SlideShare a Scribd company logo

FIDO UAF Specifications: Overview & Tutorial

FIDO Alliance
FIDO Alliance

1. Passwords are insecure and inconvenient, especially on mobile devices, while alternative authentication methods are siloed and don't scale well. 2. FIDO separates user verification from authentication, supporting all verification methods and providing scalable convenience and security. 3. In FIDO, only public keys are stored on servers and authentication relies on private keys protected in authenticators, making it resistant to phishing and password theft.

Technology
1 of 40
Download to read offline
FIDO  UAF  Tutorial
Mobile Authentication Helps Drive Business 770  million  biometric   authentication   applications  will  be   downloaded  per   annum  by  2019,  up   from  just  6  million  this   year  and  dramatically   reducing  dependence   on  alphanumeric   passwords  in  the   mobile  phone  market. -­Juniper  Research,   20  January  2016 Source:  Criteo,  State  of  Mobile  Commerce  Report  4Q  2015  
How Secure is Authentication?
Cloud Authentication
Password  might  be   entered  into  untrusted   App  /  Web-­site   (“phishing”) 2 Password  could  be  stolen   from  the  server 1 Too  many  passwords  to   remember à re-­use  /  cart abandonment 3 Inconvenient  to  type   password  on  phone 4 Password Issues
OTP Issues OTP  vulnerable  to  real-­ time  MITM  and  MITB   attacks 1 SMS  security  questionable,   especially  when  Device  is  the   phone 2 OTP  HW  tokens  are   expensive  and  people   don’t  want  another  device 3 Inconvenient  to  type  OTP   on  phone 4
Do you want to login? 1 Authentication Needs Authentication today: Ask user for a password… (and perhaps a one time password) Do you want to share your dental records? 4 Do you want to change your shipping address? 3 Do you want to delete all of your emails? 2 Do you want to transfer $100 to Frank? 5 Do you want to transfer $10,000 to mymerchant.com? 6
Classifying Threats Remotely  attacking  central  servers   steal  data for  impersonation 1 Physically  attacking  user   devices   misuse  them for   impersonation 6 Physically  attacking  user   devices steal  data for  impersonation 5 Remotely   attacking  lots  of   user  devices steal  data for   impersonation Remotely   attacking  lots  of   user  devices misuse  them for   impersonation Remotely   attacking  lots  of   user  devices misuse   authenticated   sessions 2 3 4 Scalable  attacks Physical  attacks   possible  on  lost  or stolen  devices ( 3%  in  the  US  in  2013)
Summary 1. Passwords  are  insecure  and  inconvenient   especially  on  mobile  devices 2. Alternative  authentication   methods  are  silos  and   hence  don‘t  scale  to  large  scale  user  populations 3. The  required  security  level  of  the  authentication   depends  on  the  use 4. Risk  engines  need  information  about  the  explicit   authentication   security  for  good  decision  
How does FIDO work? Device
How does FIDO work? Private  key Public  key challenge (signed)   response Require  user  gesture before  private  key   can  be  used
How does FIDO UAF work? … …SE
How does FIDO UAF work? Can  recognize the  user   (i.e.  user  verification),  but   doesn’t  know  its  identity   attributes. Same  Authenticator   as  registered  before? Same  User  as   enrolled  before?
How does FIDO UAF work? Identity  binding   to  be  done   outside  FIDO:  This  this   “John  Doe  with  customer   ID  X”. Can  recognize the  user   (i.e.  user  verification),  but   doesn’t  know  its  identity   attributes. Same  Authenticator   as  registered  before? Same  User  as   enrolled  before?
How does FIDO UAF work? … …SE How  is  the  key  protected  (TPM,   SE,  TEE,  …)? Which  user  verification  method  is   used?
Binding Keys to Apps Use  google.com  key Use  paypal.com  key Use  same  user  gesture (e.g.  same  finger  or  PIN) for  unlocking  each  private  key.
FIDO  USER  DEVICE FIDO  CLIENT FIDO  AUTHENTICATOR BROWSER  /  APP FIDO Building Blocks ASM RELYING  PARTY Attestation  key Authentication   keys FIDO  SERVER METADATA   SERVICE WEB  APPLICATION Update Cryptographic   authentication  key   DB Authenticator   Metadata UAF  Protocol TLS  Server  Key
Registration Overview FIDO AUTHENTICATOR FIDO SERVER FIDO CLIENT Send  Registration  Request: -­ Policy -­ Random  Challenge Start   registration Verify  user Generate  key  pair Sign  attestation  object: • Public  key • AAID • Random  Challenge • Name  of  relying  party Signed  by  attestation  key Verify  signature Check  AAID  against  policy Store  public  key AAID  =  Authenticator  Attestation   ID,  i.e.  model  ID Perform  legacy  authentication  first,  in  order  to  bind  authenticator  to  an  electronic  identity, then  perform  FIDO  registration.
FIDO Authenticator FIDO Server Web   App App Prepare0 UAF Authentication
FIDO Authenticator FIDO Server Web   App App Prepare UAF Authentication 0
FIDO Authenticator FIDO Server Web   App App Prepare UAF Authentication 0
FIDO Authenticator FIDO Server Web   App App Prepare UAF Authentication Initiate   Authentication 1 0
FIDO Authenticator FIDO Server Web   App App Prepare UAF Authentication Initiate   Authentication 1 Auth.  Request with  Challenge 2 0
FIDO Server Web   App App Prepare UAF Authentication pat@example.com Pat  Johnson Initiate   Authentication 1 3 Verify  User  & Sign  Challenge   (Key  specific  to  RP   Webapp) FIDO Authenticator Auth.  Request with  Challenge 2 0
FIDO Server Web   App App Prepare UAF Authentication Pat  Johnson 650  Castro  Street Mountain  View,  CA  94041 United  States Initiate   Authentication 1 FIDO Authenticator 3 Verify  User  & Sign  Challenge   (Key  specific  to  RP   Webapp) Auth. Response 4 Auth.  Request with  Challenge 2 0
FIDO Server Web   App App Prepare UAF Authentication pat@example.com Pat  Johnson Payment  complete! Return  to  the  merchant’s  web   site  to  continue  shopping Return  to  the  merchant Initiate   Authentication 1 FIDO Authenticator 3 Verify  User  & Sign  Challenge   (Key  specific  to  RP   Webapp) Auth.  Request with  Challenge 2 Auth.   Response 4 Success 5 0
FIDO Server Browser  or   Native  App FIDO Authenticator Initiate  Transaction Authentication   Response +  Text  Hash,   signed  by  User’s  private  key Validate Response  &   Text  Hash  using User’s  Public  Key Authentication   Request  +   Transaction  Text 2 4 5 Device Relying  Party 1 3 Web   App Display  Text,  Verify   User  & Unlock  Private   Key (specific  to  User  +  RP  Webapp) Transaction Confirmation
Convenience & Security Convenience Security Password
Convenience & Security Convenience Security Password Password  +  OTP
Convenience & Security Convenience Security Password Password  +  OTP FIDO In  FIDO: • Same  user  verification   method  for  all  servers In  FIDO:    Arbitrary  user   verification  methods  are   supported  (+  they  are   interoperable)
Convenience & Security Convenience Security Password Password  +  OTP FIDO In  FIDO: • Only  public  keys  on  server • Not  phishable In  FIDO:    Scalable  security   depending  on  Authenticator   implementation
What about rubber fingers? Protection  methods  in  FIDO 1. Attacker  needs  access  to  the  Authenticator  and  swipe  rubber   finger  on  it.    This  makes  it  a  non-­scalable  attack. 2. Authenticators  might  implement  presentation  attack  detection   methods. Remember: Creating  hundreds  of  millions  of  rubber  fingers  +  stealing  the  related   authenticators  is  expensive.    Stealing  hundreds  of  millions  of   passwords  from  a  server  has  low  cost  per  password.
But I can’t revoke my finger… • Protection  methods  in  FIDO You  don’t  need  to  revoke  your  finger,  you  can  simply   de-­register  the  old  (=attacked)  authenticator.  Then,   1. Get  a  new  authenticator 2. Enroll  your  finger  (or  iris,  …)  to  it 3. Register  the  new  authenticator  to  the  service
FIDO is used Today
Conclusion • Different  authentication  use-­cases  lead  to  different   authentication   requirements • FIDO  separates  user  verification  from  authentication   and  hence  supports  all  user  verification  methods • FIDO  supports  scalable  convenience  &  security • User  verification  data  is  known  to  Authenticator  only • FIDO  complements  federation Todd  Thiemann,  Nok  Nok Labs,  tthiemann@noknok.com
How does FIDO UAF work? 5.  Generate  key  pair  in   Authenticator  to  protect   against  phishing 7.  Verify  user  before   signing  authentication   response 4.  Provide  cryptographic   proof  of  authenticator   model 1.  Use  Metadata  to   understand  Authenticator     security  characteristic 2.  Define  policy  of   acceptable   Authenticators 6.  Use  site-­specific   keys  in  order  to  protect   privacy 3.  Store  public  keys  on   the  server   (no  secrets) 8.  Use  channel  binding  to   protect  against  MITM
Registration Overview (2) Physical  Identity Virtual  Identity FIDO AUTHENTICATOR FIDO SERVER WEB Application {  userid=1234,   jane@mail.com, known  since  03/05/04, payment  history=xx,   …   } {  userid=1234,   pubkey=0x43246,  AAID=x +pubkey=0xfa4731,  AAID=y } Registration AAID  y key  for  foo.com:  0xfa4731 Relying  Party  foo.com Link  new   Authenticator  to   existing  userid “Know  Your  Customer”  rules Legacy  Authentication
SIM  Card FIDO  Authenticator Attestation  Key Authentication  Key(s) Using Secure Hardware PIN   Verification PIN  Entry User Verification /   Presence
Trusted  Execution  Environment  (TEE) FIDO  Authenticator  as  Trusted  Application  (TA) User  Verification  /  Presence Attestation  Key Authentication  Key(s) Store  at  Enrollment Compare  at  Authentication Unlock  after  comparison Client Side Biometrics
Trusted  Execution  Environment   (TEE) Secure  Element Combining TEE and SE FIDO  Authenticator  as  Trusted  Application  (TA) Attestation  Key Authentication  Key(s) User  Verification     /  Presence Transaction   Confirmation   Display e.g.  GlobalPlatform   Trusted  UI

Recommended

FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
FIDO U2F Specifications: Overview & Tutorial
FIDO U2F Specifications: Overview & TutorialFIDO U2F Specifications: Overview & Tutorial
FIDO U2F Specifications: Overview & Tutorial
FIDO Alliance
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication API
FIDO Alliance
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
FIDO Alliance
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
FIDO Alliance
 
FIDO and the Future of User Authentication
FIDO and the Future of User AuthenticationFIDO and the Future of User Authentication
FIDO and the Future of User Authentication
FIDO Alliance
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication
FIDO Alliance
 

Recommended

FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
FIDO U2F Specifications: Overview & Tutorial
FIDO U2F Specifications: Overview & TutorialFIDO U2F Specifications: Overview & Tutorial
FIDO U2F Specifications: Overview & Tutorial
FIDO Alliance
 
Web Authentication API
Web Authentication APIWeb Authentication API
Web Authentication API
FIDO Alliance
 
FIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2FFIDO Specifications Overview: UAF & U2F
FIDO Specifications Overview: UAF & U2F
FIDO Alliance
 
Getting Started with FIDO2
Getting Started with FIDO2Getting Started with FIDO2
Getting Started with FIDO2
FIDO Alliance
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
FIDO Alliance
 
FIDO and the Future of User Authentication
FIDO and the Future of User AuthenticationFIDO and the Future of User Authentication
FIDO and the Future of User Authentication
FIDO Alliance
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication
FIDO Alliance
 
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in EuropeFIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
FIDO Alliance
 
U2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyU2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKey
Haniyama Wataru
 
Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装
Haniyama Wataru
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
FIDO Alliance
 
Fido Technical Overview
Fido Technical OverviewFido Technical Overview
Fido Technical Overview
FIDO Alliance
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptx
FIDO Alliance
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~
5 6
 
Google & FIDO Authentication
Google & FIDO AuthenticationGoogle & FIDO Authentication
Google & FIDO Authentication
FIDO Alliance
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
FIDO Alliance
 
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
FIDO Alliance
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
ID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-onID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-on
Nov Matake
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
FIDO Alliance
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
FIDO Alliance
 
Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with Microsoft
FIDO Alliance
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & Microsoft
FIDO Alliance
 
Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2
FIDO Alliance
 
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) SpecificationCIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CloudIDSummit
 
FIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology Landscape
FIDO Alliance
 

More Related Content

What's hot

ID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-onID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-on
Nov Matake
 

What's hot (20)

FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in EuropeFIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
U2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKeyU2F/FIDO2 implementation of YubiKey
U2F/FIDO2 implementation of YubiKey
 
Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装Idcon25 FIDO2 の概要と YubiKey の実装
Idcon25 FIDO2 の概要と YubiKey の実装
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
 
Fido Technical Overview
Fido Technical OverviewFido Technical Overview
Fido Technical Overview
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptx
 
RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~RPで受け入れる認証器を選択する ~Idance lesson 2~
RPで受け入れる認証器を選択する ~Idance lesson 2~
 
Google & FIDO Authentication
Google & FIDO AuthenticationGoogle & FIDO Authentication
Google & FIDO Authentication
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
 
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
ID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-onID & IT 2013 - OpenID Connect Hands-on
ID & IT 2013 - OpenID Connect Hands-on
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
 
Going Passwordless with Microsoft
Going Passwordless with MicrosoftGoing Passwordless with Microsoft
Going Passwordless with Microsoft
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
 
FIDO2 & Microsoft
FIDO2 & MicrosoftFIDO2 & Microsoft
FIDO2 & Microsoft
 
Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2Microsoft's Implementation Roadmap for FIDO2
Microsoft's Implementation Roadmap for FIDO2
 

Viewers also liked

Predicting Answering Behaviour in Online Question Answering Communities
Predicting Answering Behaviour in Online Question Answering CommunitiesPredicting Answering Behaviour in Online Question Answering Communities
Predicting Answering Behaviour in Online Question Answering Communities
Gregoire Burel
 
FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18
Nov Matake
 
Cultures in Community Question Answering
Cultures in Community Question AnsweringCultures in Community Question Answering
Cultures in Community Question Answering
Nicolas Kourtellis
 
Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...
Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...
Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...
Marco Brambilla
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAAS
rahmed_sct
 

Viewers also liked (20)

CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) SpecificationCIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
 
FIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology Landscape
 
Predicting Answering Behaviour in Online Question Answering Communities
Predicting Answering Behaviour in Online Question Answering CommunitiesPredicting Answering Behaviour in Online Question Answering Communities
Predicting Answering Behaviour in Online Question Answering Communities
 
FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18
 
FOAF & SIOC applications
FOAF & SIOC applicationsFOAF & SIOC applications
FOAF & SIOC applications
 
Cultures in Community Question Answering
Cultures in Community Question AnsweringCultures in Community Question Answering
Cultures in Community Question Answering
 
Touch id in iphone 5s
Touch id in iphone 5sTouch id in iphone 5s
Touch id in iphone 5s
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
 
Tutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender SystemsTutorial on Robustness of Recommender Systems
Tutorial on Robustness of Recommender Systems
 
Google Case Study: Becoming Unphishable
Google Case Study: Becoming UnphishableGoogle Case Study: Becoming Unphishable
Google Case Study: Becoming Unphishable
 
Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...
Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...
Answering Search Queries with CrowdSearcher: a crowdsourcing and social netwo...
 
Neural Network and NLP
Neural Network and NLPNeural Network and NLP
Neural Network and NLP
 
Leveraging Fingerprint Verification on Mobile Devices
Leveraging Fingerprint Verification on Mobile DevicesLeveraging Fingerprint Verification on Mobile Devices
Leveraging Fingerprint Verification on Mobile Devices
 
[UMAP2013]Tutorial on Context-Aware User Modeling for Recommendation by Bamsh...
[UMAP2013]Tutorial on Context-Aware User Modeling for Recommendation by Bamsh...[UMAP2013]Tutorial on Context-Aware User Modeling for Recommendation by Bamsh...
[UMAP2013]Tutorial on Context-Aware User Modeling for Recommendation by Bamsh...
 
[스페이스클라우드] 간편결제 서비스 도입, 네이버페이로 파티룸 예약해요!
[스페이스클라우드] 간편결제 서비스 도입, 네이버페이로 파티룸 예약해요![스페이스클라우드] 간편결제 서비스 도입, 네이버페이로 파티룸 예약해요!
[스페이스클라우드] 간편결제 서비스 도입, 네이버페이로 파티룸 예약해요!
 
FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례FIDO 생체인증 기술 개발 사례
FIDO 생체인증 기술 개발 사례
 
Developing With JAAS
Developing With JAASDeveloping With JAAS
Developing With JAAS
 
FIDO - The Value of Membership
FIDO - The Value of Membership FIDO - The Value of Membership
FIDO - The Value of Membership
 
Introduction to association mapping and tutorial using tassel
Introduction to association mapping and tutorial using tasselIntroduction to association mapping and tutorial using tassel
Introduction to association mapping and tutorial using tassel
 
Role based access control - RBAC
Role based access control - RBACRole based access control - RBAC
Role based access control - RBAC
 

Similar to FIDO UAF Specifications: Overview & Tutorial

Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical Tutorial
FIDO Alliance
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications Overview
FIDO Alliance
 
FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance
 
Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...
Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...
Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...
Data Con LA
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaication
Sean Xiong
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 

Similar to FIDO UAF Specifications: Overview & Tutorial (20)

FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical Tutorial
 
FIDO U2F & UAF Tutorial
FIDO U2F & UAF TutorialFIDO U2F & UAF Tutorial
FIDO U2F & UAF Tutorial
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications Overview
 
FIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Authentication Technical Overview
FIDO Authentication Technical Overview
 
FIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Authentication Technical Overview
FIDO Authentication Technical Overview
 
FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016
 
FIDO Specifications Tutorial
FIDO Specifications TutorialFIDO Specifications Tutorial
FIDO Specifications Tutorial
 
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
UAF Tutorial: Passwordless, Biometric Authentication for Native AppsUAF Tutorial: Passwordless, Biometric Authentication for Native Apps
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
 
apidays London 2023 - Building Multi-Factor Authentication into your applicat...
apidays London 2023 - Building Multi-Factor Authentication into your applicat...apidays London 2023 - Building Multi-Factor Authentication into your applicat...
apidays London 2023 - Building Multi-Factor Authentication into your applicat...
 
FIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - PresentationFIDO® for Government & Enterprise - Presentation
FIDO® for Government & Enterprise - Presentation
 
Passwordless Mobile Banking.pdf
Passwordless Mobile Banking.pdfPasswordless Mobile Banking.pdf
Passwordless Mobile Banking.pdf
 
Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...
Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...
Data Con LA 2019 - So You got Hacked, how Quickly Can your Company Recover? b...
 
Introduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for AuthenticationIntroduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for Authentication
 
Fido Overview: Status and Future
Fido Overview: Status and FutureFido Overview: Status and Future
Fido Overview: Status and Future
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAlliance
 
Technical Principles of FIDO Authentication
Technical Principles of FIDO AuthenticationTechnical Principles of FIDO Authentication
Technical Principles of FIDO Authentication
 
Claim based authentaication
Claim based authentaicationClaim based authentaication
Claim based authentaication
 
WebAuthn
WebAuthnWebAuthn
WebAuthn
 
Seminar-Two Factor Authentication
Seminar-Two Factor AuthenticationSeminar-Two Factor Authentication
Seminar-Two Factor Authentication
 

More from FIDO Alliance

Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.comConsumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
FIDO Alliance
 
Introduction to FIDO and eIDAS Services
Introduction to FIDO and eIDAS ServicesIntroduction to FIDO and eIDAS Services
Introduction to FIDO and eIDAS Services
FIDO Alliance
 

More from FIDO Alliance (20)

FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptxFIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptx
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 
OTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptxOTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptx
 
CISA: #MoreThanAPassword.pptx
CISA: #MoreThanAPassword.pptxCISA: #MoreThanAPassword.pptx
CISA: #MoreThanAPassword.pptx
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
 
Introducing FIDO Device Onboard (FDO)
Introducing FIDO Device Onboard (FDO)Introducing FIDO Device Onboard (FDO)
Introducing FIDO Device Onboard (FDO)
 
FIDO Alliance Webinar: Catch Up WIth FIDO
FIDO Alliance Webinar: Catch Up WIth FIDOFIDO Alliance Webinar: Catch Up WIth FIDO
FIDO Alliance Webinar: Catch Up WIth FIDO
 
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.comConsumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com
 
新しい認証技術FIDOの最新動向
新しい認証技術FIDOの最新動向新しい認証技術FIDOの最新動向
新しい認証技術FIDOの最新動向
 
日立PBI技術を用いた「デバイスフリーリモートワーク」構想
日立PBI技術を用いた「デバイスフリーリモートワーク」構想日立PBI技術を用いた「デバイスフリーリモートワーク」構想
日立PBI技術を用いた「デバイスフリーリモートワーク」構想
 
Introduction to FIDO and eIDAS Services
Introduction to FIDO and eIDAS ServicesIntroduction to FIDO and eIDAS Services
Introduction to FIDO and eIDAS Services
 
富士通の生体認証ソリューションと提案
富士通の生体認証ソリューションと提案富士通の生体認証ソリューションと提案
富士通の生体認証ソリューションと提案
 
テレワーク本格導入におけるID認証考察
テレワーク本格導入におけるID認証考察テレワーク本格導入におけるID認証考察
テレワーク本格導入におけるID認証考察
 
「開けゴマ!」からYubiKeyへ
「開けゴマ!」からYubiKeyへ「開けゴマ!」からYubiKeyへ
「開けゴマ!」からYubiKeyへ
 
YubiOnが目指す未来
YubiOnが目指す未来YubiOnが目指す未来
YubiOnが目指す未来
 
FIDO2導入してみたを考えてみた
FIDO2導入してみたを考えてみたFIDO2導入してみたを考えてみた
FIDO2導入してみたを考えてみた
 
中小企業によるFIDO導入事例
中小企業によるFIDO導入事例中小企業によるFIDO導入事例
中小企業によるFIDO導入事例
 
VPNはもう卒業!FIDO2認証で次世代リモートアクセス
VPNはもう卒業!FIDO2認証で次世代リモートアクセスVPNはもう卒業!FIDO2認証で次世代リモートアクセス
VPNはもう卒業!FIDO2認証で次世代リモートアクセス
 
CloudGate UNOで安全便利なパスワードレスリモートワーク
CloudGate UNOで安全便利なパスワードレスリモートワークCloudGate UNOで安全便利なパスワードレスリモートワーク
CloudGate UNOで安全便利なパスワードレスリモートワーク
 
数々の実績:迅速なFIDO認証の展開をサポート
数々の実績:迅速なFIDO認証の展開をサポート数々の実績:迅速なFIDO認証の展開をサポート
数々の実績:迅速なFIDO認証の展開をサポート
 

Recently uploaded

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Recently uploaded (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

FIDO UAF Specifications: Overview & Tutorial

  • 2. Mobile Authentication Helps Drive Business 770  million  biometric   authentication   applications  will  be   downloaded  per   annum  by  2019,  up   from  just  6  million  this   year  and  dramatically   reducing  dependence   on  alphanumeric   passwords  in  the   mobile  phone  market. -­Juniper  Research,   20  January  2016 Source:  Criteo,  State  of  Mobile  Commerce  Report  4Q  2015  
  • 3. How Secure is Authentication?
  • 5. Password  might  be   entered  into  untrusted   App  /  Web-­site   (“phishing”) 2 Password  could  be  stolen   from  the  server 1 Too  many  passwords  to   remember à re-­use  /  cart abandonment 3 Inconvenient  to  type   password  on  phone 4 Password Issues
  • 6. OTP Issues OTP  vulnerable  to  real-­ time  MITM  and  MITB   attacks 1 SMS  security  questionable,   especially  when  Device  is  the   phone 2 OTP  HW  tokens  are   expensive  and  people   don’t  want  another  device 3 Inconvenient  to  type  OTP   on  phone 4
  • 7. Do you want to login? 1 Authentication Needs Authentication today: Ask user for a password… (and perhaps a one time password) Do you want to share your dental records? 4 Do you want to change your shipping address? 3 Do you want to delete all of your emails? 2 Do you want to transfer $100 to Frank? 5 Do you want to transfer $10,000 to mymerchant.com? 6
  • 8. Classifying Threats Remotely  attacking  central  servers   steal  data for  impersonation 1 Physically  attacking  user   devices   misuse  them for   impersonation 6 Physically  attacking  user   devices steal  data for  impersonation 5 Remotely   attacking  lots  of   user  devices steal  data for   impersonation Remotely   attacking  lots  of   user  devices misuse  them for   impersonation Remotely   attacking  lots  of   user  devices misuse   authenticated   sessions 2 3 4 Scalable  attacks Physical  attacks   possible  on  lost  or stolen  devices ( 3%  in  the  US  in  2013)
  • 9. Summary 1. Passwords  are  insecure  and  inconvenient   especially  on  mobile  devices 2. Alternative  authentication   methods  are  silos  and   hence  don‘t  scale  to  large  scale  user  populations 3. The  required  security  level  of  the  authentication   depends  on  the  use 4. Risk  engines  need  information  about  the  explicit   authentication   security  for  good  decision  
  • 10. How does FIDO work? Device
  • 11. How does FIDO work? Private  key Public  key challenge (signed)   response Require  user  gesture before  private  key   can  be  used
  • 12. How does FIDO UAF work? … …SE
  • 13. How does FIDO UAF work? Can  recognize the  user   (i.e.  user  verification),  but   doesn’t  know  its  identity   attributes. Same  Authenticator   as  registered  before? Same  User  as   enrolled  before?
  • 14. How does FIDO UAF work? Identity  binding   to  be  done   outside  FIDO:  This  this   “John  Doe  with  customer   ID  X”. Can  recognize the  user   (i.e.  user  verification),  but   doesn’t  know  its  identity   attributes. Same  Authenticator   as  registered  before? Same  User  as   enrolled  before?
  • 15. How does FIDO UAF work? … …SE How  is  the  key  protected  (TPM,   SE,  TEE,  …)? Which  user  verification  method  is   used?
  • 16. Binding Keys to Apps Use  google.com  key Use  paypal.com  key Use  same  user  gesture (e.g.  same  finger  or  PIN) for  unlocking  each  private  key.
  • 17. FIDO  USER  DEVICE FIDO  CLIENT FIDO  AUTHENTICATOR BROWSER  /  APP FIDO Building Blocks ASM RELYING  PARTY Attestation  key Authentication   keys FIDO  SERVER METADATA   SERVICE WEB  APPLICATION Update Cryptographic   authentication  key   DB Authenticator   Metadata UAF  Protocol TLS  Server  Key
  • 18. Registration Overview FIDO AUTHENTICATOR FIDO SERVER FIDO CLIENT Send  Registration  Request: -­ Policy -­ Random  Challenge Start   registration Verify  user Generate  key  pair Sign  attestation  object: • Public  key • AAID • Random  Challenge • Name  of  relying  party Signed  by  attestation  key Verify  signature Check  AAID  against  policy Store  public  key AAID  =  Authenticator  Attestation   ID,  i.e.  model  ID Perform  legacy  authentication  first,  in  order  to  bind  authenticator  to  an  electronic  identity, then  perform  FIDO  registration.
  • 23. FIDO Authenticator FIDO Server Web   App App Prepare UAF Authentication Initiate   Authentication 1 Auth.  Request with  Challenge 2 0
  • 24. FIDO Server Web   App App Prepare UAF Authentication pat@example.com Pat  Johnson Initiate   Authentication 1 3 Verify  User  & Sign  Challenge   (Key  specific  to  RP   Webapp) FIDO Authenticator Auth.  Request with  Challenge 2 0
  • 25. FIDO Server Web   App App Prepare UAF Authentication Pat  Johnson 650  Castro  Street Mountain  View,  CA  94041 United  States Initiate   Authentication 1 FIDO Authenticator 3 Verify  User  & Sign  Challenge   (Key  specific  to  RP   Webapp) Auth. Response 4 Auth.  Request with  Challenge 2 0
  • 26. FIDO Server Web   App App Prepare UAF Authentication pat@example.com Pat  Johnson Payment  complete! Return  to  the  merchant’s  web   site  to  continue  shopping Return  to  the  merchant Initiate   Authentication 1 FIDO Authenticator 3 Verify  User  & Sign  Challenge   (Key  specific  to  RP   Webapp) Auth.  Request with  Challenge 2 Auth.   Response 4 Success 5 0
  • 27. FIDO Server Browser  or   Native  App FIDO Authenticator Initiate  Transaction Authentication   Response +  Text  Hash,   signed  by  User’s  private  key Validate Response  &   Text  Hash  using User’s  Public  Key Authentication   Request  +   Transaction  Text 2 4 5 Device Relying  Party 1 3 Web   App Display  Text,  Verify   User  & Unlock  Private   Key (specific  to  User  +  RP  Webapp) Transaction Confirmation
  • 30. Convenience & Security Convenience Security Password Password  +  OTP FIDO In  FIDO: • Same  user  verification   method  for  all  servers In  FIDO:    Arbitrary  user   verification  methods  are   supported  (+  they  are   interoperable)
  • 31. Convenience & Security Convenience Security Password Password  +  OTP FIDO In  FIDO: • Only  public  keys  on  server • Not  phishable In  FIDO:    Scalable  security   depending  on  Authenticator   implementation
  • 32. What about rubber fingers? Protection  methods  in  FIDO 1. Attacker  needs  access  to  the  Authenticator  and  swipe  rubber   finger  on  it.    This  makes  it  a  non-­scalable  attack. 2. Authenticators  might  implement  presentation  attack  detection   methods. Remember: Creating  hundreds  of  millions  of  rubber  fingers  +  stealing  the  related   authenticators  is  expensive.    Stealing  hundreds  of  millions  of   passwords  from  a  server  has  low  cost  per  password.
  • 33. But I can’t revoke my finger… • Protection  methods  in  FIDO You  don’t  need  to  revoke  your  finger,  you  can  simply   de-­register  the  old  (=attacked)  authenticator.  Then,   1. Get  a  new  authenticator 2. Enroll  your  finger  (or  iris,  …)  to  it 3. Register  the  new  authenticator  to  the  service
  • 34. FIDO is used Today
  • 35. Conclusion • Different  authentication  use-­cases  lead  to  different   authentication   requirements • FIDO  separates  user  verification  from  authentication   and  hence  supports  all  user  verification  methods • FIDO  supports  scalable  convenience  &  security • User  verification  data  is  known  to  Authenticator  only • FIDO  complements  federation Todd  Thiemann,  Nok  Nok Labs,  tthiemann@noknok.com
  • 36. How does FIDO UAF work? 5.  Generate  key  pair  in   Authenticator  to  protect   against  phishing 7.  Verify  user  before   signing  authentication   response 4.  Provide  cryptographic   proof  of  authenticator   model 1.  Use  Metadata  to   understand  Authenticator     security  characteristic 2.  Define  policy  of   acceptable   Authenticators 6.  Use  site-­specific   keys  in  order  to  protect   privacy 3.  Store  public  keys  on   the  server   (no  secrets) 8.  Use  channel  binding  to   protect  against  MITM
  • 37. Registration Overview (2) Physical  Identity Virtual  Identity FIDO AUTHENTICATOR FIDO SERVER WEB Application {  userid=1234,   jane@mail.com, known  since  03/05/04, payment  history=xx,   …   } {  userid=1234,   pubkey=0x43246,  AAID=x +pubkey=0xfa4731,  AAID=y } Registration AAID  y key  for  foo.com:  0xfa4731 Relying  Party  foo.com Link  new   Authenticator  to   existing  userid “Know  Your  Customer”  rules Legacy  Authentication
  • 38. SIM  Card FIDO  Authenticator Attestation  Key Authentication  Key(s) Using Secure Hardware PIN   Verification PIN  Entry User Verification /   Presence
  • 39. Trusted  Execution  Environment  (TEE) FIDO  Authenticator  as  Trusted  Application  (TA) User  Verification  /  Presence Attestation  Key Authentication  Key(s) Store  at  Enrollment Compare  at  Authentication Unlock  after  comparison Client Side Biometrics
  • 40. Trusted  Execution  Environment   (TEE) Secure  Element Combining TEE and SE FIDO  Authenticator  as  Trusted  Application  (TA) Attestation  Key Authentication  Key(s) User  Verification     /  Presence Transaction   Confirmation   Display e.g.  GlobalPlatform   Trusted  UI