CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
13 likes5,890 views
The document discusses the FIDO (Fast IDentity Online) Alliance's goal to enhance online authentication by implementing simpler and stronger methods over traditional passwords. It emphasizes the need for open standards that enable interoperable authentication mechanisms, focusing on leveraging public key cryptography for greater security and user privacy. The FIDO Alliance aims to foster industry adoption of these standards while improving user experience and reducing reliance on third-party authentication methods.
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
- 1. © 2014 FIDO Alliance Standards for Simpler Stronger Authentication Rajiv Dholakia – VP Products & Business Development , Nok Nok Labs rajiv@noknok.com
- 3. I.T. HAS SCALED: IT’S A HETEROGENEOUS WORLD $$$ Technological capabilities: (1971 ! 2013) Clock speed x4700 #transistors x608k Structure size /450 Price: (1980 ! 2013) HDD $/MB /12k NV RAM $/MB /1.3m Ubiquity: More than 7bn mobile connected devices by end of 2013 Connectivity: (2013) 34% of all people ww have internet access Relevance: (2012) $1 trillion eCommerce Social media: (2013) >10% of all people ww active NOK NOK LABS
- 4. The Authentication Tower of Babel Silos, proprietary, privacy, reliance on 3rd party, tolls NOK NOK LABS ? 4
- 5. IMPLEMENTOR’s PERSPECTIVE: A CHALLENGE Aplumbingproblem:ShadesofRubeGoldberg… NOK NOK LABS App 2 New App ? RP 1 RP 1 App 1 ? Applications Authentication MethodsOrganizations Silo 1 Silo 2 Silo N Silo 3 5
- 6. Taking lessons from History 6 Authentication SSL Communication ???
- 7. Common authentication plumbing 7 Users Cloud/Enterprise Devices Federation Open Standard Plug-In Approach Interoperable Ecosystem Usable Authentication WHAT IS NEEDED
- 8. FIDO 101
- 9. Goal: Simpler, Stronger Authentication (a) Developing unencumbered Specifications that define interoperable mechanisms that supplant reliance on passwords (b) Operating programs to help ensure industry adoption (c) Submitting mature Specifications for formal standardization Mission: To Change Authentication Online by:
- 10. Identity & Authentication Building Blocks NOK NOK LABS 10 Physical-to-digital identity User Management Authentication Federation Single Sign-On E-Gov Payments Security Passwords Risk-BasedStrong MODERN AUTHENTICATION Personalization
- 11. User Authentication Online Do you want to login? Do you want to transfer $100 to Frank? Do you want to ship to a new address? Do you want to delete all of your emails? Do you want to share your dental record? Authentication today: Ask user for a password (and perhaps a one time code)
- 12. Today’s Passwords REUSED PHISHED KEYLOGGED
- 13. Today’s Password Alternatives One Time Codes with SMS or Device SMS USABILITY DEVICE USABILITY USER EXPERIENCE STILL PHISHABLE Coverage | Delay | Cost One per site | $$ | Fragile User find it hard Known attacks today
- 14. Megatrend Simpler, Stronger Local Device Auth PERSONAL DEVICES LOCAL LOCKING NEW WAVE: CONVENIENT SECURITY Carry Personal Data Pins & Patterns today Simpler, Stronger local auth
- 15. Putting It Together The problem: Simpler, Stronger online The trend: Simpler, Stronger local device auth Why not: Use local device auth for online auth? This is the core idea behind FIDO standards!
- 16. FIDO Experiences LOCAL DEVICE AUTH SUCCESSONLINE AUTH REQUEST PASSWORDLESS EXPERIENCE (UAF standards) SECOND FACTOR EXPERIENCE (U2F standards) Show a biometricTransaction Detail Done Login & Password Insert Dongle, Press button Done
- 17. FIDO Registration REGISTRATION BEGINS USER APPROVAL REGISTRATION COMPLETE NEW KEY CREATED USER APPROVAL KEY REGISTERED 1 2 Using Public key Cryptography 4 3
- 18. FIDO Login LOGIN USER APPROVAL LOGIN COMPLETE KEY SELECTED LOGIN CHALLENGE LOGIN RESPONSE 1 2 4 3 Login Using Public key Cryptography
- 19. Decouple User Verification Method from Authentication Protocol LOGIN USER APPROVAL REGISTRATION COMPLETE KEY SELECTED LOGIN CHALLENGE LOGIN RESPONSE 1 2 4 3 Leverage public key cryptography ONLINE SECURITY PROTOCOL PLUGGABLE LOCAL AUTH
- 20. User Device User Agent Mobile Apps Authenticator Abstraction (ASM) Authenticators Authenticators Private Keys Authentication Keys Attestation Keys Relying Party Web Application FIDO UAF Server Authentication Keys Attestation Key Public KeysRegistration, Authentication & Transaction Confirmation! UAF Protocol UAF ARCHITECTURE OVERVIEW UAF Authenticators
- 21. Relying Party User Side U2F APDU USB API NFC API Bluetooth API U2F JS API Secure U2F Element Connectors USB NFC Bluetooth Web Application FIDO U2F Server User Keys U2F Flow Diagram User Action BrowserU2F Token
- 22. Options Passwordless UX = UAF: Universal Auth Framework • User carries client device with UAF stack installed • User presents a local biometric or PIN • Website can choose whether to retain password Simpler Stronger Authentication Second Factor UX = U2F: Universal Second Factor • User carries U2F device with built- in support in web browsers • User presents U2F device • Website can simplify password (e.g, 4 digit PIN)
- 24. No 3rd Party in the Protocol
- 25. No secrets on Server side
- 26. Focus on User Privacy • Biometric data never leaves user’s device • No linkability between RPs • No linkability between RP accounts
- 27. Embrace all kinds of Authenticators software, proprietary hardware, certified hardware, ...
- 28. Risk Based Authentication " Login to online account " Change shipping address " Transfer $10.000 Low High
- 29. Choice of Security Profiles NOK NOK LABS User Space Secure Hardware FIDO UX Layer Input, Display Crypto Layer FIDO UX Layer Input, Display Crypto Layer FIDO Crypto Layer UX Layer Input, Display No Secure HW Secure Crypto + Storage Secure Execution Environment
- 30. Risk Appropriate Authentication 30 Strong Stronger FIDO Security Spectrum Software Only ID TPM/SE ID TEE + SE ID Protects Keys Protects Keys Protects Crypto Protects Keys Protects Crypto Protects Code Protects Display Strongest
- 31. Permanent link to this comic: http://xkcd.com/538/ A webcomic of romance, sarcasm, math, and language. On SECURITY
- 32. A peek into MODERN AUTHENTICATION 32NOK NOK LABS IMPLICIT AUTHENTICATION EXPLICIT AUTHENTICATION
- 33. COMPLEMENTS IDENTITY & FEDERATION STANDARDS NOK NOK LABS 33 STRONG AUTH PASSWORDS SSO/FEDERATION Recreated PMS First Mile Second Mile SAML OpenID FIDO/Strong Auth Federation Standards
- 34. FIDO Model: Direct to Relying Party OR through IdP 34Devices support multiple authenticators User Authenticates to the Device Relying Parties (SP) Device Authenticates to Relying Party 2a 1 Identity Provider (IdP) 2b OR Device Authenticates to Identity Provider (IDP) 2c IDP asserts identity via SAML, Oauth, OpenID Connect… OR
- 35. Recap
- 36. Identity & Authentication NOK NOK LABS 36 Physical-to-digital identity User Management Authentication Federation Single Sign-On E-Gov Payments Security Passwords Risk-BasedStrong MODERN AUTHENTICATION Personalization
- 37. Simplifying and Scaling Authentication AnyDevice.AnyApplication.AnyAuthenticator. 37 Standardized Protocols Local authentication unlocks app specific key Key used to authenticate to server
- 38. IMPLEMENTATION CHALLENGE Aplumbingproblem:ShadesofRubeGoldberg… NOK NOK LABS App 2 New App ? RP 1 RP 1 App 1 ? Applications Authentication MethodsOrganizations Silo 1 Silo 2 Silo N Silo 3 38
- 39. SIMPLIFIED IMPLEMENTATION WHATISBEINGSTANDARDIZED App 2 Applications Authentication Methods RP 1 RP 1 App 1 New App FIDO UNIFIED STANDARDS Organizations ? 39 Online Crypto Protocol Pluggable Authentication
- 40. CONCLUSIONS • The enemy is symmetric shared secrets • The enemy is poor user experiences and friction • FIDO is a building block • Even simple software-based authenticator with a pin offers many advantages over passwords • FIDO complements your investments in federation and improves your security and ease of use
- 41. FIDO Alliance Snapshot July 2014
- 42. 42Nok Nok Labs Confidential — Do Not Distribute
- 43. FIDO Alliance Role • Paper Specifications, Interop and Conformance testing, Trademark licensing against criteria, thought leadership, nurture ecosystem of vendors delivering FIDO implementations to market • Alliance does not ship products (only specifications) o Implementations left to commercial vendors • FIDO Alliance designs core protocol o Like SSL, FIDO has no domain semantics o Relying parties and Vendors may adapt FIDO into commercial solutions o Vendors may deliver FIDO specification as product or service, standalone or as part of a solution stack o Extended use cases may be explored by vendors long before imported into protocol
- 44. Version 1.0 (Review Draft) is in Public Review
- 45. FIDO at Industry Events – Readiness FIDO-Ready Products & Deployment for Mobile & More SIM + Secure Element PIN + MicroSD, USB Fingerprint, Mobile Speaker Recognition Mobile via NFC*
- 46. Useful to keep these separate: Design Intent FIDO Protocol Specification Specific Implementations Solution that incorporates FIDO
- 47. Select Authenticate Purchase 47 MOBILE DEVICES reshaping Security, Commerce NOK NOK LABS AUTHENTICATION THAT IS “One-Swipe”, “One-Phrase”, “One-Look”, “One Touch”
- 48. OEMs SHIPPING FIDO-READY ™ PRODUCTS New and existing devices are supported 48 OEM Enabled: Samsung Galaxy S5OEM Enabled: Lenovo ThinkPads with Fingerprint Sensors Clients available for these operating systems : Software Authenticator Examples: Voice/Face recognition, PIN, QR Code, etc. Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element
- 49. First FIDO Deployment already live… 49 • Customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready™ software on the device securely communicates between the fingerprint sensor on their device and PayPal’s service in the cloud. The only information the device shares with PayPal is a unique cryptographic “public key” that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers.
- 50. Breaking news for July… • Alipay – formerly a part of Alibaba Group in China • Processed $519 Billion in transactions in 2013 • Launched FIDO-based payments using Galaxy S5
- 51. Better Security, Better User Experience Goingbeyond“Risk,Regulation,Reputation” 51 Setup Confirm Sent DESIGN, DELIGHT & DOLLARS!
- 52. Call to Action • FIDO is ready for use – launch a POC, Pilot • Get involved: o Develop or adapt your products to FIDO o Come to the plenary, meet and mingle, speak with the pioneers, select your partners o Join the Alliance and contribute – we are a volunteer run organization! o Contact donal@fidoalliance.org for membership details o Other questions – rajiv@noknok.com
- 53. FIN
- 54. THANK YOU