CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

4,784 views

Published on

Rajiv Dholakia, Nok Nok Labs
Basics of how FIDO protocols work, how they fit into the broader identity ecosystem, the benefits of the design and the state of implementation/deployment in the market; appropriate for both technical and non-technical individuals, giving orientation before diving into the details of the specific FIDO protocols.

Published in: Technology
0 Comments
10 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,784
On SlideShare
0
From Embeds
0
Number of Embeds
53
Actions
Shares
0
Downloads
360
Comments
0
Likes
10
Embeds 0
No embeds

No notes for slide

CIS14: FIDO 101 (What, Why and Wherefore of FIDO)

  1. 1. © 2014 FIDO Alliance Standards for Simpler Stronger Authentication Rajiv Dholakia – VP Products & Business Development , Nok Nok Labs rajiv@noknok.com
  2. 2. Context & Aspirations
  3. 3. I.T. HAS SCALED: IT’S A HETEROGENEOUS WORLD $$$ Technological capabilities: (1971 ! 2013) Clock speed x4700 #transistors x608k Structure size /450 Price: (1980 ! 2013) HDD $/MB /12k NV RAM $/MB /1.3m Ubiquity: More than 7bn mobile connected devices by end of 2013 Connectivity: (2013) 34% of all people ww have internet access Relevance: (2012) $1 trillion eCommerce Social media: (2013) >10% of all people ww active NOK NOK LABS
  4. 4. The Authentication Tower of Babel Silos, proprietary, privacy, reliance on 3rd party, tolls NOK NOK LABS ? 4
  5. 5. IMPLEMENTOR’s PERSPECTIVE: A CHALLENGE Aplumbingproblem:ShadesofRubeGoldberg… NOK NOK LABS App 2 New App ? RP 1 RP 1 App 1 ? Applications Authentication MethodsOrganizations Silo 1 Silo 2 Silo N Silo 3 5
  6. 6. Taking lessons from History 6 Authentication SSL Communication ???
  7. 7. Common authentication plumbing 7 Users Cloud/Enterprise Devices Federation Open Standard Plug-In Approach Interoperable Ecosystem Usable Authentication WHAT IS NEEDED
  8. 8. FIDO 101
  9. 9. Goal: Simpler, Stronger Authentication (a) Developing unencumbered Specifications that define interoperable mechanisms that supplant reliance on passwords (b) Operating programs to help ensure industry adoption (c) Submitting mature Specifications for formal standardization Mission: To Change Authentication Online by:
  10. 10. Identity & Authentication Building Blocks NOK NOK LABS 10 Physical-to-digital identity User Management Authentication Federation Single Sign-On E-Gov Payments Security Passwords Risk-BasedStrong MODERN AUTHENTICATION Personalization
  11. 11. User Authentication Online Do you want to login? Do you want to transfer $100 to Frank? Do you want to ship to a new address? Do you want to delete all of your emails? Do you want to share your dental record? Authentication today: Ask user for a password (and perhaps a one time code)
  12. 12. Today’s Passwords REUSED PHISHED KEYLOGGED
  13. 13. Today’s Password Alternatives One Time Codes with SMS or Device SMS USABILITY DEVICE USABILITY USER EXPERIENCE STILL PHISHABLE Coverage | Delay | Cost One per site | $$ | Fragile User find it hard Known attacks today
  14. 14. Megatrend Simpler, Stronger Local Device Auth PERSONAL DEVICES LOCAL LOCKING NEW WAVE: CONVENIENT SECURITY Carry Personal Data Pins & Patterns today Simpler, Stronger local auth
  15. 15. Putting It Together The problem: Simpler, Stronger online The trend: Simpler, Stronger local device auth Why not: Use local device auth for online auth? This is the core idea behind FIDO standards!
  16. 16. FIDO Experiences LOCAL DEVICE AUTH SUCCESSONLINE AUTH REQUEST PASSWORDLESS EXPERIENCE (UAF standards) SECOND FACTOR EXPERIENCE (U2F standards) Show a biometricTransaction Detail Done Login & Password Insert Dongle, Press button Done
  17. 17. FIDO Registration REGISTRATION BEGINS USER APPROVAL REGISTRATION COMPLETE NEW KEY CREATED USER APPROVAL KEY REGISTERED 1 2 Using Public key Cryptography 4 3
  18. 18. FIDO Login LOGIN USER APPROVAL LOGIN COMPLETE KEY SELECTED LOGIN CHALLENGE LOGIN RESPONSE 1 2 4 3 Login Using Public key Cryptography
  19. 19. Decouple User Verification Method from Authentication Protocol LOGIN USER APPROVAL REGISTRATION COMPLETE KEY SELECTED LOGIN CHALLENGE LOGIN RESPONSE 1 2 4 3 Leverage public key cryptography ONLINE SECURITY PROTOCOL PLUGGABLE LOCAL AUTH
  20. 20. User Device User Agent Mobile Apps Authenticator Abstraction (ASM) Authenticators Authenticators Private Keys Authentication Keys Attestation Keys Relying Party Web Application FIDO UAF Server Authentication Keys Attestation Key Public KeysRegistration, Authentication & Transaction Confirmation! UAF Protocol UAF ARCHITECTURE OVERVIEW UAF Authenticators
  21. 21. Relying Party User Side U2F APDU USB API NFC API Bluetooth API U2F JS API Secure U2F Element Connectors USB NFC Bluetooth Web Application FIDO U2F Server User Keys U2F Flow Diagram User Action BrowserU2F Token
  22. 22. Options Passwordless UX = UAF: Universal Auth Framework •  User carries client device with UAF stack installed •  User presents a local biometric or PIN •  Website can choose whether to retain password Simpler Stronger Authentication Second Factor UX = U2F: Universal Second Factor •  User carries U2F device with built- in support in web browsers •  User presents U2F device •  Website can simplify password (e.g, 4 digit PIN)
  23. 23. Design Considerations
  24. 24. No 3rd Party in the Protocol
  25. 25. No secrets on Server side
  26. 26. Focus on User Privacy • Biometric data never leaves user’s device • No linkability between RPs • No linkability between RP accounts
  27. 27. Embrace all kinds of Authenticators software, proprietary hardware, certified hardware, ...
  28. 28. Risk Based Authentication "  Login to online account "  Change shipping address "  Transfer $10.000 Low High
  29. 29. Choice of Security Profiles NOK NOK LABS User Space Secure Hardware FIDO UX Layer Input, Display Crypto Layer FIDO UX Layer Input, Display Crypto Layer FIDO Crypto Layer UX Layer Input, Display No Secure HW Secure Crypto + Storage Secure Execution Environment
  30. 30. Risk Appropriate Authentication 30 Strong Stronger FIDO Security Spectrum Software Only ID TPM/SE ID TEE + SE ID Protects Keys Protects Keys Protects Crypto Protects Keys Protects Crypto Protects Code Protects Display Strongest
  31. 31. Permanent link to this comic: http://xkcd.com/538/ A webcomic of romance, sarcasm, math, and language. On SECURITY
  32. 32. A peek into MODERN AUTHENTICATION 32NOK NOK LABS IMPLICIT AUTHENTICATION EXPLICIT AUTHENTICATION
  33. 33. COMPLEMENTS IDENTITY & FEDERATION STANDARDS NOK NOK LABS 33 STRONG AUTH PASSWORDS SSO/FEDERATION Recreated PMS First Mile Second Mile SAML OpenID FIDO/Strong Auth Federation Standards
  34. 34. FIDO Model: Direct to Relying Party OR through IdP 34Devices support multiple authenticators User Authenticates to the Device Relying Parties (SP) Device Authenticates to Relying Party 2a 1 Identity Provider (IdP) 2b OR Device Authenticates to Identity Provider (IDP) 2c IDP asserts identity via SAML, Oauth, OpenID Connect… OR
  35. 35. Recap
  36. 36. Identity & Authentication NOK NOK LABS 36 Physical-to-digital identity User Management Authentication Federation Single Sign-On E-Gov Payments Security Passwords Risk-BasedStrong MODERN AUTHENTICATION Personalization
  37. 37. Simplifying and Scaling Authentication AnyDevice.AnyApplication.AnyAuthenticator. 37 Standardized Protocols Local authentication unlocks app specific key Key used to authenticate to server
  38. 38. IMPLEMENTATION CHALLENGE Aplumbingproblem:ShadesofRubeGoldberg… NOK NOK LABS App 2 New App ? RP 1 RP 1 App 1 ? Applications Authentication MethodsOrganizations Silo 1 Silo 2 Silo N Silo 3 38
  39. 39. SIMPLIFIED IMPLEMENTATION WHATISBEINGSTANDARDIZED App 2 Applications Authentication Methods RP 1 RP 1 App 1 New App FIDO UNIFIED STANDARDS Organizations ? 39 Online Crypto Protocol Pluggable Authentication
  40. 40. CONCLUSIONS •  The enemy is symmetric shared secrets •  The enemy is poor user experiences and friction •  FIDO is a building block •  Even simple software-based authenticator with a pin offers many advantages over passwords •  FIDO complements your investments in federation and improves your security and ease of use
  41. 41. FIDO Alliance Snapshot July 2014
  42. 42. 42Nok Nok Labs Confidential — Do Not Distribute
  43. 43. FIDO Alliance Role •  Paper Specifications, Interop and Conformance testing, Trademark licensing against criteria, thought leadership, nurture ecosystem of vendors delivering FIDO implementations to market •  Alliance does not ship products (only specifications) o  Implementations left to commercial vendors •  FIDO Alliance designs core protocol o  Like SSL, FIDO has no domain semantics o  Relying parties and Vendors may adapt FIDO into commercial solutions o  Vendors may deliver FIDO specification as product or service, standalone or as part of a solution stack o  Extended use cases may be explored by vendors long before imported into protocol
  44. 44. Version 1.0 (Review Draft) is in Public Review
  45. 45. FIDO at Industry Events – Readiness FIDO-Ready Products & Deployment for Mobile & More SIM + Secure Element PIN + MicroSD, USB Fingerprint, Mobile Speaker Recognition Mobile via NFC*
  46. 46. Useful to keep these separate: Design Intent FIDO Protocol Specification Specific Implementations Solution that incorporates FIDO
  47. 47. Select Authenticate Purchase 47 MOBILE DEVICES reshaping Security, Commerce NOK NOK LABS AUTHENTICATION THAT IS “One-Swipe”, “One-Phrase”, “One-Look”, “One Touch”
  48. 48. OEMs SHIPPING FIDO-READY ™ PRODUCTS New and existing devices are supported 48 OEM Enabled: Samsung Galaxy S5OEM Enabled: Lenovo ThinkPads with Fingerprint Sensors Clients available for these operating systems : Software Authenticator Examples: Voice/Face recognition, PIN, QR Code, etc. Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element
  49. 49. First FIDO Deployment already live… 49 •  Customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready™ software on the device securely communicates between the fingerprint sensor on their device and PayPal’s service in the cloud. The only information the device shares with PayPal is a unique cryptographic “public key” that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers.
  50. 50. Breaking news for July… •  Alipay – formerly a part of Alibaba Group in China •  Processed $519 Billion in transactions in 2013 •  Launched FIDO-based payments using Galaxy S5
  51. 51. Better Security, Better User Experience Goingbeyond“Risk,Regulation,Reputation” 51 Setup Confirm Sent DESIGN, DELIGHT & DOLLARS!
  52. 52. Call to Action •  FIDO is ready for use – launch a POC, Pilot •  Get involved: o  Develop or adapt your products to FIDO o  Come to the plenary, meet and mingle, speak with the pioneers, select your partners o  Join the Alliance and contribute – we are a volunteer run organization! o  Contact donal@fidoalliance.org for membership details o  Other questions – rajiv@noknok.com
  53. 53. FIN
  54. 54. THANK YOU

×