The document discusses the problems with password-based authentication and introduces FIDO authentication as a solution. It summarizes that FIDO authentication uses public key cryptography to allow users to authenticate with a single gesture on their device, without needing shared secrets or passwords. FIDO authentication is being adopted by major companies and specifications are standardized, with over 500 authenticators certified for compatibility and security. The presentation promotes FIDO as the future of secure, usable authentication.
FIDO and the Future of User Authentication
1. All Rights Reserved | FIDO Alliance | Copyright 2019
BEYOND PASSWORDS: FIDO AND THE FUTURE OF USER AUTHENTICATION
AUSTIN SEMINAR | JANUARY 28, 2019
Andrew Shikiar
Chief Marketing Officer
FIDO Alliance
2. THE WORLD HAS A PASSWORD PROBLEM
3.
CONSUMERS HAVE A PASSWORD PROBLEM
• 90+ ACCOUNTS: Per average user (Oxford University)
• <5 PASSWORDS: Per user, and 50% haven’t changed said password in last 5 years (Pew)
• 55%: Of IT leaders re-use a single password (Sailpoint)
• 1,300 YEARS: Collectively spent by humans each day entering passwords (Microsoft)
CLUMSY | HARD TO REMEMBER | NEED TO BE CHANGED ALL THE TIME
4.
BUSINESSES HAVE A PASSWORD PROBLEM
• 81%: Data breaches in 2016 that involved weak, default, or stolen passwords (VDBR)
• 1 IN 14: Phishing attacks were successful in 2016 (VDBR)
• 1,579: Breaches in 2017, a 45% increase over 2016 (ITRC)
• $1M/YR: Annual cost to a large organization for password resets (Forrester)
• 20-50%: Of helpdesk calls are for password resets (at $70/reset)
• 49%: Password-driven cart abandonment rate (Visa)
5. ONE-TIME PASSCODES?
They are still “shared secrets”
• Still Phishable
• User Experience Friction
• Token Necklace
• SMS Vulnerability
6. (Shape Security 2017 & 2018 Credential Spill Reports)
COMPOUNDED THREAT OF STOLEN CREDENTIALS
• 2.3 BILLION: Credentials stolen in 2017 alone
• STOLEN PASSWORDS: Lead to credential stuffing
• 80-90%: Of e-commerce sites’ attempted log-ins are stuffing attempts
• 2% SUCCESS RATE: For credential stuffing
• $5 BILLION: Cost to U.S. businesses alone each year
• 130+ MILLION: Stuffing attempts in retail alone each day
7.
INDUSTRY IMPERATIVE: SIMPLER *AND* STRONGER
[Chart: SECURITY (Weak to Strong) against USABILITY (Poor to Easy)]
Open standards for simpler, stronger authentication using public key cryptography
• Single Gesture
• Phishing-resistant MFA
8.
FIDO Alliance is the global industry collaboration dedicated to solving the password problem
…with no dependency on “shared secrets”
9.
LEADING THE EFFORT
CONSUMER ELECTRONICS | SECURITY & BIOMETRICS | HIGH-ASSURANCE SERVICES
11.
OLD AUTHENTICATION WITH PASSWORDS
[Diagram labels: Device, Something, Authentication, Internet]
1. Password could be stolen from the server
2. Password might be entered into untrusted App / Website (“phishing”)
3. Too many passwords to remember (> re-use / cart abandonment)
4. Inconvenient to type password on phone
12.
MODERN AUTHENTICATION WITH FIDO
[Diagram labels: Authenticator, User verification, FIDO Authentication]
• Require user gesture before private key can be used
• Challenge
• (Signed) Response
• Private key (handle) per account
• Public key
1. No secrets stored on the server
2. Authenticator cannot be “tricked” by phishing
3. Nothing to remember, no friction added to transaction process
4. Single gesture convenience for User
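The challenge and signed-response flow on this slide, as an added example that is not part of the original deck: a simplified model (not the WebAuthn or CTAP wire format) in which the server stores only public keys and rejects a replayed response or one produced for a look-alike origin. The class names, origins and account name are constructed for illustration.

```javascript
// Added illustration: simplified model, not the WebAuthn/CTAP wire format.
const crypto = require('node:crypto');

class Authenticator {            // holds one private key per (origin, account)
  constructor() { this.keys = new Map(); }
  register(origin, account) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(`${origin}|${account}`, privateKey);
    return publicKey;            // only the public key leaves the device
  }
  // origin is supplied by the client platform (browser), not typed by the user
  sign(origin, account, challenge, userGesture) {
    if (!userGesture) throw new Error('user gesture required');
    const key = this.keys.get(`${origin}|${account}`);
    if (!key) return null;       // no credential scoped to this origin
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: crypto.sign(null, clientData, key) };
  }
}

class RelyingParty {             // stores public keys only, no shared secrets
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(account, publicKey) { this.publicKeys.set(account, publicKey); }
  newChallenge(account) {
    const challenge = crypto.randomBytes(32).toString('base64');
    this.pending.set(account, challenge);
    return challenge;
  }
  verify(account, response) {
    const expected = this.pending.get(account);
    this.pending.delete(account);          // single use: blocks replay
    const publicKey = this.publicKeys.get(account);
    if (!expected || !response || !publicKey) return false;
    const data = JSON.parse(response.clientData.toString());
    if (data.origin !== this.origin || data.challenge !== expected) return false;
    return crypto.verify(null, response.clientData, publicKey, response.signature);
  }
}

function demo() {                // origins and account are constructed samples
  const rp = new RelyingParty('https://bank.example');
  const device = new Authenticator();
  rp.enroll('alice', device.register(rp.origin, 'alice'));
  const good = device.sign(rp.origin, 'alice', rp.newChallenge('alice'), true);
  const legit = rp.verify('alice', good);
  const replay = rp.verify('alice', good);  // same response, challenge consumed
  const relayed = rp.newChallenge('alice'); // forwarded by a look-alike site
  const phished = rp.verify('alice', device.sign('https://bank-example.test', 'alice', relayed, true));
  return { legit, replay, phished };
}
```

A database leak from `RelyingParty` here exposes only `publicKeys`, which cannot be used to sign a challenge.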
13.
FIDO SPECIFICATIONS
Passwordless Experience (UAF & FIDO2)
1. Authentication Challenge
2. Biometric User Verification*
3. Authenticated Online
Second Factor Experience (U2F & FIDO2)
1. Second Factor Challenge
2. Insert Security Key* / Press Button
3. Authenticated Online
*There are other types of authenticators
14.
FIDO IS A W3C SPECIFICATION
FIDO2 (CTAP & W3C Web Authentication / “WebAuthn”)
15. FIDO IS AN ITU STANDARD
x.1277 -- ITU ratification of FIDO UAF
x.1278 -- ITU ratification of FIDO2 CTAP (includes CTAP1/U2F)
16.
BACKED BY CERTIFICATION (500++)
• Functional Certification (End-to-End):
• Conformance Testing
• Interoperability Testing
• Authenticator Security Certification Levels
• How well do you protect the private key?
• 3rd-party laboratory verification
• Complemented by Biometric Component certification
• Universal Server:
• Ensures compatibility with all FIDO Certified Authenticators
18.
FIDO IS NOW IN THE WEB BROWSER & OS
19.
FIDO IS BEING USED AROUND THE WORLD
(Sample of deployments in production)
20.
IN SUMMARY… SECURE BY DESIGN
• Based on public key cryptography
• No server-side shared secrets
• Keys stay on device
• No 3rd party in the protocol
• Biometrics, if used, never leave device
• No link-ability between services or accounts
21.
IN SUMMARY… SECURE IN PRACTICE
85,000 employees over 18 months
No ATO’s from phishing since using FIDO
22.
FIDO: THE FUTURE OF USER AUTHENTICATION
FIDO Authentication is the industry’s response to the password problem
• INDUSTRY SUPPORT - FIDO represents the efforts of some of the world’s largest companies whose very businesses rely upon better user authentication
• THOUSANDS OF SPEC DEVELOPMENT HOURS - Now being realized in products being used every day
• ONGOING INNOVATION - Specifications, certification programs, and deployment working groups establishing best implementation practices
• ENABLEMENT - Leading service providers representing billions of user identities are already FIDO-enabling their authentication processes
23.
Take Part in the FIDO Ecosystem
www.fidoalliance.org
Deploy FIDO Authentication
Attend FIDO Events
Build FIDO Certified Solutions
Join the Alliance
Twitter: @fidoalliance