Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Getting to Know the FIDO Specifications - Technical Tutorial

7,987 views

Published on

What if we could replace passwords with authentication that is stronger and simpler? Web service providers and enterprises worldwide are looking for a solution to move beyond the frustrating user experience and less-than-stellar security of single-factor password authentication systems. Today FIDO is that solution, providing a rich set of specifications and certifications for an emerging and interoperable ecosystem of hardware, mobile and biometrics-based devices. This ecosystem enables enterprises and web service providers to easily deploy strong authentication solutions that reduce password dependencies and provide a superior, simpler and trusted user experience.
- Learn the ins and outs of FIDO’s specifications, including their applicability to both passwordless (UAF) and second factor (U2F) authentication use cases.
- Learn how FIDO separates user verification from authentication along with other details on the FIDO registration and login process.
- Learn how FIDO authentication protects user privacy and prevents phishing and man-in-the-middle attacks.

Published in: Technology
  • Be the first to comment

Getting to Know the FIDO Specifications - Technical Tutorial

  1. 1. GETTING TO KNOW THE FIDO SPECIFICATIONS Rolf Lindemann, Senior Director Products & Technology, Nok Nok Labs All Rights Reserved | FIDO Alliance | Copyright 2016.
  2. 2. How Secure is Authentication? 2All Rights Reserved | FIDO Alliance | Copyright 2016.
  3. 3. Cloud Authentication 3 DeviceSomething Authentication Risk Analytics Internet All Rights Reserved | FIDO Alliance | Copyright 2016.
  4. 4. Password Issues 4 DeviceSomething Authentication Internet Password could be stolen from the server 1Password might be entered into untrusted App / Web- site (“phishing”) 2 Too many passwords to remember (>re-use / cart Abandonment) 3 Inconvenient to type password on phone 4 All Rights Reserved | FIDO Alliance | Copyright 2016.
  5. 5. Classifying Threats 5 Remotely attacking central servers steal data for impersonation Remotely attacking lots of user devices steal data for impersonation Remotely attacking lots of user devices misuse them for impersonation Remotely attacking lots of user devices misuse authenticated sessions Physically attacking user devices steal data for impersonation Physically attacking user devices misuse them for impersonation 1 2 3 4 5 6 Physical attacks possible on lost or stolen devices (3% in the US in 2013) Scalable attacks All Rights Reserved | FIDO Alliance | Copyright 2016.
  6. 6. How does FIDO work? 6 DeviceUser verification FIDO Authentication Authenticator All Rights Reserved | FIDO Alliance | Copyright 2016.
  7. 7. How does FIDO work? 7 AuthenticatorUser verification FIDO Authentication Require user gesture before private key can be used Challenge (Signed) Response Private key dedicated to one app Public key All Rights Reserved | FIDO Alliance | Copyright 2016.
  8. 8. How does FIDO work? 8 AuthenticatorUser verification FIDO Authentication … …SE All Rights Reserved | FIDO Alliance | Copyright 2016.
  9. 9. How does FIDO work? 9 AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes. All Rights Reserved | FIDO Alliance | Copyright 2016.
  10. 10. How does FIDO work? 10 AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes. Identity binding to be done outside FIDO: This this “John Doe with customer ID X”. All Rights Reserved | FIDO Alliance | Copyright 2016.
  11. 11. How does FIDO work? 11 AuthenticatorUser verification FIDO Authentication … …SE How is the key protected (TPM, SE, TEE, …)? Which user verification method is used? All Rights Reserved | FIDO Alliance | Copyright 2016.
  12. 12. Attestation & Metadata 12 Authenticator FIDO Registration Signed Attestation Object Metadata Private attestation key Verify using trust anchor included in Metadata Understand Authenticator security characteristic by looking into Metadata from mds.fidoalliance.org (or other sources) All Rights Reserved | FIDO Alliance | Copyright 2016.
  13. 13. FIDO Authenticator Concept FIDO Authenticator User Verification / Presence Attestation Key Authentication Key(s) Injected at manufacturing, doesn’t change Generated at runtime (on Registration) Optional Components Transaction Confirmation Display
  14. 14. Trusted Execution Environment (TEE) FIDO Authenticator as Trusted Application (TA) User Verification / Presence Attestation Key Authentication Key(s) Store at Enrollment Compare at Authentication Unlock after comparison Client Side Biometrics
  15. 15. 15 Passwordless Experience (UAF Standards) Authenticated Online 3 Biometric User Verification* 21 ? Authentication Challenge Authenticated Online 3 Second Factor Challenge Insert Dongle* / Press Button Second Factor Experience (U2F Standards) *There are other types of authenticators 21 All Rights Reserved | FIDO Alliance | Copyright 2016.
  16. 16. U2F Registration 16 Relying Party AppID, challenge a; challenge, origin, channel id, etc. a generate: key kpub key kpriv handle h kpub, h, attestation cert, signature(a,fc,kpub,h) fc, kpub, h, attestation cert, s cookie store: key kpub handle h s U2F Authenticator check AppID fc FIDO Client / Browser All Rights Reserved | FIDO Alliance | Copyright 2016.
  17. 17. U2F Authentication 17 U2F Authenticator FIDO Client / Browser Relying Party h, a; challenge, origin, channel id, etc. retrieve: key kpriv from handle h; cntr++ cntr, signature(a,fc,cntr) cntr, fc, s check signature using key kpub s f c handle, AppID, challenge h acheck AppID set cookie retrieve key kpub from handle h All Rights Reserved | FIDO Alliance | Copyright 2016.
  18. 18. 18 Authenticated Online 3 Biometric User Verification* 2 Passwordless Experience (UAF Standards) 1 ? Authentication Challenge Authenticated Online 3 Second Factor Challenge Insert Dongle* / Press Button Second Factor Experience (U2F Standards) 1 2 *There are other types of authenticators All Rights Reserved | FIDO Alliance | Copyright 2016.
  19. 19. Registration Overview 19 Perform legacy authentication first, in order to bind authenticator to an electronicidentity, then perform FIDO registration. FIDO CLIENT FIDO AUTHENTICATOR FIDO SERVER Verify user Generate key pair Sign attestation object: • Public key • AAID • Hash(FinalChallenge) • Name of relying party Signed by attestation key Send Registration Request: • Policy • Random Challenge Verify signature Check AAID against policy Store public key Start registration AAID = Authenticator Attestation ID, i.e. model ID FinalChallenge=AppID | FacetID | channelBinding | serveChallenge All Rights Reserved | FIDO Alliance | Copyright 2016.
  20. 20. Authentication Overview 20 FIDO CLIENT FIDO AUTHENTICATOR FIDO SERVER Verify user Opt: Display TransactionText Sign signData object: Signature alg • Hash(FinalChallenge) • Opt: Hash(TransactionText) • Signature counter Authenticator random Signature (Uauth key) Send Authentication Request: • Policy • Random Challenge • Opt: TransactionText Verify signature Check AAID against policy Start authentication FinalChallenge=AppID | FacetID | channelBinding | serveChallenge All Rights Reserved | FIDO Alliance | Copyright 2016.
  21. 21. Convenience & Security 21 Security Convenience Password + OTP Password All Rights Reserved | FIDO Alliance | Copyright 2016.
  22. 22. Convenience & Security 22 Security Convenience Password + OTP Password FIDO In FIDO • Same user verification method for all servers In FIDO: Arbitrary user verification methods are supported (+ they are interoperable) All Rights Reserved | FIDO Alliance | Copyright 2016.
  23. 23. Convenience & Security 23 Security Convenience Password + OTP Password FIDO In FIDO: Scalable security depending on Authenticator implementation In FIDO: • Only public keys on server • Not phishable All Rights Reserved | FIDO Alliance | Copyright 2016.
  24. 24. Conclusion • Different authentication use-cases lead to different authentication requirements • FIDO separates user verification from authentication and hence supports all user verification methods • FIDO supports scalable convenience & security • User verification data is known to Authenticator only • FIDO complements federation 24All Rights Reserved | FIDO Alliance | Copyright 2016.
  25. 25. What about rubber fingers? Protection methods in FIDO 1. Attacker needs access to the Authenticator and swipe rubber finger on it. This makes it a non-scalable attack. 2. Authenticators might implement presentation attack detection methods. Remember: Creating hundreds of millions of rubber fingers + stealing the related authenticators is expensive. Stealing hundreds of millions of passwords from a server has low cost per password.
  26. 26. But I can’t revoke my finger… • Protection methods in FIDO You don’t need to revoke your finger, you can simply de-register the old (=attacked) authenticator. Then, 1. Get a new authenticator 2. Enroll your finger (or iris, …) to it 3. Register the new authenticator to the service

×