All Rights Reserved | FIDO Alliance | Copyright 2018
FIDO & THE FUTURE OF USER AUTHENTICATION
ANDREW SHIKIAR
CHIEF MARKETING OFFICER, FIDO ALLIANCE
CONSUMERS HAVE A PASSWORD PROBLEM
• 90+ ACCOUNTS: Per average user (Oxford University)
• <5 PASSWORDS: Per user, and 50% haven’t changed said password in last 5 years (Pew)
• 32%: Use a unique password (Visa)
• 1,300 YEARS: Collectively spent by humans each day entering passwords (Microsoft)
CLUMSY | HARD TO REMEMBER | NEED TO BE CHANGED ALL THE TIME
BUSINESSES HAVE A PASSWORD PROBLEM
• 81%: Data breaches in 2016 that involved weak, default, or stolen passwords (VDBR)
• 1 IN 14: Phishing attacks were successful in 2016 (VDBR)
• 1,579: Breaches in 2017, a 45% increase over 2016 (ITRC)
• $1M/YR: Annual cost to a large organization for password resets (Forrester)
• 20-50%: Of helpdesk calls are for password resets (at $70/reset)
• 49%: Password-driven cart abandonment rate (Visa)
CENTRALIZED AUTHENTICATION PITFALLS
• 2.3 BILLION: Credentials stolen in 2017 alone
• STOLEN PASSWORDS lead to credential stuffing
• 80-90%: Of e-commerce sites’ attempted log-ins are stuffing attempts
• 2% SUCCESS RATE: For credential stuffing
• $5 BILLION: Cost to U.S. businesses each year
• 130+ MILLION: Stuffing attempts in retail alone each day
(Shape Security 2017 & 2018 Credential Spill Reports)
THE SOLUTION: SIMPLER *AND* STRONGER
[Chart axes: SECURITY (Weak to Strong) vs. USABILITY (Poor to Easy)]
open standards for simpler, stronger authentication using public key cryptography
Single Gesture
Phishing-resistant MFA
=
HOW DOES FIDO WORK?
FIDO Authenticator
User verification: Require user gesture before private key can be used
FIDO Authentication: Challenge, (Signed) Response
Private key dedicated to one app
Public key
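The challenge and signed-response flow on this slide, as an added example that is not part of the original deck: a simplified Node.js model (not the WebAuthn/CTAP message format) in which the class names, origins and user name are constructed for illustration. It shows the per-app key, the user-gesture gate, and why a replayed or relayed response fails verification.

```javascript
const crypto = require('node:crypto');
class Authenticator {
  constructor() { this.keys = new Map(); }  // app origin -> private key; stays on the device
  // Registration: mint a key pair dedicated to one app; only the public key is exported.
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey;
  }
  // Authentication: the private key is usable only after a user gesture.
  sign(origin, challenge, userGesture) {
    if (!userGesture) throw new Error('user verification required');
    const key = this.keys.get(origin);
    if (!key) throw new Error('no credential for ' + origin);
    // The origin the client actually talked to is bound into the signed data.
    const data = Buffer.concat([Buffer.from(origin), challenge]);
    return { origin, signature: crypto.sign('sha256', data, key) };
  }
}
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) { const c = crypto.randomBytes(32); this.pending.set(user, c); return c; }
  verify(user, response) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);               // single use: a replay finds no pending challenge
    if (!challenge || response.origin !== this.origin) return false;
    const data = Buffer.concat([Buffer.from(this.origin), challenge]);
    return crypto.verify('sha256', data, this.publicKeys.get(user), response.signature);
  }
}
function demo() {
  const rp = new RelyingParty('https://bank.example');  // constructed origin and user
  const auth = new Authenticator();
  rp.enroll('alice', auth.register(rp.origin));
  const good = auth.sign(rp.origin, rp.newChallenge('alice'), true);
  const login = rp.verify('alice', good);
  const replay = rp.verify('alice', good);               // same response presented twice
  // A look-alike site relays a fresh challenge; the authenticator uses that site's own key.
  const phish = 'https://bank-example.test';
  auth.register(phish);
  const relayed = rp.verify('alice', auth.sign(phish, rp.newChallenge('alice'), true));
  let noGesture = 'signed';
  try { auth.sign(rp.origin, rp.newChallenge('alice'), false); } catch (e) { noGesture = e.message; }
  return { login, replay, relayed, noGesture };
}
console.log(demo());
```

The server stores only public keys, so a breach of its credential store yields nothing that can be replayed against this or any other site.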
FIDO IS “HIGH-ASSURANCE STRONG AUTHENTICATION”
Javelin Strategy & Research, 2017 State of Authentication Report
High-assurance strong authentication =
✓ Use of two + factors
✓ At least one leverages public key cryptography
✓ Not susceptible to phishing, man-in-the-middle and/or other attacks targeting credentials
FIDO ECOSYSTEM STATUS
CERTIFICATIONS
MEMBERS & PARTNERS
DEPLOYMENTS
REGULATORY FIT
SPECIFICATIONS
BOARD MEMBERS LEADING THE WAY
CONSUMER ELECTRONICS | SECURITY & BIOMETRICS | HIGH-ASSURANCE SERVICES
LIAISON PROGRAM
FIDO’S IMPACT ON GOVERNMENT POLICIES
• US (NIST/OMB): Technology now enables two secure, distinct authentication factors in a single device (2014)
• US Commission: Emphasizes authentication, cites open-source standards and specifications such as FIDO Authentication as best models (2016)
• US Senate: Senator Ron Wyden issues letter to bank regulators, asking for support of U2F (2017)
• US (NIST/OMB): FIDO Authentication meets new Authenticator Assurance Level 3 requirements (2017)
FIDO’S IMPACT ON GOVERNMENT POLICIES
• UK Government: Cites emerging industry standards such as FIDO for future to replace passwords (2016)
• European Banking Authority PSD2: Accepts one device two-factor authentication (2017)
• Taiwan Bank Assoc. and Financial Supervisory Commission: Client-side biometrics are appropriate to use for e-Banking applications (2016)
• Korean Internet Security Agency: Embraces FIDO Specifications as part of a broader, more modern and vendor-neutral approach to authentication (2017)
FIDO SPECIFICATIONS
Passwordless Experience
1. Authentication Challenge
2. Biometric User Verification*
3. Authenticated Online
Second Factor Experience
1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online
*There are other types of authenticators
WEB AUTHENTICATION SPECIFICATION BRINGS
FIDO TO THE PLATFORM
• Participation from all of these platform providers
• World Wide Web Consortium (W3C) developing a Web Authentication specification based on 3 FIDO Alliance technical specifications
• A new standard JavaScript API
• Works with all FIDO2 platforms and authenticators
FIDO SPECIFICATIONS
FIDO2 (CTAP & Web Authentication)
FIDO CERTIFIED PROGRAMS
• Functional Interoperability Testing:
  • Enables servers, clients, SDKs and authenticators to officially be identified as FIDO Certified
  • Ensures interoperability across the FIDO ecosystem
  • 475+ Certified implementations to date
• Certified Authenticator Levels
  • Assure that authenticator secrets are protected on all FIDO implementation types
  • Based on third-party laboratory verification of FIDO Security Requirements
  • Done in coordination with existing security programs
• Universal Server:
  • Ensures compatibility with all FIDO Certified Authenticators
FIDO CERTIFIED ECOSYSTEM (SAMPLE)
PHONES, PCs, & BROWSERS | SECURITY KEYS | CLOUD/SERVER SOLUTIONS
EARLY ADOPTERS DEPLOYING (SAMPLE)
Past Testing/Pilot/PoC stage…
Becoming mainstream best practice
FIDO: THE FUTURE OF CONSUMER AUTHENTICATION
FIDO Authentication is the industry’s response to the password problem
• INDUSTRY SUPPORT - FIDO represents the efforts of some of the world’s largest companies whose very businesses rely upon better user authentication
• THOUSANDS OF SPEC DEVELOPMENT HOURS - Now being realized in products being used every day
• ONGOING INNOVATION - Specifications, certification programs, and deployment working groups establishing best implementation practices
• ENABLEMENT - Leading service providers representing billions of user identities are already FIDO-enabling their authentication processes
Join the FIDO Ecosystem
www.fidoalliance.org
Deploy
Take Part in FIDO Events
Build FIDO Certified Solutions
Join the Alliance
Twitter: @fidoalliance
