All Rights Reserved | FIDO Alliance | Copyright 2017
TOKYO SEMINAR, DECEMBER 2018
FIDO Alliance VISION and UPDATES
BRETT MCDOWELL
EXECUTIVE DIRECTOR
MEASURING THE COST OF PASSWORDS
• 81%: Data breaches in 2016 that involved weak, default, or stolen passwords (VDBR)
• 1 IN 14: Phishing attacks were successful in 2016 (VDBR)
• 1,579: Breaches in 2017, a 45% increase over 2016 (ITRC)
• $1M/YR: Annual cost to a large organization for password resets (Forrester)
• 20-50%: Of helpdesk calls are for password resets (at $70/reset)
• 49%: Password-driven cart abandonment rate (Visa)
FIDO Alliance is the global industry collaboration dedicated to solving the password problem
…with no dependency on “shared secrets”
• Open Standards
• Public Key Cryptography
• Single Gesture
• Phishing Resistant MFA
[Chart: SECURITY (Weak to Strong) plotted against USABILITY (Poor to Easy)]
OLD AUTHENTICATION WITH PASSWORDS
[Figure: Device sends “something” (the password) over the Internet to the Authentication server]
1. Password could be stolen from the server
2. Password might be entered into untrusted App / Website (“phishing”)
3. Too many passwords to remember (> re-use / cart abandonment)
4. Inconvenient to type password on phone
NEW AUTHENTICATION WITH FIDO
[Figure: Authenticator (user verification) exchanges a Challenge and a (Signed) Response with FIDO Authentication; a private key (handle) per account stays on the authenticator, the matching public key is held by the server; a user gesture is required before the private key can be used]
1. No secrets stored on the server
2. Authenticator cannot be “tricked” by phishing
3. Nothing to remember, no friction added to transaction process
4. Single gesture convenience for User
FIDO SPECIFICATIONS (2014 – 2018)
Passwordless Experience (UAF & FIDO2):
1. Authentication Challenge
2. Biometric User Verification*
3. Authenticated Online
Second Factor Experience (U2F & FIDO2):
1. Second Factor Challenge
2. Insert Security Key* / Press Button
3. Authenticated Online
*There are other types of authenticators
WHO IS USING FIDO TODAY?
(Sample of deployments in production around the world)
BACKED BY CERTIFICATION (>500)
• Functional Certification (End-to-End):
  • Conformance Testing
  • Interoperability Testing
• Authenticator Security Certification Levels
  • How well do you protect the private key?
  • 3rd-party laboratory verification
  • Complemented by new Biometric Component certification
• Universal Server:
  • Ensures compatibility with all FIDO Certified Authenticators
WHAT’S NEW?
*NEW* FIDO IS NOW AN ITU STANDARD
X.1277 -- ITU ratification of FIDO UAF
X.1278 -- ITU ratification of FIDO2 CTAP (includes CTAP1/U2F)
*NEW* FIDO2 CERTIFICATIONS
• The first 20+ FIDO2 Certified products were introduced September 26
• This week the latest FIDO2 Certified products were announced, including offerings from these companies based in Japan:
*NEW* FIDO IS A W3C SPECIFICATION (CR)
FIDO2 (CTAP & W3C Web Authentication)
*NEW* FIDO NOW IN THE WEB BROWSER & OS
*NEW* WELCOME YAHOO! JAPAN TO THE BOARD
FIDO Board Level Leadership from Japan
[Timeline: 2015.5~, 2017.5~, Today]
FIDO ALLIANCE BOARD MEMBERS
BALANCE OF TECHNOLOGY & SERVICE COMPANIES
Yahoo! Japan has become a Board member
IN SUMMARY… SECURE BY DESIGN
• Based on public key cryptography
• No server-side shared secrets
• Keys stay on device
• No 3rd party in the protocol
• Biometrics, if used, never leave device
• No link-ability between services or accounts
IN SUMMARY… SECURE IN PRACTICE
85,000 employees over 18 months
No ATOs (account takeovers) from phishing since using FIDO
Internet Day 2018:
“If I could start over again I would have
introduced a lot more strong authentication
and cryptography into the system. It is good
to see new internet standards from FIDO
Alliance and W3C filling that gap.”
-- Vint Cerf, Co-Inventor of the Internet
THANK YOU
WWW.FIDOALLIANCE.ORG

Editor's Notes

  • #3 Also, a 65% increase in phishing attacks in 2016
  • #6 Again, the problem with passwords is that they are “symmetric” in nature. An attacker can steal them and use them to authenticate. Server attacks, client attacks, brute force. Also have usability problems.
  • #19 Don’t use this slide – Brett has edits