CIS13: Fast IDentity Online (FIDO) Enables Better Authentication for the Open Mobile Ecosystem
Brett McDowell, Senior Manager, Ecosystem Security, PayPal
The mobile ecosystem needs simple and strong authentication capabilities that provide better user experiences—and better security—than today's passwords, PINs or OTPs. The FIDO Alliance members are working together to develop an open, interoperable, standards-based ecosystem that will enable seamless integration of online services with any certified authentication solution (such as biometrics on mobile devices). Find out what use cases FIDO addresses and how your organization can be an early beneficiary of this game-changing initiative.

Published in: Technology


Transcript

  • 1. Introducing Standards for Simpler Stronger Authentication
  • 2. Goal: Simpler Stronger Auth (INTERNET SERVICES | COMPONENT & DEVICE VENDORS | SOFTWARE & STACKS)
  • 3. User Auth Online
      • Do you want to login?
      • Do you want to transfer $100 to Joe?
      • Do you want to ship to a new address?
      • Do you want to delete all of your emails?
      • Do you want to share your dental record?
      Auth today: Ask user for a password (and perhaps a one time code)
  • 4. Passwords: Too many to remember, difficult to type, and not secure (REUSED | PHISHED | KEYLOGGED)
  • 5. One Time Codes: Improves security but not easy enough
      • SMS USABILITY: Coverage | Delay | Cost
      • DEVICE USABILITY: One per site | Fragile
      • USER EXPERIENCE: User confusion
      • STILL PHISHABLE: Known attacks today
  • 6. Megatrend: Easy Local Device Auth
      • PERSONAL DEVICES: Carry Personal Data
      • LOCAL LOCKING: Pins & Patterns today
      • NEW WAVE: CONVENIENT SECURITY: Easy local device auth 2F
  • 7. Putting it together
      • The problem: Easy, Safe online auth
      • The trend: Easy, Safe local device auth
      • Why not: Use local device auth for online auth?
      This is the core idea behind FIDO standards!
  • 8. FIDO Experiences (ONLINE AUTH REQUEST → LOCAL DEVICE AUTH → SUCCESS)
      • PASSWORDLESS EXPERIENCE: Transaction Detail → Show a biometric → Done
      • SECOND FACTOR EXPERIENCE: Login & Password → Insert Dongle, Press button → Done
  • 9. FIDO Registration [Diagram with steps numbered 1 to 4, captioned "Using Public key Cryptography". Labels: Registration begins; User approval; New key created; Key registered; Registration complete]
  • 10. FIDO Login [Diagram with steps numbered 1 to 4, captioned "Login Using Public key Cryptography". Labels: Login; User approval; Key selected; Login challenge; Login response; Login complete]
  • 11. FIDO Standardization [Diagram with steps numbered 1 to 4, captioned "Leverage public key cryptography". Labels: Login; User approval; Key selected; Login challenge; Login response; Registration complete; Online crypto protocol; Pluggable local auth 2F]
  • 12. Options for Internet Services
      UAF: Universal Auth Framework
      • User carries client device with UAF stack installed
      • User presents a local biometric or PIN
      • Website can choose whether to retain password
      U2F: Universal Second Factor
      • User carries U2F device with built-in support in web browsers
      • User presents U2F device
      • Website can simplify password (e.g., 4 digit PIN)
      Simpler Stronger Authentication
  • 13. What's the Benefit?
      For Users
      • Easy to use
      • No more worrying about passwords
      • Be safer on the Internet
      For Internet Services
      • Greatly improved PKI based security
      • Increased user engagement
      • User brings own device
      • Build server once: Leverage any auth method
      For Vendors
      • Standardization ignites market
      • Move past fragmented custom solutions
  • 14. The Ecosystem (INTERNET SERVICES | COMPONENT & DEVICE VENDORS | SOFTWARE & STACKS)
  • 15. FIDO Today
      • Technical Working Groups active
          • Public Spec Drafts late 2013
          • Early Pilots late 2013
          • Complement to existing standards & efforts, e.g., Federation, OpenID, SAML etc
      • Actively adding to FIDO membership
          • Targeting Internet Services, Client Platform Owners, Device & Component Vendors, System Integrators
      JOIN US!! info@fidoalliance.org
      Simpler Stronger Authentication
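
The registration and login flows on slides 9 and 10, sketched as an added example (not code from the presentation or from the FIDO specifications). It assumes one ECDSA P-256 key pair per service and a signed message of service ID plus challenge; the class names, `https://shop.example` and the user `alice` are constructed for illustration, and this is not the UAF/U2F wire format.

```javascript
// Added illustration of slides 9-10; message layout is an assumption.
const crypto = require("node:crypto");

// Authenticator (user's device): holds one private key per service.
class Authenticator {
  constructor() { this.keys = new Map(); }
  // Registration: local user approval (biometric/PIN) is assumed done;
  // create a new key pair and hand only the public key to the service.
  register(appId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(appId, privateKey);
    return publicKey.export({ type: "spki", format: "pem" });
  }
  // Login: select the key for this service and sign its challenge.
  sign(appId, challenge) {
    const key = this.keys.get(appId);
    if (!key) throw new Error("no key registered for " + appId);
    return crypto.sign("sha256", Buffer.concat([Buffer.from(appId), challenge]), key);
  }
}

// Internet service: stores public keys only, no shared secret.
class Service {
  constructor(appId) { this.appId = appId; this.users = new Map(); this.pending = new Map(); }
  completeRegistration(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  beginLogin(user) {
    const challenge = crypto.randomBytes(32); // fresh for every attempt
    this.pending.set(user, challenge);
    return challenge;
  }
  completeLogin(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.users.get(user);
    this.pending.delete(user); // each challenge is accepted at most once
    if (!challenge || !pem) return false;
    const data = Buffer.concat([Buffer.from(this.appId), challenge]);
    return crypto.verify("sha256", data, pem, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const site = new Service("https://shop.example"); // constructed name
  site.completeRegistration("alice", device.register(site.appId));
  const response = device.sign(site.appId, site.beginLogin("alice"));
  const first = site.completeLogin("alice", response);
  site.beginLogin("alice"); // new attempt, new challenge
  const replay = site.completeLogin("alice", response); // captured old response
  return { first, replay };
}
```

A captured login response is useless against a later challenge, and the service database holds nothing that can be replayed at another site, which is the contrast with the reused and phished passwords on slide 4.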