Introduces FIDO Authentication: the problem, the solution, the Alliance and the market. Presented by Brett McDowell, Executive Director of the FIDO Alliance.
3. Data Breaches…
781 data breaches in 2015
170 million records in 2015 (up 50%)
$3.8 million cost/breach (up 23% from 2013)
All Rights Reserved. FIDO Alliance. Copyright 2016. 3
4. “95% of these incidents involve harvesting credentials stolen from customer devices, then logging into web applications with them.”
2015 Data Breach Investigations Report
5. “A look through the details of these incidents shows a common sequence of phish customer → get credentials → abuse web application → empty bank/bitcoin account.”
2015 Data Breach Investigations Report
7. ONE-TIME PASSCODES
Improve security but aren’t easy enough to use
• Still Phishable
• User Confusion
• Token Necklace
• SMS Reliability
8. The world has a “SHARED SECRETS” PROBLEM
9. WE NEED A NEW MODEL
14. HOW “Shared Secrets” WORK
ONLINE: The user authenticates themselves online by presenting a human-readable “shared secret”
15. HOW FIDO WORKS
LOCAL (AUTHENTICATOR): The user authenticates “locally” to their device (by various means)
ONLINE: The device authenticates the user online using public key cryptography
16. FIDO Registration
User is in a Session or New Account Flow
1. Invitation Sent
2. User Approval
3. New Keys Created
4. Public Key Registered With Online Server
Registration Complete
17. FIDO Authentication
User needs to login or authorize a transaction
1. FIDO Challenge
2. User Approval
3. Key Selected & Signs
4. Signed Response verified using Public Key Cryptography
Login Complete
18. OPEN STANDARDS R.O.I.
FIDO-ENABLE ONCE, GAIN EVERY DEVICE YOU TRUST: NO MORE ONE-OFF INTEGRATIONS
20. No 3rd Party in the Protocol
No Secrets on the Server Side
Biometric Data (if used) Never Leaves Device
No Link-ability Between Services
No Link-ability Between Accounts
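Slides 16, 17 and 20 together describe the core of the protocol: a fresh key pair per service at registration, only the public key stored on the server, and a challenge signed locally and verified with that public key. The following Go program is an added illustration of that flow, not FIDO Alliance code or a conformant UAF/U2F implementation; it assumes Ed25519 keys, a browser that tells the authenticator which origin it is talking to, and a plain map standing in for the device’s secure hardware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator: one private key per relying-party origin. The key never leaves
// the device; a plain map stands in for secure hardware in this model.
type Authenticator map[string]ed25519.PrivateKey

// Server: stores only public keys per account, so a breach yields nothing reusable.
type Server struct {
	Origin  string
	PubKeys map[string]ed25519.PublicKey
}

// Register (slide 16): after the invitation and user approval, the device makes a
// fresh key pair for this origin and registers only the public key.
func Register(a Authenticator, s *Server, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return err }
	a[s.Origin], s.PubKeys[user] = priv, pub
	return nil
}

// Authenticate (slide 17): the server issues a random challenge; the device signs
// it together with the origin it actually sees (seenOrigin, supplied by the
// browser); the server verifies with the stored public key over its own origin.
func Authenticate(a Authenticator, s *Server, user, seenOrigin string) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	pub, priv := s.PubKeys[user], a[seenOrigin]
	if pub == nil || priv == nil {
		return fmt.Errorf("no key registered for %s at %s", user, seenOrigin)
	}
	sig := ed25519.Sign(priv, append([]byte(seenOrigin+"\x00"), challenge...))
	if !ed25519.Verify(pub, append([]byte(s.Origin+"\x00"), challenge...), sig) {
		return fmt.Errorf("signature verification failed")
	}
	return nil
}

func main() {
	a, bank := Authenticator{}, &Server{Origin: "https://bank.example", PubKeys: map[string]ed25519.PublicKey{}}
	fmt.Println(Register(a, bank, "alice"), Authenticate(a, bank, "alice", bank.Origin))
}
```

Because each origin gets its own key pair and the signature covers the origin the browser reports, a look-alike site relaying the bank’s challenge obtains no usable signature, and the bank and a second service cannot correlate the same user by key.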
21. FIDO Delivers on Key Priorities
Security
• Authentication using strong asymmetric Public Key cryptography
• Superior to old “shared secrets” model – there is nothing to steal on the server
• Biometrics as second factor
Privacy
• Privacy architected in up front; supports EU Privacy Principles, other national privacy initiatives
• No linkability or tracking
• Biometric data never leaves device
• Consumer control and consent
Interoperability
• Open standards: FIDO 2.0 specs are in W3C standardization process
• FIDO compliance/conformance testing to ensure interoperability of “FIDO certified” products
Usability
• Designed with the user experience (UX) first – with a goal of making authentication as easy as possible.
• Security built to support the user’s needs, not the other way around
22. Better security for online services
Reduced cost for the enterprise
Simpler and safer for consumers
32. FIDO DEVELOPMENT TIMELINE
FEB 2013: Alliance Announced
DEC 2013: FIDO Ready Program
FEB 2014: Specification Review Draft
FEB-OCT 2014: First Deployments
DEC 2014: FIDO 1.0 FINAL
MAY 2015: Certification Program
JUNE 2015: New U2F Transports
NOV 2015: Submission of FIDO Web API into W3C
40. Leading OEMs Shipping FIDO Certified Devices
S5, Mini, Alpha, Note 4, Note 5, Note Edge, Tab S, Tab S2, S6, S6 Edge, S7, S7 Edge; Vernee Thor; Aquos Zeta; Xperia Z5, Xperia Z5 Compact, Xperia Z5 Premium; Mate 8; V10, G5; Phab2 Pro, Phab2 Plus; Z2, Z2 Pro; Arrows NX, Arrows Fit, Arrows Tab
41. FIDO Applications Now Run on iOS
Supported iOS Fingerprint Devices: iPhone 5s; iPhone 6, 6+; iPad Air 2, Mini 3; iPhone 6s, 6s+; iPad Mini 4; iPad Pro
Source of 781 breaches in 2015 = Identity Theft Resource Center Breach Report
Source of 170m records exposed in 2015 = Identity Theft Resource Center Breach Report (note >66% of these in healthcare)
Source of $3.8m / breach in 2015 = Ponemon Institute Cost of Data Breach Study
Source: 2015 Data Breach Investigations Report published by Verizon with contributions from 70 organizations around the world.
But what specifically makes passwords such a problem? (lead into next slide)
The only thing worse than a password is two passwords.
SMS is not always available / dedicated hardware is often service-specific / it’s a cumbersome process users generally don’t like / and it is still vulnerable to phishing (it is still a symmetric shared secret, just short-lived, but malware tools have adjusted to this)
User convenience is so important that we put it in the very name of the technology itself - the “F” in FIDO stands for Fast.
Historically, “Fast” has always meant “Weak” – but it’s important to understand that FIDO was designed from the ground up to provide privacy protections in addition to providing strong authentication. Fundamentally, the solution that we developed replaces passwords, which are over 50 years old, with modern public key cryptography.
AMEX, VASCO and INFINEON announced today
One more prominent EU government agency is about to be announced.
We support a growing number of fingerprint enabled Android devices that have in-built UAF capabilities
Most of the new Samsung high-end devices with fingerprint sensors (FPSs) support UAF
Newer devices from Fujitsu, Sharp and Sony increasingly include UAF support out of the box
Fujitsu Arrows NX supports UAF-enabled iris authentication.
We will see other types of authenticators also appear in coming devices
We support the Android M fingerprint API
Apart from these devices with native FIDO UAF support, we also support virtually any non-FPS Android device running Kit Kat or newer using an embedded UAF PIN authenticator.
We support all Touch ID enabled iOS devices
These devices don’t have native FIDO UAF support
We have built a UAF authenticator using the Touch ID API and the secure enclave
We also support non-Touch ID devices (e.g. iPhone 4s and 5) running iOS 8 or higher using a device passcode (PIN) authenticator