This document discusses new trends in mobile authentication. It suggests that smartphones and their built-in sensors can enable simpler and more secure authentication compared to passwords. Biometric authentication methods like fingerprint sensors, facial recognition, and voice recognition are discussed as easier and more secure alternatives to traditional passwords. The document also introduces the FIDO protocol as a way to standardize authentication across devices, applications, and services using public-key cryptography instead of reusable passwords.
3. THE POWER OF AUTHENTICATION

Rental center:
① Book online
② Ride to rental center
③ Wait in line
④ Hand over credit card + driver's license
⑤ Sign forms
⑥ Drive away
Total time: 15-30 min

Mobile app / ZipCard:
① Book online
② Walk to nearby parking lot
③ Unlock car with mobile app / ZipCard
④ Drive away
Total time: 2 min
9. Opportunity for Better Authentication is Upon Us
Are you ready?

For Users: Painful to Use
• 25 accounts
• 8 logins / day
• 6.5 passwords

For Organizations: Difficult to Secure
• $5.5M / data breach
• $15M / PWD reset
• $60+ / token

For the Ecosystem: Impossible to Scale
• Fragmented
• Inflexible
• Slow to adopt
10. User Auth Online
Do you want to login?
Do you want to transfer $100 to Joe?
Do you want to ship to a new address?
Do you want to delete all of your emails?
Do you want to share your dental record?
Auth today: Ask the user for a password (and perhaps a one-time code)
15. One Time Codes
Improves security but not easy enough

SMS usability: Coverage | Delay | Cost
Device usability: One per site | Fragile
User experience: User confusion
Still phishable: Known attacks today
16. Megatrend
Simpler, Stronger Local Device Auth

Personal devices: carry personal data
Local locking: PINs & patterns today
New wave, convenient security: simpler, stronger local auth
29. MORE SECURE AUTHENTICATION
Unique Cryptographic Secrets

Feature | Security benefit
Unique key per user/device/site | Segmentation of risk
High-entropy asymmetric keys instead of passwords | Protection against dictionary and brute-force attacks
Secrets not exposed to user | Protection against phishing, key logging, shoulder surfing

(Diagram labels: User, Account, Device, Site)
The protocol allows the authentication client to communicate with the server. It has three main functions:
• Discovery – allows the server to discover what capabilities are present on the client device, enabling the use of existing device capabilities for authentication.
• Provisioning – allows users to self-register their authenticator(s) with the server. Keys are provisioned in this step.
• Authentication – provides token-abstracted authentication using a challenge-response model based on OCRA (OATH Challenge-Response Algorithm).
FIDO is designed to be extensible: it enables plugging in new authenticators, cryptographic algorithms, etc. It follows a challenge-response model based on OCRA, supports both symmetric and asymmetric key encryption, and validates the authenticators present in client devices to verify their genuineness.
MFAC's design takes advantage of secure hardware when it is available on devices. Depending on device capabilities, more parts of MFAC can be "sunk into" secure hardware:
• When no secure hardware is present, all software executes in userspace. Software techniques are used to protect cryptographic material and code: whitebox encryption, code obfuscation, and signing of code.
• When cryptographic chips like TPMs and Secure Elements are present, the MFAC SDK and the UX layer execute in userspace; cryptographic operations and key storage use the secure hardware.
• When a full secure execution environment like TrustZone is available, the MFAC SDK still executes in userspace; cryptographic operations and key storage use the secure hardware, the UX layer uses secure keyboards and a secure display, and fingerprint sensors are also securely hardwired. This mode provides the most security.