Mobile security, identity & authentication reasons for optimism 20150607 v2


  1. MOBILE SECURITY, IDENTITY & AUTHENTICATION: REASONS FOR OPTIMISM. RAJIV DHOLAKIA, VP PRODUCTS, RAJIV@NOKNOK.COM
  2. SECURITY IN PERSPECTIVE: It's like drinking water from the tap in the 1800s. Pills, Potions & Spells vs. Chlorination. NOK NOK LABS
  3. PURPOSE OF SECURITY: Device Integrity; Network Integrity; OS & App Integrity; User Integrity; Data & Transaction Integrity (and Privacy where appropriate)
  4. SECURITY NEEDS TO SPAN LINKS. Integrity: User, Hardware, OS/App, Network, Service
  5. USER INTEGRITY: THE GLOBAL AUTHENTICATION PROBLEM. Fear, Frustration and Friction. 40 million credit cards; Cost: $148M USD. The problem continues to get BIGGER and more EXPENSIVE. Fraud. Stolen / hacked passwords leading cause of identity theft. Passwords DO NOT WORK, especially on Mobile Devices. Too many accounts and passwords to remember. Significant commerce abandonment by users. Personal and Corporate Damage. 56 million credit cards.
  6. IDENTITY SERVICES: AUTHENTICATION IN CONTEXT. Physical-to-digital identity; User Management; Authentication; Federation; Single Sign-On; E-Gov; Payments; Security; Passwords; Risk-Based; Strong; MODERN AUTHENTICATION; Personalization
  7. Mobile Security Stacks
  8. LAYERED SECURITY MODELS. Device Integrity: Device Keys & Certificates; Crypto Engines; Trusted Execution Environments; Secure Elements; Trustlets. Rich Operating System (e.g. Android): OS Partition; User Partitions; App Sandboxes. Overlay Services: App Stores; OS Integrity Services (e.g. Android Safety Net); Site and App Reputation/Integrity; Device and Cloud Data Managers. Filter what gets on the device… Isolate the apps… Harden the device…
  9. INTEGRITY MECHANISMS – I (Hardware, OS) • TPMs - Backwards compatibility requirements • SEs - Limited due to operator controls • TEEs (Trusted Execution Environments) - Third time is a charm? • Secure boot - Verification of image • Virtualization - Hardware assisted isolation • Anti-virus • Device Theft Response - Standard on mobile devices. Diagram labels: TEE, SE, TPM
  10. INTEGRITY MECHANISMS – II (App, User) • App verification - Rise Of The App Store • App Isolation - App containers - Restricted IPC • Protecting Data & Content - On-device data encryption - DRM • Identity Proofing - Know your customer • Strong Authentication - Explicit & implicit - First mile & Second mile
  11. ISOLATION ARCHITECTURE: ARM TRUSTZONE. Secure OS Boot; FP Sensor; Touchscreen; Storage. 1.7 B ARM Cortex SoCs Shipped. 18 Month Phone Refresh Rate.
  12. SECURITY NEEDS TO SPAN LINKS. Integrity: Hardware, OS, App, Network, User
  13. So how are we doing?
  14. SOME EXAMPLES FROM 2014. Infrastructure/Relying Party (Payments or other); Operating System; Hardware
  15. HOW FIDO WORKS TO SIMPLIFY AND SCALE AUTHENTICATION: user authenticates to device, device authenticates to network. Standardized Protocols. Local authentication unlocks app specific key. Key used to authenticate to server (unique key per site). Server, client. Decoupled User Verification from Authentication Protocol.
  16. ATTACKS MITIGATED. (1) Remotely attacking central servers: steal data for impersonation. (2) Remotely attacking lots of user devices: steal data for impersonation. (3) Remotely attacking lots of user devices: misuse them for impersonation. (4) Remotely attacking lots of user devices: misuse authenticated sessions. (5) Physically attacking user devices: steal data for impersonation. (6) Physically attacking user devices: misuse them for impersonation. Scalable attacks. Physical attacks possible on lost or stolen devices (≈3% in the US in 2013). User Coercion. Not Scalable. With hardening of FIDO Authenticator Implementations – mitigate remote/scalable attacks.
  17. SECURITY PROFILES FOR AUTHENTICATION. Security Hardware Integration Spectrum. Strong: Software Only ID (Protects Keys). Stronger: TPM/SE ID (Protects Keys, Protects Crypto). Strongest: TEE + SE ID (Protects Keys, Protects Crypto, Protects Code, Protects Display).
  18. BUILDING AUTHENTICATORS: THREE PROFILES. Rich OS; Trusted Execution Environment; Secure Element. Software and Tamper-Resistant Hardware: Cost to Acquire and Manage Tokens; Stronger. Software & Hardware: Cost to Acquire and Manage Mobile Device; Stronger. Software Only: No extra cost; Strong.
  19. A UNIQUE OPPORTUNITY. Hardware Integrity; OS Integrity; App Integrity; Network Integrity; User Integrity. Re-Architect Computing Using Hardware-Based Trust. Chain of Trust. Trusted Platform for Authentication.
  20. SUPPORT IN THE FABRIC • Qualcomm shipping FIDO support in Snapdragon chipsets starting Dec 2014 • Microsoft declares in Feb 2015 FIDO support coming to Windows 10 and affiliated services • Google intends to bring biometric APIs & system keychain to Android M – June 2015 • Apple continuing to support TouchID & system keychain in iOS – 2014-2015
  21. FIDO-CAPABLE MOBILE, TABLET + PC FORECAST. Legend: Non-FIDO, FIDO iOS, FIDO Android, FIDO Windows. 35 Million, Aug. 2014; 2.5 Billion, Dec. 2019; User Growth of 70.43% over 5 Years. 2016: 2.08B Total Devices, 1.8B FIDO Capable (86.73%; 13.27% Non-FIDO), 281M iOS Devices, 793M Android Devices, 724M Windows Devices. 2017: 2.19B Total Devices, 2.05B FIDO Capable (93.43%; 6.57% Non-FIDO), 298M iOS Devices, 945M Android Devices, 805M Windows Devices. 2018: 2.36B Total Devices, 2.29B FIDO Capable (96.98%; 3.02% Non-FIDO), 315M iOS Devices, 942M Android Devices, 1.04B Windows Devices. 2019: 2.6B Total Devices, 2.5B FIDO Capable (98.61%; 1.39% Non-FIDO), 331M iOS Devices, 1.1B Android Devices, 1.16B Windows Devices.
  22. PULLING IT ALL TOGETHER: NTT DOCOMO LIVE WITH FIDO AUTHENTICATION: May 2015. Many FIDO Ecosystem Firsts: First Carrier, Multiple OEM Launch at Same Time, First Federated Identity Solution, First Carrier Billing System, First Iris Sensor, First Chipset Support
  23. ONLINE AUTHENTICATION FOR DOCOMO SERVICES. Biometric Authentication from DOCOMO, May 26, 2015. Online authentication using biometric information: Authentication for docomo ID and carrier billing payments. Password-less biometric authentication: Iris, Fingerprint; login, Unlock devices, payments.
  24. Everything Authenticates. 50 Billion Connected Devices by 2020: Internet of Things. People + Devices + Ecosystems. Corporate Networks; Mobile Commerce; Mobile Payments; Social Networks; eHealth. Consumer Use Cases; Enterprise Use Cases. HOPE FOR SCALING A HIGHLY CONNECTED WORLD.
  25. Any Device. Any Application. Any Authenticator.
  26. Appendix
  27. BENEFITS OF THE FIDO APPROACH. Privacy, Security, User Experience. Authenticate, Authenticate. Requirements for next generation authentication. Public/private keys instead of passwords. Fraud Reduction. Unified Auth Infrastructure. Natural and faster authentication. Use authentication method of choice. User, Device, Service. User information stays on device. Not stored on servers that can be compromised. Cost. Standards-Based. Adaptable infrastructure. Future-proofed and flexible. Scalability.
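
The flow on slide 15 (local authentication unlocks an app-specific key; a unique key per site authenticates to the server) and slide 27's point that servers hold nothing reusable, as an added example that is not from the deck or from Nok Nok Labs. It is a simplified model, not the FIDO wire protocol; the class names, method names and the PIN check standing in for on-device user verification are assumptions.

```javascript
// Simplified model of slide 15 (assumed names; not the FIDO wire protocol).
const crypto = require('crypto');

class Authenticator {
  constructor(localPin) {
    this.localPin = localPin;   // stands in for fingerprint/PIN verification on the device
    this.keys = new Map();      // origin -> private key; never leaves the device
  }
  // Registration: mint a fresh key pair for this site and hand out only the public half.
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Authentication: local user verification unlocks the site-specific key.
  sign(origin, challenge, pinAttempt) {
    if (pinAttempt !== this.localPin) throw new Error('user verification failed');
    const key = this.keys.get(origin);
    if (!key) throw new Error('no key registered for ' + origin);
    // Binding the origin into the signed data makes the signature useless at another site.
    return crypto.sign(null, Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.users = new Map();     // username -> public key PEM (all a server breach would yield)
    this.pending = new Map();   // username -> outstanding one-time challenge
  }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  challenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user);  // single use: a replayed signature finds no challenge
    const pem = this.users.get(user);
    if (!c || !pem) return false;
    const data = Buffer.concat([Buffer.from(this.origin), c]);
    return crypto.verify(null, data, crypto.createPublicKey(pem), signature);
  }
}
```

The server side stores only public keys and short-lived challenges, so the PIN or biometric never crosses the network and a signature captured at one site does not verify at another.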
