cis14: fido 101 (what, why and wherefore of fido)

© 2014 FIDO Alliance. Standards for Simpler Stronger Authentication. Rajiv Dholakia, VP Products & Business Development, Nok Nok Labs, [email protected]

Upload: cloudidsummit

Post on 18-May-2015


DESCRIPTION

Rajiv Dholakia, Nok Nok Labs Basics of how FIDO protocols work, how they fit into the broader identity ecosystem, the benefits of the design and the state of implementation/deployment in the market; appropriate for both technical and non-technical individuals, giving orientation before diving into the details of the specific FIDO protocols.

TRANSCRIPT

Page 1: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

© 2014 FIDO Alliance

Standards for Simpler Stronger Authentication

Rajiv Dholakia – VP Products & Business Development, Nok Nok Labs

[email protected]

Page 2: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Context & Aspirations

Page 3: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

I.T. HAS SCALED: IT’S A HETEROGENEOUS WORLD

Technological capabilities (1971 → 2013): clock speed ×4700; number of transistors ×608k; structure size ÷450

Price (1980 → 2013): HDD $/MB ÷12k; NV RAM $/MB ÷1.3m

Ubiquity: more than 7bn mobile connected devices by end of 2013

Connectivity (2013): 34% of all people worldwide have internet access

Relevance (2012): $1 trillion eCommerce

Social media (2013): >10% of all people worldwide active

NOK NOK LABS

Page 4: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

The Authentication Tower of Babel

Silos, proprietary, privacy, reliance on 3rd party, tolls

Page 5: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

IMPLEMENTOR’S PERSPECTIVE: A CHALLENGE

A plumbing problem: shades of Rube Goldberg…

[Diagram: applications (App 1, App 2, New App) on one side, authentication methods in the middle, organizations / relying parties (RP 1) on the other; each application is wired to its own authentication silo (Silo 1, Silo 2, Silo 3 … Silo N), and new combinations are marked “?”]

Page 6: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Taking lessons from History

[Diagram: for Communication the common standard is SSL; for Authentication the equivalent is still “???”]

Page 7: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Common authentication plumbing

[Diagram: Users, Devices, Cloud/Enterprise and Federation joined by common authentication plumbing]

WHAT IS NEEDED: an open standard plug-in approach; an interoperable ecosystem; usable authentication

Page 8: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

FIDO 101

Page 9: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Goal: Simpler, Stronger Authentication

Mission: To Change Authentication Online by:

(a) Developing unencumbered Specifications that define interoperable mechanisms that supplant reliance on passwords

(b) Operating programs to help ensure industry adoption

(c) Submitting mature Specifications for formal standardization

Page 10: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Identity & Authentication Building Blocks

[Diagram: physical-to-digital identity, user management, authentication, federation, single sign-on and personalization as building blocks, applied to e-Gov, payments and security; authentication spans passwords, risk-based and strong, labelled MODERN AUTHENTICATION]

Page 11: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

User Authentication Online

•  Do you want to login?
•  Do you want to transfer $100 to Frank?
•  Do you want to ship to a new address?
•  Do you want to delete all of your emails?
•  Do you want to share your dental record?

Authentication today: ask the user for a password (and perhaps a one time code)

Page 12: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Today’s Passwords: REUSED, PHISHED, KEYLOGGED

Page 13: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Today’s Password Alternatives: One Time Codes with SMS or Device

•  SMS usability: coverage, delay, cost
•  Device usability: one per site, $$, fragile
•  User experience: users find it hard
•  Still phishable: known attacks today

Page 14: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Megatrend: Simpler, Stronger Local Device Auth

•  Personal devices: carry personal data
•  Local locking: PINs & patterns today
•  New wave, convenient security: simpler, stronger local auth

Page 15: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Putting It Together

The problem: simpler, stronger online auth

The trend: simpler, stronger local device auth

Why not use local device auth for online auth? This is the core idea behind the FIDO standards!

Page 16: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

FIDO Experiences

[Diagram: online auth request → local device auth → success]

PASSWORDLESS EXPERIENCE (UAF standards): show a biometric → transaction detail → done

SECOND FACTOR EXPERIENCE (U2F standards): login & password → insert dongle, press button → done

Page 17: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

FIDO Registration (using public key cryptography)

[Diagram, steps 1–4: registration begins → user approval → new key created → key registered → registration complete]

Page 18: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

FIDO Login (using public key cryptography)

[Diagram, steps 1–4: login → login challenge → user approval → key selected → login response → login complete]

Page 19: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Decouple User Verification Method from Authentication Protocol

[Diagram: the login flow (login challenge → user approval → key selected → login response) split into PLUGGABLE LOCAL AUTH on the device and an ONLINE SECURITY PROTOCOL that leverages public key cryptography]

Page 20: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

UAF ARCHITECTURE OVERVIEW

User device: user agent and mobile apps → Authenticator Abstraction (ASM) → UAF authenticators holding the private keys (authentication keys and attestation keys)

Relying party: web application → FIDO UAF server holding the public keys (authentication keys and attestation key)

UAF protocol between the two: registration, authentication & transaction confirmation

Page 21: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

U2F Flow Diagram

User side: the browser exposes the U2F JS API; connectors for USB, NFC and Bluetooth carry U2F APDUs over the USB API, NFC API or Bluetooth API to the secure U2F element that holds the user keys

Relying party: web application and FIDO U2F server

[Diagram: user action → browser → U2F token]

Page 22: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Options

Passwordless UX = UAF: Universal Auth Framework
•  User carries client device with UAF stack installed
•  User presents a local biometric or PIN
•  Website can choose whether to retain password
Simpler Stronger Authentication

Second Factor UX = U2F: Universal Second Factor
•  User carries U2F device with built-in support in web browsers
•  User presents U2F device
•  Website can simplify password (e.g., 4 digit PIN)

Page 23: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Design Considerations

Page 24: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

No 3rd Party in the Protocol

Page 25: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

No secrets on Server side

Page 26: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Focus on User Privacy

•  Biometric data never leaves user’s device
•  No linkability between RPs
•  No linkability between RP accounts
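The registration and login flows of slides 17–19 and the design properties of slides 25–26 (no secrets on the server side, no linkability between relying parties), worked through as an added Python example. This is not code from the deck, the FIDO Alliance or Nok Nok Labs: it stands in a toy Schnorr signature over the multiplicative group modulo the Mersenne prime 2^127 − 1 for the ECDSA/RSA that real authenticators use, and the site names, user name and transaction text are constructed. The server stores only public keys and one-time challenges; the device keeps one private key per relying party and signs the challenge together with the transaction text the user approved.

```python
import hashlib
import secrets

# Toy Schnorr signature group, constructed for this example. Real FIDO
# authenticators sign with ECDSA or RSA; the protocol shape is the same.
P = 2**127 - 1          # Mersenne prime M127
Q = 77158673929         # prime factor of P - 1 = 2 * (2**63 - 1) * (2**63 + 1)
assert (P - 1) % Q == 0
# Generator of the order-Q subgroup: h^((P-1)/Q) for the first h that gives != 1.
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 64)) if g != 1)


def _bind(rp_id: str, challenge: bytes, tx_text: str, r: int) -> int:
    """Hash what the signature must bind: the relying party, the server's
    one-time challenge, the transaction text the user approved, and the
    Schnorr commitment r. Reduced mod Q for use as an exponent."""
    h = hashlib.sha256()
    for part in (rp_id.encode(), challenge, tx_text.encode(), r.to_bytes(16, "big")):
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


class Authenticator:
    """User side. Keeps private keys, one fresh pair per (relying party,
    account), so two sites see unrelated public keys. user_verified stands
    in for the local PIN / biometric check that unlocks the key."""

    def __init__(self):
        self._private_keys = {}

    def register(self, rp_id: str, username: str, user_verified: bool) -> int:
        if not user_verified:
            raise PermissionError("local user verification failed")
        x = secrets.randbelow(Q - 1) + 1            # private key never leaves the device
        self._private_keys[(rp_id, username)] = x
        return pow(G, x, P)                          # only the public key is sent to the RP

    def sign(self, rp_id, username, challenge, tx_text, user_verified):
        if not user_verified:
            raise PermissionError("local user verification failed")
        x = self._private_keys[(rp_id, username)]    # KeyError: no key for this RP
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P)
        e = _bind(rp_id, challenge, tx_text, r)
        return e, (k + x * e) % Q


class RelyingParty:
    """Server side. Stores public keys and outstanding challenges only;
    a dump of this state contains nothing that can produce a login."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.public_keys = {}
        self._pending = {}

    def register(self, username: str, public_key: int) -> None:
        self.public_keys[username] = public_key

    def login_challenge(self, username: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[username] = challenge
        return challenge

    def verify(self, username: str, tx_text: str, signature) -> bool:
        e, s = signature
        y = self.public_keys.get(username)
        challenge = self._pending.pop(username, None)  # single use: a replay finds nothing
        if y is None or challenge is None:
            return False
        r = (pow(G, s, P) * pow(y, Q - e, P)) % P      # g^s * y^-e == g^k when s = k + x*e
        return _bind(self.rp_id, challenge, tx_text, r) == e


def demo() -> dict:
    """Register one device at two relying parties (constructed names) and
    exercise login, replay, transaction tampering and a look-alike origin."""
    device = Authenticator()
    bank = RelyingParty("bank.example")
    shop = RelyingParty("shop.example")
    bank.register("alice", device.register(bank.rp_id, "alice", user_verified=True))
    shop.register("alice", device.register(shop.rp_id, "alice", user_verified=True))

    tx = "Transfer $100 to Frank"
    c = bank.login_challenge("alice")
    sig = device.sign(bank.rp_id, "alice", c, tx, user_verified=True)
    login_ok = bank.verify("alice", tx, sig)
    replay_ok = bank.verify("alice", tx, sig)          # same response a second time

    c2 = bank.login_challenge("alice")
    sig2 = device.sign(bank.rp_id, "alice", c2, tx, user_verified=True)
    tampered_ok = bank.verify("alice", "Transfer $100 to Mallory", sig2)

    # A look-alike origin relaying the bank's challenge: the device has no
    # key registered for it, so there is nothing to sign (origin binding).
    try:
        device.sign("bank-login.example", "alice", bank.login_challenge("alice"), tx, True)
        phish_blocked = False
    except KeyError:
        phish_blocked = True

    return {
        "login_ok": login_ok,
        "replay_ok": replay_ok,
        "tampered_tx_ok": tampered_ok,
        "phish_blocked": phish_blocked,
        "keys_unlinkable": bank.public_keys["alice"] != shop.public_keys["alice"],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the four properties the slides claim: a fresh challenge signed on the device logs in, the same response cannot be replayed because the server consumes the challenge, changing the transaction text after the user approved it invalidates the signature, and the key registered for `bank.example` is unrelated to the one at `shop.example`. The relying party never holds anything a thief of its database could sign with.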

Page 27: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Embrace all kinds of Authenticators: software, proprietary hardware, certified hardware, ...

Page 28: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Risk Based Authentication

Risk scale from Low to High:
•  Login to online account
•  Change shipping address
•  Transfer $10.000

Page 29: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Choice of Security Profiles

[Diagram: three placements of the FIDO stack (UX layer for input and display, crypto layer, FIDO) across user space and secure hardware:]
•  No secure HW: UX layer, crypto layer and FIDO all in user space
•  Secure crypto + storage: crypto layer in secure hardware, UX layer and FIDO in user space
•  Secure execution environment: UX layer, crypto layer and FIDO all in secure hardware

Page 30: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Risk Appropriate Authentication: FIDO Security Spectrum

•  Software only (strong): protects keys
•  TPM/SE (stronger): protects keys, protects crypto
•  TEE + SE (strongest): protects keys, protects crypto, protects code, protects display

Page 31: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

[xkcd, “Security” (a webcomic of romance, sarcasm, math, and language); permanent link to this comic: http://xkcd.com/538/]

Page 32: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

A peek into MODERN AUTHENTICATION

[Diagram: IMPLICIT AUTHENTICATION and EXPLICIT AUTHENTICATION]

Page 33: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

COMPLEMENTS IDENTITY & FEDERATION STANDARDS

[Diagram: first mile = strong auth, where FIDO / strong auth standards replace passwords (labelled “Recreated PMS”); second mile = SSO / federation, covered by federation standards such as SAML and OpenID]

Page 34: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

FIDO Model: Direct to Relying Party OR through IdP

Devices support multiple authenticators.

1. User authenticates to the device
2a. Device authenticates to the relying party (SP), OR
2b. Device authenticates to the identity provider (IdP), and
2c. IdP asserts identity via SAML, OAuth, OpenID Connect…

Page 35: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Recap

Page 36: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Identity & Authentication (recap of the building blocks)

[Diagram: physical-to-digital identity, user management, authentication, federation, single sign-on and personalization as building blocks, applied to e-Gov, payments and security; authentication spans passwords, risk-based and strong, labelled MODERN AUTHENTICATION]

Page 37: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Simplifying and Scaling Authentication: Any Device. Any Application. Any Authenticator.

•  Standardized protocols
•  Local authentication unlocks an app-specific key
•  Key used to authenticate to the server

Page 38: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

IMPLEMENTATION CHALLENGE

A plumbing problem: shades of Rube Goldberg…

[Diagram: applications (App 1, App 2, New App), authentication methods and organizations / relying parties (RP 1), each application wired to its own authentication silo (Silo 1, Silo 2, Silo 3 … Silo N), new combinations marked “?”]

Page 39: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

SIMPLIFIED IMPLEMENTATION: WHAT IS BEING STANDARDIZED

[Diagram: applications (App 1, App 2, New App) and organizations / relying parties (RP 1) now connect through FIDO UNIFIED STANDARDS instead of per-application silos]

•  Online crypto protocol
•  Pluggable authentication

Page 40: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

CONCLUSIONS
•  The enemy is symmetric shared secrets
•  The enemy is poor user experiences and friction
•  FIDO is a building block
•  Even a simple software-based authenticator with a PIN offers many advantages over passwords
•  FIDO complements your investments in federation and improves your security and ease of use

Page 41: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

FIDO Alliance Snapshot July 2014

Page 42: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)


Page 43: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

FIDO Alliance Role
•  Paper specifications, interop and conformance testing, trademark licensing against criteria, thought leadership, nurturing an ecosystem of vendors delivering FIDO implementations to market
•  Alliance does not ship products (only specifications)
  o  Implementations left to commercial vendors
•  FIDO Alliance designs the core protocol
  o  Like SSL, FIDO has no domain semantics
  o  Relying parties and vendors may adapt FIDO into commercial solutions
  o  Vendors may deliver the FIDO specification as product or service, standalone or as part of a solution stack
  o  Extended use cases may be explored by vendors long before being imported into the protocol

Page 44: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Version 1.0 (Review Draft) is in Public Review

Page 45: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

FIDO at Industry Events – Readiness: FIDO-Ready Products & Deployment for Mobile & More

•  SIM + Secure Element
•  PIN + MicroSD, USB
•  Fingerprint, Mobile
•  Speaker Recognition
•  Mobile via NFC*

Page 46: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Useful to keep these separate:
•  Design intent
•  FIDO protocol specification
•  Specific implementations
•  Solution that incorporates FIDO

Page 47: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

MOBILE DEVICES reshaping Security, Commerce

[Diagram: Select → Authenticate → Purchase]

AUTHENTICATION THAT IS “One-Swipe”, “One-Phrase”, “One-Look”, “One Touch”

Page 48: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

OEMs SHIPPING FIDO-READY™ PRODUCTS: new and existing devices are supported!

•  OEM enabled: Samsung Galaxy S5
•  OEM enabled: Lenovo ThinkPads with fingerprint sensors
•  Clients available for these operating systems:
•  Software authenticator examples: voice/face recognition, PIN, QR code, etc.
•  Aftermarket hardware authenticator examples: USB fingerprint scanner, MicroSD secure element

Page 49: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

First FIDO Deployment already live…

49

•  Customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready™ software on the device securely communicates between the fingerprint sensor on their device and PayPal’s service in the cloud. The only information the device shares with PayPal is a unique cryptographic “public key” that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers.

Page 50: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Breaking news for July…
•  Alipay – formerly a part of Alibaba Group in China
•  Processed $519 Billion in transactions in 2013
•  Launched FIDO-based payments using Galaxy S5

Page 51: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Better Security, Better User Experience: Going beyond “Risk, Regulation, Reputation”

[Diagram: Setup → Confirm → Sent]

DESIGN, DELIGHT & DOLLARS!

Page 52: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

Call to Action
•  FIDO is ready for use – launch a POC, pilot
•  Get involved:
  o  Develop or adapt your products to FIDO
  o  Come to the plenary, meet and mingle, speak with the pioneers, select your partners
  o  Join the Alliance and contribute – we are a volunteer-run organization!
  o  Contact [email protected] for membership details
  o  Other questions – [email protected]

Page 53: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

FIN

Page 54: CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

THANK YOU