cis14: fido 101 (what, why and wherefore of fido)
DESCRIPTION
Rajiv Dholakia, Nok Nok Labs
Basics of how FIDO protocols work, how they fit into the broader identity ecosystem, the benefits of the design and the state of implementation/deployment in the market; appropriate for both technical and non-technical individuals, giving orientation before diving into the details of the specific FIDO protocols.
TRANSCRIPT
© 2014 FIDO Alliance
Standards for Simpler Stronger Authentication
Rajiv Dholakia – VP Products & Business Development, Nok Nok Labs
Context & Aspirations
I.T. HAS SCALED: IT’S A HETEROGENEOUS WORLD
• Technological capabilities (1971 to 2013): clock speed x4700; number of transistors x608k; structure size /450
• Price (1980 to 2013): HDD $/MB /12k; NV RAM $/MB /1.3m
• Ubiquity: more than 7bn mobile connected devices by end of 2013
• Connectivity (2013): 34% of all people worldwide have internet access
• Relevance (2012): $1 trillion eCommerce
• Social media (2013): >10% of all people worldwide active
NOK NOK LABS
The Authentication Tower of Babel
Silos, proprietary, privacy, reliance on 3rd party, tolls
IMPLEMENTOR’s PERSPECTIVE: A CHALLENGE
A plumbing problem: Shades of Rube Goldberg…
[Diagram: applications (App 1, App 2, a new app), authentication methods and organizations (RP 1, …) each wired into their own Silo 1, Silo 2, Silo 3 … Silo N, with a question mark wherever a new app or method has to be connected]
Taking lessons from History
[Diagram: for communication, SSL became the common plumbing; for authentication, the equivalent is still “???”]
Common authentication plumbing
WHAT IS NEEDED
• An open standard, plug-in approach spanning users, devices, cloud/enterprise and federation
• An interoperable ecosystem
• Usable authentication
FIDO 101
Goal: Simpler, Stronger Authentication
Mission: To Change Authentication Online by:
(a) Developing unencumbered Specifications that define interoperable mechanisms that supplant reliance on passwords
(b) Operating programs to help ensure industry adoption
(c) Submitting mature Specifications for formal standardization
Identity & Authentication Building Blocks
[Diagram: physical-to-digital identity, user management, authentication, federation, single sign-on and personalization as building blocks serving e-gov, payments and security; within authentication, passwords, risk-based and strong methods, with FIDO positioned as modern authentication]
User Authentication Online
• Do you want to login?
• Do you want to transfer $100 to Frank?
• Do you want to ship to a new address?
• Do you want to delete all of your emails?
• Do you want to share your dental record?
Authentication today: Ask user for a password (and perhaps a one time code)
Today’s Passwords: reused, phished, keylogged
Today’s Password Alternatives: One Time Codes with SMS or Device
• SMS usability: coverage, delay, cost
• Device usability: one per site, $$, fragile
• User experience: users find it hard
• Still phishable: known attacks today
Megatrend: Simpler, Stronger Local Device Auth
• Personal devices carry personal data
• Local locking: PINs & patterns today
• New wave, convenient security: simpler, stronger local auth
Putting It Together
The problem: simpler, stronger online auth. The trend: simpler, stronger local device auth.
Why not use local device auth for online auth? This is the core idea behind FIDO standards!
FIDO Experiences: a local device auth success answers the online auth request
• PASSWORDLESS EXPERIENCE (UAF standards): show a biometric, see the transaction detail, done
• SECOND FACTOR EXPERIENCE (U2F standards): login & password, insert dongle, press button, done
FIDO Registration (using public key cryptography)
1. Registration begins
2. User approval
3. New key created
4. Key registered; registration complete
FIDO Login (using public key cryptography)
1. Login challenge
2. User approval
3. Key selected; login response
4. Login complete
Decouple User Verification Method from Authentication Protocol
[Diagram: the same four-step login flow, split into a pluggable local auth part (user approval, key selected) and the online security protocol part (login challenge, login response)]
Leverage public key cryptography
ONLINE SECURITY PROTOCOL
PLUGGABLE LOCAL AUTH
UAF ARCHITECTURE OVERVIEW
[Diagram, user side: the user device running the user agent and mobile apps, an authenticator abstraction layer (ASM), and UAF authenticators holding the private authentication keys and attestation keys. Relying party side: the web application and the FIDO UAF server holding the public authentication keys and the attestation key. The UAF protocol between them carries registration, authentication & transaction confirmation.]
[Diagram, U2F architecture. User side: the browser’s U2F JS API talks over USB, NFC or Bluetooth connectors (U2F APDUs over the USB, NFC and Bluetooth APIs) to a secure U2F element. Relying party side: the web application and the FIDO U2F server holding the user keys.]
[U2F flow diagram: user action, browser, U2F token]
Passwordless UX = UAF: Universal Auth Framework
• User carries client device with UAF
stack installed • User presents a local biometric or PIN • Website can choose whether to retain
password Simpler Stronger Authentication
Second Factor UX = U2F: Universal Second Factor
• User carries U2F device with built-in support in web browsers
• User presents U2F device • Website can simplify password
(e.g, 4 digit PIN)
Design Considerations
• No 3rd party in the protocol
• No secrets on server side
• Focus on user privacy: biometric data never leaves user’s device; no linkability between RPs; no linkability between RP accounts
• Embrace all kinds of authenticators: software, proprietary hardware, certified hardware, ...
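The registration and login flows above and the design considerations just listed (no secrets on the server side, no linkability between RPs), as an added example that is not from the presentation or from any FIDO implementation: a Go sketch using the standard library’s ECDSA, in which the authenticator keeps a separate private key per relying party, the relying party stores only the public key, and a login is a signature over a fresh challenge bound to the relying party’s name. The type and function names and the relying-party id "bank.example" are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator: one private key per relying party (RP); only public keys and signatures ever leave it.
type Authenticator map[string]*ecdsa.PrivateKey
// Register makes a key pair for rpID (user approval assumed) and returns only the public key to the RP.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if crypto/rand does
	a[rpID] = priv // a separate key per RP: two RPs cannot link the same user by comparing keys
	return &priv.PublicKey
}
// Sign answers a login challenge with the key bound to rpID; hashing rpID into the signed
// data makes a response produced for one site useless to any other site.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a[rpID]
	if !ok {
		return nil, false // nothing registered for this RP
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, toBeSigned(rpID, challenge))
	return sig, err == nil
}
func toBeSigned(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}
// NewChallenge is the RP's login step 1: a fresh nonce, so an old response cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; error ignored only to keep the example short
	return c
}
// Verify is the RP's login step 4, using the public key stored at registration; the RP
// holds no secret, so a server breach yields nothing an attacker could reuse.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, toBeSigned(rpID, challenge), sig)
}

func main() { // registration, then one login round trip (constructed demo)
	auth, ch := Authenticator{}, NewChallenge()
	pub := auth.Register("bank.example")
	sig, _ := auth.Sign("bank.example", ch)
	fmt.Println("login ok:", Verify(pub, "bank.example", ch, sig))
}
```

Registering the same authenticator at a second relying party yields an unrelated public key, and a response signed for one relying party fails verification at the other, which is the no-linkability property from the list above.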
Risk Based Authentication
• Login to online account (low risk)
• Change shipping address
• Transfer $10.000 (high risk)
Choice of Security Profiles
[Diagram: three security profiles. With no secure hardware, the FIDO crypto layer and the UX layer (input, display) both run in user space. With secure crypto + storage, the crypto layer moves into secure hardware while the UX layer stays in user space. With a secure execution environment, both the crypto layer and the UX layer run in secure hardware.]
Risk Appropriate Authentication: FIDO Security Spectrum
• Software only ID (strong): protects keys
• TPM/SE ID (stronger): protects keys, protects crypto
• TEE + SE ID (strongest): protects keys, protects crypto, protects code, protects display
[Slide: xkcd comic “Security”, http://xkcd.com/538/]
A peek into MODERN AUTHENTICATION
• Implicit authentication
• Explicit authentication
COMPLEMENTS IDENTITY & FEDERATION STANDARDS
[Diagram: the first mile is covered by strong auth or passwords, where FIDO/strong auth applies; the second mile (SSO/federation) is covered by federation standards such as SAML and OpenID]
FIDO Model: Direct to Relying Party OR through IdP
Devices support multiple authenticators.
1. User authenticates to the device
2a. Device authenticates to the relying party (SP), OR
2b. Device authenticates to the identity provider (IdP), and
2c. IdP asserts identity via SAML, OAuth, OpenID Connect…
Recap
Identity & Authentication
[Diagram: the identity & authentication building blocks shown earlier, with FIDO positioned as modern authentication alongside passwords and risk-based methods]
Simplifying and Scaling Authentication: Any Device. Any Application. Any Authenticator.
• Standardized protocols
• Local authentication unlocks app specific key
• Key used to authenticate to server
IMPLEMENTATION CHALLENGE
A plumbing problem: Shades of Rube Goldberg…
[Diagram: the silo diagram shown earlier, with each application, authentication method and organization wired into its own silo]
SIMPLIFIED IMPLEMENTATION: WHAT IS BEING STANDARDIZED
[Diagram: applications (App 1, App 2, a new app), authentication methods and organizations (RP 1, …) all connect through FIDO unified standards instead of per-silo plumbing]
• Online crypto protocol
• Pluggable authentication
CONCLUSIONS
• The enemy is symmetric shared secrets
• The enemy is poor user experiences and friction
• FIDO is a building block
• Even a simple software-based authenticator with a PIN offers many advantages over passwords
• FIDO complements your investments in federation and improves your security and ease of use
FIDO Alliance Snapshot July 2014
Nok Nok Labs Confidential — Do Not Distribute
FIDO Alliance Role
• Paper specifications, interop and conformance testing, trademark licensing against criteria, thought leadership, nurture ecosystem of vendors delivering FIDO implementations to market
• Alliance does not ship products (only specifications)
  o Implementations left to commercial vendors
• FIDO Alliance designs core protocol
  o Like SSL, FIDO has no domain semantics
  o Relying parties and vendors may adapt FIDO into commercial solutions
  o Vendors may deliver FIDO specification as product or service, standalone or as part of a solution stack
  o Extended use cases may be explored by vendors long before imported into protocol
Version 1.0 (Review Draft) is in Public Review
FIDO at Industry Events – Readiness: FIDO-Ready Products & Deployment for Mobile & More
• SIM + Secure Element
• PIN + MicroSD, USB
• Fingerprint, Mobile
• Speaker Recognition
• Mobile via NFC*
Useful to keep these separate: design intent; FIDO protocol specification; specific implementations; solution that incorporates FIDO
[Screenshot: Select, Authenticate, Purchase]
MOBILE DEVICES reshaping Security, Commerce
AUTHENTICATION THAT IS “One-Swipe”, “One-Phrase”, “One-Look”, “One Touch”
OEMs SHIPPING FIDO-READY™ PRODUCTS: New and existing devices are supported!
• OEM Enabled: Samsung Galaxy S5
• OEM Enabled: Lenovo ThinkPads with Fingerprint Sensors
• Clients available for these operating systems: [OS logos]
• Software Authenticator Examples: Voice/Face recognition, PIN, QR Code, etc.
• Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element
First FIDO Deployment already live…
• Customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready™ software on the device securely communicates between the fingerprint sensor on their device and PayPal’s service in the cloud. The only information the device shares with PayPal is a unique cryptographic “public key” that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers.
Breaking news for July…
• Alipay – formerly a part of Alibaba Group in China
• Processed $519 Billion in transactions in 2013
• Launched FIDO-based payments using Galaxy S5
Better Security, Better User Experience: Going beyond “Risk, Regulation, Reputation”
[Screenshots: Setup, Confirm, Sent]
DESIGN, DELIGHT & DOLLARS!
Call to Action
• FIDO is ready for use – launch a POC, Pilot
• Get involved:
  o Develop or adapt your products to FIDO
  o Come to the plenary, meet and mingle, speak with the pioneers, select your partners
  o Join the Alliance and contribute – we are a volunteer run organization!
  o Contact [email protected] for membership details
  o Other questions – [email protected]
FIN
THANK YOU