Rajiv Dholakia, Nok Nok Labs
Basics of how FIDO protocols work, how they fit into the broader identity ecosystem, the benefits of the design and the state of implementation/deployment in the market; appropriate for both technical and non-technical individuals, giving orientation before diving into the details of the specific FIDO protocols.
3. I.T. HAS SCALED: IT'S A HETEROGENEOUS WORLD
Technological capabilities (1971 to 2013): clock speed x4700; number of transistors x608k; structure size /450
Price (1980 to 2013): HDD $/MB /12k; NV RAM $/MB /1.3m
Ubiquity: more than 7bn mobile connected devices by end of 2013
Connectivity (2013): 34% of all people worldwide have internet access
Relevance (2012): $1 trillion eCommerce
Social media (2013): >10% of all people worldwide active
NOK NOK LABS
4. The Authentication Tower of Babel
Silos, proprietary, privacy, reliance on 3rd party, tolls
5. IMPLEMENTOR'S PERSPECTIVE: A CHALLENGE
A plumbing problem: shades of Rube Goldberg…
[Diagram with three columns, Applications, Authentication Methods, Organizations: applications (App 1, App 2, New App) wired through authentication-method silos (Silo 1, Silo 2, Silo 3 … Silo N) to organizations (RP 1), with question marks where a new app or a new organization has to be plugged in]
9. Goal: Simpler, Stronger Authentication
Mission: To Change Authentication Online by:
(a) Developing unencumbered Specifications that define interoperable mechanisms that supplant reliance on passwords
(b) Operating programs to help ensure industry adoption
(c) Submitting mature Specifications for formal standardization
10. Identity & Authentication Building Blocks
Building blocks: Physical-to-digital identity | User Management | Authentication | Federation | Single Sign-On | Personalization
Authentication methods: Passwords, Risk-Based, Strong; MODERN AUTHENTICATION
Applied to: E-Gov, Payments, Security
11. User Authentication Online
Questions a service puts to the user: "Do you want to login?", "Do you want to transfer $100 to Frank?", "Do you want to ship to a new address?", "Do you want to delete all of your emails?", "Do you want to share your dental record?"
Authentication today: ask the user for a password (and perhaps a one time code)
13. Today's Password Alternatives
One Time Codes with SMS or Device
SMS usability: Coverage | Delay | Cost
Device usability: One per site | $$ | Fragile
User experience: Users find it hard
Still phishable: Known attacks today
14. Megatrend
Simpler, Stronger Local Device Auth
Personal devices: carry personal data
Local locking: PINs & patterns today
New wave: convenient security; simpler, stronger local auth
15. Putting It Together
The problem:
Simpler, Stronger online
The trend:
Simpler, Stronger local device auth
Why not:
Use local device auth for online auth?
This is the core idea behind FIDO standards!
16. FIDO Experiences
Online auth request → local device auth → success
Passwordless experience (UAF standards): show a biometric → transaction detail → done
Second factor experience (U2F standards): login & password → insert dongle, press button → done
17. FIDO Registration
1. Registration begins
2. User approval
3. New key created (using public key cryptography)
4. Key registered; registration complete
18. FIDO Login
1. Login: login challenge sent to the device
2. User approval
3. Key selected: login response returned
4. Login complete
Login using public key cryptography
19. Decouple User Verification Method from Authentication Protocol
Same four steps as login: 1. login challenge, 2. user approval, 3. key selected, 4. login response and login complete
Online security protocol: leverage public key cryptography
Pluggable local auth: the user verification step (step 2) can be swapped without changing the protocol
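The registration and login sequences on slides 17 to 19 reduce to three things: a key pair created on the device and scoped to one relying party, a fresh challenge from the server, and a signature the server checks with the public key it stored at registration. The Go program below is an added example written for this page, not code from Nok Nok Labs or from the FIDO specifications; it models both parties in one process and leaves out the real UAF/U2F message encodings, attestation and key handles. The appID "https://bank.example", the user name "alice", the choice of P-256/ECDSA and the layout of the signed data (appID hash, counter, challenge) are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one key pair per relying party
// (indexed by appID). Private keys never leave it.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32 // signature counter, incremented on every login
}

// RelyingParty models the server side; it stores public keys only.
type RelyingParty struct {
	AppID    string
	pubKeys  map[string]*ecdsa.PublicKey // username -> registered public key
	counters map[string]uint32           // username -> highest counter seen
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, pubKeys: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
}

// Register is the authenticator side of slide 17: after local user approval
// (PIN or biometric, reduced to a flag here) it mints a fresh P-256 key pair
// scoped to this appID and returns only the public half.
func (a *Authenticator) Register(appID string, userApproved bool) (*ecdsa.PublicKey, error) {
	if !userApproved {
		return nil, errors.New("registration cancelled: no user approval")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// StorePublicKey is slide 17, step 4: the relying party records the public key.
func (rp *RelyingParty) StorePublicKey(user string, pub *ecdsa.PublicKey) {
	rp.pubKeys[user], rp.counters[user] = pub, 0
}

// NewChallenge is slide 18, step 1: a fresh random nonce for every login.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData is what the authenticator signs: the appID hash binds the signature
// to one relying party, the counter exposes cloned keys, the challenge proves freshness.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	h := sha256.Sum256([]byte(appID))
	out := append(h[:], byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(out, challenge...)
}

// Login is slide 18, steps 2 and 3. The local verification method is only a
// yes/no gate (slide 19): the protocol never learns whether a PIN, fingerprint
// or face unlocked the key. Returns the counter and a DER-encoded signature.
func (a *Authenticator) Login(appID string, challenge []byte, userVerified bool) (uint32, []byte, error) {
	priv, ok := a.keys[appID]
	if !userVerified || !ok {
		return 0, nil, fmt.Errorf("login refused: userVerified=%v, key for %q registered=%v", userVerified, appID, ok)
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return a.counter, sig, err
}

// Verify is slide 18, step 4: check the signature with the stored public key and
// reject a replayed response or a cloned key whose counter has not moved forward.
func (rp *RelyingParty) Verify(user string, challenge []byte, counter uint32, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok || counter <= rp.counters[user] {
		return errors.New("unknown user, replayed response, or cloned authenticator")
	}
	digest := sha256.Sum256(signedData(rp.AppID, counter, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	rp.counters[user] = counter
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("https://bank.example") // constructed sample appID
	pub, _ := auth.Register(rp.AppID, true)
	rp.StorePublicKey("alice", pub) // constructed sample user
	ch, _ := rp.NewChallenge()
	ctr, sig, _ := auth.Login(rp.AppID, ch, true)
	fmt.Println("first login:", rp.Verify("alice", ch, ctr, sig), "| replay:", rp.Verify("alice", ch, ctr, sig))
}
```

Run with go run: the first Verify returns nil and the replay of the same response returns an error because the counter did not advance. A login attempt against a look-alike appID fails at the device, since no key was ever registered for it, and a response signed for one challenge does not verify against another. The userVerified flag is the whole of the local verification step as the protocol sees it, which is the decoupling slide 19 describes: swapping a PIN for a fingerprint changes how the flag gets set, not what is signed or verified.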
20. UAF ARCHITECTURE OVERVIEW
User device: user agent and mobile apps; authenticator abstraction (ASM); UAF authenticators holding the private keys (authentication keys, attestation keys)
Relying party: web application; FIDO UAF server holding the public keys (authentication keys, attestation key)
UAF protocol between the two: registration, authentication & transaction confirmation!
21. U2F Flow Diagram
User side: U2F token (secure U2F element holding the user keys) attached over USB, NFC or Bluetooth connectors; the browser speaks U2F APDU over the USB, NFC or Bluetooth API and exposes the U2F JS API to the page; a user action on the token (pressing its button) approves each operation
Relying party: web application and FIDO U2F server
22. Options
Passwordless UX = UAF: Universal Auth Framework
• User carries client device with UAF stack installed
• User presents a local biometric or PIN
• Website can choose whether to retain password
Second Factor UX = U2F: Universal Second Factor
• User carries U2F device with built-in support in web browsers
• User presents U2F device
• Website can simplify password (e.g., 4 digit PIN)
Simpler Stronger Authentication
29. Choice of Security Profiles
No secure HW: FIDO, UX layer (input, display) and crypto layer all run in user space
Secure crypto + storage: FIDO and UX layer (input, display) in user space; crypto layer in secure hardware
Secure execution environment: FIDO, crypto layer and UX layer (input, display) all in secure hardware
30. Risk Appropriate Authentication
FIDO Security Spectrum (strong → stronger → strongest):
Software only: protects keys
TPM/SE: protects keys, protects crypto
TEE + SE: protects keys, protects crypto, protects code, protects display
31. On SECURITY
xkcd ("A webcomic of romance, sarcasm, math, and language."), permanent link to this comic: http://xkcd.com/538/
32. A peek into MODERN AUTHENTICATION
Implicit authentication | Explicit authentication
33. COMPLEMENTS IDENTITY & FEDERATION STANDARDS
First mile: strong auth / passwords (FIDO / strong auth)
Second mile: SSO / federation (federation standards: SAML, OpenID)
34. FIDO Model: Direct to Relying Party OR through IdP
Devices support multiple authenticators
1. User authenticates to the device
2a. Device authenticates to the relying party (SP)
OR
2b. Device authenticates to the identity provider (IdP)
2c. IdP asserts identity via SAML, OAuth, OpenID Connect…
36. Identity & Authentication
Building blocks: Physical-to-digital identity | User Management | Authentication | Federation | Single Sign-On | Personalization
Authentication methods: Passwords, Risk-Based, Strong; MODERN AUTHENTICATION
Applied to: E-Gov, Payments, Security
37. Simplifying and Scaling Authentication
Any Device. Any Application. Any Authenticator.
Standardized protocols: local authentication unlocks an app-specific key; that key is used to authenticate to the server
40. CONCLUSIONS
• The enemy is symmetric shared secrets
• The enemy is poor user experiences and friction
• FIDO is a building block
• Even a simple software-based authenticator with a PIN offers many advantages over passwords
• FIDO complements your investments in federation and
improves your security and ease of use
43. FIDO Alliance Role
• Paper Specifications, Interop and Conformance testing, Trademark
licensing against criteria, thought leadership, nurture ecosystem of
vendors delivering FIDO implementations to market
• Alliance does not ship products (only specifications)
o Implementations left to commercial vendors
• FIDO Alliance designs core protocol
o Like SSL, FIDO has no domain semantics
o Relying parties and Vendors may adapt FIDO into commercial solutions
o Vendors may deliver FIDO specification as product or service, standalone or as
part of a solution stack
o Extended use cases may be explored by vendors long before they are imported into the protocol
45. FIDO at Industry Events – Readiness
FIDO-Ready Products & Deployment for Mobile & More
SIM + Secure Element
PIN + MicroSD, USB
Fingerprint, Mobile
Speaker Recognition
Mobile via NFC*
46. Useful to keep these separate:
Design Intent
FIDO Protocol Specification
Specific Implementations
Solution that incorporates FIDO
47. Select, Authenticate, Purchase
MOBILE DEVICES reshaping Security, Commerce
AUTHENTICATION THAT IS "One-Swipe", "One-Phrase", "One-Look", "One Touch"
48. OEMs SHIPPING FIDO-READY™ PRODUCTS
New and existing devices are supported
OEM Enabled: Samsung Galaxy S5; OEM Enabled: Lenovo ThinkPads with Fingerprint Sensors
Clients available for these operating systems:
Software Authenticator Examples: Voice/Face recognition, PIN, QR Code, etc.
Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element
49. First FIDO Deployment already live…
• Customers can use their finger to pay with
PayPal from their new Samsung Galaxy S5
because the FIDO Ready™ software on the
device securely communicates between the
fingerprint sensor on their device and
PayPal’s service in the cloud. The only
information the device shares with PayPal
is a unique cryptographic “public key”
that allows PayPal to verify the identity of the
customer without having to store any
biometric information on PayPal’s
servers.
50. Breaking news for July…
• Alipay – formerly a part of
Alibaba Group in China
• Processed $519 Billion in
transactions in 2013
• Launched FIDO-based
payments using Galaxy S5
51. Better Security, Better User Experience
Going beyond "Risk, Regulation, Reputation"
[Screenshots: Setup, Confirm, Sent]
DESIGN, DELIGHT & DOLLARS!
52. Call to Action
• FIDO is ready for use – launch a POC, Pilot
• Get involved:
o Develop or adapt your products to FIDO
o Come to the plenary, meet and mingle, speak with the pioneers,
select your partners
o Join the Alliance and contribute – we are a volunteer run
organization!
o Contact donal@fidoalliance.org for membership details
o Other questions – rajiv@noknok.com