UAF Tutorial

How Secure is ?

Cloud Authentication Issues
• Password might be entered into untrusted App / Web-site (“phishing”)
• Password could be stolen from the server
• Inconvenient to type password on phone
• Too many to remember: re-use / cart abandonment

OTP Issues
• OTP vulnerable to real-time MITM and MITB attacks
• Inconvenient to type OTP on phone
• OTP HW tokens are expensive and people don’t want another device
• SMS security questionable, especially when Device is the phone

Attack Classes

Scalable attacks:
• Remotely attacking central servers: steal data for impersonation
• Remotely attacking lots of user devices: steal data for impersonation
• Remotely attacking lots of user devices: misuse them for impersonation
• Remotely attacking lots of user devices: misuse authenticated sessions

Physical attacks (possible on lost or stolen devices, 3% in the US in 2013):
• Physically attacking user devices: steal data for impersonation
• Physically attacking user devices: misuse them for impersonation

Summary
1. Passwords are insecure and inconvenient, especially on mobile devices
2. Alternative authentication methods are silos and hence don’t scale to large-scale user populations
3. The required security level of the authentication depends on the use
4. Risk engines need information about the explicit authentication security for good decisions

How does FIDO work?

How does FIDO UAF work?
• Same Authenticator as registered before?
• Same User as enrolled before?
• Can recognize the user (i.e. user verification), but doesn’t have an identity proof of the user.
• Identity binding to be done outside FIDO: This is “John Doe with customer ID X”.

How does FIDO UAF work?
• How is the key protected (TPM, SE, TEE, …)?
• What user verification method is used?

Attestation & Metadata
FIDO AUTHENTICATOR sends a Signed Attestation Object to the FIDO SERVER
• Verify using trust anchor included in Metadata
• Understand Authenticator security characteristic by looking into Metadata (and potentially other sources)

How does FIDO UAF work?
FIDO Building Blocks:
1. Use Metadata to understand Authenticator model security characteristic
2. Define policy of acceptable Authenticators
3. Store public keys on the server (no secrets)
4. Provide cryptographic proof of authenticator model
5. Generate key pair in Authenticator to protect against phishing
6. Use site-specific keys in order to protect privacy
7. Verify user before signing authentication response
8. Use channel binding to protect against MITM

Registration Overview

FIDO SERVER: Send Registration Request:
- Policy
- Random Challenge
FIDO CLIENT: Start registration
FIDO AUTHENTICATOR:
• Authenticate user
• Generate key pair
• Sign attestation object (signed by attestation key):
  • Public key
  • AAID
  • Random Challenge
  • Name of relying party
FIDO SERVER:
• Verify signature
• Check AAID against policy
• Store public key
AAID = Authenticator Attestation ID, i.e. model ID

Registration Overview (2)

Relying Party foo.com
WEB Application: “Know Your Customer” rules
Physical Identity: { userid=1234, [email protected], known since 03/05/04, payment history=xx, … }
Legacy Authentication
FIDO AUTHENTICATOR / FIDO SERVER
Virtual Identity Registration: AAID y, key for foo.com: 0xfa4731
{ userid=1234, pubkey=0x43246, AAID=x, +pubkey=0xfa4731, AAID=y }
Link new Authenticator to existing userid

UAF Authentication

(demo screenshot: Pat Johnson, [email protected])
SignedData:
• SignatureAlg
• Hash(FinalChallenge)
• Authenticator random
• Signature Counter
• Signature
FinalChallenge = AppID | FacetID | channelBinding | challenge

UAF Authentication

(demo screenshot: Pat Johnson, [email protected]; “Payment complete! Return to the merchant’s web site to continue shopping”)

Transaction Confirmation
SignedData:
• SignatureAlg
• Hash(FinalChallenge)
• Authenticator random
• Signature Counter
• Hash(Transaction Text)
• Signature
FinalChallenge = AppID | FacetID | channelBinding | challenge

The FIDO Authenticator Concept

FIDO Authenticator:
• User Verification / Presence
• Attestation Key: injected at manufacturing, doesn’t change
• Authentication Key(s): generated at runtime (on Registration)
• Optional components: Transaction Confirmation Display

Using Secure Hardware

FIDO Authenticator in SIM Card
SIM Card (client side):
• User Verification (PIN)
• Attestation Key
• Authentication Key(s)

Trusted Execution Environment (TEE)

FIDO Authenticator as Trusted Application (TA):
• User Verification / Presence: store at Enrollment, compare at Authentication, unlock after comparison
• Attestation Key
• Authentication Key(s)

Combining TEE and SE

Trusted Execution Environment (TEE)
FIDO Authenticator as Trusted Application (TA):
• User Verification / Presence
• Transaction Confirmation Display, e.g. GlobalPlatform Trusted UI
Secure Element:
• Attestation Key
• Authentication Key(s)

FIDO & Federation

(First Mile / Second Mile)

FIDO Ready™ Products Shipping today

OEM Enabled: Samsung Galaxy S5 & Galaxy Tab S
OEM Enabled: Lenovo ThinkPads and tablets with Fingerprint Sensors

Clients available for these operating systems:

Software Authenticator Examples: Speaker/Face recognition, PIN, QR Code, etc.
Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element

FIDO is used Today

Conclusion
• Different authentication use-cases lead to different authentication requirements
• Today, we have authentication silos
• FIDO separates user verification from authentication protocol and hence supports all user verification methods
• FIDO supports scalable security and convenience
• User verification data is known to Authenticator only
• FIDO complements federation
Consider developing or piloting FIDO-based authentication solutions

Dr. Rolf Lindemann, Nok Nok Labs, [email protected]

UAF Registration

(demo screenshot: Pat Johnson, [email protected]; “Link your fingerprint”)
Key Registration Data:
• Hash(FinalChallenge)
• AAID
• Public key
• KeyID
• Registration Counter
• Signature Counter
• Signature (attestation key)
FinalChallenge = AppID | FacetID | channelBinding | challenge

UAF Registration

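The registration flow of the Registration Overview slide and the Key Registration Data listed above, as an added Go example (not code from the slides or from Nok Nok Labs): the authenticator generates a site-specific key pair and attests it with its attestation key; the FIDO server checks the AAID against its policy, verifies the signature with the trust anchor from Metadata, checks the challenge binding and keeps only the public key. The "|" serialisation and the AAID value used in the test are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyRegistrationData: the fields of the "UAF Registration" slide; the serialisation in digest() is assumed.
type KeyRegistrationData struct {
	FinalChallengeHash     []byte
	AAID, KeyID            string           // AAID = Authenticator Attestation ID, i.e. model ID
	PublicKey              *ecdsa.PublicKey // new site-specific authentication key
	RegCounter, SigCounter uint32
	Signature              []byte // made with the attestation key, not with the new key
}
// digest hashes every field except the signature; this is what is signed and verified.
func (k KeyRegistrationData) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%x|%s|%x,%x|%s|%d|%d", k.FinalChallengeHash,
		k.AAID, k.PublicKey.X, k.PublicKey.Y, k.KeyID, k.RegCounter, k.SigCounter)))
	return h[:]
}
// Register (authenticator side): after user verification, generate a fresh P-256 key pair
// for this relying party and attest it with the device's attestation key.
func Register(attKey *ecdsa.PrivateKey, aaid, keyID string, fc []byte) (KeyRegistrationData, *ecdsa.PrivateKey, error) {
	authKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return KeyRegistrationData{}, nil, err
	}
	fch := sha256.Sum256(fc)
	krd := KeyRegistrationData{FinalChallengeHash: fch[:], AAID: aaid, KeyID: keyID, PublicKey: &authKey.PublicKey, RegCounter: 1}
	krd.Signature, err = ecdsa.SignASN1(rand.Reader, attKey, krd.digest())
	return krd, authKey, err
}
// VerifyRegistration (server side): check the AAID against policy, verify the attestation signature with the Metadata trust anchor, check the challenge binding, and return the key to store.
func VerifyRegistration(policy map[string]bool, anchors map[string]*ecdsa.PublicKey, krd KeyRegistrationData, fc []byte) (*ecdsa.PublicKey, error) {
	anchor, ok := anchors[krd.AAID]
	if !policy[krd.AAID] || !ok {
		return nil, fmt.Errorf("AAID %q not acceptable under policy or unknown in Metadata", krd.AAID)
	}
	if !ecdsa.VerifyASN1(anchor, krd.digest(), krd.Signature) {
		return nil, fmt.Errorf("attestation signature does not verify")
	}
	if fch := sha256.Sum256(fc); string(fch[:]) != string(krd.FinalChallengeHash) {
		return nil, fmt.Errorf("registration not bound to this challenge")
	}
	return krd.PublicKey, nil
}
```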