The model of password authentication is broken. FIDO is a new approach to authentication, including a modality for biometric authentication. Learn about the specification and the clear benefits of adding FIDO Authentication to Device APIs.
1. INTRODUCTION TO FIDO BIOMETRIC AUTHENTICATION
All Rights Reserved | FIDO Alliance | Copyright 2018
2. THE FIDO ALLIANCE LEADERSHIP
CONSUMER ELECTRONICS | SECURITY & BIOMETRICS | HIGH-ASSURANCE SERVICES
3. THE PROBLEM IS “SHARING SECRETS”
• PASSWORDS
• OTPs
• PANs
4. THE COST IS GETTING HIGHER, FASTER
• $5.65B: Losses to CNP fraud exceeded $5.65 billion in 2015, with growth in nearly every country (1)
• 50%: CNP already accounts for more than 50% of total fraud losses in the U.S. (1)
• 81%: Data breaches in 2016 that involved weak, default, or stolen passwords (1)
• 65%: Increase in phishing attacks over the number of attacks recorded in 2015 (2)
• 44.7%: Breaches in 2017 up 45% over 2016 (breaches in 2016 up 40% over 2015)
(1) The Nilson Report
5. Why is the old model SO BROKEN?
6. HOW SHARED SECRETS WORK
ONLINE CONNECTION: The user authenticates themselves online by presenting a human-readable “shared secret”
7. Authentication
• Open Standards
• Public Key Cryptography
• Single Gesture
• Phishing Resistant MFA
Chart: SECURITY (Weak to Strong) against USABILITY (Poor to Easy)
8. HOW FIDO WORKS
LOCAL CONNECTION: The user authenticates “locally” to their device (by various means)
ONLINE CONNECTION: The device authenticates the user online using public key cryptography
9. EARLY ADOPTERS (SAMPLE)
10. BIOMETRICS WITH FIDO
User verification → Authenticator → FIDO Authentication
Require user gesture before private key can be used
Challenge → (Signed) Response
The authenticator holds the private key, dedicated to one app; the relying party holds the matching public key
11. BACKED BY ATTESTATION + METADATA
Private attestation key → Signed Attestation Object → FIDO Registration
Verify using trust anchor included in Metadata
Understand Authenticator security characteristics by looking into Metadata from mds.fidoalliance.org
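The registration and authentication flow on the slides above (user gesture gating the private key, one private key per app, a challenge answered with a signed response, and an attestation object checked against a trust anchor from metadata) as an added, runnable Python illustration. This is example code written for this page, not FIDO Alliance code and not any FIDO library: the AAGUID, rp_ids, credential ids and metadata entry are constructed values; the attestation object and metadata entry are flat dicts standing in for the CBOR attestation statements and MDS entries the specifications define; and the signature scheme is a textbook-RSA stand-in (so the example needs only the standard library) where real authenticators use algorithms such as ECDSA.

```python
import hashlib
import secrets

# Toy textbook-RSA signatures: stdlib-only stand-in for the authenticator's real algorithm (e.g. ECDSA); not for production.
def _is_probable_prime(n: int, rounds: int = 20) -> bool:  # Miller-Rabin test
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(cand):
            return cand

def keygen(bits: int = 512):  # returns (public (n, e), private (n, d))
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(key, data: bytes) -> int:  # key = (n, d)
    return pow(_digest(data, key[0]), key[1], key[0])
def verify(key, data: bytes, signature: int) -> bool:  # key = (n, e)
    return pow(signature, key[1], key[0]) == _digest(data, key[0])
def encode(*fields) -> bytes:  # deterministic encoding of the fields a signature covers
    return b"|".join(str(f).encode() for f in fields)

class Authenticator:  # one attestation key per model; one private key per relying party
    def __init__(self, aaguid: str, attestation_private_key):
        self.aaguid, self._attestation_key = aaguid, attestation_private_key
        self._credentials = {}  # rp_id -> (credential_id, private_key); never exported
    def register(self, rp_id: str, user_verified: bool):
        if not user_verified:  # the biometric/PIN gesture gates every private-key use
            return None
        public_key, private_key = keygen()
        cred_id = secrets.token_hex(8)
        self._credentials[rp_id] = (cred_id, private_key)
        return {"aaguid": self.aaguid, "rp_id": rp_id, "credential_id": cred_id, "public_key": public_key,
                "attestation_sig": sign(self._attestation_key, encode(self.aaguid, rp_id, cred_id, public_key))}
    def authenticate(self, rp_id: str, challenge: bytes, user_verified: bool):
        if not user_verified or rp_id not in self._credentials:  # key is scoped to one app
            return None
        cred_id, private_key = self._credentials[rp_id]
        return {"rp_id": rp_id, "credential_id": cred_id, "challenge": challenge.hex(),
                "signature": sign(private_key, encode(rp_id, cred_id, challenge.hex()))}

class RelyingParty:  # stores only public keys, so a database breach leaks no secrets
    def __init__(self, rp_id: str, metadata: dict):
        self.rp_id, self.metadata = rp_id, metadata  # aaguid -> trust anchor + cert level
        self.public_keys, self.pending = {}, set()
    def register(self, att, min_level: int = 1) -> bool:
        entry = self.metadata.get(att["aaguid"]) if att else None  # policy from metadata
        if (entry is None or entry["certification_level"] < min_level or att["rp_id"] != self.rp_id
                or not verify(entry["trust_anchor"], encode(att["aaguid"], att["rp_id"],
                              att["credential_id"], att["public_key"]), att["attestation_sig"])):
            return False
        self.public_keys[att["credential_id"]] = att["public_key"]
        return True
    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge.hex())
        return challenge
    def verify_assertion(self, assertion) -> bool:
        if not assertion or assertion["rp_id"] != self.rp_id or assertion["challenge"] not in self.pending:
            return False
        self.pending.discard(assertion["challenge"])  # single use: a replayed response fails
        public_key = self.public_keys.get(assertion["credential_id"])
        signed = encode(assertion["rp_id"], assertion["credential_id"], assertion["challenge"])
        return public_key is not None and verify(public_key, signed, assertion["signature"])

def demo() -> dict:  # registration, login and the failure modes; all identifiers are constructed
    att_pub, att_priv = keygen()  # vendor's attestation keypair (constructed)
    metadata = {"toy-aaguid-0001": {"trust_anchor": att_pub, "certification_level": 2}}
    bank = RelyingParty("bank.example", metadata)
    device = Authenticator("toy-aaguid-0001", att_priv)
    out = {"registered": bank.register(device.register("bank.example", True))}
    assertion = device.authenticate("bank.example", bank.new_challenge(), True)
    out["login_ok"] = bank.verify_assertion(assertion)
    out["replay_rejected"] = not bank.verify_assertion(assertion)
    out["lookalike_blocked"] = device.authenticate("phish.example", secrets.token_bytes(32), True) is None
    out["gesture_required"] = device.authenticate("bank.example", bank.new_challenge(), False) is None
    unknown = Authenticator("toy-aaguid-unknown", att_priv)  # model with no metadata entry
    out["unknown_model_rejected"] = not bank.register(unknown.register("bank.example", True))
    return out
```

Calling `demo()` returns six booleans that are all `True` when the flow behaves as the slides describe: registration succeeds only for a model whose attestation verifies under a trust anchor from the metadata, a signed challenge logs the user in once and cannot be replayed, a look-alike site under a different rp_id was never issued a key so there is nothing for it to ask the authenticator to sign, and no signature is produced without the user-verification gesture. The relying party's store holds nothing but public keys, which is the contrast with the password database on the Device API slide.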
12. METADATA CARRIES CERTIFICATION INFO
• Ensures conformance & interoperability
• Enables policy based on authenticator security level
• Enables policy based on biometric performance
14. COMPARE TO DEVICE API (WITHOUT FIDO)
Device API Flow: Password → Password Database
✓ Better UX
× Still just a “Shared Secret”
× Security end-to-end is all on you
× Retrieving Device attributes is added cost (YMMV)
× Financial risk to ROI (“long tail” of APIs)
× Development risk (proprietary code abandonment)
× Competitive risk (home grown vs. industry trend)
× Opportunity cost (time on authn vs. core business)
× No clear path to MFA/SCA regulatory approval
Some analysis summarized from Nok Nok Labs paper: “Enabling Biometrics For Mobile Application Authentication”
15. ADDING FIDO TO DEVICE API
FIDO Flow: Challenge → Response → Public Key Database
✓ Better UX
✓ Public Key Crypto vs. “Shared Secret”
✓ Security end-to-end reviewed by industry
✓ Free Metadata Service for Device attributes
✓ Financial ROI from open standard economics
✓ Development risk shared/mitigated by industry
✓ Competitive & flexible UX above standard API
✓ Opportunity cost minimized by partnerships
✓ MFA/SCA regulators already educated on FIDO
16. EXAMPLE 1: US NIST/OMB GUIDANCE
Recognized by the U.S. government (NIST) in 2014: Technology is now mature enough to enable two secure, distinct authn factors in a single device
OMB (White House) removes requirement that one factor be separate from the device accessing the resource. Only binding on government applications but set a precedent in MFA regulation.
17. EXAMPLE 2: EUROPEAN PSD2
Recognized by the EBA in 2017: Technology is now mature enough to enable two secure, distinct authn factors in a single device
Strong Customer Authentication can be achieved with a single-gesture UX, helped by the FIDO Metadata that can clearly convey device compliance with Article 9/3(a): “the use of a separated secure execution environment”
18. FIDO AND 3DS
JOINT STATEMENT FROM FIDO ALLIANCE & EMVCO: “FIDO Alliance and EMVCo are in the process of expanding our scope of collaboration to include a work item to define in detail how EMV 3DS messages may be used to pass FIDO authenticator attestation and signatures in a manner that is both scalable and interoperable across the EMV payments ecosystem.”
19. Connect with FIDO Alliance: fidoalliance.org