Introduction to FIDO: A New Model for Authentication

All Rights Reserved | FIDO Alliance | Copyright 20171
Jeremy Grant, Managing Director, The Chertoff Group
INTRODUCTION TO FIDO:
A New Model for Authentication
#FIDOseminar

AGENDA:
THE PROBLEM
THE SOLUTION
FIDO ADOPTION
FIDO AND GOVERNMENT

THE WORLD HAS A PASSWORD PROBLEM

THE WORLD HAS A PASSWORD
PROBLEM
63% of data breaches
in 2015 involved
weak, default, or
stolen passwords
-Verizon 2016 Data
Breach Report
Data breaches
expected to reach
1,000 in 2016
up 22% from 2015
-Identity Theft Resource
Center
Each data breach
costs $3.8 million
on average
up 23% from 2013
-Ponemon Institute
SevenWaysYahoo’s 500M-User Data Breach
Affects Banks

ONE-TIME PASSCODES
Improve security but aren’t easy enough to use
Still
Phishable
User
Confusion
Token
Necklace
SMS
Reliability

THE WORLD HAS A “SHARED SECRETS” PROBLEM

WE NEED A
NEW MODEL

AGENDA:
THE PROBLEM
THE SOLUTION
FIDO ADOPTION
FIDO AND GOVERNMENT

THE NEW MODEL
Fast IDentity Online
online authentication using
public key cryptography

THE FACTS ON FIDO
The FIDO Alliance is an open
industry association of over
250 organizations with a
focused mission:
300+
FIDO Certified Solutions
3 BILLION
Available to protect
user accounts worldwide
Today, its members provide
the world’s largest ecosystem
for standards-based,
interoperable authentication
AUTHENTICATION
STANDARDS
based on public key cryptography
to solve the password problem

FIDO Alliance Mission
Develop
Specifications
Operate
Adoption Programs
Pursue Formal
Standardization
1 2 3

DRIVEN BY 250 MEMBERS
Leading global brands and technology providers
+ SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS

THE OLD
PARADIGM
SECURITY
USABILITY
Poor Easy
WeakStrong

THE FIDO
PARADIGM
SECURITY
USABILITY
Poor Easy
WeakStrong
authentication

ONLINE CONNECTION
The user authenticates themselves online by
presenting a human-readable “shared secret”
HOW OLD AUTHENTICATION WORKS

HOW FIDO WORKS
LOCAL CONNECTION
ONLINE CONNECTION
The device
authenticates the
user online using
public key
cryptography
The user
authenticates
“locally” to
their device
(by various means)

Passwordless Experience Second Factor Experience
Flexible authentication spanning
a myriad of service providers
ENHANCED AUTHENTICATION
EXPERIENCES

User Approval
2
Registration
Complete
4
New Keys Created
3
User is in a Session
or New Account Flow
1
PUBLIC KEY REGISTERED
WITH ONLINE SERVER
INVITATION SENT
FIDO REGISTRATION

User Approval
2
Login
Complete
4
Key Selected & Signs
3
User needs to login or
authorize a transaction
1
SIGNED RESPONSE
VERIFIED USING PUBLIC
KEY CRYPTOGRAPHY
FIDO CHALLENGE
FIDO AUTHENTICATION

USABILITY, SECURITY, R.O.I.
and
PRIVACY

No 3rd Party in the Protocol
No Secrets on the Server Side
Biometric Data (if used) Never Leaves Device
No Link-ability Between Services
No Link-ability Between Accounts

EU Privacy Principle FIDO Implementation of EU Privacy Principle
Personal data must be processed
fairly and lawfully
For a User to access a Relying Party’s services through FIDO Authentication, the User must first agree to register with that Relying Party. When the User
wishes to access the online service, they must execute the User Verification step, e.g. touching a sensor, entering a passcode, or providing their fingerprint,
in order to execute the cryptographic computation. This ensures that malware installed on the User’s device is unable to autonomously perform FIDO
operations.
Personal data can only be processed
for one or more specified lawful
purpose(s)
The Personal Data required to access an online service, such as a fingerprint, can only be accessed by the FIDO Authenticator which is part of the User’s
device. The FIDO Authenticator can only access such data when it is required to perform an Authentication. The FIDO protocol requires a minimum amount
of data stored by the Relying Party, for which the user is required to provide consent.
Personal data must be adequate,
relevant, and not excessive in
relation to the purposes for which it
is being used
The data needed to perform an Authentication is collected by the Relying Party when the User registers with it. This data is:
 A public key: This allows the Relying Party to verify that the FIDO Authenticator being used is the one previously registered by the User.
 Authenticator Attestation ID (AAID): This is a reference that allows the Relying Party to look-up the characteristics of the used FIDO Authenticator.
 Key Handle: An identifier created by a FIDO Authenticator, potentially containing an encrypted private key, to refer to a specific key maintained the
FIDO Authenticator.
Personal data must be accurate and
up to date
The data used for FIDO Authentication, such as the registered public key, must be accurate since cryptographic verification fails otherwise.
If the data becomes corrupted for any reason, the User needs to re-register with the Relying Party. Re-registration changes the registered public key.
Personal data must not be kept for
longer than necessary to fulfil the
purposes for which it was collected
The User may de-register from a Relying Party at any time. Once de-registration has taken place the Public key held by the Relying Party is of no further use.
Personal data must be kept secure Allowing users to authenticate using FIDO Authentication provides a greater level of security around accessing personal data than passwords alone.
Data required for local User Verification is stored locally on the FIDO Authenticator. FIDO-related data stored at the Relying Party is not confidential by
itself. The FIDO Authenticator is required to protect data required for User Verification and FIDO-related data, such as cryptographic keys, against
unauthorized access by third parties.
Personal data must be processed in
accordance with rights of data
subjects
Personal data used to authenticate a User can only be accessed by that User when the User wishes to be authenticated.
Personal data cannot be transferred
outside a given geographical area,
such as the EEA, without specific
circumstances being in place.
Personal data held in a FIDO Authenticator will be protected by the same mechanisms irrespective of the device’s location and the device can only leave the
EEA if the owner wishes it to do so.
The FIDO Server used by the Relying Party does not contain personal data.
FIDO WAS DESIGNED FROM THE START TO SUPPORT THE PRIVACY
PRINCIPLES OF THE EUROPEAN DATA PROTECTION DIRECTIVE

AGENDA:
THE PROBLEM
THE SOLUTION
FIDO ADOPTION
FIDO AND GOVERNMENT

FIDO 1.0
FINALFirst
Deployments
UAF & U2FSpecification
Review Draft
FIDO Ready
Program
FEB
2013
DEC
2013
FEB
2014
FEB-OCT
2014
DEC 9
2014
MAY
2015
FEB
2016
Formal
Standardization
JUNE
2015
Certification
Program
New U2F
Transports
NOV
2016
FIDO 1.1
FIDO DEVELOPMENT TIMELINE
Alliance
Announced

FIDO-ENABLED APPS + SERVICES
3 BILLION
AVAILABLE TO PROTECT
ACCOUNTS WORLDWIDE

Deployments are enabled by over 300
FIDO® Certified products
available today

CERTIFICATIONS – 200% YoY GROWTH
152
64
32
62
74
108
162
216
253
304
Apr-15 Jul-15 Sep-15 Dec-15 Mar-16 May-16 Aug-16 Dec-16
230
74
 An open competitive market
 Ensures interoperability
 Sign of mature FIDO ecosystem

FIDO IN THE ANDROID ECOSYSTEM
S5,
Mini
Alpha Note 4,5 Note
Edge
Tab S,
Tab S2
S6,
S6 Edge
S7,
S7 Edge
Vernee
Thor
Xperia Z5
SO-01H
Xperia Z5
Compact
SO-02H
Xperia Z5
Premium
SO-03H
Mate 8
V10 G5
Z2, Z2
Pro Xperia X
Performance
Xperia XZ Xperia X
Compact
SO-02J
Arrow
s
NX
Arrow
s
Fit
Arrow
s
Tab
F-02HF-04HF-04G
F-01H
Aquos Zeta
SH-02J
MO1T
F-01J

Supported iOS fingerprint devices
iPhone SE iPhone & iPhone+
iPad Pro iPad Air, Mini
FIDO IN THE iOS ECOSYSTEM

FIDO IN THE WINDOWS + WEB ECOSYSTEMS
Windows Platforms Web
Yoga 910

AGENDA:
THE PROBLEM
THE SOLUTION
FIDO ADOPTION
FIDO AND GOVERNMENT

AUTHENTICATION IS IMPORTANT TO GOVERNMENT
1. Protects access to government assets
2. Enables more high-value citizen-facing services
3. Empowers private sector to provide a wider range of high value
services to consumers
4. Secures critical assets and infrastructure
Governments seek identity solutions that can deliver not just improved
Security – but also Privacy, Interoperability, and better Customer
Experiences

FIDO IMPACT ON POLICY
FIDO specifications offer governments newer, better options for
strong authentication – but governments may need to update
some policies to support the ways in which FIDO is different.
As technology evolves,
policy needs to evolve with it.

AS TECHNOLOGY EVOLVES,
POLICY NEEDS TO EVOLVE WITH IT.
• While this statement was true of most “old” MFA
technology, FIDO specifically addresses these cost
and usability issues
• FIDO enables simpler, stronger authentication
capabilities that governments, businesses and
consumers can easily adopt at scale
1) Recognize that two-factor authentication
no longer brings higher burdens or costs

• Recognized by the U.S. government (NIST) in 2014
• “OMB (White House) to update guidance on remote
electronic authentication” to remove requirements
that one factor be separate from the device accessing
the resource
• The evolution of mobile devices – in particular,
hardware architectures that offer highly robust and
isolated execution environments (such as TEE, SE and
TPM) – has allowed these devices to achieve high-
grade security without the need for a physically
distinct token
2) Recognize technology is now mature enough to enable
two secure, distinct authn factors in a single device

2) Recognize technology is now mature enough to enable
two secure, distinct authn factors in a single device

• The market is in the midst of a burst of innovation around
authentication technology—some solutions are better than others. Don’t
build rules focused on old authentication technology
• Old authentication technologies impose significant costs and burdens on
the user—which decreases adoption
• Old authentication technologies have security (i.e., phishable) and
privacy issues—putting both users and online service providers at risk
3) As governments promote or require strong authentication,
make sure it is the “right” authentication

Priorities:
• Ensuring that future online
products and services coming
into use are “secure by default”
• Empowering consumers to
“choose products and services
that have built-in security as a
default setting.”
“[We will] invest in technologies like Trusted Platform Modules (TPM)
and emerging industry standards such as Fast IDentity Online (FIDO),
which do not rely on passwords for user authentication, but use the
machine and other devices in the user’s possession to authenticate.
The Government will test innovative authentication mechanisms to
demonstrate what they can offer, both in terms of security and overall
user experience.”
FIDO IS IMPACTING HOW GOVERNMENTS THINK
ABOUT AUTHENTICATION

U.S. Commission on Enhancing
National Cybersecurity:
• Bipartisan commission established by
the White House in April – charged
with crafting recommendations for
the next President
• Major focus on Authentication
FIDO IS IMPACTING HOW GOVERNMENTS THINK
ABOUT AUTHENTICATION

US COMMISSION ON ENHANCING NATIONAL
CYBERSECURITY
“Other important work that must be undertaken to
overcome identity authentication challenges includes the
development of open-source standards and specifications
like those developed by the Fast IDentity Online (FIDO)
Alliance. FIDO specifications are focused largely on the
mobile smartphone platform to deliver multifactor
authentication to the masses, all based on industry
standard public key cryptography.
Windows 10 has deployed FIDO specifications (known as
Windows Hello), and numerous financial institutions have
adopted FIDO for consumer banking. Today, organizations
complying with FIDO specifications are able to deliver
secure authentication technology on a wide range of
devices, including mobile phones, USB keys, and near-field
communications (NFC) and Bluetooth low energy (BLE)
devices and wearables.
This work, other standards activities, and new tools that
support continuous authentication provide a strong
foundation for opt-in identity management for the digital
infrastructure.”

Security
Privacy Interoperability
Usability
FIDO DELIVERS ON KEY PRIORITIES

QUESTIONS?
THANK YOU!
jeremy.grant@chertoffgroup.com
info@fidoalliance.org

Introduction to FIDO: A New Model for Authentication

More Related Content

What's hot (20)

Viewers also liked (17)

Similar to Introduction to FIDO: A New Model for Authentication (20)

More from FIDO Alliance (20)

Recently uploaded (20)

Introduction to FIDO: A New Model for Authentication

Editor's Notes