
FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Alliance -Tokyo Seminar -Gomi


FIDO Authentication: Its Evolution and Opportunities in Business presented by Dr. Hidehito Gomi



  1. FIDO Seminar in Tokyo #3, 12/08/2016. FIDO Authentication: Its Evolution and Opportunities in Your Business. Hidehito Gomi, Senior Chief Researcher, Yahoo! JAPAN Research. Copyright (C) 2016 Yahoo Japan Corporation. All Rights Reserved.
  2. Agenda
     • Recap: FIDO Authentication Model
     • Web Authentication & CTAP
     • Solutions using FIDO Authentication
     • Summary
  3. Recap: FIDO Authentication Model (section title)
  4. Trend of Authentication. Accurate, real-time user context can now be captured, so the nature of authentication is changing. High-reliability sensors and secure storage enable the following types of authentication:
     • Local authn: user verification is performed on the user's own device, with which the user can interact easily.
     • Continuous authn: user behaviour is monitored continuously for authentication.
     • Implicit authn: the user is authenticated without an explicit gesture or ceremony.
     • Context-aware authn: data on the context the user is in is used for user authentication.
     Figure: data on user context (geolocation, orientation, temperature, sound, acceleration, steps, walking distance, etc.) is captured from the user and kept in secure storage.
  5. Authentication Models: local vs. remote. Traditional authn model (e.g. password) for web applications: the user submits ID and password, and the server performs both identification and verification before returning OK. FIDO authn model: FIDO separates verification from identification. The authenticator holding the user's credential verifies the user locally through the FIDO client; only the verification result travels to the FIDO server, which performs identification.
  6. Concept: Pluggable Authentication (Recap). FIDO Authenticator (fingerprint, iris, face, USB key, smart card, or a new method) - FIDO Client - FIDO Server (Service 1, 2, 3 ... N), exchanging FIDO standard messages. Plugged-in authenticators give you scalability for authentication. Updated specs UAF & U2F 1.1 have been released.
  7. Web Authentication & CTAP (section title). CTAP: Client To Authenticator Protocol.
  8. Scoped Credential in Web Authentication: a "cryptographic" credential for web applications. The private key (credential) is particular to one authenticator and one RP (a static link); the corresponding public key is held by the RP (a static link). The link from the credential to the user ID is particular to the user and is what gets verified at each authentication. Together these form a trust chain; another user or another RP gets a different credential. cf. Anthony Nadalin's slides for more detail.
  9. Web Authentication API. Server side: Relying Party (RP). User side: user devices running a browser and an authenticator that holds the credential. The Web Authn API is an abstract API through which the browser accesses the credential using JavaScript: makeCredential() and getAssertion().
  10. Authenticator Registration (a pair of keys for attestation is omitted in this picture):
     1. makeCredential() request from the RP via the browser (Web Authn API).
     2. User verification.
     3. Authenticator creates a private/public key pair for authentication.
     4. Authenticator produces credential info, attestation, public key and signature.
     5. Response with signed data about the credential.
     6. RP registers the public key for FIDO authentication under the user's ID.
  11. Web Authentication using Authenticator (attestation keys again omitted):
     1. getAssertion() request from the RP via the browser (Web Authn API).
     2. Verification of the user using a particular method.
     3. Authenticator produces credential info, assertion and signature with its private key.
     4. Response with signed data about the assertion.
     5. RP verifies the signature with the registered public key.
     6. RP discovers the user ID.
  12. Mobile Phone as Authenticator. A "mobile phone authenticator" (mobile phone, smart watch) advances the scalability of authentication further: these join fingerprint, iris, face, USB key and smart card authenticators, connected through the Web Authn API to the FIDO servers of Service 1, 2, 3 ... N.
  13. Authenticator Variation. Embedded authenticator: built into the user device and reached by the client through the Web Authn API. External authenticator (wireless communication type or removable type): reached by the client through CTAP (Client To Authenticator Protocol) behind the Web Authn API.
  14. Solutions using FIDO Authentication (section title)
  15. Authentication: Foundation of trusted applications. In a traditional identity and access management system the user authenticates, after which the server verifies user privileges (access control: access request, access response OK/NG). User activities after authentication include single sign-on, personal attributes sharing and personal service provisioning. Authentication is the first step required to do various online activities.
  16. Semantics for Assertion. FIDO authentication is a mechanism for proofing the user's identity and context: the RP sends a challenge, and the authenticator returns the signed challenge (assertion) using the credential. The assertion conveys:
     • User verification: the user is who he/she claims to be.
     • User presence near the authenticator.
     • User confirmation of (consent to) his/her identity/transaction/context.
  17. Authenticator Adoption. Authenticators implementing existing/legacy/new authentication methods/devices: biometrics, behavioral characteristics, wearable devices (cf. Jae Jung Kim's slides for more detail). Authenticator implementing certificate-based authentication (KICA's case study): the Certificate Authority (CA) issues a certificate to the authenticator over a legacy protocol; the authenticator's PKI module holds the certificate and an encrypted private key, with fingerprint and iris sensors reached through a biometric API; the RP checks the certificate with the Online Certificate Status Protocol (OCSP); FIDO authentication between authenticator and RP runs without any modification.
  18. FIDO Authentication and Federation. The user's authenticator and FIDO client perform FIDO authentication against the FIDO server at the RP/IdP (Identity Provider); the IdP's identity service then issues an authentication assertion to a federated RP (federation). Result: simpler and stronger authentication, and a more seamless and secure service. The authn context transits from the authenticator to the federated RP. cf. https://fidoalliance.org/assets/images/general/FIDOTokyoSeminar101014_gomi.pdf
  19. Proof Information Transition. User proof generated by the authenticator can be used to provide the user with trusted applications at Internet scale: proof of identity, context and transaction flows from the user's credential and authenticator to the RP/IdP and on to federated RPs.
  20. Transaction Confirmation. Protecting against MITM (Man-in-the-Middle) attacks by detecting falsified transaction data (already in the UAF spec and deployed by several banks). Example: the original transaction data is "Bank for transfer: AAA Bank, Recipient Account #: 1234567, Amount: 10000 yen"; malware on the user device falsifies it to "Bank for transfer: XXX Bank, Recipient Account #: 7654321, Amount: 1000000 yen". The transaction data presented to the user is signed by the authenticator using the private key, so the RP (bank) receives the signature of the original transaction data and can prevent the illegal money transfer by verifying that signature even when the data sent to it has been falsified.
  21. Identity Proofing Offline. Real-time biometric FIDO authentication enables "identity proofing" when accessing a physical service. E-ticket use case: the user (online) performs FIDO authentication (visit Yahoo Japan's demo booth); the e-ticket server issues e-tickets and the FIDO server keeps an authn log. At the entrance gate of the event, the user (offline) presents identity proof with the e-ticket; the gate performs proof verification to check "same person?", protecting against impersonation by a malicious user (offline). Sample identity certificate shown on the slide (translated): Name: Taro Yamada; Address: 9-7-1 Akasaka, Minato-ku, Tokyo; Age: 30; Sex: male; Certificate issuer: Yahoo Japan Corporation; Certificate distributed to: ABC Service Co., Ltd.; Issued: 10 August 2013, 13:00; Valid until: 10 August 2014, 13:00; Certificate ID: s8e3d5y9z0g3; Photo of the holder (taken 10 January 2013).
  22. User Verification Caching Spec (New). Developing a new spec to fulfil use cases provided by EMVCo, supporting CDCVM (Consumer Device Cardholder Verification Method) and enabling consumers to conveniently use on-device authenticators. Setting: the user authenticates online to a server with a private key held by the authenticator on the user device, which is shared by App1 and App2. Policy example: do not ask the user for verification to authorize a payment for App2 if the user completed verification (for App1) within the last 5 minutes. The user verification process can thus be simplified for offline use by the authenticator referring to previous verification results, depending on the user's policy.
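The policy example on slide 22 is easiest to reason about as a small decision function on the authenticator. The block below is an added example, not code from the slides and not an implementation of the FIDO caching spec or of EMVCo's CDCVM rules; the policy table shape, the app names and the fake clock are constructed so the freshness window and the cross-app rule can be exercised offline.

```javascript
// Added example (not from the slides): authenticator-side check for reusing a
// cached user verification. Policy shape, app names and clock are constructed;
// this is not the FIDO caching spec.
const FIVE_MINUTES = 5 * 60 * 1000;

class VerificationCache {
  // policy: { appId: { reuseFromOtherApps: boolean, maxAgeMs: number } }
  // now: clock in ms, injectable so the window can be tested deterministically
  constructor(policy, now = () => Date.now()) {
    this.policy = policy;
    this.now = now;
    this.last = null;   // { appId, at, method } of the most recent explicit verification
  }

  // Record a fresh, explicit user verification (biometric, PIN, ...) done for appId.
  recordVerification(appId, method) {
    this.last = { appId, at: this.now(), method };
  }

  // May appId rely on the cached verification instead of prompting the user again?
  mayReuse(appId) {
    const rule = this.policy[appId];
    if (!rule || !this.last) return false;             // no policy, or nothing cached
    const age = this.now() - this.last.at;
    if (age < 0 || age > rule.maxAgeMs) return false;  // stale, or clock moved backwards
    if (this.last.appId !== appId && !rule.reuseFromOtherApps) return false;
    return true;
  }
}

// Exercise the slide's policy: App2 may reuse App1's verification within 5 minutes.
function demoCaching() {
  let clock = 0;
  const cache = new VerificationCache({
    app1: { reuseFromOtherApps: false, maxAgeMs: FIVE_MINUTES },
    app2: { reuseFromOtherApps: true, maxAgeMs: FIVE_MINUTES },
  }, () => clock);
  const results = {};
  results.beforeAnyVerification = cache.mayReuse('app2');  // false: nothing cached yet
  cache.recordVerification('app1', 'fingerprint');
  clock = 2 * 60 * 1000;
  results.app2WithinWindow = cache.mayReuse('app2');       // true: App1 verified 2 min ago
  results.app1ReusesOwn = cache.mayReuse('app1');          // true: same app, still fresh
  clock = 6 * 60 * 1000;
  results.app2AfterWindow = cache.mayReuse('app2');        // false: older than 5 min
  cache.recordVerification('app2', 'fingerprint');
  results.app1FromApp2 = cache.mayReuse('app1');           // false: App1 rejects other apps' results
  results.unknownApp = cache.mayReuse('app3');             // false: no policy for App3
  return results;
}
```

Two details matter for a deployment: the decision is taken inside the authenticator, which is the only place the previous verification result is trusted, and a negative age is treated as stale so that a clock adjustment cannot extend the window.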
  23. Summary. FIDO authentication is encouraged for developing secure and trusted systems both online and offline.
     • FIDO authentication model: local authentication using pluggable authenticators; consistent in specifications.
     • Web authentication & CTAP: scoped cryptographic credential; abstract API for various types of authenticators via browsers.
     • Solutions using FIDO authentication: authenticator adoption; enhancement of identity-federated systems; identity/context proofing offline as well as online.
  24. All Rights Reserved. FIDO Alliance. Copyright 2016.
