Beyond Passwords: FIDO and the Future of User Authentication
1. BEYOND PASSWORDS: FIDO AND THE FUTURE OF USER AUTHENTICATION
FIDO + GSMA SEMINAR | 21 JANUARY 2019
Andrew Shikiar, Chief Marketing Officer, FIDO Alliance
All Rights Reserved | FIDO Alliance | Copyright 2019
2. THE WORLD HAS A PASSWORD PROBLEM
3. CONSUMERS HAVE A PASSWORD PROBLEM
90+ ACCOUNTS per average user (Oxford University)
<5 PASSWORDS per user, and 50% haven’t changed said password in the last 5 years (Pew)
32% use a unique password (Visa)
1,300 YEARS collectively spent by humans each day entering passwords (Microsoft)
CLUMSY | HARD TO REMEMBER | NEED TO BE CHANGED ALL THE TIME
4. BUSINESSES HAVE A PASSWORD PROBLEM
81% of data breaches in 2016 involved weak, default, or stolen passwords (VDBR)
1 IN 14 phishing attacks were successful in 2016 (VDBR)
1,579 breaches in 2017, a 45% increase over 2016 (ITRC)
$1M/YR annual cost to a large organization for password resets (Forrester)
20-50% of helpdesk calls are for password resets (at $70/reset)
49% password-driven cart abandonment rate (Visa)
5. ONE-TIME PASSCODES?
They are still “shared secrets”:
• Still phishable
• User experience friction
• Token necklace
• SMS vulnerability
6. CENTRALIZED AUTHENTICATION PITFALLS
(Shape Security 2017 & 2018 Credential Spill Reports)
2.3 BILLION credentials stolen in 2017 alone
STOLEN PASSWORDS lead to credential stuffing
80-90% of e-commerce sites’ attempted log-ins are stuffing attempts
2% SUCCESS RATE for credential stuffing
$5 BILLION cost to U.S. businesses alone each year
130+ MILLION stuffing attempts in retail alone each day
7. THE SOLUTION: SIMPLER *AND* STRONGER
(Chart: SECURITY axis from Weak to Strong, USABILITY axis from Poor to Easy)
Open standards for simpler, stronger authentication using public key cryptography
Single Gesture = Phishing-resistant MFA
8. FIDO Alliance is the global industry collaboration dedicated to solving the password problem …with no dependency on “shared secrets”
9. FIDO SPECIFICATIONS
Passwordless Experience (UAF & FIDO2):
1 Authentication Challenge
2 Biometric User Verification*
3 Authenticated Online
Second Factor Experience (U2F & FIDO2):
1 Second Factor Challenge
2 Insert Security Key* / Press Button
3 Authenticated Online
*There are other types of authenticators
10. OLD AUTHENTICATION WITH PASSWORDS
(Diagram: Device | Something | Authentication | Internet)
1 Password could be stolen from the server
2 Password might be entered into untrusted App / Website (“phishing”)
3 Too many passwords to remember (> re-use / cart abandonment)
4 Inconvenient to type password on phone
11. NEW AUTHENTICATION WITH FIDO
(Diagram: Authenticator | User verification | FIDO Authentication; Challenge → (Signed) Response; private key (handle) per account on the authenticator, public key on the server; user gesture required before the private key can be used)
1 No secrets stored on the server
2 Authenticator cannot be “tricked” by phishing
3 Nothing to remember, no friction added to transaction process
4 Single gesture convenience for User
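Added illustration of the challenge/response flow on slides 9 through 11 (example code written for this page, not FIDO Alliance code and not a conforming UAF, U2F or CTAP implementation). The Go program below models the three properties the slides claim: a per-account key pair whose private half never leaves the authenticator, a server that stores only public keys, and a signature bound to the relying party identifier so that a look-alike origin is refused. The relying party names bank.example, shop.example and bank-login.example are constructed; the signed-data layout SHA-256(SHA-256(rpID) || challenge) is a simplification of the real FIDO assertion format, and the userGesture flag stands in for the biometric check or button press.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// One key pair per (relying party, account): services cannot correlate a user by key.
type credential struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Authenticator models the device side. Private keys never leave it; it emits only
// public keys (at registration) and signatures (at login).
type Authenticator struct{ creds map[string]*credential }

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*credential{}} }

// Register mints a fresh P-256 key pair bound to rpID and returns the credential ID
// (the "handle") plus the public key for the relying party to store.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	id := fmt.Sprintf("%x", raw)
	a.creds[id] = &credential{rpID: rpID, priv: priv}
	return id, &priv.PublicKey, nil
}

// Sign answers a challenge. originRPID is the site the browser actually reached; the
// authenticator refuses if it differs from the registered rpID (phishing resistance)
// and refuses without a user gesture.
func (a *Authenticator) Sign(credID, originRPID string, challenge []byte, userGesture bool) ([]byte, error) {
	c, ok := a.creds[credID]
	switch {
	case !ok:
		return nil, errors.New("unknown credential")
	case c.rpID != originRPID:
		return nil, errors.New("rpID mismatch: refusing to sign for another origin")
	case !userGesture:
		return nil, errors.New("user gesture required before private key use")
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, signedData(originRPID, challenge))
}

// signedData binds the signature to the relying party and the challenge:
// SHA-256(SHA-256(rpID) || challenge). Simplified relative to the real FIDO layout.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the server: only public keys and outstanding challenges are
// stored, so a database dump yields nothing an attacker can log in with.
type RelyingParty struct {
	RPID    string
	pubs    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{RPID: rpID, pubs: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) StoreCredential(credID string, pub *ecdsa.PublicKey) { rp.pubs[credID] = pub }

// NewChallenge issues a fresh 32-byte random challenge for one login attempt.
func (rp *RelyingParty) NewChallenge(credID string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[credID] = ch
	return ch, nil
}

// Verify checks the response against the stored public key and consumes the
// challenge, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(credID string, sig []byte) bool {
	pub, ok := rp.pubs[credID]
	ch, pendingOK := rp.pending[credID]
	if !ok || !pendingOK {
		return false
	}
	delete(rp.pending, credID)
	return ecdsa.VerifyASN1(pub, signedData(rp.RPID, ch), sig)
}

func main() {
	auth, bank := NewAuthenticator(), NewRelyingParty("bank.example") // constructed names
	id, pub, err := auth.Register(bank.RPID)
	if err != nil {
		panic(err)
	}
	bank.StoreCredential(id, pub)
	ch, _ := bank.NewChallenge(id)
	sig, err := auth.Sign(id, bank.RPID, ch, true)
	fmt.Println("genuine login verified:", err == nil && bank.Verify(id, sig))
	ch, _ = bank.NewChallenge(id)
	_, err = auth.Sign(id, "bank-login.example", ch, true) // constructed look-alike origin
	fmt.Println("look-alike origin refused:", err)
}
```

Run with go run: the first line prints true, the second prints the refusal error. Two details carry the slide's security claims: Sign compares the origin the browser reached against the rpID stored with the credential, which is why the user cannot be “tricked” into signing for a phishing site, and Verify deletes the challenge once checked, so a captured response cannot be presented a second time.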
12. LEADING THE EFFORT
(Categories shown: CONSUMER ELECTRONICS | SECURITY & BIOMETRICS | HIGH-ASSURANCE SERVICES)
14. FIDO IS AN ITU STANDARD
X.1277 -- ITU ratification of FIDO UAF
X.1278 -- ITU ratification of FIDO2 CTAP (includes CTAP1/U2F)
15. BACKED BY CERTIFICATION (>500)
• Functional Certification (End-to-End):
  • Conformance Testing
  • Interoperability Testing
• Authenticator Security Certification Levels:
  • How well do you protect the private key?
  • 3rd-party laboratory verification
  • Complemented by Biometric Component certification
• Universal Server:
  • Ensures compatibility with all FIDO Certified Authenticators
17. FIDO IS NOW IN THE WEB BROWSER & OS
18. FIDO IS BEING USED AROUND THE WORLD
(Sample of deployments in production)
19. IN SUMMARY… SECURE BY DESIGN
• Based on public key cryptography
• No server-side shared secrets
• Keys stay on device
• No 3rd party in the protocol
• Biometrics, if used, never leave device
• No link-ability between services or accounts
20. IN SUMMARY… SECURE IN PRACTICE
85,000 employees over 18 months: no ATOs (account takeovers) from phishing since using FIDO
21. FIDO: THE FUTURE OF CONSUMER AUTHENTICATION
FIDO Authentication is the industry’s response to the password problem
• INDUSTRY SUPPORT - FIDO represents the efforts of some of the world’s largest companies whose very businesses rely upon better user authentication
• THOUSANDS OF SPEC DEVELOPMENT HOURS - Now being realized in products being used every day
• ONGOING INNOVATION - Specifications, certification programs, and deployment working groups establishing best implementation practices
• ENABLEMENT - Leading service providers representing billions of user identities are already FIDO-enabling their authentication processes
22. Join the FIDO Ecosystem
www.fidoalliance.org
• Deploy
• Take Part in FIDO Events
• Build FIDO Certified Solutions
• Join the Alliance
Twitter: @fidoalliance