
FIDO Webinar – A New Model for Online Authentication: Implications for Policy and Government Applications


The new model for stronger, simpler online authentication has implications beyond businesses and their consumers, including government policy and applications. FIDO was designed with security and privacy at the forefront, making it a natural ally for government initiatives in these areas. View slides from policy experts on the role of FIDO in policy, what the Alliance is doing in policy and how governments are working to implement FIDO.

Contents:

Review of FIDO Alliance
– FIDO’s mission and vision
– Key liaison relationships & government members
– How FIDO enhances privacy
FIDO in Government Services, a NIST Perspective
Introduction to FIDO’s Privacy and Public Policy Workgroup (P3WG) and some key outputs:
– Privacy White Paper
– EBA Response
FIDO’s fit in global regulatory approaches to security and privacy
– Supporting common policy goals
– Key differences from traditional 2-factor authentication
– Related activities, including the Cybersecurity National Plan (US) and eIDAS (EU)



  1. A New Model for Online Authentication: Implications for Policy and Government Applications. Webinar, May 4, 2016. All Rights Reserved. FIDO Alliance. Copyright 2016.
  2. Our Speakers: Jeremy Grant (Chertoff Group), Brett McDowell (FIDO Alliance), Paul Grassi (NIST)
  3. Authentication is Important to Government
     1. Protects access to government assets
     2. Enables more high-value citizen-facing services
     3. Empowers the private sector to provide a wider range of high-value services to consumers
     4. Secures assets in regulated industries
     5. Promotes good security practices in the private sector
     Governments seek identity solutions that deliver not just improved security, but also privacy, interoperability and better customer experiences.
  4. FIDO Delivers on Key Policy Priorities
     Security
     – Authentication using strong asymmetric public key cryptography
     – Superior to the old "shared secrets" model: the server holds no secret, so there is nothing to steal
     – Biometrics as second factor
     Privacy
     – Privacy architected in up front; supports EU privacy principles and other national privacy initiatives
     – No linkability or tracking
     – Biometric data never leaves the device
     – Consumer control and consent
     Interoperability
     – Open standards: FIDO 2.0 specs are in the W3C standardization process
     – FIDO compliance/conformance testing to ensure interoperability of "FIDO Certified" products
     Usability
     – Designed with the user experience (UX) first, with the goal of making authentication as easy as possible
     – Security built to support the user's needs, not the other way around
  5. FIDO Impact on Policy: FIDO specifications offer governments newer, better options for strong authentication, but governments may need to update some policies to support the ways in which FIDO is different. As technology evolves, policy needs to evolve with it.
  6. FIDO Alliance: An Overview (Brett McDowell)
  7. The world has a PASSWORD PROBLEM
  8. Data breaches: 781 data breaches in 2015; 170 million records in 2015 (up 50%); $3.8 million cost per breach (up 23% from 2013)
  9. One-time passcodes improve security but aren't easy enough to use: still phishable; user confusion; token necklace; SMS reliability
  10. WE NEED A NEW MODEL
  11. We call our new model Fast IDentity Online: online authentication using public key cryptography
  12. The old paradigm: usability traded off against security (diagram)
  13. The FIDO paradigm: a two-axis chart, usability from poor to easy and security from weak to strong (diagram)
  14. How old authentication works online: the user authenticates online by presenting a human-readable "shared secret"
  15. How FIDO authentication works: the user authenticates locally to their device (by various means); the device then authenticates the user online using public key cryptography (local step on the authenticator, online step to the server)
  16. FIDO Registration
     1. User is in a session or a new-account flow
     2. Registration invitation sent
     3. User approval; new key pair created on the authenticator
     4. Public key registered with the online server
     Registration complete
  17. FIDO Authentication
     1. User needs to log in or authorize a transaction
     2. FIDO challenge sent
     3. User approval; key selected and signs the challenge
     4. Signed response verified using public key cryptography
     Login complete
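The registration and authentication flows on slides 16 and 17, together with the data inventory in the EU privacy mapping later in the deck (the relying party keeps a public key and a key handle, the private key stays on the authenticator), as an added Go example written for this page. It is not FIDO Alliance code and does not implement the UAF or U2F wire formats: the Authenticator and RelyingParty types, the rpID strings bank.example, evil.example and shop.example, and the SHA-256-over-rpID-and-challenge construction are assumptions for illustration. Local user verification, attestation (the AAID on slide 56) and key-handle wrapping are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// keyRecord: one private key per registration, scoped to the relying party (RP) it was created for.
type keyRecord struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Authenticator models the device-side component; private keys never leave it.
type Authenticator struct{ keys map[string]keyRecord } // key handle -> record
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]keyRecord{}} }

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to continue
	}
	return b
}

// Register (slide 16, steps 3-4): mint a fresh P-256 key pair for rpID; the RP gets handle + public key.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("%x", random(16)) // assumed handle format: random, no wrapped key inside
	a.keys[handle] = keyRecord{rpID: rpID, priv: priv}
	return handle, &priv.PublicKey, nil
}

// Sign (slide 17, step 3): sign the challenge bound to the RP the device is actually talking to. A handle
// presented under another rpID (a phishing site relaying a real challenge) is refused. User verification is assumed done.
func (a *Authenticator) Sign(handle, rpID string, challenge []byte) ([]byte, error) {
	rec, ok := a.keys[handle]
	if !ok || rec.rpID != rpID {
		return nil, fmt.Errorf("key handle %q is not registered for %q", handle, rpID)
	}
	return ecdsa.SignASN1(rand.Reader, rec.priv, signedData(rpID, challenge))
}

// signedData binds rpID and challenge, so a signature is valid for one RP and one login attempt.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator between the two fields
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty keeps only public keys and outstanding challenges: nothing a breach could replay.
type RelyingParty struct {
	ID      string
	creds   map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}
// StoreCredential (slide 16, step 4): the public key is all the server keeps.
func (rp *RelyingParty) StoreCredential(handle string, pub *ecdsa.PublicKey) { rp.creds[handle] = pub }

// Challenge (slide 17, step 2): a fresh 32-byte nonce per login attempt.
func (rp *RelyingParty) Challenge(handle string) []byte {
	c := random(32)
	rp.pending[handle] = c
	return c
}

// Verify (slide 17, step 4). The challenge is consumed even on failure, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(handle string, sig []byte) bool {
	pub, okPub := rp.creds[handle]
	c, okCh := rp.pending[handle]
	if !okPub || !okCh {
		return false
	}
	delete(rp.pending, handle)
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, c), sig)
}

func main() {
	auth, bank := NewAuthenticator(), NewRelyingParty("bank.example")
	handle, pub, _ := auth.Register(bank.ID)
	bank.StoreCredential(handle, pub)
	sig, _ := auth.Sign(handle, bank.ID, bank.Challenge(handle))
	fmt.Println(bank.Verify(handle, sig), bank.Verify(handle, sig)) // true false: the second call is a replay
	_, err := auth.Sign(handle, "evil.example", bank.Challenge(handle))
	fmt.Println(err) // refused: the handle is scoped to bank.example
}
```

Three properties from the slides fall out of the structure rather than from extra checks: a relying-party breach yields only public keys, so there is no shared secret to steal; a response captured on the wire is useless because the challenge is single-use; and a phishing site that relays a genuine challenge gets nothing, because the handle is scoped to the rpID it was registered under and the signed data includes that rpID. Registering the same authenticator at a second relying party produces an unrelated key pair and handle, which is the "no linkability between services" property. In deployed U2F the browser, not the authenticator, supplies the origin that goes into the signed data, and the response also carries a signature counter; both are simplified away here.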
  18. Open standards R.O.I.: FIDO-enable once, gain every device you trust, no more one-off integrations
  19. Usability, Security, R.O.I. and Privacy
  20. Better security for online services; reduced cost for the enterprise; simpler and safer for consumers
  21. FIDO Alliance Mission: 1. Develop specifications; 2. Operate adoption programs; 3. Pursue formal standardization
  22. FIDO Development Timeline
     – Feb 2013: Alliance announced (6 members)
     – Dec 2013: FIDO Ready program
     – Feb 2014: Specification review draft
     – Feb–Oct 2014: First deployments
     – Dec 9, 2014: FIDO 1.0 final
     – May 2015: Certification program
     – June 2015: New U2F transports
     – Today: >250 members, market adoption
  23. Board Members
  24. Sponsor Members
  25. Associate Members
  26. Government & Research: "The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress." – Mike Garcia, NSTIC NPO
  27. Liaison Program: Our mission is highly complementary to many other associations around the world. We welcome the opportunity to collaborate with this growing list of industry partner organizations.
  28. 2014 FIDO Adoption
     – "PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5" (Feb 24, 2014)
     – "Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5" (September 17, 2014)
     – "Google Launches Security Key, World's First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication" (October 21, 2014)
  29. 2015 FIDO Adoption
     – "Microsoft Announces FIDO Support Coming to Windows 10" (Feb 23, 2015)
     – "Qualcomm launches Snapdragon fingerprint scanning technology" (March 2, 2015)
     – "Google for Work announced Enterprise admin support for FIDO® U2F 'Security Key'" (April 21, 2015)
     – "Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO's services using FIDO standards." (May 26, 2015)
     – "Today, we're adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection." (August 12, 2015)
     – "[T]he technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards." (September 15, 2015)
     – "GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification." (October 1, 2015)
  30. 2016 FIDO Adoption
     – "KEB Hana's new solution is notably FIDO Certified." (February 3, 2016)
     – "BC Card provides Token and FIDO services to strengthen security and safety of Samsung Pay" (March 1, 2016)
     – "NTT DOCOMO is now offering FIDO-enabled biometric authentication for customers using Apple iOS devices" (Mar 7, 2016)
     – "FIDO Universal 2nd Factor (U2F) authentication is now being used to allow all UK citizens to easily and securely access GOV.UK Verify digital public services." (Mar 23, 2016)
  31. Deployments are enabled by over 150 FIDO® Certified products available today
  32. FIDO Certification: available to anyone; ensures interoperability; promotes the FIDO ecosystem. Steps to certification: 1. Conformance self-validation; 2. Interoperability testing; 3. Certification request; 4. Trademark license (optional). fidoalliance.org/certification
  34. Leading OEMs Shipping FIDO Certified Devices: Samsung (S5, S5 Mini, Alpha, Note 4, Note 5, Note Edge, S6/S7, S6/S7 Edge, Tab S, Tab S2); Sharp Aquos Zeta; Sony Xperia Z5; Fujitsu Arrows (iris biometrics); LG V10 & G5; Huawei Mate 8
  35. FIDO Applications Now Run on iOS 9. Supported iOS fingerprint devices: iPhone 5s; iPhone 6, 6+; iPhone 6s, 6s+; iPad Air 2, iPad Mini 3; iPad Mini 4; iPad Pro
  36. JOIN THE FIDO ECOSYSTEM
  37. JOIN THE FIDO ALLIANCE
  38. FIDO in Government Services: A NIST Perspective (Paul Grassi)
  39. FIDO and Digital Government Services
  40. "…encryption would not have helped…" – Dr. Andy Ozment
  41. Privacy Enhancing & Voluntary; Secure & Resilient; Interoperable; Cost-Effective & Easy to Use
  42. USG Use Cases: M-05-24?
  44. Identity Proofing; Credential; Attributes
  45. Strength of authentication
  46. Update on the Update
  47. Perspectives on FIDO in Global Policy (Jeremy Grant)
  48. FIDO Engagement on Policy Issues
     – FIDO launched the Public Policy and Privacy Working Group (P3WG) in 2014
     – Mission: focus on a "Privacy by Design" approach to FIDO specifications, providing privacy expertise and guidance; monitor global privacy and public policy issues that impact authentication, engaging in education efforts where appropriate
     – Co-Chairs: Hannes Tschofenig (ARM) and Stephan Somogyi (Google)
  49. Why Policy Matters
     – Governments around the world are focusing on identity and authentication requirements, both for their own systems and for systems in industries that they regulate
     – Drivers for these enhanced requirements include the increased number of attacks tied to passwords in the public and private sectors, as well as the need for more secure consumer/citizen-facing digital services
     – As governments engage here, support for new approaches like FIDO is not a given: most governments are not aware of FIDO, or if they are, do not properly understand it; there is a natural gap between technology innovation and policymakers' and regulators' understanding of that innovation
  50. FIDO Engagement on Policy Issues: 2016 Activities
     – FIDO Privacy White Paper (January 2016)
     – Response to the European Banking Authority (EBA) Discussion Paper on Future Draft Technical Standards on Strong Customer Authentication and Secure Communication under the Revised Payment Services Directive (PSD2) (February 2016)
     – Response to the NIST RFI on updates to the NIST "Framework for Improving Critical Infrastructure Cybersecurity" (March 2016)
     – Active inventorying and monitoring of authentication-related policies across the globe
  51. What Governments Should Know, 1: Recognize that two-factor authentication no longer brings higher burdens or costs.
     – While this statement was true of most "old" MFA technology, FIDO specifically addresses these cost and usability issues.
     – FIDO enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale.
  52. What Governments Should Know, 2: Recognize that technology is now mature enough to enable two secure, distinct authentication factors in a single device.
     – Recognized by the US government (NIST) in 2014: "OMB (White House) to update guidance on remote electronic authentication" to remove requirements that one factor be separate from the device accessing the resource
     – The evolution of mobile devices, in particular hardware architectures that offer highly robust and isolated execution environments (such as TEE, SE and TPM), has allowed these devices to achieve high-grade security without the need for a physically distinct token
  53. What Governments Should Know, 3: As governments promote or require strong authentication, make sure it is the "right" strong authentication. The market is in the midst of a burst of innovation around authentication technology, and some solutions are better than others. Don't push the adoption of old authentication technology.
     – Old authentication technologies impose significant costs and burdens on the user, which decreases adoption
     – Old authentication technologies have security (i.e., phishable) and privacy issues, putting both users and online service providers at risk
  54. What Governments Should Know, 4: FIDO is designed to enhance privacy
     – Designed from the start to support the privacy principles of the European Data Protection Directive and other government privacy initiatives
     – No third party in the protocol
     – No secrets on the server side
     – Biometric data (if used) never leaves the device
     – No linkability between services
     – No linkability between accounts
  55. FIDO and User Privacy - US: FIDO Privacy Principles mapped to Identity Ecosystem Steering Group (IDESG) Requirements
     – Require explicit, informed consent for any operation using personal data: PRIVACY-6 (Usage Notice), PRIVACY-8 (Third Party Limitations), PRIVACY-9 (User Notice of Changes), PRIVACY-10 (User Option to Decline), PRIVACY-11 (Optional Information)
     – Provide clear context to the user for any FIDO operations: PRIVACY-6, PRIVACY-8, PRIVACY-9, PRIVACY-10, PRIVACY-11
     – Limit collection of personal data to FIDO-related purposes: PRIVACY-1 (Data Minimization), PRIVACY-2 (Purpose Limitation), PRIVACY-3 (Attribute Minimization), PRIVACY-5 (Data Aggregation Risk), PRIVACY-8, PRIVACY-12 (Anonymity), PRIVACY-13 (Controls Proportionate to Risk)
     – Use personal data only for FIDO operations: PRIVACY-1, PRIVACY-2, PRIVACY-5, PRIVACY-8
     – Prevent identification of a user outside of FIDO operations: PRIVACY-1, PRIVACY-2, PRIVACY-3, PRIVACY-5, PRIVACY-8, PRIVACY-12
     – Biometric data must never leave the user's personal computing environment: PRIVACY-1, PRIVACY-2, PRIVACY-3, PRIVACY-4 (Credential Limitation), PRIVACY-8, PRIVACY-15 (Attribute Segregation)
     – Protect FIDO-related data from unauthorized access or disclosure: covered by the IDESG Security Requirements; PRIVACY-14 (Data Retention)
     – Allow users to easily view and manage their FIDO Authenticators: PRIVACY-7 (User Data Control), PRIVACY-8, PRIVACY-14
  56. FIDO and User Privacy - EU: EU Privacy Principles and how FIDO implements them
     – Personal data must be processed fairly and lawfully: For a User to access a Relying Party's services through FIDO Authentication, the User must first agree to register with that Relying Party. When the User wishes to access the online service, they must complete the User Verification step (e.g. touching a sensor, entering a passcode or providing a fingerprint) in order to trigger the cryptographic computation. This ensures that malware installed on the User's device cannot autonomously perform FIDO operations.
     – Personal data can only be processed for one or more specified lawful purpose(s): The personal data needed to access an online service, such as a fingerprint, can only be accessed by the FIDO Authenticator, which is part of the User's device, and only when it is required to perform an Authentication. The FIDO protocol requires the Relying Party to store a minimum amount of data, for which the user provides consent.
     – Personal data must be adequate, relevant and not excessive in relation to the purposes for which it is used: The data needed to perform an Authentication is collected by the Relying Party when the User registers with it. This data is: a public key, which allows the Relying Party to verify that the FIDO Authenticator being used is the one previously registered by the User; the Authenticator Attestation ID (AAID), a reference that allows the Relying Party to look up the characteristics of the FIDO Authenticator used; and a Key Handle, an identifier created by the FIDO Authenticator, potentially containing an encrypted private key, that refers to a specific key maintained by the FIDO Authenticator.
     – Personal data must be accurate and up to date: The data used for FIDO Authentication, such as the registered public key, must be accurate, since cryptographic verification fails otherwise. If the data becomes corrupted for any reason, the User needs to re-register with the Relying Party; re-registration changes the registered public key.
     – Personal data must not be kept for longer than necessary to fulfil the purposes for which it was collected: The User may de-register from a Relying Party at any time. Once de-registration has taken place, the public key held by the Relying Party is of no further use.
     – Personal data must be kept secure: Allowing users to authenticate with FIDO provides a greater level of security around access to personal data than passwords alone. Data required for local User Verification is stored locally on the FIDO Authenticator. FIDO-related data stored at the Relying Party is not confidential by itself. The FIDO Authenticator is required to protect the data used for User Verification and FIDO-related data, such as cryptographic keys, against unauthorized access by third parties.
     – Personal data must be processed in accordance with the rights of data subjects: Personal data used to authenticate a User can only be accessed by that User, when the User wishes to be authenticated.
     – Personal data cannot be transferred outside a given geographical area, such as the EEA, without specific circumstances being in place: Personal data held in a FIDO Authenticator is protected by the same mechanisms irrespective of the device's location, and the device can only leave the EEA if the owner wishes it to. The FIDO Server used by the Relying Party does not contain personal data.
  57. Better security for online services; reduced cost for the enterprise; simpler and safer for consumers
  58. Thank you. Connect with us: @FIDOAlliance; linkedin.com/company/the-fido-alliance; slideshare.net/FIDOAlliance
