Introduction to FIDO Alliance
•Als PPTX, PDF herunterladen•
2 gefällt mir•7,471 views
Introduces FIDO Authentication: the problem, the solution, the Alliance and the market. Presented by Brett McDowell, Executive Director of the FIDO Alliance.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (15)
Ähnlich wie Introduction to FIDO Alliance
Ähnlich wie Introduction to FIDO Alliance (20)
Mehr von FIDO Alliance
Mehr von FIDO Alliance (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Introduction to FIDO Alliance
- 1. INTRODUCTION TO FIDO ALLIANCE Brett McDowell, Executive Director brett@fidoalliance.org All Rights Reserved. FIDO Alliance. Copyright 2016.
- 2. The Problem The Solution The Alliance The Market
- 3. 781 data breaches in 2015 Data Breaches… 170 million records in 2015 (up 50%) $3.8 million cost/breach (up 23% f/2013) All Rights Reserved. FIDO Alliance. Copyright 2016. 3
- 4. “95% of these incidents involve harvesting credentials stolen from customer devices, then logging into web applications with them.” 2015 Data Breach Investigations Report
- 5. “A look through the details of these incidents shows a common sequence of phish customer ≥ get credentials ≥ abuse web application ≥ empty bank/bitcoin account.” 2015 Data Breach Investigations Report
- 6. The world has a PASSWORD PROBLEM 5Confidential
- 7. ONE-TIME PASSCODES Improve security but aren’t easy enough to use Still Phishable User Confusion Token Necklace SMS Reliability 6Confidential All Rights Reserved. FIDO Alliance. Copyright 2016. 7
- 8. The world has a “SHARED SECRETS” PROBLEM 5Confidential
- 9. WE NEED A NEW MODEL All Rights Reserved. FIDO Alliance. Copyright 2016. 9
- 10. The Problem The Solution The Alliance The Market
- 11. THE NEW MODEL Fast IDentity Online online authentication using public key cryptography
- 13. THE FIDO PARADIGM Poor Easy WeakStrong USABILITY SECURITY All Rights Reserved. FIDO Alliance. Copyright 2016. 13
- 14. HOW “Shared Secrets” WORK ONLINE The user authenticates themselves online by presenting a human-readable “shared secret”
- 15. HOW FIDO WORKS AUTHENTICATOR LOCAL ONLINE The user authenticates “locally” to their device (by various means) The device authenticates the user online using public key cryptography All Rights Reserved. FIDO Alliance. Copyright 2016. 15
- 16. FIDO Registration Invitation Sent New Keys Created Pubic Key Registered With Online Server User is in a Session Or New Account Flow 1 2 3 4 Registration Complete User Approval All Rights Reserved. FIDO Alliance. Copyright 2016. 16
- 17. Login Complete FIDO Authentication FIDO Challenge Key Selected & Signs Signed Response verified using Public Key Cryptography User needs to login or authorize a transaction 1 2 3 4 User Approval All Rights Reserved. FIDO Alliance. Copyright 2016. 17
- 18. OPEN STANDARDS R.O.I. FIDO-ENABLE ONCE GAIN EVERY DEVICE YOU TRUST NO MORE ONE-OFF INTEGRATIONS All Rights Reserved. FIDO Alliance. Copyright 2016. 18
- 19. USABILITY, SECURITY, R.O.I. and PRIVACY All Rights Reserved. FIDO Alliance. Copyright 2016. 19
- 20. No 3rd Party in the Protocol No Secrets on the Server Side Biometric Data (if used) Never Leaves Device No Link-ability Between Services No Link-ability Between Accounts
- 21. FIDO Delivers on Key Priorities Security • Authentication using strong asymmetric Public Key cryptography • Superior to old “shared secrets” model – there is nothing to steal on the server • Biometrics as second factor Privacy • Privacy architected in up front; supports EU Privacy Principles, other national privacy initiatives • No linkability or tracking • Biometric data never leaves device • Consumer control and consent Interoperability • Open standards: FIDO 2.0 specs are in W3C standardization process • FIDO compliance/ conformance testing to ensure interoperability of “FIDO certified” products Usability • Designed with the user experience (UX) first – with a goal of making authentication as easy as possible. • Security built to support the user’s needs, not the other way around
- 22. Better security for online services Reduced cost for the enterprise Simpler and safer for consumers All Rights Reserved. FIDO Alliance. Copyright 2016. 22
- 23. The Problem The Solution The Alliance The Market
- 24. The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards
- 25. Physical-to-digital identity User Management Authentication Federation Single Sign-On Passwords Risk-BasedStrong MODERN AUTHENTICATION FIDO SCOPE
- 26. FIDO Alliance Mission Develop Specifications Operate Adoption Programs Pursue Formal Standardization 1 2 3
- 27. Board Members All Rights Reserved. FIDO Alliance. Copyright 2016.
- 28. Sponsor Members All Rights Reserved. FIDO Alliance. Copyright 2016. 28
- 29. Associate Members All Rights Reserved. FIDO Alliance. Copyright 2016. 29
- 30. Government & Research 30 30All Rights Reserved. FIDO Alliance. Copyright 2016.
- 32. FIDO DEVELOPMENT TIMELINE FIDO 1.0 FINALFirst DeploymentsSpecification Review Draft FIDO Ready Program Alliance Announced FEB 2013 DEC 2013 FEB 2014 FEB-OCT 2014 DEC 2014 MAY 2015 NOV 2015 Submission of FIDO Web API into W3C JUNE 2015 Certification Program New U2F Transports All Rights Reserved. FIDO Alliance. Copyright 2016. 32
- 33. The Problem The Solution The Alliance The Market
- 34. All Rights Reserved. FIDO Alliance. Copyright 2016. EXAMPLE: PAYPAL & SAMSUNG (FIDO DEPLOYMENT #1) Value Proposition Video 34
- 35. PayPal All Rights Reserved. FIDO Alliance. Copyright 2016. 35
- 36. More FIDO Adoption/Announcements All Rights Reserved. FIDO Alliance. Copyright 2016. 36
- 37. Deployments are enabled by over 200 FIDO® Certified products available today All Rights Reserved. FIDO Alliance. Copyright 2016. 37
- 38. Certification Growth 38 151 62 32 62 74 108 159 213 Apr-15 Jul-15 Sep-15 Dec-15 Mar-16 May-16 TOTAL All Rights Reserved. FIDO Alliance. Copyright 2016.
- 39. 39All Rights Reserved. FIDO Alliance. Copyright 2016.
- 40. Leading OEMs Shipping FIDO Certified Devices S5, Mini Alpha Note 4,5 Note Edge Tab S, Tab S2 S6, S6 Edge S7, S7 Edge Vernee Thor Aquos Zeta Xperia Z5 Xperia Z5 Compact Xperia Z5 Premium Mate 8 V10 G5 Phab2 Pro Phab2 Plus Z2, Z2 ProArrows NX Arrows Fit Arrows Tab All Rights Reserved. FIDO Alliance. Copyright 2016. 40
- 41. iPhone 5s iPhone 6, 6+ iPad Air 2, Mini 3 iPhone 6s, 6s+ iPad Mini 4 iPad Pro FIDO Applications Now Run on iOS Supported iOS Fingerprint Devices All Rights Reserved. FIDO Alliance. Copyright 2016. 41
- 44. THANK YOU! QUESTIONS? brett@fidoalliance.org | info@fidoalliance.org All Rights Reserved. FIDO Alliance. Copyright 2016.
Hinweis der Redaktion
- Source of 781 breaches in 2015 = Identity Theft Resource Center Breach Report Source of 170m records exposed in 2015 = Identity Theft Resource Center Breach Report (note >66% of these in healthcare) Source of $3.8m / breach in 2015 = Ponemon Institute Cost of Data Breach Study
- Source: 2015 Data Breach Investigations Report published by Verizon with contributions from 70 organizations around the world.
- Source: 2015 Data Breach Investigations Report published by Verizon with contributions from 70 organizations around the world.
- But what specifically makes passwords such a problem? (lead into next slide)
- The only thing worse than a password is two passwords. SMS is not always available / dedicated hardware is often service-specific / it’s cumbersome process users generally don’t like / and it is still vulnerable to phishing (it is still a symmetric shared secret, just short-lived, but malware tools have adjusted to this)
- But what specifically makes passwords such a problem? (lead into next slide)
- User convenience is so important that we put it in the very name of the technology itself - the “F” in FIDO stands for Fast. Historically, “Fast” has always meant “Weak” – but it’s important to understand that FIDO was designed from the ground up to provide privacy protections in addition to providing strong authentication. Fundamentally, the solution that we developed replaces passwords, which are over 50 years old, with modern public key cryptography.
- AMEX, VASCO and INFINEON announced today
- One more prominent EU government agency is about to be announced.
- One more prominent EU government agency is about to be announced.
- We support a growing number of fingerprint enabled Android devices that have in-built UAF capabilities Most of the new Samsung high devices with FPSs support UAF Newer devices from Fujitsu, Sharp and Sony increasingly include UAF support out of the box Fujitsu Arrows NX supports UAF-enabled iris authentication. We will see other types of authenticators also appear in coming devices We support the Android M fingerprint API Apart from these devices with native FIDO UAF support, we also support virtually any non-FPS Android device running Kit Kat or newer using an embedded UAF PIN authenticator.
- We support all Touch ID enabled iOS devices These devices don’t have native FIDO UAF support We have built a UAF authenticator using the Touch ID API and the secure enclave We also support non-Touch ID devices(Eg iPhone 4s and 5) running iOS 8 or higher using device passcode (PIN) authenticator