
Who What Why

Board Members

Sponsors

Associates

To Change Authentication Online by:
(a) Developing unencumbered Specifications that define interoperable mechanisms that supplant reliance on passwords
(b) Operating programs to help ensure industry adoption
(c) Submitting mature Specifications for formal standardization

FIDO Alliance's Role
- "Paper" Specifications
- Interoperability and Conformance testing
- Trademark licensing against criteria
- Thought leadership, nurture ecosystem
The Alliance does not ship products! Implementations are left to commercial vendors.

Identity & Authentication (figure): Physical-to-digital identity; User Management; Authentication: Strong, Risk-Based. (Nok Nok Labs, used by permission)

Why Authentication is Cybersecurity Priority #1
"Poor authentication mechanisms are a commonly exploited vector of attack by adversaries; the 2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials."
-- NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12 Feb 2014

Today's Passwords: REUSED, PHISHED, KEYLOGGED

Today's Password Alternatives
- One Time Codes with SMS or LL: PHISHABLE; coverage, delay, cost
- One per site; fragile; users find it hard
- Known attacks today

Major Industry Trend: Simpler, Stronger Local Device Auth
- PERSONAL DEVICES: carry personal data
- LOCAL LOCKING: PINs & patterns today
- NEW WAVE, CONVENIENT SECURITY: simpler, stronger local authentication

Putting It Together
The problem: simpler, stronger online authentication
The trend: simpler, stronger local device authentication
Why not use local device auth for online auth? This is the core idea behind FIDO standards!

FIDO Experiences (ONLINE AUTH REQUEST -> LOCAL DEVICE AUTH -> SUCCESS)
- PASSWORDLESS EXPERIENCE (UAF standards): Transaction detail; show a biometric; done
- SECOND FACTOR EXPERIENCE (U2F standards): Login & password; insert dongle, press button; done

What Have We Done So Far.

FIDO timeline
- Alliance announced: Feb 2013
- FIDO Ready program: Dec 2013
- Specification Review Draft: Feb 2014
- First UAF and U2F deployments: Feb-Oct 2014
- FIDO 1.0 FINAL Specification (UAF & U2F): Dec 9 2014
© 2014 FIDO Alliance

UAF Deployments
Starting in April 2014, customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready software on the device securely communicates between the fingerprint sensor on their device and PayPal's service in the cloud. In July 2014, Alibaba also launched FIDO-based payments using Samsung Galaxy S5.
- Stronger biometric-based authentication
- Easy to deploy
- Biometric information never leaves the device
- Provides a unique public and private key pair for each application or service
Clients available for these operating systems: (logos)
Software Authenticator Examples: Voice/Face recognition, PIN, QR Code, etc.
Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element

U2F Deployment
In late October, Google released support for U2F in its Chrome browser. In parallel, Yubico and Plug-Up introduced FIDO U2F Security Keys, public key hardware devices that provide high security using strong authentication based on the FIDO U2F protocol.
- Stronger two-step verification (2SV) for Google Accounts users
- Easy to deploy; works seamlessly on Windows, OS X and Linux
- Security Key performs cryptographic functions
- Provides a unique public and private key pair for each application it protects

FIDO Ready(TM) (table of certified vendors): Entersekt, eyeLock, Feintian, Sonovation, Nok Nok Labs, plug-up, Samsung SDS, StrongAuth, SurePass ID, Yahoo! Japan, Synaptics, Diamond Fortress, EgisTec, Go-Trust, Infineon, NXP, Agnitio, DDS, Yubico

Key Benefit for Service Providers

Privacy & Security Design
- No 3rd party in the protocol
- No secrets on the server side
- Biometric data (if used) never leaves the device
- No link-ability between services
- No link-ability between accounts

Summary of FIDO today
- Final 1.0 spec announced
- Explosive growth in Alliance membership
- First products are shipping
- First deployments are live
- Great momentum heading into 2015
To learn more about membership, join.

How it works

FIDO Registration (using public key cryptography)
1. Registration begins
2. User approval
3. New key created
4. Key registered; registration complete

FIDO Login (using public key cryptography)
1. Login
2. Login challenge
3. User approval; key selected; login response
4. Login complete

Decouple User Verification Method from Authentication Protocol
- PLUGGABLE LOCAL AUTH: user approval (steps 1-2)
- ONLINE SECURITY PROTOCOL: login challenge, key selected, login response, registration complete (steps 3-4), leveraging public key cryptography
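The registration and login slides above describe a challenge-response flow built on per-service key pairs, and the privacy slide claims that this leaves no secrets on the server and no link between services. The following Go program is an added illustration of that structure; it is not FIDO Alliance code and not the UAF or U2F wire protocol (it omits key handles, attestation, counters and encodings). The `Authenticator`, `RelyingParty` and `RunFlow` names and the two service identifiers are hypothetical, and ECDSA on P-256 from the Go standard library is chosen here only as a concrete public-key signature scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device (hypothetical name). It holds one
// private key per service, so credentials at different services cannot be
// linked and the private key never leaves the device.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // service ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register creates a fresh key pair for rpID after local user approval and
// returns only the public key for the server to store.
func (a *Authenticator) Register(rpID string, userApproved bool) (*ecdsa.PublicKey, error) {
	if !userApproved {
		return nil, errors.New("user did not approve registration")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a login challenge with the key registered for rpID. The service
// ID is bound into the signed message so the response is useless elsewhere.
func (a *Authenticator) Sign(rpID string, challenge []byte, userApproved bool) ([]byte, error) {
	if !userApproved {
		return nil, errors.New("user did not approve login")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no key registered for this service")
	}
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RelyingParty models the server (hypothetical name). It stores public keys
// only: a copy of this table does not let anyone log in.
type RelyingParty struct {
	id   string
	keys map[string]*ecdsa.PublicKey // username -> registered public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, keys: make(map[string]*ecdsa.PublicKey)}
}

func (rp *RelyingParty) StoreKey(user string, pub *ecdsa.PublicKey) { rp.keys[user] = pub }

// NewChallenge returns a fresh random nonce for a single login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the login response against the user's stored public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.keys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(append([]byte(rp.id+"|"), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RunFlow registers one user with two services, logs in at the first, and
// then replays that response at the second. It returns (loginOK, crossOK):
// loginOK should be true, crossOK false because each service has its own key.
func RunFlow() (bool, bool, error) {
	auth := NewAuthenticator()
	rpA := NewRelyingParty("bank.example")    // constructed service ID
	rpB := NewRelyingParty("shop.example")    // constructed service ID
	for _, rp := range []*RelyingParty{rpA, rpB} {
		pub, err := auth.Register(rp.id, true)
		if err != nil {
			return false, false, err
		}
		rp.StoreKey("alice", pub)
	}
	chal, err := rpA.NewChallenge()
	if err != nil {
		return false, false, err
	}
	sig, err := auth.Sign(rpA.id, chal, true)
	if err != nil {
		return false, false, err
	}
	return rpA.Verify("alice", chal, sig), rpB.Verify("alice", chal, sig), nil
}

func main() {
	ok, cross, err := RunFlow()
	fmt.Println("login verified:", ok, "replay at other service verified:", cross, "err:", err)
}
```

The two properties worth checking when reading the code are that `RelyingParty` never holds anything but public keys and a per-attempt nonce, and that a response captured for one service fails verification at another because the authenticator registered a distinct key pair there and bound the service ID into the signed digest.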

THANK YOU
Brett McDowell, [email protected]
