Page 1
INTRODUCTION TO FIDO AUTHENTICATION
Brett McDowell, Executive Director, FIDO Alliance
[email protected] All Rights Reserved. FIDO Alliance. Copyright 2016.
Page 2
The world has a PASSWORD PROBLEM
Page 3
Data Breaches…
781 data breaches in 2015
170 million records in 2015 (up 50%)
$3.8 million cost per breach (up 23% from 2013)
Page 4
“95% of these incidents involve harvesting credentials stolen from customer devices, then logging into web applications with them.” 2015 Data Breach Investigations Report
Page 5
ONE-TIME PASSCODES: improve security but aren’t easy enough to use
• Still phishable
• User confusion
• Token necklace
• SMS reliability
Page 6
The world has a “SHARED SECRETS” PROBLEM
Page 7
WE NEED A NEW MODEL
Page 8
THE NEW MODEL: Fast IDentity Online
Online authentication using public key cryptography
Page 9
THE FIDO PARADIGM
Chart: security (weak to strong) plotted against usability (poor to easy)
Page 10
HOW FIDO WORKS
AUTHENTICATOR
LOCAL: The user authenticates “locally” to their device (by various means)
ONLINE: The device authenticates the user online using public key cryptography
Page 11
FIDO Registration
1. Invitation sent: the user is in a session or in a new-account flow
2. User approval
3. New keys created
4. Public key registered with online server
Registration complete
Page 12
FIDO Authentication
1. FIDO challenge: the user needs to log in or authorize a transaction
2. User approval
3. Key selected & signs
4. Signed response verified using public key cryptography
Login complete
Page 13
OPEN STANDARDS R.O.I.
FIDO-ENABLE ONCE, GAIN EVERY DEVICE YOU TRUST
NO MORE ONE-OFF INTEGRATIONS
Page 14
USABILITY, SECURITY, R.O.I. and PRIVACY
Page 15
No 3rd Party in the Protocol
No Secrets on the Server Side
Biometric Data (if used) Never Leaves Device
No Link-ability Between Services
No Link-ability Between Accounts
Page 16
The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards
Page 17
Board Members
Page 18
Government Members
Page 19
Liaison Partners
Page 20
FIDO Adoption
Page 21
Deployments are enabled by over 250 FIDO® Certified products available today
Page 22
Number of Certified FIDO Products since program launch

| Date   | Certified products |
|--------|--------------------|
| Apr-15 | 32                 |
| Jul-15 | 62                 |
| Sep-15 | 74                 |
| Dec-15 | 108                |
| Mar-16 | 162                |
| May-16 | 216                |
| Aug-16 | 253                |
Page 23
Leading OEMs Shipping FIDO Certified Devices
S5, Mini Alpha, Note 4, Note 5, Note Edge, Tab S, Tab S2, S6, S6 Edge, S7, S7 Edge
Vernee Thor
Aquos Zeta
Xperia Z5, Xperia Z5 Compact, Xperia Z5 Premium
Mate 8
V10, G5
Phab2 Pro, Phab2 Plus
Z2, Z2 Pro
Arrows NX, Arrows Fit, Arrows Tab
Page 24
FIDO Applications Now Run on iOS
Supported iOS fingerprint devices: iPhone SE, iPhone, iPhone+, iPad Air, iPad Mini, iPad Pro
Page 25
Better security for online services
Reduced cost for the enterprise
Simpler and safer for consumers
Page 26
POLICY DISCUSSION
Page 27
FIDO Impact on Policy
FIDO specifications offer governments newer, better options for strong authentication – but governments may need to update some policies to support the ways in which FIDO is different.
As technology evolves, policy needs to evolve with it.
Page 28
1. Recognize that two-factor authentication no longer brings higher burdens or costs.
• While that was true of most “old” MFA technology, FIDO specifically addresses these cost and usability issues.
• FIDO enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale.
Page 29
2. Recognize technology is now mature enough to enable two secure, distinct auth. factors in a single device.
• Recognized by the US government (NIST) in 2014…
• “OMB (White House) to update guidance on remote electronic authentication” to remove requirements that one factor be separate from the device accessing the resource
• The evolution of mobile devices – in particular, hardware architectures that offer highly robust and isolated execution environments (such as TEE, SE and TPM) – has allowed these devices to achieve high-grade security without the need for a physically distinct token
![Page 30: INTRODUCTION TO FIDO AUTHENTICATION€¦ · “95% of these incidents involve harvesting credentials stolen from customer devices, then logging into web applications with them.”](https://reader035.vdocuments.site/reader035/viewer/2022070803/5f0310177e708231d4075968/html5/thumbnails/30.jpg)
All Rights Reserved. FIDO Alliance. Copyright 2016.
European Banking Authority (EBA) Draft Regulatory Technical Standards on PSD2 Strong Authentication
2. Recognize technology is now mature enough to enable two secure, distinct auth. factors in a single device.
Page 31
3. As governments promote or require strong auth., make sure it is the “right” strong auth.
The market is in the midst of a burst of innovation around authentication technology – some solutions are better than others. Don’t build rules focused on old authentication technology.
• Old authentication technologies impose significant costs and burdens on the user, which decreases adoption
• Old authentication technologies have security (i.e., phishable) and privacy issues, putting both users and online service providers at risk
Page 32
FIDO Delivers on Key Policy Priorities
Security
• Authentication using strong asymmetric public key cryptography
• Superior to old “shared secrets” model: there is nothing to steal on the server
• Biometrics as second factor
Privacy
• Privacy architected in up front; no linkability or tracking
• Biometric data never leaves device
• Consumer control and consent
Interoperability
• Open standards: FIDO 2.0 specs are in W3C standardization process
• FIDO compliance/conformance testing to ensure interoperability of “FIDO Certified” products
Usability
• Designed with the user experience (UX) first, with a goal of making authentication as easy as possible
• Security built to support the user’s needs, not the other way around
Page 33
THANK YOU!
QUESTIONS?
[email protected] | [email protected]