Technical Overview of FIDO Solution
23 likes5,125 views
This document proposes a new unified authentication architecture using biometrics and security tokens. Some key points: - It describes a new approach that allows any device, application, or authenticator to be used for authentication. This is enabled by standards-based protocols and a unified authentication module. - The solution aims to address issues with current siloed authentication methods by providing a single sign-on and reducing complexity, redundancy and costs. - Authentication works by registering user devices to generate and store cryptographic keys, then authenticating the user to unlock the key and sign responses during the authentication process. - Integration with systems like ForgeRock OpenAM is described, allowing policy-based authentication via the
Technical Overview of FIDO Solution
- 1. 1 T FINGERPRINT SEC U FA BIOME TOKEN RBA ACTIVE FINGERPRINT SECURE ELEMENT NFC BIOMETRIC PIN RBA SILEFINGERPRINT ELEME NFFACE BIOMETRIC TOKENACTIVE SILE ELEMENT USB FACE PIN TOK RBA PASSIVE SILEN FINGERPRINT VOICEUSB BIOMETRIC TPM VOICE NFC FACE TPM FINGERPRINT NFC USB RBA ACTIV TP FINGERPRINT SECURE NFC FACE RBA PASSIVE SILENT TPM FINGERPRINT VOICE ELEMENT ACTIVE BIOMETRIC PIN PASSIVE SILENT TPM FINGERPRINT SECURE ELEMENT NFC PIN TOKEN PASSIVE FINGERPRINT VOICE SECURE E TOKEN R VOICE SECURE NFC TOKEN TPM PIN RBA FINGERPRINT SECURE NFC USB VOICE NFC PASSIVE USB TOKEN PASSIVE TPM SECURE ELE FACE BIOMETRIC ACTIVE SECURE USB ACTIVE TPM VOICE NFC USB FACE PIN RBA ACTIVE TPM SECURE ELEMENT PIN RBA SILENT USB PIN SILENT ELEMENT NFC FINGERPRINT USB TPM VOICE RBA PASSIVE ACTIVE TPM SECURE USB FACE ACTIVE VOICE PIN PASSIVE TPM FINGERPRINT RBA ACTIVE TPM ELEMENT ACTIVE SILENT TPM USB RBA SECURE BIOMETRIC PIN SILENT TPM VOICE USB PIN USB FACE BIOMETRIC NFC TOKEN RBA PIN RBA SILENT FACE RBA PASSIVE ACTIVE SILENT TPM FINGERPRINT RBA ACTIVE TPM TOKEN ACTIVE SILENT VOICE USB FACE PIN RBA ACTIVE SILENT RBA VOICE NFC USB ACTIVE TPM BIOMETRIC TOKENTPM FACE TOKEN PASSIVE PIN TPM TPM FACE TPM FACE PASSIVE SILENT BIOMETRIC SECURE PIN PASSIVE SILENT VOICE USB PIN TOKEN PASSIVE NFC BIOMETRIC RBA SILENT TPM SECURE VOICE USB USB FACE SILENT SECURE PIN SILENT ELEMENT USB FACE VOICE USB SECURE FACE PIN FINGERPRINT SILENT PIN BIOMETRIC TPM USB FACE ELEMENT TPM VOICE SILENT USB RBA SILENT TPM VOICE FACE PASSIVE PIN TOKEN ACTIVE USB PASSIVE USB FACE TPM PASSIVE SECURE USB TPM FACE PIN RBA NFC USB RBA ACTIVE NFC USB PIN NFC SILENT VOICE FACE PIN RBA PASSIVE NFC USB PIN TPM PASSIVE PIN USB TPM NFC USB FACE SILENT FINGERPRINT USB USB USB TPM FACE TPM USB PIN FACE USB FACE USB NFC FACE TPM PIN FACE FACE USB TPM NFC RBA USB PIN PIN TPM USB RBA RBA PIN USB USB USB USB NFC FACE PIN NFC VOICE USB USB USB TPM USB USB TPM FACE NFC RBA USB FACE PIN VOICE USB USB USB RBA TPM NFC USB TPM USB USB USB TPM FACE USB FACE USB TPM USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB A NEW AUTHENTICATION ARCHITECTURE Avinash Umap (aumap@noknok.com) Javed Shah (javed.shah@forgerock.com)
- 2. WHEREWEFIT 2 Physical-to-digital Identity User Management Authentication Federation Single Sign-On Strong Risk Based Passwords
- 3. NNL ADDRESSES FIRST MILE AUTHENTICATION 3 Recreated PMS 1st Mile Nok Nok Labs ForgeRock Authenticate Identity SSO / Federate 2nd Mile
- 4. AUTHENTICATION SILOS 4 COMPLEXITY,REDUNDANCY,COSTS App A App B ? OpenAM ? Applications Authentication Methods
- 5. THE NOK NOK LABS UNIFIED APPROACH 5 ANYDEVICE. ANYAPPLICATION. ANYAUTHENTICATOR. App A OpenAM App B NOK NOK LABS Unified Authentication Protocol ? Applications Authentication Methods
- 6. HOW THE FIDO ARCHITECTURE WORKS 6 Standardized Protocol Local user verification unlocks key Key used to authenticate to server
- 7. SOLUTIONARCHITECTURE 7 NOK NOK LABS 3RD PARTY PROTOCOLS Relying Party MFAS Web Application/ Mobile App Server/ Federation Server Risk & Identity Systems Browser Device Mobile App MFAC Policy Rules
- 8. MFAS Web Browser FORGEROCK INTEGRATION 8 AUTHENTICATIONMODULEINTEGRATION USER’SDESKTOPDEVICE Browser Extension HTML Javascript MFAC Customer Web Application Relying Party NOK NOK 3rd party OpenAM (SAML, OpenID, etc.) Authentication Module AUTHENTICATIONINFRASTRUCTURE Authen=ca=on Registra=on Authen=ca=on ForgeRock J2EE Agent Oracle/ Postgres 1 2 3 SSO/Federate
- 9. REGISTRATION 9 Initiate Provisioning Registration Response + Public Key Validate Response & Attestation Registration Request + Policy MFAS MFAC Self Service Reg App J2EE Agent Protected Pages Browser /App 2 4 5 Device Relying Party 1 3 Enroll User & Generate Keys
- 10. AUTHENTICATION 10 Initiate Authentication Authentication Response Validate Response Authentication Request + Challenge + Policy MFAS MFAC OpenAM Login Page Auth Module Browser /App 2 4 5 Device Relying Party 1 3 Authenticate User & Unlock Key
- 11. TRANSACTION CONFIRMATION 11 Initiate Transaction Authentication Response + Text Hash Validate Response & Text Hash Auth Req+ Challenge + Policy + Transaction Text MFAS MFAC Web App Browser /App 2 4 5 Device Relying Party 1 3 Display Text, Authenticate User & Unlock Key
- 12. INTEGRATION PATTERNS 12 STRONGAUTHPROVIDER Custom Authen=ca=on Module Strong AuthN Client External AuthN Servlet REST / SOAP POST / GET Strong AuthN Server Custom Authen=ca=on Module RedirectCallback Customized Login Page External AuthN Provider Browser Redirect Iden=ty Provider SAML 2.0 / OAuth 2.0 Strong AuthN Client PasswordCallback OPENAM
- 13. Any Device. Any Application. Any Authenticator. 13 T FINGERPRINT SEC U FA BIOME TOKEN RBA ACTIVE FINGERPRINT SECURE ELEMENT NFC BIOMETRIC PIN RBA SILEFINGERPRINT ELEME NFFACE BIOMETRIC TOKENACTIVE SILE ELEMENT USB FACE PIN TOK RBA PASSIVE SILEN FINGERPRINT VOICEUSB BIOMETRIC TPM VOICE NFC FACE TPM FINGERPRINT NFC USB RBA ACTIV TP FINGERPRINT SECURE NFC FACE RBA PASSIVE SILENT TPM FINGERPRINT VOICE ELEMENT ACTIVE BIOMETRIC PIN PASSIVE SILENT TPM FINGERPRINT SECURE ELEMENT NFC PIN TOKEN PASSIVE FINGERPRINT VOICE SECURE E TOKEN R VOICE SECURE NFC TOKEN TPM PIN RBA FINGERPRINT SECURE NFC USB VOICE NFC PASSIVE USB TOKEN PASSIVE TPM SECURE ELE FACE BIOMETRIC ACTIVE SECURE USB ACTIVE TPM VOICE NFC USB FACE PIN RBA ACTIVE TPM SECURE ELEMENT PIN RBA SILENT USB PIN SILENT ELEMENT NFC FINGERPRINT USB TPM VOICE RBA PASSIVE ACTIVE TPM SECURE USB FACE ACTIVE VOICE PIN PASSIVE TPM FINGERPRINT RBA ACTIVE TPM ELEMENT ACTIVE SILENT TPM USB RBA SECURE BIOMETRIC PIN SILENT TPM VOICE USB PIN USB FACE BIOMETRIC NFC TOKEN RBA PIN RBA SILENT FACE RBA PASSIVE ACTIVE SILENT TPM FINGERPRINT RBA ACTIVE TPM TOKEN ACTIVE SILENT VOICE USB FACE PIN RBA ACTIVE SILENT RBA VOICE NFC USB ACTIVE TPM BIOMETRIC TOKENTPM FACE TOKEN PASSIVE PIN TPM TPM FACE TPM FACE PASSIVE SILENT BIOMETRIC SECURE PIN PASSIVE SILENT VOICE USB PIN TOKEN PASSIVE NFC BIOMETRIC RBA SILENT TPM SECURE VOICE USB USB FACE SILENT SECURE PIN SILENT ELEMENT USB FACE VOICE USB SECURE FACE PIN FINGERPRINT SILENT PIN BIOMETRIC TPM USB FACE ELEMENT TPM VOICE SILENT USB RBA SILENT TPM VOICE FACE PASSIVE PIN TOKEN ACTIVE USB PASSIVE USB FACE TPM PASSIVE SECURE USB TPM FACE PIN RBA NFC USB RBA ACTIVE NFC USB PIN NFC SILENT VOICE FACE PIN RBA PASSIVE NFC USB PIN TPM PASSIVE PIN USB TPM NFC USB FACE SILENT FINGERPRINT USB USB USB TPM FACE TPM USB PIN FACE USB FACE USB NFC FACE TPM PIN FACE FACE USB TPM NFC RBA USB PIN PIN TPM USB RBA RBA PIN USB USB USB USB NFC FACE PIN NFC VOICE USB USB USB TPM USB USB TPM FACE NFC RBA USB FACE PIN VOICE USB USB USB RBA TPM NFC USB TPM USB USB USB TPM FACE USB FACE USB TPM USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB
- 14. NOK NOK LABS AUTHENTICATION MODULE 14