Overview of FIDO Security Requirements and Certifications (FIDO Alliance)
Overview of FIDO Security Requirements and Certifications by Laurence Lundblade, Docomo Innovations
- Presented at FIDO Seoul Public Seminar on December 5th, 2018
The General Data Protection Regulation (GDPR) came into effect earlier this year, ushering in the most significant change to European data protection laws in twenty years. The regulation impacts not only firms resident in the European Union (EU) but organizations around the world, as any organization doing business with EU citizens must comply with it.
FIDO Alliance standards were created from the outset with a “privacy by design” approach and are a strong fit for GDPR compliance. Crucially, FIDO delivers authentication with no third-party involvement or tracking between accounts and services. And when it comes to biometrics, FIDO standards prevent this information from being stored and matched in servers – it never leaves the user’s device – and FIDO(R) Certified devices do not allow for any biometric data to be captured.
This presentation includes:
- Key GDPR considerations when deploying strong authentication
- Where FIDO Authentication relates to GDPR articles on data protection, consent of data subject and data subject rights
- How FIDO can help your organization meet GDPR requirements
FIDO UAF and PKI in Asia - Case Study and Recommendations (FIDO Alliance)
FIDO UAF and PKI in Asia - Case Study and Recommendations by Karen Chang and Wei-Chung Hwang, APKIC
- Presented at FIDO Seoul Public Seminar on December 5th, 2018
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe (FIDO Alliance)
The PSD2 (the Revised Payment Service Directive) from the European Commission requires financial institutions to deploy Strong Customer Authentication. FIDO offers a solution to the challenges created by this new regulation.
FIDO UAF and PKI in Asia: A Case Study and Recommendations (FIDO Alliance)
This paper depicts three possible scenarios for integrating FIDO UAF and public key infrastructure (PKI) in Asian countries, along with recommendations for how the two technologies can work together to bring innovation to the authentication marketplace and to pave the way for deploying better authentication solutions to the public.
Presented at GSMA Mobile Connect + FIDO Alliance: The Future of Strong Authentication
By: Rolf Lindemann, Senior Director of Technology and Products, Nok Nok Labs
The Second Payment Services Directive (PSD2) and the associated Regulatory Technical Standards (RTS) on strong customer authentication and secure communication impose stringent requirements on multi-factor authentication and on the security of implementations. Payment Service Providers will want to know whether the authentication solutions they put in place conform to the RTS both in terms of functionality and security.
The FIDO Alliance standards are based on multi-factor authentication and are a strong fit for PSD2 compliance. The FIDO Alliance’s certification program provides an independent evaluation of functional compliance to the standards as well as of the achieved level of security of FIDO authenticators.
Featuring industry experts, this presentation explores how FIDO can resolve key issues, including:
• How the FIDO standards conform to the RTS
• How FIDO’s certification program guarantees this conformity
• How FIDO’s certification program provides for the mandatory security evaluation imposed by the RTS
Presented at FIDO Authentication Seminar – Tokyo
By: Alain Martin, VP, Strategic Partnerships, Gemalto; Secretary, FIDO Alliance Board of Directors; Co-Chair, FIDO Europe Working Group
FIDO Certified Program: The Value of Certification (FIDO Alliance)
A look at the FIDO Certification program, including functional, authenticator and biometric certification; the value of certification for relying parties and vendors; and how to get started.
An overview of the Alliance, the problem we are addressing (the password problem), how FIDO is addressing it, the new ecosystem we are creating and the road ahead.
FIDO® for Government & Enterprise - Presentation (FIDO Alliance)
With FIDO 1.0 standards published in December, 2015, mainstream product adoption and service deployment have begun, with more announcements planned for the RSA Security Conference 2015. This webinar will feature FIDO highlights from the conference and a discussion of how governments and enterprises are engaging with FIDO Alliance and the new wave of innovative authentication solutions FIDO standards enable, with a special focus on how the US Government is positioning FIDO within the context of NSTIC (National Strategy for Trusted Identities in Cyberspace).
A detailed look at the "Your Security, More Simple" d ACCOUNT initiative at NTT DOCOMO, including design principles, solution architecture, security architecture, FIDO standards and deployment of FIDO Authentication. Presented by Koichi Moriyama, Senior Director, Product Department, NTT DOCOMO, Inc.
Getting to Know the FIDO Specifications - Technical Tutorial (FIDO Alliance)
What if we could replace passwords with authentication that is stronger and simpler? Web service providers and enterprises worldwide are looking for a solution to move beyond the frustrating user experience and less-than-stellar security of single-factor password authentication systems. Today FIDO is that solution, providing a rich set of specifications and certifications for an emerging and interoperable ecosystem of hardware, mobile and biometrics-based devices. This ecosystem enables enterprises and web service providers to easily deploy strong authentication solutions that reduce password dependencies and provide a superior, simpler and trusted user experience.
- Learn the ins and outs of FIDO’s specifications, including their applicability to both passwordless (UAF) and second factor (U2F) authentication use cases.
- Learn how FIDO separates user verification from authentication along with other details on the FIDO registration and login process.
- Learn how FIDO authentication protects user privacy and prevents phishing and man-in-the-middle attacks.
Introduction to FIDO: A New Model for Authentication (FIDO Alliance)
An overview of FIDO authentication with a special section on government and policy. This was presented at the European Policy Forum by Jeremy Grant, managing director of The Chertoff Group.
Learn how FIDO standards complement federation protocols. These guidelines detail how to integrate the two in order to add support for FIDO-based multi-factor authentication and replace or supplement traditional authentication methods in federation environments.
Javelin Research's State of Strong Authentication 2019 Report Webinar (FIDO Alliance)
Webinar: Javelin Research's State of Strong Authentication 2019 Report
Presented by:
Al Pascual, SVP and Research Director, Javelin Strategy
Andrew Shikiar, Chief Marketing Officer, FIDO Alliance
February 7, 2019
Identifies security authentication issues and explains how FIDO works to resolve these issues. Gives an overview of how FIDO separates user verification from authentication, supports scalable convenience & security and complements federation.
FIDO UAF 1.0 Specs: Overview and Insights (FIDO Alliance)
Explore how FIDO UAF works, how to perform FIDO registration, and how FIDO is used in the world today, as well as the process from start to finish of UAF authentication.
From FIDO Alliance Seminar in Washington, D.C., October, 2015.
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications (CloudIDSummit)
Rolf Lindemann, Nok Nok Labs
Introduction to the UAF protocol, which is designed to provide a “passwordless” experience, discussing potential use cases and implementation models, with a real-world example shown via the FIDO client on the Samsung Galaxy S5.
FIDO, Federation and the Internet of Things (FIDO Alliance)
Learn how FIDO-based authentication can complement federated authentication - and why they are better together.
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
Introduces FIDO Authentication: the problem, the solution, the Alliance and the market. Presented by Brett McDowell, Executive Director of the FIDO Alliance.
FIDO UAF (Universal Second Factor Framework) Specifications: Overview & Tutorial
by Todd Thiemann, Nok Nok Labs
All Rights Reserved | FIDO Alliance | Copyright 2018
2. HOW SECURE IS AUTHENTICATION?
3. CLOUD AUTHENTICATION
(Diagram: a Device sends "Something" over the Internet to an Authentication service backed by Risk Analytics)
4. PASSWORD ISSUES
(Diagram: a Device sends a password over the Internet to the Authentication service)
1. Password could be stolen from the server
2. Password might be entered into untrusted App / Web-site ("phishing")
3. Too many passwords to remember (> re-use / cart abandonment)
4. Inconvenient to type password on phone
5. OTP ISSUES
(Diagram: a Device sends a one-time password over the Internet to the Authentication service)
1. OTP vulnerable to real-time MITM and MITB attacks
2. SMS security questionable, especially when Device is the phone
3. OTP HW tokens are expensive and people don't want another device
4. Inconvenient to type OTP into phone
6. HOW SECURE IS AUTHENTICATION?
7. HOW SECURE IS AUTHENTICATION?
(Diagram: attacks sorted into "Scalable Attacks" and attacks that require physical action)
- Attacks that require physical action are not scalable
- Things are never 100% secure, so focus on adequate security.
- Focus on the scalable attacks first.
9. HOW DOES FIDO WORK?
(Diagram: the Device contains an Authenticator; User verification happens locally, FIDO Authentication happens with the server)
10. FIDO AUTHENTICATORS
We see "Bound" Authenticators, i.e. authenticators that are an integral part of a smartphone or laptop.
We see "Roaming" Authenticators, i.e. authenticators that can be connected to different smartphones or laptops using CTAP.
In both categories you find support for different modalities: Verify User, and Verify User Presence.
11. HOW DOES FIDO WORK?
(Diagram: the Authenticator performs User verification locally, then FIDO Authentication with the server)
- Require user gesture before private key can be used
- Challenge -> (Signed) Response
- Private key dedicated to one app (on the Authenticator); Public key (on the server)
12. HOW DOES FIDO WORK?
(Diagram: as on slide 11)
- Same Authenticator as registered before?
- Same User as enrolled before?
- Can recognize the user (i.e. user verification), but doesn't know its identity attributes.
13. HOW DOES FIDO WORK?
(Diagram: as on slide 11)
- Same Authenticator as registered before?
- Same User as enrolled before?
- Can recognize the user (i.e. user verification), but doesn't know its identity attributes.
- Identity binding to be done outside FIDO: this is "John Doe with customer ID X".
14. FIDO & FEDERATION
(Diagram: FIDO USER DEVICE [FIDO AUTHENTICATOR, FIDO CLIENT, BROWSER / APP] -- FIDO Protocol --> IdP [FIDO SERVER, FEDERATION SERVER, Id DB] -- Federation --> Service Provider)
- First Mile (FIDO Protocol, user device to FIDO Server): knows details about the Authentication strength.
- Second Mile (Federation, IdP to Service Provider): knows details about the Identity and its verification strength.
15. FIDO ECOSYSTEM
(Diagram: a range of Authenticator implementations, up to a Secure Element (SE), each doing User verification and FIDO Authentication)
16. FIDO ECOSYSTEM
(Diagram: as on slide 15)
- How is the key protected (TPM, SE, TEE, ...)?
- Which user verification method is used?
17. ATTESTATION + METADATA
(Diagram: at FIDO Registration the Authenticator uses its private attestation key to produce a Signed Attestation Object; the relying party checks it against the Metadata)
- Understand Authenticator security characteristics by looking into Metadata from mds.fidoalliance.org
- Verify using trust anchor included in Metadata
- Relying parties can store this for auditing purposes
18. BINDING KEYS TO RELYING PARTIES
(Diagram: one Authenticator holds separate keys for a-corp and b-corp; the apps "A calc", "A docs" and "B" each get the key of their own relying party: "Use A-corp.com key" / "Use B-corp.com key")
- One Account - All Applications, as Mobile App & Web App
- Platform determines the "caller" and passes it to the Authenticator for selecting the correct key.
- FIDO Client determines the "caller" (AppID/RP ID) and passes it to the Authenticator for selecting the correct key.
19. FIDO AUTHENTICATORS
FIDO has an Authenticator Certification program. Different certification levels address the needs to protect against scalable and physical attacks.
See https://fidoalliance.org/certification/authenticator-certification-levels/
20. HOW DOES FIDO WORK? (User Environment)
(Diagram: Local user verification step on the Authenticator, a user gesture (Touch, PIN entry, Biometric) before the private key can be used, followed by the On-line authentication step)
PSD2 terminology mapped to FIDO terminology:
- PSD2: (no equivalent) = FIDO: Challenge
- PSD2: Authentication Code = FIDO: (Signed) Response
- PSD2: Personalized Security Credential = FIDO: Private key
- PSD2: (no equivalent) = FIDO: Public key
- PSD2: PSU = FIDO: User
- PSD2: ASPSP = FIDO: Relying Party
21. FIDO AUTHENTICATOR CONCEPT
(Diagram: components of a FIDO Authenticator)
- User Verification / Presence
- Attestation Key: injected at manufacturing, doesn't change
- Authentication Key(s): generated at runtime (on Registration)
- Optional Components: Transaction Confirmation Display
22. FIDO BUILDING BLOCKS
(Diagram: on the USER DEVICE the RP App talks to the FIDO Client, which reaches a (Bound) Authenticator through the ASM or an (External) Authenticator; on the server side the RP App Server uses the FIDO Server, which consults Metadata; FIDO Authentication runs between RP App and RP App Server)
23. FIDO USE CASES
Passwordless Experience: (1) Authentication Challenge, (2) Biometric User Verification*, (3) Authenticated Online
Second Factor Experience: (1) Second Factor Challenge, (2) Insert Dongle* / Press Button, (3) Authenticated Online
*There are other types of authenticators (e.g. PIN)
24. FIDO BUILDING BLOCKS
(Diagram: as on slide 22, for the web: the RP App in the Browser uses the Web Authentication JS API; the Platform reaches a (Bound) Authenticator directly or a (Roaming) Authenticator over CTAP; RP App Server, FIDO Server and Metadata as before)
25. WEB AUTHENTICATION
JavaScript API that enables FIDO Authentication directly in web browsers
Supported In: (browser logos)
26. FIDO AUTHENTICATION: SECURITY & CONVENIENCE
27. CONVENIENCE & SECURITY
(Chart: Security vs. Convenience; data point: Password)
28. CONVENIENCE & SECURITY
(Chart: Security vs. Convenience; data points: Password, Password + OTP)
29. CONVENIENCE & SECURITY
(Chart: Security vs. Convenience; data points: Password, Password + OTP, FIDO)
- In FIDO: same user verification method for all servers
- In FIDO: arbitrary user verification methods are supported (+ they are interoperable)
30. CONVENIENCE & SECURITY
(Chart: as on slide 29)
- In FIDO: scalable security depending on Authenticator implementation
- In FIDO: only public keys on server; not phishable
31. CONCLUSION
- Different authentication use-cases lead to different authentication requirements
- FIDO separates user verification from authentication and hence supports all user verification methods
- FIDO supports scalable convenience & security
- User verification data is known to Authenticator only
- FIDO complements federation
32. FIDO REGISTRATION
(Sequence diagram between Relying Party, FIDO Client and Authenticator)
Relying Party -> FIDO Client: accountInfo, challenge, [cOpts]
  (cOpts: crypto params, credential black list, extensions)
FIDO Client: select Authenticator according to cOpts; determine rpId, get tlsData;
  clientData := {challenge, origin, rpId, hAlg, tlsData}
FIDO Client -> Authenticator: rpId, ai, hash(clientData) (= cdh), cryptoP, [exts]
Authenticator: verify user; generate key kpub, key kpriv, credential c
Authenticator -> FIDO Client: c, kpub, clientData, ac, cdh, rpId, cntr, AAGUID[, exts], signature(tbs)
  (ac: attestation certificate chain; tbs: the to-be-signed data)
FIDO Client -> Relying Party: c, kpub, clientData, ac, tbs, s
Relying Party: store key kpub, c, s
33. FIDO AUTHENTICATION
(Sequence diagram between Relying Party, FIDO Client and Authenticator)
Relying Party -> FIDO Client: challenge, [aOpts]
FIDO Client: select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h;
  clientData := {challenge, rpId, tlsData}
FIDO Client -> Authenticator: rpId, [c,] hash(clientData) (= cdh)
Authenticator: verify user; find key kpriv; cntr++; process exts
Authenticator -> FIDO Client: clientData, cntr, [exts], signature(cdh, cntr, exts)
FIDO Client -> Relying Party: clientData, cntr, exts, s
Relying Party: lookup kpub from DB; check exts + signature using key kpub