FIDO Authentication: Its Evolution and Opportunities in Business - FIDO Alliance - Tokyo Seminar - Gomi
1. FIDO Seminar in Tokyo #3, 12/08/2016
Copyright (C) 2016 Yahoo Japan Corporation. All Rights Reserved.
FIDO AUTHENTICATION: ITS EVOLUTION AND OPPORTUNITIES IN YOUR BUSINESS
Hidehito Gomi
Senior Chief Researcher, Yahoo! JAPAN Research
2. Agenda
• Recap: FIDO Authentication Model
• Web Authentication & CTAP
• Solutions using FIDO Authentication
• Summary
3. Recap: FIDO Authentication Model
4. Trend of Authentication
Accurate, real-time user context can now be captured, and this is changing the nature of authentication.
High-reliability sensors and secure storage enable the following types of authentication:
• Local authn: user verification is performed on the user's own device, with which the user can interact easily.
• Continuous authn: user behavior continues to be monitored for authentication.
• Implicit authn: the user is authenticated without an explicit gesture or ceremony.
• Context-aware authn: data on the context the user belongs to is used for user authentication.
[Figure: data on user context captured by the device and held in secure storage: geolocation, orientation, temperature, sound, acceleration, steps, walking distance, etc.]
5. Authentication Models: local vs. remote
[Figure: traditional authn model (e.g. password) for web applications: the user sends ID and password to the server, which performs both identification and verification (PWD input, verification, OK). FIDO authn model: the authenticator verifies the user locally with a credential held on the user's device, and only the verification result reaches the FIDO server through the FIDO client; verification (local, at the authenticator) is thus separated from identification (at the FIDO server).]
6. Concept: Pluggable Authentication (Recap)
[Figure: FIDO authenticators (fingerprint, iris, face, USB key, smart card, new method) plug into the FIDO client, which exchanges FIDO standard messages with the FIDO server on behalf of Service 1, Service 2, Service 3 ... Service N.]
Plugged authenticators provide you with scalability for authentication.
Updated specs UAF & U2F 1.1 have been released.
7. Web Authentication & CTAP
*CTAP (Client To Authenticator Protocol)
8. Scoped Credential in Web Authentication
A “cryptographic” credential for web applications.
[Figure: the private key (the credential) on the authenticator is particular to one authenticator and one relying party (RP), which holds the matching public key (static link); the credential is also particular to one user, whose ID the RP holds (static link). The link between user and RP that is verified at authentication runs along this trust chain; another user or another RP does not share the credential.]
cf. Anthony Nadalin’s slides for more detail.
9. Web Authentication API
An abstract API through which the browser accesses credentials from JavaScript: makeCredential() and getAssertion().
[Figure: on the user side, the user, the authenticator and the browser (Web Authn API) on the user's devices; on the server side, the relying party (RP); the credential links the two.]
10. Authenticator Registration
1. makeCredential() request (from the RP, through the browser's Web Authn API)
2. User verification (at the authenticator)
3. Creation of private/public keys (the private key for authentication stays on the authenticator)
4. Producing the following data: credential info, attestation, public key, signature
5. Response with signed data about the credential
6. Registering the public key for FIDO authentication (at the RP, bound to the user's ID)
* A pair of keys for attestation is omitted in this picture.
11. Web Authentication using Authenticator
1. getAssertion() request (from the RP, through the browser's Web Authn API)
2. Verification of the user using a particular method (at the authenticator)
3. Producing the following data: credential info, assertion, signature (made with the private key)
4. Response with signed data about the assertion
5. Verifying the signature (at the RP, with the registered public key)
6. Discovering the user ID
* A pair of keys for attestation is omitted in this picture.
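The registration steps and authentication steps above, as an added example that is not part of the original slides: a Go model of the authenticator side (makeCredential and getAssertion) and the RP side (storing the public key, then verifying an assertion). It assumes P-256 keys, constructed user ID, RP ID and challenge values, a successful local user verification, and, as in the slides, omits the attestation key pair and the signature counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

type Authenticator struct{ priv *ecdsa.PrivateKey }                 // device side: the private key never leaves it (registration step 3)
type Registration struct{ UserID string; Pub *ecdsa.PublicKey }    // RP side: the public key stored against the user ID (registration step 6)
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte } // what getAssertion() returns (authentication step 4)

// Register models makeCredential(): a fresh P-256 key pair is created on the device; only the public half reaches the RP.
func Register(userID string) (*Authenticator, Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Registration{}, err
	}
	return &Authenticator{priv}, Registration{userID, &priv.PublicKey}, nil
}

// toBeSigned follows WebAuthn: the signature covers authenticatorData || SHA-256(clientDataJSON).
func toBeSigned(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// GetAssertion signs the RP's challenge after local user verification (assumed to have succeeded: flags UP|UV = 0x05).
func (a *Authenticator) GetAssertion(rpID, challenge string) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05) // authenticatorData reduced to sha256(rpID) | flags; signature counter omitted
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": "https://" + rpID})
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, toBeSigned(authData, cd))
	return Assertion{authData, cd, sig}, err
}

// Verify is the RP side (authentication step 5): the client data must carry this RP's own challenge and origin, the
// authenticator data must be scoped to this RP ID with the UV flag set, and the signature must verify under the public
// key registered for this user. A replayed, cross-RP or cross-user assertion fails one of these checks.
func (r Registration) Verify(rpID, challenge string, as Assertion) bool {
	var cd map[string]string
	rpHash := sha256.Sum256([]byte(rpID))
	return json.Unmarshal(as.ClientDataJSON, &cd) == nil &&
		cd["type"] == "webauthn.get" && cd["challenge"] == challenge && cd["origin"] == "https://"+rpID &&
		len(as.AuthData) >= 33 && string(as.AuthData[:32]) == string(rpHash[:]) && as.AuthData[32]&0x04 != 0 &&
		ecdsa.VerifyASN1(r.Pub, toBeSigned(as.AuthData, as.ClientDataJSON), as.Signature)
}
```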
12. Mobile Phone as Authenticator
[Figure: authenticators (fingerprint, iris, face, USB key, smart card) plus a mobile phone and a smart watch, connected through the Web Authn API to the FIDO server serving Service 1, Service 2, Service 3 ... Service N.]
A “mobile phone authenticator” advances the scalability of authentication further.
13. Authenticator Variation
[Figure: on the user device, an embedded authenticator is reached by the client directly, while an external authenticator (wireless communication type or removable type) is reached over CTAP (Client To Authenticator Protocol); in both cases the client exposes the Web Authn API.]
14. Solutions using FIDO Authentication
15. Authentication: Foundation of trusted applications
[Figure: traditional identity and access management system. The user authenticates to the server (ID); the server verifies user privileges (access control) and answers each access request with an access response (OK/NG). User activities after authentication: single sign-on, personal attributes sharing, personal service provisioning.]
Authentication is the first step required for various online activities.
16. Semantics for Assertion
• User verification: the user is who he/she claims to be
• User presence: the user is near the authenticator
• User confirmation: the user consents to his/her identity/transaction/context
[Figure: the relying party (RP) sends a challenge; the authenticator, using the credential and the user context, returns the signed challenge (assertion) as proof.]
FIDO authentication is a mechanism for proofing a user’s identity and context.
17. Authenticator Adoption
Authenticators implementing existing/legacy/new authentication methods/devices:
• Biometrics
• Behavioral characteristics
• Wearable devices
cf. Jae Jung Kim’s slides for more detail.
Authenticator implementing certificate-based authentication (KICA’s case study):
[Figure: the authenticator's PKI module holds the certificate and an encrypted private key, unlocked through a biometric API (fingerprint sensor, iris sensor); certificate issuance from the Certificate Authority (CA) uses the legacy protocol; the relying party (RP) verifies the certificate with the CA via OCSP (Online Certificate Status Protocol) and performs FIDO Authentication without any modification.]
18. FIDO Authentication and Federation
[Figure: the user authenticates with the authenticator, through the FIDO client, to the FIDO server at the RP/IdP (identity provider): simpler and stronger authentication. The identity service then issues an authentication assertion to the federated RP (federation): a more seamless and secure service. The authn context travels with it.]
The authn context transits from the authenticator to the federated RP.
cf. https://fidoalliance.org/assets/images/general/FIDOTokyoSeminar101014_gomi.pdf
19. Proof Information Transition
User proof generated by the authenticator can be used to provide the user with trusted applications at Internet scale.
[Figure: proofs of identity, context and transaction flow from the credential and user context at the authenticator to the RP/IdP and on to the federated RP.]
20. Transaction Confirmation
Protecting against MITM (Man-in-the-Middle) attacks by detecting falsified transaction data (already in the UAF spec and deployed by several banks).
[Figure: original transaction data: Bank for transfer: AAA Bank, Recipient Account #: 1234567, Amount: 10000 yen. Falsified transaction data (substituted by malware on the user device between the client and the RP (bank)): Bank for transfer: XXX Bank, Recipient Account #: 7654321, Amount: 1000000 yen.]
The transaction data presented to the user is signed by the authenticator using the private key, yielding a signature of the original transaction data.
The RP can prevent an illegal money transfer by verifying the signature of the transaction data even if that data has been falsified.
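Transaction confirmation as an added example, not code from the slides or from any bank's deployment: the authenticator signs exactly the transaction text it displayed, and the bank executes only a transfer whose text verifies under that signature, so data substituted after confirmation is rejected. The key pair is constructed here and the sample transfers reuse the slide's AAA Bank / XXX Bank values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is the transfer the user is asked to confirm; the fields are the three lines shown on the slide.
type Transaction struct{ Bank, Account string; AmountYen int }

// Text is the exact rendering the authenticator displays. Signing this text, rather than a separate request
// blob, is what ties the user's confirmation to what they actually saw.
func (t Transaction) Text() string {
	return fmt.Sprintf("Bank for transfer: %s\nRecipient Account #: %s\nAmount: %d yen", t.Bank, t.Account, t.AmountYen)
}

// NewKey creates the authentication key pair; in a deployment this is the FIDO credential registered with the bank.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Confirm models the authenticator: it shows the transaction to the user and, once the user confirms
// (assumed here), signs SHA-256 of the displayed text with the private key, which never leaves the device.
func Confirm(priv *ecdsa.PrivateKey, displayed Transaction) ([]byte, error) {
	h := sha256.Sum256([]byte(displayed.Text()))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Execute models the RP (bank). The request it receives may have been rewritten by malware on the user device
// after confirmation, so it hashes the transfer it is about to carry out and proceeds only if the signature
// verifies over that hash: only the transaction the user actually confirmed can go through.
func Execute(pub *ecdsa.PublicKey, requested Transaction, sig []byte) bool {
	h := sha256.Sum256([]byte(requested.Text()))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Sample values from the slide (constructed): the original transfer and the one malware substitutes.
var (
	Original  = Transaction{"AAA Bank", "1234567", 10000}
	Falsified = Transaction{"XXX Bank", "7654321", 1000000}
)

func main() {
	priv, _ := NewKey()
	sig, _ := Confirm(priv, Original)
	fmt.Println("original executes:", Execute(&priv.PublicKey, Original, sig), "falsified executes:", Execute(&priv.PublicKey, Falsified, sig))
}
```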
21. Identity Proofing Offline
Realtime biometric FIDO authentication enables “identity proofing” when accessing a physical service.
[Figure: e-ticket use case. The user (online) completes FIDO authentication online (visit Yahoo Japan’s demo booth); the FIDO server keeps the authn log and the e-ticket server issues e-tickets against the user ID. At the entrance gate of the event, the user (offline) presents the identity proof with the e-ticket offline; proof verification checks whether this is the same person (to be verified), protecting against impersonation by a malicious user (offline).]
[Figure: sample identity certificate (身分証明書), shown twice in the original. Name: Yamada Taro; Address: 9-7-1 Akasaka, Minato-ku, Tokyo; Age: 30; Sex: male; Certificate issuer: Yahoo Japan Corporation; Certificate distributed to: ABC Service Co., Ltd.; Issued: 10 Aug 2013, 13:00; Valid until: 10 Aug 2014, 13:00; Certificate ID: s8e3d5y9z0g3; Photo of the holder (taken 10 Jan 2013).]
22. User Verification Caching Spec (New)
Developing a new spec to fulfill use cases provided by EMVCo.
Supporting CDCVM*, enabling consumers to conveniently use on-device authenticators.
Policy example: do not ask the user for verification to authorize a payment for App2 if the user completed verification within the last 5 minutes.
[Figure: the user completes FIDO authentication online for App1 (user verification at the authenticator on the user device, which holds the private key); the user verification for App2 is skipped (X) under the policy.]
The user verification process can be simplified offline by the authenticator referring to previous verification results, depending on the user’s policy.
*CDCVM: Consumer Device Cardholder Verification Method
23. Summary
• FIDO authentication model
  • Local authentication using pluggable authenticators
  • Consistent in specifications
• Web authentication & CTAP
  • Scoped cryptographic credential
  • Abstract API for various types of authenticators via browsers
• Solutions using FIDO authentication
  • Authenticator adoption
  • Enhancement of identity federated systems
  • Identity/context proofing offline as well as online
FIDO authentication is encouraged to be adopted for developing secure and trusted systems both online and offline.