FIDO 2.0 specifications are being developed to standardize strong web authentication across platforms. They include a Web Authentication API, a key attestation format and a signature format, all submitted to W3C. A Client to Authenticator Protocol (CTAP) enables authentication with external devices over transports such as USB, Bluetooth and NFC. FIDO aims to accelerate adoption by having authentication built into browsers, operating systems and platforms.
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
1. NEW FIDO SPECIFICATIONS OVERVIEW
- STRONG WEB AUTHENTICATION -
12/8/2016
Anthony J Nadalin
Chief Security Architect, Microsoft
FIDO 2.0 TWG Co-Chair
All Rights Reserved. FIDO Alliance. Copyright 2016
2. FIDO for platforms in ubiquitous environments
3. What is missing in FIDO today...
• Universal distribution of the FIDO technology
• Ideally
  • Every major platform delivers the FIDO API and technology
    • Web platforms, OS platforms
4. How will platform support help?
• Accelerate mass FIDO adoption
  • For RPs
    • It's available on all devices, so there is an incentive to adopt
    • A PC may have an embedded authenticator (TPM)
  • For the authenticator vendors
    • RPs are adopting, so all devices want authenticators
• Think way back to TCP/IP
  • Took off when Win95/MacOS integrated it
  • Compatible browsers appeared on all platforms
5. So what is FIDO doing NOW?
• Crafting standards which in future will be built into all platforms.
• The web platform is special, and the future API needs to be standardized in W3C, hence the FIDO liaison with W3C.
• The Web API is the first one we standardize, and we use it to drive the other platform-specific (native) APIs.
6. Goals
Support for Major Platforms (Browsers, OSs)
[Figure: Web Authentication Server on one side, Web Authentication Clients/Authenticators on the other]
• Browsers: Chrome, IE/Edge, Firefox, Safari, etc.
• OSs: Windows, Android, MacOS, iOS, etc.
7. Specifications
Web Platform API specs (abstract API calls (in/out) and messages):
• Web API
• Key Attestation Format
• Signature Format
These are submitted to W3C, the international standards organization for the World Wide Web.
Client to Authenticator Protocol (communication between client and external authenticator):
• CTAP (Client to Authenticator Protocol)
*API: Application Programming Interface
8. Overview
[Figure: The User Device holds the RP App, the OS/Browser acting as FIDO Client, and an Authenticator reached through the OS Platform API; an external Authenticator is reached over the Client to Authenticator Protocol. The FIDO Client talks to the RP Server and FIDO Server through the W3C Web API, using the Signature and Key Attestation formats.]
*RP: Relying Party
9. Web API for Accessing FIDO 2.0 Technology
Specifies an API that enables web pages to access FIDO 2.0 compliant strong cryptographic technology through JavaScript.
[Figure: User, Browser, Authenticator and Server]
(1) Service request
(2) Authentication request; JavaScript calls the credential API
(3) Request for cryptographic operation
(4) User gesture allows cryptographic operations
(5) Response with cryptographic proof
Scoped Credential: the information required for authentication (a private key, instead of a password), held by the authenticator.
10. Use Case for Web API (1)
Registration of authenticator
[Figure: User, Browser, Authenticator (holding the private key) and Server (receiving the public key)]
(1) Service request
(2) Registration request; JavaScript calls the credential API
(3) Request for Scoped Credential creation
(4) Scoped Credential creation: "Do you want to register this device (authenticator) with server?"
  - User gesture
  - Authorize creating a key pair
(5) Response with Scoped Credential information (public key, attestation, client data (with signature), etc.)
11. Use Case for Web API (2)
Authentication using registered authenticator
[Figure: User, Browser, Authenticator (holding the private key) and Server (holding the public key)]
(1) Service request
(2) Authentication request; JavaScript calls the credential API
(3) Request for authentication
(4) Credential discovery: "Do you want to authenticate using this device (authenticator)?"
  - User gesture
  - Authorize using an existing credential
(5) Response with assertion (signed challenge + other data)
12. Browser Responsibilities
• Compose messages for operations
• Provide origin and RP IDs
• Compute client data hashes
• Process extensions
• Provide UI for authenticators that lack the ability
• Error handling / housekeeping
13. Authenticator Responsibilities
• Perform operations
• Obtain user gesture if needed: consent button, password, PIN, a biometric...
• Process extensions
  • e.g. show and sign message for transaction auth
• Provide Attestation(s)
14. API Details
• makeCredential: key generation with attestation
  • used to register a new keypair with the RP
• getAssertion: authentication
  • mixes in state like facet id, token-binding id
  • also: key discovery (for "typeless" authentication)
15. Key Attestation Format
• Defines generic data structures that cover the semantics of FIDO's various authenticator attestation formats.
• The authenticator asserts the trustworthiness of a private key that it maintains.
• Provides profiles such as TPM, Android, etc.
16. Signature Format
• Proves possession of a private key of a FIDO 2.0 credential and asserts contextual information about the client and authenticator that generated it.
• Client data allows other information to be bound to the signature
19. Web Authentication API Example
if (!window.webauthnAPI) { /* Verify platform is capable. Handle error if not. */ }
var userAccountInformation = {
    rpDisplayName: "Acme",
    displayName: "John P. Smith",
    name: "johnpsmith@example.com",
    id: "1098237235409872",
    imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};
var cryptoParams = [{type: "ScopedCred", algorithm: "ES256"}, {type: "ScopedCred", algorithm: "RS256"}];
var challenge = "Y2xpbWIgYSBtb3VudGFpbg";
var timeoutSeconds = 300; // 5 minutes
var blacklist = []; // No blacklist
var extensions = {}; // No extensions
// Note: The following call will cause the authenticator to display UI.
window.webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge, timeoutSeconds, blacklist, extensions)
    .then(function (newCredentialInfo) {
        // Send new credential info to server for verification and registration.
    }).catch(function (err) {
        // No acceptable authenticator or user refused consent. Handle appropriately.
    });
23. CTAP (Client to Authenticator Protocol)
• Describes an application layer protocol for communication between an external authenticator and another client/platform.
• Can be run over a variety of transport protocols using different physical media.
[Figure: In the user device, JavaScript calls for a credential and the browser issues (3) request for cryptographic operation; over a transport binding for USB/BLE/NFC, the External Authenticator (holding the private key), located outside of the user device, performs (4) credential creation/discovery.]
24. Use Case for CTAP
Example: Authentication for an application on a PC using a smartphone
The user can choose an external authenticator that is used to authenticate himself for applications running on his multiple clients across devices.
[Figure: PC (Client) connected over BLE to Smartphone (external authenticator, holding the private key); FIDO Authentication between the PC and the Server (holding the public key)]
25. Current Timeline
• W3C Web Authentication Specification
  • Candidate Recommendation 1Q2017
• FIDO Client to Authenticator Protocol
  • Implementation draft 1Q2017
26. Summary
• FIDO authentication
  • Authenticators are pluggable, using public key cryptography.
  • FIDO 1.X deployments have established the FIDO ecosystem in the market.
• FIDO 2.0: for platforms (Web Platform and OS Platforms) natively supporting FIDO
  • Web Platform APIs: submitted to W3C
  • CTAP enables client authentication using an external authenticator.
FIDO continues to expand its ecosystem to support authentication in ubiquitous computing with FIDO 2.0.
27. Specification References
• W3C Web Authentication Specification Latest Draft
  http://www.w3.org/TR/2016/WD-webauthn-20160902/
• FIDO Client to Authenticator Protocol
  https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.pdf
28. Thank you for your attention!
29. Acknowledgement
• Thanks to the FIDO Alliance members, especially the FIDO 2.0 Technology Working Group members.
• Thanks to W3C for the collaboration.
• Thanks to Dr. Gomi and his presentation for the FIDO Tokyo Seminar 2015.