Michael Barrett, president of the FIDO Alliance
Cloud Identity Summit, July 2014
www.fidoalliance.org Copyright 2014, The FIDO Alliance. All Rights Reserved
Problems, problems, problems
Rampant online attacks
• Major hacks have targeted password databases within Online Gaming, Financial Services and Social Media organizations
• Password re-use is a significant problem – technical analysis of data breaches has shown that 76% of passwords are used across multiple sites
Opportunity for Better Authentication is Upon Us
For Users – Painful to Use
• 25 Accounts • 8 Logins / Day • 6.5 Passwords
For Organizations – Difficult to Secure
• $5.5M / Data Breach • $15M / PWD Reset • $60+ / Token
For the Ecosystem – Impossible to Scale
• Fragmented • Inflexible • Slow to Adopt
Authentication is not a Continuum…
[Chart: a two-by-two grid of Security (Low to High) against Usability (Low to High); quadrants labelled JUST BAD, UNPLEASANT, JUST EASY and “BETTER AUTHENTICATION”]
What is FIDO?
Common authentication plumbing
[Diagram: Users, Devices, Cloud/Enterprise and Federation joined by common authentication plumbing]
WHAT IS NEEDED
• Open Standard Plug-In Approach
• Interoperable Ecosystem
• Usable Authentication
FIDO – Unique Approach: Any Device. Any Application. Any Authenticator.
Standardized Protocols
• Local authentication unlocks app-specific key
• Key used to authenticate to server
Improved security
• Unique cryptographic secret created per user account + device + site
• Protection against brute force attacks
• Segmentation of risk
• Protection against unintentional disclosure
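The slide states the mechanism in two lines: a local check unlocks a key that is specific to one site and account, and that key is used to answer the server. The Go program below is an added example, not FIDO Alliance code and not an implementation of the FIDO specifications. It models one authenticator holding a separate P-256 key pair per (site, account), a server that stores only public keys, and a challenge/response login; the type and function names (Authenticator, RelyingParty, Register, Sign, Login), the host name bank.example and the choice to hash the site identifier into the signed data are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// credential names one key pair: one user account on one device for one site.
type credential struct{ rpID, user string }

// Authenticator models the device side (constructed). Private keys never leave
// it, and it refuses to sign until local authentication (PIN, fingerprint, ...) unlocks it.
type Authenticator struct {
	unlocked bool
	keys     map[credential]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[credential]*ecdsa.PrivateKey{}}
}

// Unlock records the outcome of the local check; nothing about it is sent to a server.
func (a *Authenticator) Unlock(localCheckPassed bool) { a.unlocked = localCheckPassed }

// Register mints a fresh key pair for this site+account and returns only the public half.
func (a *Authenticator) Register(rpID, user string) (*ecdsa.PublicKey, error) {
	if !a.unlocked {
		return nil, fmt.Errorf("local authentication required")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[credential{rpID, user}] = priv
	return &priv.PublicKey, nil
}

// Sign answers a server challenge with the key bound to that site; no shared
// secret exists to guess, reuse or leak, the server only ever sees signatures.
func (a *Authenticator) Sign(rpID, user string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, fmt.Errorf("local authentication required")
	}
	priv, ok := a.keys[credential{rpID, user}]
	if !ok {
		return nil, fmt.Errorf("no credential for %q at %q", user, rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// signedData binds the site identifier into the signed hash, so a response
// produced for one site cannot be replayed at another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the server side: one public key per user and nothing
// else, so a breach of this table yields nothing that logs anyone in anywhere.
type RelyingParty struct {
	ID    string
	creds map[string]*ecdsa.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) StoreCredential(user string, pub *ecdsa.PublicKey) { rp.creds[user] = pub }

// Verify checks the response against the stored public key for this user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.creds[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

// Login runs one round trip: fresh random challenge, signature, verification.
func Login(rp *RelyingParty, auth *Authenticator, user string) (bool, error) {
	challenge := make([]byte, 32) // a new value per login defeats replay
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := auth.Sign(rp.ID, user, challenge)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, challenge, sig), nil
}

func main() {
	auth := NewAuthenticator()
	auth.Unlock(true) // constructed: the local check passed
	bank := NewRelyingParty("bank.example")
	pub, _ := auth.Register(bank.ID, "alice")
	bank.StoreCredential("alice", pub)
	ok, err := Login(bank, auth, "alice")
	fmt.Println("login ok:", ok, "err:", err)
}
```

Registering the same user at a second site produces an unrelated key pair, which is the "segmentation of risk" bullet in code: a signature made for one site does not verify at another, and a locked authenticator signs nothing at all.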
FIDO’s Explosive growth
[Timeline: Feb 2013 – Public Launch, 6 Companies; May 2014 (TODAY) – Public Review Spec, 118 Companies; Next – Industry Standard]
Marrying FIDO to Identity
With thanks to Paul Madsen (whose slides I stole…)
Generic federation flow diagram
Copyright © 2014 Ping Identity Corp. All rights reserved.
Complementary
• FIDO
 – Insulates authentication server from specific authenticators
 – Focused solely on primary authentication
 – Does not support attribute sharing
 – Can communicate details of authentication from device to server
• Federation
 – Insulates application from specific identity providers
 – Does not address primary authentication
 – Does enable secondary authentication & attribute sharing
 – Can communicate details of authentication from IdP to SP
[Chart: Assurance (Low to High) against Frequency of login (Low to High), showing “status quo”]
SSO slide
[Chart: the same axes, showing “status quo” and “federation”]
No more ‘Password123’ bump
FIDO Continuum
[Chart: the same axes, showing “status quo”, “federation” and “FIDO”]
FIDO implications
• FIDO supports a range of assurance – determined by the specifics of the local authentication
• Recall – “Unique cryptographic secret created per user account + device + site”
• Implication is multiple registrations & authentications – which may be sub-optimal from the user’s PoV
FIDO + federation
[Chart: Assurance (Low to High) against Frequency of login (Low to High), showing “status quo”, “federation”, “FIDO” and “FIDO + federation”]
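The Complementary slide says federation can carry details of the authentication from IdP to SP, and the FIDO implications slide says per-site registration multiplies enrolments. Put together, the user registers a FIDO credential once, at the identity provider, and the identity provider vouches for each login to every service provider. The Go program below is an added example of that hand-off, not code from the FIDO Alliance or Ping Identity and not SAML or OpenID Connect: the IdP issues an assertion carrying the authentication method (amr), the authentication time and shared attributes, and the SP checks issuer, audience, freshness and method against its own policy without ever seeing the FIDO credential. The Assertion, IdP and SP types, the HMAC shared key standing in for the identity provider's signing certificate, and the host names are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is a constructed, simplified federation token; SAML and OpenID
// Connect carry the same kinds of fields under their own names.
type Assertion struct {
	Issuer     string            `json:"iss"`       // IdP that performed the login
	Audience   string            `json:"aud"`       // SP the token was minted for
	Subject    string            `json:"sub"`       // the user
	AuthMethod string            `json:"amr"`       // how the IdP authenticated the user
	AuthTime   int64             `json:"auth_time"` // when primary authentication happened
	Expires    int64             `json:"exp"`
	Attributes map[string]string `json:"attrs"` // attribute sharing
}

// SignedAssertion is the payload plus an HMAC over it (constructed stand-in
// for a signature made with the IdP's certificate).
type SignedAssertion struct {
	Payload []byte
	MAC     []byte
}

// IdP holds the user's single FIDO registration and vouches for each login to every SP.
type IdP struct {
	Name   string
	spKeys map[string][]byte // one shared key per SP (constructed)
}

func (idp *IdP) Issue(sp, user, amr string, attrs map[string]string, now time.Time) (SignedAssertion, error) {
	key, ok := idp.spKeys[sp]
	if !ok {
		return SignedAssertion{}, fmt.Errorf("unknown SP %q", sp)
	}
	payload, err := json.Marshal(Assertion{
		Issuer: idp.Name, Audience: sp, Subject: user, AuthMethod: amr, AuthTime: now.Unix(),
		Expires: now.Add(5 * time.Minute).Unix(), Attributes: attrs,
	})
	if err != nil {
		return SignedAssertion{}, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return SignedAssertion{Payload: payload, MAC: mac.Sum(nil)}, nil
}

// SP never sees the FIDO credential; it checks who vouched, for whom, how
// fresh the login is, and whether the reported method meets its own policy.
type SP struct {
	Name        string
	TrustedIdP  string
	IdPKey      []byte
	RequiredAMR string
}

func (sp *SP) Accept(sa SignedAssertion, now time.Time) (*Assertion, error) {
	mac := hmac.New(sha256.New, sp.IdPKey)
	mac.Write(sa.Payload)
	if !hmac.Equal(mac.Sum(nil), sa.MAC) {
		return nil, fmt.Errorf("bad signature")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return nil, err
	}
	switch {
	case a.Issuer != sp.TrustedIdP:
		return nil, fmt.Errorf("untrusted issuer %q", a.Issuer)
	case a.Audience != sp.Name:
		return nil, fmt.Errorf("assertion for %q presented to %q", a.Audience, sp.Name)
	case now.Unix() >= a.Expires:
		return nil, fmt.Errorf("assertion expired")
	case a.AuthMethod != sp.RequiredAMR:
		return nil, fmt.Errorf("authentication method %q does not satisfy policy %q", a.AuthMethod, sp.RequiredAMR)
	}
	return &a, nil
}

func main() {
	key := []byte("constructed-shared-key-for-shop")
	idp := &IdP{Name: "idp.example", spKeys: map[string][]byte{"shop.example": key}}
	shop := &SP{Name: "shop.example", TrustedIdP: "idp.example", IdPKey: key, RequiredAMR: "fido"}
	now := time.Now()
	sa, _ := idp.Issue("shop.example", "alice", "fido", map[string]string{"email": "alice@example.test"}, now)
	a, err := shop.Accept(sa, now.Add(time.Minute))
	fmt.Println(a, err)
}
```

The amr check is where the two slides meet: an SP that requires "fido" accepts one FIDO login performed at the IdP, and rejects an assertion for a password-only login, an assertion minted for a different SP, or one that has expired, without any registration of its own.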
CALL TO ACTION
• AUTHENTICATION IS A FUNDAMENTAL PROBLEM AND IT IS AN INDUSTRY PROBLEM
• NO ONE COMPANY CAN FIX THIS PROBLEM
• JOIN FIDO ALLIANCE – HELP FIX
• OPPORTUNITY TO CREATE NEW SERVICES, NEW MARKETS, NEW INNOVATIONS, NEW BUSINESSES AND NEW REVENUE MODELS
• TAKE THE LEADERSHIP, INCLUDE FIDO SUPPORT AT THE SOURCE ON YOUR DEVICES
• FIDO READY COMMERCIAL PRODUCTS ARE AVAILABLE IN THE MARKET
• MAKE THE CONNECTED WORLD SECURE, PRIVATE, FRAUD FREE, EASY TO USE AND STAY CONNECTED