
Introduction to FIDO Biometric Authentication


The model of password authentication is broken. FIDO is a new approach to authentication, including a modality for biometric authentication. Learn about the specification and the clear benefits of adding FIDO Authentication to Device APIs.

Published in: Internet


  1. INTRODUCTION TO FIDO BIOMETRIC AUTHENTICATION (All Rights Reserved | FIDO Alliance | Copyright 2018)
  2. THE FIDO ALLIANCE: leadership, consumer electronics, security & biometrics, high-assurance services
  3. THE PROBLEM IS "SHARING SECRETS": passwords, OTPs, PANs
  4. THE COST IS GETTING HIGHER, FASTER. Losses to card-not-present (CNP) fraud exceeded $5.65 billion in 2015, with growth in nearly every country; CNP already accounts for more than 50% of total fraud losses in the U.S. (source: The Nilson Report). 81% of data breaches in 2016 involved weak, default, or stolen passwords. Phishing attacks increased 65% over the number of attacks recorded in 2015. Breaches in 2016 were up 40% over 2015; breaches in 2017 were up 44.7% (about 45%) over 2016.
  5. Why is the old model SO BROKEN?
  6. HOW SHARED SECRETS WORK: over the online connection, the user authenticates themselves by presenting a human-readable "shared secret".
  7. SECURITY vs. USABILITY: the chart plots security (weak to strong) against usability (poor to easy). FIDO's properties: open standards, public key cryptography, single gesture, phishing resistant, MFA authentication.
  8. HOW FIDO WORKS: over the local connection, the user authenticates "locally" to their device (by various means); over the online connection, the device authenticates the user using public key cryptography.
  9. EARLY ADOPTERS (SAMPLE)
  10. BIOMETRICS WITH FIDO: user verification happens at the authenticator; FIDO authentication is a challenge answered with a signed response. The private key is dedicated to one app, the public key is held by the service, and a user gesture is required before the private key can be used.
  11. BACKED BY ATTESTATION + METADATA: at FIDO registration, the authenticator's private attestation key produces a signed attestation object; the relying party verifies it using the trust anchor included in the metadata, and learns the authenticator's security characteristics by looking into the metadata from mds.fidoalliance.org.
  12. METADATA CARRIES CERTIFICATION INFO: ensures conformance & interoperability; enables policy based on authenticator security level; enables policy based on biometric performance.
  13. AUTHENTICATOR SECURITY LEVELS
  14. COMPARE TO DEVICE API (WITHOUT FIDO). Device API flow: a password checked against a password database. ✓ Better UX. × Still just a "shared secret". × Security end-to-end is all on you. × Retrieving device attributes is added cost (YMMV). × Financial risk to ROI ("long tail" of APIs). × Development risk (proprietary code abandonment). × Competitive risk (home grown vs. industry trend). × Opportunity cost (time on authn vs. core business). × No clear path to MFA/SCA regulatory approval. Some analysis summarized from the Nok Nok Labs paper "Enabling Biometrics For Mobile Application Authentication".
  15. ADDING FIDO TO DEVICE API. FIDO flow: challenge and response verified against a public key database. ✓ Better UX. ✓ Public key crypto vs. "shared secret". ✓ Security end-to-end reviewed by industry. ✓ Free Metadata Service for device attributes. ✓ Financial ROI from open standard economics. ✓ Development risk shared/mitigated by industry. ✓ Competitive & flexible UX above standard API. ✓ Opportunity cost minimized by partnerships. ✓ MFA/SCA regulators already educated on FIDO.
  16. EXAMPLE 1: US NIST/OMB GUIDANCE. Recognized by the U.S. government (NIST) in 2014: technology is now mature enough to enable two secure, distinct authn factors in a single device. OMB (White House) removes the requirement that one factor be separate from the device accessing the resource. Only binding on government applications, but it set a precedent in MFA regulation.
  17. EXAMPLE 2: EUROPEAN PSD2. Recognized by the EBA in 2017: technology is now mature enough to enable two secure, distinct authn factors in a single device. Strong Customer Authentication can be achieved with a single-gesture UX, helped by the FIDO Metadata that can clearly convey device compliance with Article 9/3(a): "the use of a separated secure execution environment".
  18. FIDO AND 3DS. Joint statement from FIDO Alliance & EMVCo: "FIDO Alliance and EMVCo are in the process of expanding our scope of collaboration to include a work item to define in detail how EMV 3DS messages may be used to pass FIDO authenticator attestation and signatures in a manner that is both scalable and interoperable across the EMV payments ecosystem."
  19. Connect with FIDO Alliance: fidoalliance.org
