Javelin Research's State of Strong Authentication 2019 Report Webinar

Webinar: Javelin Research's State of Strong Authentication 2019 Report

Presented by:
Al Pascual, SVP and Research Director, Javelin Strategy
Andrew Shikiar, Chief Marketing Officer, FIDO Alliance

February 7, 2019

Published in: Technology

  1. JAVELIN RESEARCH’S STATE OF STRONG AUTHENTICATION 2019 REPORT. AL PASCUAL – SVP AND RESEARCH DIRECTOR, JAVELIN STRATEGY & RESEARCH; ANDREW SHIKIAR – CHIEF MARKETING OFFICER, FIDO ALLIANCE. FEBRUARY 7, 2019. (All Rights Reserved | FIDO Alliance | Copyright 2019)
  2. SPEAKERS: Al Pascual, SVP & Research Director, Javelin Strategy & Research; Andrew Shikiar, CMO, FIDO Alliance
  3. THE STATE OF STRONG AUTHENTICATION 2019 REPORT. AL PASCUAL, JAVELIN STRATEGY & RESEARCH
  4. METHODOLOGY: Enterprise data in this report was collected from a survey of 600 identity and authentication decision-makers for businesses headquartered in the United States, with revenues of at least $20 million for the previous year. 301 respondents answered questions about their business' practices in authenticating customers and 299 answered questions about their business' practices in authenticating employees, vendors, and contractors. When data was compared against 2017 responses, previous years' data was adjusted to exclude businesses with annual revenues under $20 million for more accurate comparisons against the 2018 respondent pool.
  5. STRONG VS TRADITIONAL AUTHENTICATION. STRONG AUTHENTICATION: ✓ Multiple factors; ✓ 1+ factor uses cryptographically backed authentication method. TRADITIONAL AUTHENTICATION: ✓ Multiple factors; ✗ No cryptographic handshake. CRYPTOGRAPHICALLY BACKED STRONG AUTHENTICATION: Where one of multiple authentication factors uses public key cryptography
  6. KEY FINDINGS: DRAMATIC GROWTH SINCE 2017. Adoption of cryptographically backed authentication has TRIPLED for consumers and INCREASED 50% for enterprise
  7. KEY FINDINGS: ADOPTION ACCELERATED BY REGULATION. Nearly 70% of businesses agree they face strong regulatory pressure to provide strong authentication for their customers (PSD2, GDPR)
  8. KEY FINDINGS: HOLDOUTS UNDERESTIMATE RISKS. Two-thirds of businesses that use only passwords to authenticate their employees do so because they believe passwords are “good enough”, despite cybercriminals’ continuing to target a wide variety of consumer and business information
  9. RECOMMENDATIONS: SUNSET OTPS. With cyber criminals using social engineering, phone porting and malware to compromise OTP authenticators, Javelin recommends moving away from them and adopting cryptographically-backed strong authentication
  10. CASE STUDIES: GOOGLE, TRADELINK, VISA • No successful phishing attacks against 85,000+ employees since implementing FIDO Security Keys in 2017 • Released their FIDO-based Titan Security Key, intended for enterprises using Google services • Chrome supports WebAuthn • Using FIDO Authentication since 2016 • Adoption by banks has been strong – no user information ever leaves the device • Hong Kong government will launch new initiative for electronic ID in 2020 leveraging FIDO Authentication • Using a FIDO Certified solution as part of its ID Intelligence suite for FIDO-based biometrics • Visa chose a FIDO-based solution because it aligned with its approach to prioritize protecting user data and leveraging available data to make better decisions
  11. FIDO: CRYPTOGRAPHICALLY BACKED AUTHENTICATION. ANDREW SHIKIAR, FIDO ALLIANCE
  12. MEASURING THE PROBLEM • 81%: data breaches in 2016 that involved weak, default, or stolen passwords (VDBR) • 1 in 8: phishing attacks were successful in 2017 (VDBR) • 1,579: breaches in 2017, a 45% increase over 2016 (ITRC) • 51%: of passwords are reused across services (University of Oxford) • 20-50%: of helpdesk calls are for password resets (at $70/reset) (Gartner/Forrester) • 49%: password-driven cart abandonment rate (Visa)
  13. LEADING THE EFFORT: CONSUMER ELECTRONICS; SECURITY & BIOMETRICS; HIGH-ASSURANCE SERVICES
  14. OLD AUTHENTICATION WITH PASSWORDS [diagram labels: Device, Something, Authentication, Internet] (1) Password could be stolen from the server (2) Password might be entered into untrusted App / Web-site (“phishing”) (3) Too many passwords to remember (> re-use / cart abandonment) (4) Inconvenient to type password on phone
  15. NEW AUTHENTICATION WITH FIDO [diagram labels: Authenticator, User verification, FIDO Authentication, Challenge, (Signed) Response, Private key (handle) per account, Public key; Require user gesture before private key can be used] (1) No secrets stored on the server (2) Authenticator cannot be “tricked” by phishing (3) Nothing to remember, no friction added to transaction process (4) Single gesture convenience for User
  16. THE FIDO AUTHENTICATOR [diagram labels: Authenticator, User verification, FIDO Authentication, …, SE] How is the key protected (TPM, SE, TEE, …)? Which user verification method is used?
  17. FIDO SPECIFICATIONS. Passwordless Experience (UAF & FIDO2): (1) Authentication Challenge (2) Biometric User Verification* (3) Authenticated Online. Second Factor Experience (U2F & FIDO2): (1) Second Factor Challenge (2) Insert Security Key* / Press Button (3) Authenticated Online. *There are other types of authenticators
  18. FIDO IS A W3C SPECIFICATION: FIDO2 (CTAP & W3C Web Authentication / “WebAuthn”)
  19. FIDO IS AN ITU STANDARD • x.1277: ITU ratification of FIDO UAF • x.1278: ITU ratification of FIDO2 CTAP (includes CTAP1/U2F)
  20. INDUSTRY PARTNERSHIPS
  21. BACKED BY CERTIFICATION (500++) • Functional Certification (End-to-End): • Conformance Testing • Interoperability Testing • Authenticator Security Certification Levels • How well do you protect the private key? • 3rd-party laboratory verification • Complemented by Biometric Component certification • Universal Server: • Ensures compatibility with all FIDO Certified Authenticators
  22. FIDO CERTIFIED ECOSYSTEM (SAMPLE): SECURITY KEYS (and more); HANDSETS + PCS; CLOUD/SERVER SOLUTIONS
  23. FIDO IS NOW IN THE WEB BROWSER & OS
  24. FIDO IS BEING USED AROUND THE WORLD (Sample of deployments in production)
  25. IN SUMMARY… SECURE BY DESIGN • Based on public key cryptography • No server-side shared secrets • Keys stay on device • No 3rd party in the protocol • Biometrics, if used, never leave device • No link-ability between services or accounts
  26. FIDO: THE FUTURE OF USER AUTHENTICATION. FIDO Authentication is the industry’s response to the password problem • INDUSTRY SUPPORT - FIDO represents the efforts of some of the world’s largest companies whose very businesses rely upon better user authentication • THOUSANDS OF SPEC DEVELOPMENT HOURS - Now being realized in products being used every day • ONGOING INNOVATION - Specifications, certification programs, and deployment working groups establishing best implementation practices • ENABLEMENT - Leading service providers representing billions of user identities are already FIDO-enabling their authentication processes
  27. Join the FIDO Ecosystem (www.fidoalliance.org): Deploy; Take Part in FIDO Events; Build FIDO Certified Solutions; Join the Alliance. Twitter: @fidoalliance
  28. Connect with FIDO: fidoalliance.org
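
The challenge/response flow on slide 15 and the "secure by design" properties on slide 25, modeled in Node.js as an added example that is not part of the original deck. It is a simplified model, not the WebAuthn/CTAP message format; the class names, field names and `.example` origins are constructed for illustration.

```javascript
// Simplified model of the FIDO challenge/response flow; NOT the WebAuthn/CTAP wire format.
// Class names, field names and the .example origins are constructed for illustration.
const crypto = require('crypto');

class Authenticator {
  constructor() { this.keys = new Map(); }  // one private key per origin, never exported
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey;                       // only the public key leaves the device
  }
  // `origin` is the site the client is really talking to, not what a page claims to be.
  sign(origin, challenge, userGesture) {
    const key = this.keys.get(origin);
    if (!userGesture || !key) return null;  // no gesture, or no key for this origin
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), key) };
  }
}

class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() { const c = crypto.randomBytes(32).toString('base64'); this.pending.add(c); return c; }
  verify(user, response) {
    const publicKey = this.publicKeys.get(user);
    if (!response || !publicKey) return false;
    const data = Buffer.from(response.clientData);
    if (!crypto.verify('sha256', data, publicKey, response.signature)) return false;
    const { origin, challenge } = JSON.parse(response.clientData);
    return origin === this.origin && this.pending.delete(challenge); // right site, unused challenge
  }
}

function demo() {
  const der = (key) => key.export({ type: 'spki', format: 'der' });
  const bank = new RelyingParty('https://bank.example');
  const device = new Authenticator();
  bank.enroll('alice', device.register(bank.origin));
  const shopKey = device.register('https://shop.example');
  const ok = device.sign(bank.origin, bank.newChallenge(), true);
  const genuine = bank.verify('alice', ok);
  const replayed = bank.verify('alice', ok); // same signed response presented twice
  // A look-alike site relays a fresh challenge, but the device sees the look-alike origin.
  const relayed = bank.verify('alice', device.sign('https://bank-login.example', bank.newChallenge(), true));
  const noGesture = bank.verify('alice', device.sign(bank.origin, bank.newChallenge(), false));
  const sameKey = der(shopKey).equals(der(bank.publicKeys.get('alice')));
  return { genuine, replayed, relayed, noGesture, sameKey };
}
```

The server in this model stores only public keys and outstanding challenges, so a dump of its state gives nothing that can be replayed, and the two services hold different public keys for the same device.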