Fast IDentity Online: new wave of open authentication standards
Marius Vitkevičius, Software architect @ Telesoftas
.NET Crowd / 2019
Passwords today: reused, keylogged, phished, leaked
Default choice today
• Communication: strong
• Authentication: symmetric encryption, i.e. a shared secret (the password)
Password alternatives / 2nd factors: too many choices
• OTP code cards: root of all evil
• SMS: coverage, delay, cost
• OTP app (Google Authenticator): inconvenient, bad UX
• OTP device: cost, one per site, batteries, bad UX
• Custom mobile app: reach, cost, difficult to "get right"
All of the above: no protection from phishing (the user can be tricked into typing the code into the attacker's page)
Phishing example (legal phishing)
Meet U2F (Universal Second Factor) security keys
• Created by Google and Yubico
• USB, NFC or Bluetooth
• Communicates with the browser through a custom (browser-specific) API
• Phishing resistant: the browser, not the page, passes the origin to the token, and the token's signature covers it, so a response obtained on a look-alike site does not verify for the real one
U2F statistics from Google
• U2F mandatory for all employees
• U2F supported for Google customers
U2F vs OTP:
• >2x faster to authenticate
• Significant reduction in fraud cases
• Support load reduced by 40%
FIDO Alliance
• Open industry alliance, similar to other standards consortia
• Defines the standards and provides paid certification that allows you to put the FIDO sticker on your product
FIDO Alliance members
Essence of FIDO
1. User verification: the authenticator asks the user for verification; the user provides a gesture (touch) or biometrics.
2. FIDO authentication: the server sends a challenge; the authenticator returns a signed response.
Basic registration flow: three parties
• Authenticator
• Client (browser or OS)
• Relying party (server)
So, what is FIDO? A set of standards for strong authentication:
• U2F: Universal Second Factor
• UAF: Universal Authentication Framework
• CTAP: Client to Authenticator Protocol
• FIDO2 = WebAuthn (Web Authentication) + CTAP2
Web Authentication (WebAuthn): evolution of U2F
• Official W3C standard: JavaScript API for communication with hardware authenticators
• Supported by all major browsers (not yet Safari at the time of this talk)
• Driven by the FIDO2 project (WebAuthn is one part of FIDO2)
• Can be used as a second factor and as a first factor (password-less)
• Multi-factor authenticators: the key itself is protected by biometrics, PIN, etc.
• Attestation: verifiable information about the authenticator's properties and manufacturer
• Platform (built-in) authenticators plus Bluetooth, NFC or USB external tokens
WebAuthn architecture overview (platform authenticator, external authenticator)
WebAuthn goals for authentication
• Open standard
• Simple to use
• Strong
• Unphishable
• Reusable hardware authenticators (tokens)
• Built-in platform authenticators
• Decoupling user verification from authentication (GDPR friendly)
Decoupling user verification from authentication (FIDO authentication protocol)
• Verification: local verification (PIN, biometrics) unlocks the key on the device; the biometric data never leaves the device
• Authentication: the challenge signed by the private key is used to authenticate to the server
WebAuthn registration flow (by Mozilla): https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
WebAuthn authentication flow (by Mozilla): https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
WebAuthn architecture overview (by Yubico)
FIDO architecture overview
FIDO UAF architecture overview: https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-uaf-protocol-v1.2-rd-20171128.html
Basic U2F/WebAuthn flow
JavaScript sample
Not a silver bullet: developers are still responsible for designing smooth enrollment and account recovery flows
FIDO2: the new gold standard for authentication
• Protects against phishing and credential theft
• Allows hassle-free login
• Already supported by major platforms
FIDO2 = WebAuthn + CTAP2
WebAuthn = the browser API; it works with security keys or built-in (platform) authenticators
State of FIDO in the .NET world
• https://github.com/abergs/fido2-net-lib: pre-release NuGet package
• Crypto methods required by FIDO are not readily available in .NET
• No announced built-in support in .NET Core 3.0
Demo
https://webauthnsample.azurewebsites.net
https://webauthndemo.appspot.com
https://demo.yubico.com/webauthn (works only with external keys)
https://fido2.azurewebsites.net (.NET lib)
https://webauthn.me: interactive demo from Auth0
Further reading
https://webauthn.guide: simplified WebAuthn guide
Questions?