FIDO AND PAYMENTS AUTHENTICATION

Philip Andreae, Vice President, Oberthur Technologies

All Rights Reserved. FIDO Alliance. Copyright 2016

The Problem | The Solution | The Alliance | Updates

Data Breaches…

• 781 data breaches in 2015
• 170 million records in 2015 (up 50%)
• $3.8 million cost/breach (up 23% from 2013)

The world has a PASSWORD PROBLEM

WE NEED A NEW MODEL

WE CALL OUR NEW MODEL Fast IDentity Online: online authentication using public key cryptography

THE OLD PARADIGM

SECURITY USABILITY

HOW FIDO AUTHN WORKS

LOCAL: The user authenticates “locally” to their device by various means

ONLINE: The device authenticates the user online using public key cryptography

AUTHENTICATOR

Passwordless Experience (UAF Standards)

1. Authentication Challenge
2. Biometric Verification*
3. Authenticated Online

Second Factor Experience (U2F Standards)

1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online

*There are other types of

FIDO UAF UNIVERSAL AUTHENTICATION FRAMEWORK

Same User as enrolled before?

Same Authenticator as registered before?

FIDO U2F UNIVERSAL 2ND FACTOR

Is a user present?

USER VERIFICATION FIDO AUTHENTICATION

AUTHENTICATOR

Same authenticator as registered before?

USABILITY, SECURITY and PRIVACY

No 3rd Party in the Protocol

No Secrets on the Server Side

Biometric Data (if used) Never Leaves Device

No Link-ability Between Services

No Link-ability Between Accounts
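
The model from the “HOW FIDO AUTHN WORKS” slide and the privacy properties listed above, as an added example that is not part of the original deck and is not FIDO Alliance code. It assumes Node.js and its built-in crypto module; the class names, the relying parties shop.example and bank.example and the account alice are constructed, and the signed message is a simplification, not the UAF or U2F wire format.

```javascript
const crypto = require('node:crypto');
// Bytes that get signed: the RP identifier bound to that RP's 32-byte challenge.
const signedData = (rpId, challenge) => Buffer.concat([Buffer.from(rpId), challenge]);

// Authenticator: one key pair per relying party (RP); private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  // Registration: fresh key pair for this RP; only the public key is handed over.
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // userVerified stands in for the local step (fingerprint, PIN, button press).
  sign(rpId, challenge, userVerified) {
    const key = this.keys.get(rpId);
    if (!key || !userVerified) return null;
    return crypto.sign('sha256', signedData(rpId, challenge), key);
  }
}

// Relying party: stores public keys only, so its database holds no login secret.
class RelyingParty {
  constructor(id) { this.id = id; this.accounts = new Map(); this.pending = new Map(); }
  enroll(account, publicKeyPem) { this.accounts.set(account, publicKeyPem); }
  // Fresh random challenge per login attempt, consumed on first use.
  challenge(account) {
    this.pending.set(account, crypto.randomBytes(32));
    return this.pending.get(account);
  }
  verify(account, signature) {
    const c = this.pending.get(account);
    this.pending.delete(account);
    const pub = this.accounts.get(account);
    if (!c || !pub || !signature) return false;
    return crypto.verify('sha256', signedData(this.id, c), pub, signature);
  }
}

// Constructed demo: one device enrolled at two RPs (hypothetical names).
function demo() {
  const device = new Authenticator();
  const [shop, bank] = ['shop.example', 'bank.example'].map((id) => new RelyingParty(id));
  for (const rp of [shop, bank]) rp.enroll('alice', device.register(rp.id));
  const sig = device.sign(shop.id, shop.challenge('alice'), true);
  bank.challenge('alice');
  return { login: shop.verify('alice', sig), crossSite: bank.verify('alice', sig),
    keysDiffer: shop.accounts.get('alice') !== bank.accounts.get('alice') };
}
console.log(demo());
```

The two relying parties hold different public keys for the same device, so neither stored value links the accounts, and a response signed for one service does not verify at the other.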

The FIDO Alliance is an open industry association of over 250 global member organizations

FIDO SCOPE

Single Sign-On MODERN AUTHENTICATION Federation

Passwords Strong Risk-Based Authentication

User Management

Physical-to-digital identity

FIDO Alliance Mission

1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization

Associate Members

Sponsor Members

Board Members

Liaison Program

• Our mission is highly complementary to many other associations around the world. We welcome the opportunity to collaborate with this growing list of industry partner organizations.

Government Members

• “The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.” -- Mike Garcia, NSTIC NPO

FIDO TIMELINE

FEB 2013: Alliance Announced (6 Members)
DEC 2013: FIDO Ready Program
FEB 2014: Specification Review Draft
FEB-OCT 2014: First Deployments
DEC 9 2014: FIDO 1.0 FINAL
MAY 2015: Certification Program
JUNE 2015: New U2F Transports
TODAY: Broad Adoption (>250 Members)

2014 FIDO ADOPTION

“Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5” September 17, 2014

Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication” October 21, 2014

“PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5” Feb 24, 2014

2015 FIDO ADOPTION

“Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” August 12, 2015

“Google for Work announced Enterprise admin support for FIDO® U2F ‘Security Key’” April 21, 2015

“Qualcomm launches Snapdragon fingerprint scanning technology” March 2, 2015

“[T]he technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.” September 15, 2015

“GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification.” October 1, 2015

“Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards.” May 26, 2015

“ Announces FIDO Support Coming to ” Feb 23, 2015

2016 FIDO ADOPTION

“FIDO Universal 2nd Factor (U2F) authentication is now being used to allow all UK citizens to easily and securely access GOV.UK Verify digital public services.” Mar 23, 2016

“BC Card provides Token and FIDO services to strengthen security and safety of Samsung Pay” March 1, 2016

“NTT DOCOMO is now offering FIDO-enabled biometric authentication for customers using Apple iOS devices” Mar 7, 2016

“RSA Via Access Server is now FIDO Certified” March 1, 2016

Deployments are enabled by FIDO Certified™ products available today

OEMs Now Shipping FIDO Certified Devices

Samsung: S5, Mini; Alpha; Note 4, 5; Note Edge; Tab S, Tab S2; S6, S6 Edge

LG: V10 & G5

Sharp Aquos: Zeta SH-01H, SH-03G

Sony Xperia Z5: SO-01H, Compact SO-02H, Premium SO-03H

Fujitsu Arrows: Fit F-01H, NX F-02H, NX F-04G

App Developers can add FIDO to any TouchID-enabled device running iOS 9+

Supported iOS Fingerprint Devices

iPhone 5s; iPhone 6, 6+; iPhone 6s, 6s+

iPad Air 2, Mini 3; iPad Mini 4; iPad Pro

FIDO 2.0 & W3C

November 2015

FIDO Authentication Poised for Continued Growth as Alliance Submits FIDO 2.0 Web API to W3C

• W3C has accepted our submission
• Specifications required to define a FIDO-compliant Web API
• Designed to extend FIDO’s existing reach to all platforms
• OEM community should begin to plan their support now
• RP community should deploy FIDO 1.x now knowing FIDO standards are “future proof” -- strategically positioned as the de facto authentication scheme for the Web & OS Platforms

February 2016

W3C Launches New Standards Effort Based on FIDO 2.0 Web APIs

• W3C announces the chartering of the Web Authentication Working Group
• Standardizing the submitted FIDO Web APIs can ensure standards-based strong authentication across all Web browsers and related Web platform infrastructure
• The first meeting of the Working group was early March

@FIDOAlliance

www.fidoalliance.org www.linkedin.com/company/the-fido-alliance