suite of supported authentication methods has been extended with all of the currently issued FIDO standards.

Authentication Application Configurability This design helps to establish a trust In DirX Access, the authentication methods One of the main principles that DirX Access between an authenticator model and are typically made accessible through the follows is high configurability. Applying this DirX Access as the authenticators listed in Authentication Application web application. principle to the FIDO server implementation the metadata service have been certified This deployment-ready application is highly means that the administrator is able to set up by the FIDO Alliance. To fulfill the customizable via the standard web the entire system according to the requirements calling for employment of technologies to combine the possibility of company’s security policies. The custom authenticators or authenticators out-of-box deployment with the ability for configuration allows the administrator to which for some reason haven’t been adaptation to any customer’s requirements. It choose which FIDO standards will be certified, DirX Access provides a way to now provides a front end to FIDO operations supported and in addition allows for the supply custom certificates that enable the and workflows that both enables the assignment of fine-grained policies to each use of these authenticators. authentication process and acts as a self- supported standard. The configuration of each respective service credential-management portal FIDO UAF defines a vocabulary of FIDO authentication method is completed by providing self-registration/deregistration of policies that determines the supported setting up the assurance level parameter. FIDO credentials. authenticators (for example, by exact This parameter reflects the denomination or according to some administrator’s trust in the configured authenticator properties). DirX Access method and helps in defining step-up and extends the employment of this risk-based authentication mechanisms. standardized mechanism to all the other FIDO standards. The policies are evaluated against the corresponding authenticator’s properties – a metadata statement – that are distributed via the FIDO Alliance metadata service (Figure 2).

Figure 2: Authenticator Attestation

4 FIDO Authentication in DirX Access ---- White Paper Integration with Single Sign-on Integration with Identity Federation Integration with Risk-based and Step- Single sign-on (SSO) is a property of an Identity federation in DirX Access is a process up Authentication access control mechanism ensuring that the which extends SSO to the multi-domain DirX Access was one of the first products sign-on process is performed only once per environment. Identity federation to employ the machine learning and single session and enabling access to technologies enable authentication and pattern recognition techniques in its multiple applications typically within the authorization across applications from process of user authentication. Internally same domain. This property creates a different domains that share trust with DirX called risk-based authentication convenient user experience as switching Access. Nowadays, this is the easiest (sometimes referred to as adaptive from one application to the next appears to approach to protect online applications and authentication), this mechanism assesses be seamless to the user. DirX Access services, as these packages do not need to risks connected with a real-time context supports SSO in the web environment, where be altered and need only to communicate of a user session and compares them the FIDO authentication methods can be via standardized means to an identity with the assurances given by the user, used during the initial authentication process provider which informs them about the typically the authentication methods to harden the security and simplify the user’s authenticated session. The more already performed. If the risks are too process. secure the authentication process is on the high, the mechanism requires the user to side of the identity provider, the more provide stronger proof of its identity to guarantees can be given to the relying balance the risks. The FIDO server services, which again pinpoints the implementation widely extends the range importance of supporting FIDO standards. As of possible proofs as the FIDO DirX Access supports SAML, OAuth 2.0- authentication methods provide a high based (OpenID Connect, UMA 2.0), and WS- degree of security. Federation standards, it is a complete tool implementing a strong and reliable identity provider.

FIDO Authentication in DirX Access ---- White Paper 5 Highlights and Conclusion

By implementing DirX Access, new authentication options based on FIDO2 and W3C standards enable businesses and users to move beyond passwords for stronger, simpler authentication leveraging devices they use every day. Integrated with its other product features, such as single sign- on, identity federation, and risk-based authentication, DirX Access provides a mature solution that can be successfully deployed in demanding access management scenarios in all industries. Security based on FIDO specifications makes online security a simpler and better user experience while providing stronger security and reducing risks for the enterprise.

6 FIDO Authentication in DirX Access ---- White Paper DirX_Access_FIDO-White-Paper-en2 A For moreinformation:www.evidian.com/dirx ap r A t he Atosgroup. e About Atos Paper White Let’s adiscussiontogether start atos.net/careers atos.net Find outmore aboutus in theinformation technology space. work anddevelop andconfidently sustainably and members ofsocietiesatlarge to live, customers, employees andcollaborators, Across theworld, thegroup enablesits to scientificandtechnological excellence. approaches to research thatcontribute as well asmulticultural andpluralistic development ofknowledge, education the support expertiseandservices Its future oftheinformation technology space. The purpose ofAtos isto helpdesignthe listed ontheCAC40 Paris stockindex. and Unify. Atos Europaea), isaSE(Societas operates underthebrands Atos, Atos Syntel, for theOlympic&Paralympic Gamesand Worldwide Information Technology Partner Digital Workplace solutions.Thegroup isthe and Cloud, BigData,BusinessApplications provides Orchestrated end-to-end Hybrid and High-Performance Computing,theGroup European numberoneinCloud,Cybersecurity and annualrevenue ofover €11billion. with over 110,000 employees in73 countries Atos indigitaltransformation isagloballeader t t produced, copied,circula o o pr s, tobeu s, theAtoslogo o va l fromAtos. sed A by t ugust 201 ,

A he rec t o s Syn 9. ©2019AtosC i t pient only.Th e t d el, Unify,andWorldline

an d/or dist i s r

ibuted norquotedwithout priorwritten d ocument, oranypartofit, maynotbe onfidential informationownedby

are regi

s t e r ed trademarksof