Beyond Passwords: FIDO & the Future of Consumer Authentication
1 like786 views
The document discusses the transformation in consumer authentication led by FIDO, addressing the prevalent issues with passwords and advocating for stronger, simpler authentication methods using public key cryptography. It highlights FIDO's certification programs, regulatory impacts, and how various global entities are adopting FIDO standards to enhance security. The future of authentication is portrayed as an ongoing collaboration within the industry, focusing on interoperability and user identity protection.
Beyond Passwords: FIDO & the Future of Consumer Authentication
- 1. All Rights Reserved | FIDO Alliance | Copyright 20181 BEYOND PASSWORDS: FIDO & THE FUTURE OF CONSUMER AUTHENTICATION DAVE BOSSIO HEAD OF OPERATING SYSTEM SECURITY, MICROSOFT SEPTEMBER 19, 2018
- 2. All Rights Reserved | FIDO Alliance | Copyright 20182 THE WORLD HAS A PASSWORD PROBLEM Data breaches in 2016 that involved weak, default, or stolen passwords1 81% Phishing attacks were successful in 20161 Breaches in 2017, a 45% increase over 20162 1 IN 14 1,579 CLUMSY | HARD TO REMEMBER | NEED TO BE CHANGED ALL THE TIME
- 3. All Rights Reserved | FIDO Alliance | Copyright 20183 THE SOLUTION: SIMPLER *AND* STRONGER open standards for simpler, stronger authentication using public key cryptography Single Gesture Phishing-resistant MFA = SECURITY USABILITY Poor Easy WeakStrong
- 4. All Rights Reserved | FIDO Alliance | Copyright 20184 FIDO IS “HIGH-ASSURANCE STRONG AUTHENTICATION” Javelin Strategy & Research, 2017 State of Authentication Report High-assurance strong authentication = ✓ Use of two + factors ✓ At least one leverages public key cryptography ✓ Not susceptible to phishing, man-in-the-middle and/or other attacks targeting credentials
- 5. All Rights Reserved | FIDO Alliance | Copyright 20185 FIDO ECOSYSTEM STATUS CERTIFICATIONS MEMBERS & PARTNERS DEPLOYMENTSREGULATORY FIT SPECIFICATIONS
- 6. All Rights Reserved | FIDO Alliance | Copyright 20186 BOARD MEMBERS LEADING THE WAY CONSUMER ELECTRONICS SECURITY & BIOMETRICS HIGH-ASSURANCE SERVICES
- 7. LIAISON PROGRAM All Rights Reserved | FIDO Alliance | Copyright 20187
- 8. All Rights Reserved | FIDO Alliance | Copyright 20188 FIDO CERTIFIED ECOSYSTEM (SAMPLE) PHONES, PCs, & BROWSERS SECURITY KEYS CLOUD/SERVER SOLUTIONS
- 9. All Rights Reserved | FIDO Alliance | Copyright 20189 EARLY ADOPTERS DEPLOYING (SAMPLE) Past Testing/Pilot/PoC stage… Becoming mainstream “best practice”
- 10. All Rights Reserved | FIDO Alliance | Copyright 201810 FIDO’S IMPACT ON GOVERNMENT POLICIES US (NIST/OMB): Technology now enables two secure, distinct authentication factors in a single device (2014) US Commission: Emphasizes authentication, cites open-source standards and specifications such as FIDO Authentication as best models (2016) US Senate: Senator Ron Wyden issues letter to bank regulators, asking for support of U2F (2017) US (NIST/OMB): FIDO Authentication meets new Authenticator Assurance Level 3 requirements (2017)
- 11. All Rights Reserved | FIDO Alliance | Copyright 201811 FIDO’S IMPACT ON GOVERNMENT POLICIES UK Government: Cites emerging industry standards such as FIDO for future to replace passwords (2016) European Banking Authority PSD2: Accepts one device two-factor authentication (2017) Taiwan Bank Assoc. and Financial Supervisory Commission: Client-side biometrics are appropriate to use for e-Banking applications (2016) Korean Internet Security Agency: Embraces FIDO Specifications as part of a broader, more modern and vendor-neutral approach to authentication (2017)
- 12. All Rights Reserved | FIDO Alliance | Copyright 201812 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Require user gesture before private key can be used Challenge (Signed) Response Private key dedicated to one app Public key
- 13. All Rights Reserved | FIDO Alliance | Copyright 201813 FIDO SPECIFICATIONS Passwordless Experience (UAF Standards) Authenticated Online 3 Biometric User Verification* 21 ? Authentication Challenge Authenticated Online 3 Second Factor Challenge Insert Dongle* / Press Button Second Factor Experience (U2F Standards) *There are other types of authenticators 21
- 14. All Rights Reserved | FIDO Alliance | Copyright 201814 WEB AUTHENTICATION SPECIFICATION BRINGS FIDO TO THE PLATFORM Participation from all of these platform providers World Wide Web Consortium (W3C) developing a Web Authentication specification based on 3 FIDO Alliance technical specifications A new standard JavaScript API Works with all FIDO2 platforms and authenticators ? Candidate Recommendation
- 15. All Rights Reserved | FIDO Alliance | Copyright 201815 FIDO SPECIFICATIONS FIDO2 (CTAP & Web Authentication)
- 16. All Rights Reserved | FIDO Alliance | Copyright 201816 FIDO CERTIFIED PROGRAMS • Functional Interoperability Testing: • Enables servers, clients, SDKs and authenticators to officially be identified as FIDO Certified • Ensures interoperability across the FIDO ecosystem • 475+ Certified implementations to date • Certified Authenticator Levels • Assure that authenticator secrets are protected on all FIDO Implementation Types • Based on third-party laboratory verification of FIDO Security Requirements • Done in coordination with existing security programs • Universal Server: • Ensures compatibility with all FIDO Certified Authenticators
- 17. 17 CERTIFIED AUTHENTICATOR LEVELS DETAILS
- 18. All Rights Reserved | FIDO Alliance | Copyright 201818 BIOMETRIC CERTIFICATION • First of its kind program • Empirically validates biometrics components through third-party labs • Assures that biometrics correctly identify users regardless of modality on all FIDO Implementation Types
- 19. All Rights Reserved | FIDO Alliance | Copyright 201819 FIDO: THE FUTURE OF CONSUMER AUTHENTICATION FIDO Authentication is the industry’s response to the password problem • INDUSTRY SUPPORT - FIDO represents the efforts of some of the world’s largest companies whose very businesses rely upon better user authentication • THOUSANDS OF SPEC DEVELOPMENT HOURS - Now being realized in products being used every day • ONGOING INNOVATION - Specifications, certification programs, and deployment working groups establishing best implementation practices • ENABLEMENT - Leading service providers representing billions of user identities are already FIDO- enabling their authentication processes
- 20. All Rights Reserved | FIDO Alliance | Copyright 201820 Join the FIDO Ecosystem www.fidoalliance.org Deploy Take Part in FIDO Events Build FIDO Certified Solutions Join the Alliance