FIDO Alliance, profile picture
Uploaded byFIDO Alliance
PDF, PPTX1,305 views

FIDO Specifications Tutorial

The document outlines the FIDO (Fast Identity Online) authentication framework, highlighting security vulnerabilities associated with traditional password systems and demonstrating how FIDO addresses these issues through user verification methods and public key cryptography. It explains the process of FIDO registration and authentication, emphasizing the need for a user gesture and the secure management of cryptographic keys. The conclusion stresses FIDO's capability to provide scalable convenience and security while supporting diverse user verification methods.

Technology
Related topics:
Online Security

Embed presentation

Download as PDF, PPTX
FIDO SPECIFICATION TUTORIAL Jerrod Chong, Yubico All Rights Reserved | FIDO Alliance | Copyright 2016
How Secure is Authentication? 2All Rights Reserved | FIDO Alliance | Copyright 2016. Passwords Broken Phishing Widespread Existing Options Inadequate
Online Authentication 3 DeviceSomething Authentication Risk Analytics Internet All Rights Reserved | FIDO Alliance | Copyright 2016.
Password Issues 4 DeviceSomething Authentication Internet Password could be stolen from the server 1Password might be entered into untrusted App / Web- site (“phishing”) 2 Too many passwords to remember (>re-use / cart Abandonment) 3 Inconvenient to type password on phone 4 All Rights Reserved | FIDO Alliance | Copyright 2016.
Classifying Threats 5 Remotely attacking central servers steal data for impersonation Remotely attacking lots of user devices steal data for impersonation Remotely attacking lots of user devices misuse them for impersonation Remotely attacking lots of user devices misuse authenticated sessions Physically attacking user devices steal data for impersonation Physically attacking user devices misuse them for impersonation 1 2 3 4 5 6 All Rights Reserved | FIDO Alliance | Copyright 2016. Scalable 63% of confirmed data breaches involved leveraging weak/default/stolen passwords * * 2016 Verizon Data Breach
How does FIDO work? 6 AuthenticatorUser verification FIDO Authentication Require user gesture before private key can be used Challenge (Signed) Response Private key dedicated to one app Public key All Rights Reserved | FIDO Alliance | Copyright 2016.
How does FIDO work? 7 AuthenticatorUser verification FIDO Authentication …SE All Rights Reserved | FIDO Alliance | Copyright 2016.
How does FIDO work? 8 AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? All Rights Reserved | FIDO Alliance | Copyright 2016.
How does FIDO work? 9 AuthenticatorUser verification FIDO Authentication …SE How is the key protected (TPM, SE, TEE, …)? Which user verification method is used? All Rights Reserved | FIDO Alliance | Copyright 2016.
FIDO ServerFIDO Authenticator Metadata Signed Attestation Object Verify Trust Anchor (Available from Metadata Service or Other Source) Understand Authenticator Characteristic (Using Info From Metadata or Other Source) ATTESTATION & METADATA 20Confidential
11 Single Factor Experience (UAF Standards) Authenticated Online 3 Biometric User Verification* 21 ? Authentication Challenge Authenticated Online 3 Second Factor Challenge Insert Dongle* / Press Button Second Factor Experience (U2F Standards) *There are other types of authenticators 21 All Rights Reserved | FIDO Alliance | Copyright 2016.
U2F Device Client Relying Party challenge challenge Sign with kpriv signature(challenge) s Check signature (s) using kpub s Lookup kpub Authentication
U2F Device Client Relying Party challenge challenge, origin, channel id Sign with kpriv signature(c) c, s Check s using kpub Verify origin & channel id s Lookup kpub Phishing/MitM Protection
U2F Device Client Relying Party handle, app id, challenge h, a; challenge, origin, channel id, etc. c a Check app id Lookup the kpriv associated with h Sign with kpriv signature(a,c) c, s Check s using kpub Verify origin & channel id s h Lookup the kpub associated with h Application-Specific Keys
U2F Device Client Relying Party app id, challenge a; challenge, origin, channel id, etc. c a Check app id Generate: kpub kpriv handle h kpub, h, attestation cert, signature(a,c,kpub,h) c, kpub, h, attestation cert, s Associate kpub with handle h for user s Registration + Device Attestation
16 Authenticated Online 3 Biometric User Verification* 2 Single Factor Experience (UAF Standards) 1 ? Authentication Challenge Authenticated Online 3 Second Factor Challenge Insert Dongle* / Press Button Second Factor Experience (U2F Standards) 1 2 *There are other types of authenticators All Rights Reserved | FIDO Alliance | Copyright 2016.
Registration Overview 17 Perform legacy authentication first, in order to bind authenticator to an electronic identity, then perform FIDO registration. FIDO CLIENT FIDO AUTHENTICATOR FIDO SERVER Verify user Generate key pair Sign attestation object: • Public key • AAID • Hash(FinalChallenge) • Name of relying party Signed by attestation key Send Registration Request: • Policy • Random Challenge Verify signature Check AAID against policy Store public key Start registration AAID = Authenticator Attestation ID, i.e. model ID FinalChallenge=AppID | FacetID | channelBinding | serveChallenge All Rights Reserved | FIDO Alliance | Copyright 2016.
Authentication Overview 18 FIDO CLIENT FIDO AUTHENTICATOR FIDO SERVER Verify user Opt: Display TransactionText Sign signData object: Signature alg • Hash(FinalChallenge) • Opt: Hash(TransactionText) • Signature counter Authenticator random Signature (Uauth key) Send Authentication Request: • Policy • Random Challenge • Opt: TransactionText Verify signature Check AAID against policy Start authentication FinalChallenge=AppID | FacetID | channelBinding | serveChallenge All Rights Reserved | FIDO Alliance | Copyright 2016.
Convenience & Security 19 Security Convenience Password + OTP Password All Rights Reserved | FIDO Alliance | Copyright 2016.
Common Authentication Stack 20 Security Convenience Password + OTP Password FIDO In FIDO: Same user verification method for all servers In FIDO: Arbitrary user verification methods are supported and interoperable All Rights Reserved | FIDO Alliance | Copyright 2016.
Scalable 21 Security Convenience Password + OTP Password FIDO In FIDO: Scalable security depending on Authenticator implementation In FIDO: • Only public keys on server • One authenticator to many services • Not phishable All Rights Reserved | FIDO Alliance | Copyright 2016.
Conclusion • Different authentication use-cases lead to different authentication requirements • FIDO separates user verification from authentication and hence supports all user verification methods • Simple, Single gesture authentication • FIDO supports scalable convenience & security • User verification data is known to Authenticator only • FIDO complements federation 22All Rights Reserved | FIDO Alliance | Copyright 2016.

More Related Content

PDF
FIDO Specifications Overview: UAF & U2F
byFIDO Alliance
 
PDF
FIDO in Government
byFIDO Alliance
 
PDF
FIDO UAF Specifications: Overview & Tutorial
byFIDO Alliance
 
PPTX
Getting to Know the FIDO Specifications - Technical Tutorial
byFIDO Alliance
 
PDF
FIDO U2F & UAF Tutorial
byFIDO Alliance
 
PDF
Introduction to FIDO Authentication
byFIDO Alliance
 
PPTX
FIDO Specifications Overview
byFIDO Alliance
 
PDF
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
byCloudIDSummit
 
FIDO Specifications Overview: UAF & U2F
byFIDO Alliance
 
FIDO in Government
byFIDO Alliance
 
FIDO UAF Specifications: Overview & Tutorial
byFIDO Alliance
 
Getting to Know the FIDO Specifications - Technical Tutorial
byFIDO Alliance
 
FIDO U2F & UAF Tutorial
byFIDO Alliance
 
Introduction to FIDO Authentication
byFIDO Alliance
 
FIDO Specifications Overview
byFIDO Alliance
 
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
byCloudIDSummit
 

What's hot

PPTX
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
byFIDO Alliance
 
PDF
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
byCloudIDSummit
 
PPTX
FIDO and Strong Authentication in US Federal Government
byFIDO Alliance
 
PDF
FIDO UAF 1.0 Specs: Overview and Insights
byFIDO Alliance
 
PPTX
FIDOAlliance
bySanjeev Verma, PhD
 
PPTX
Introduction to FIDO Alliance: Vision and Status -Tokyo Seminar -Brett McDowell
byFIDO Alliance
 
PDF
FIDO’s fit for Key Industries in Korea
byFIDO Alliance
 
PDF
FIDO U2F Specifications: Overview & Tutorial
byFIDO Alliance
 
PPTX
FIDO - The Value of Membership
byFIDO Alliance
 
PPTX
Fido China Working Group (FCWG)
byFIDO Alliance
 
PPTX
Google Case Study: Becoming Unphishable
byFIDO Alliance
 
PDF
FIDO UAF 1.0 Specs: Overview and Insights
byFIDO Alliance
 
PDF
Strong Authentication and US Federal Digital Services
byFIDO Alliance
 
PPTX
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
byFIDO Alliance
 
PDF
FIDO, PKI & beyond: Where Authentication Meets Identification
byFIDO Alliance
 
PDF
NTT DOCOMO Deployment Case Study: Your Security, More Simple
byFIDO Alliance
 
PDF
LINEのFIDO導入と将来展望
byFIDO Alliance
 
PDF
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
byFIDO Alliance
 
PDF
Identity Tech Talks #3 FIDO futur of authentication
byLeonard Moustacchis
 
PDF
Implementation Case Study by eWBM
byFIDO Alliance
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
byFIDO Alliance
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
byCloudIDSummit
 
FIDO and Strong Authentication in US Federal Government
byFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
byFIDO Alliance
 
FIDOAlliance
bySanjeev Verma, PhD
 
Introduction to FIDO Alliance: Vision and Status -Tokyo Seminar -Brett McDowell
byFIDO Alliance
 
FIDO’s fit for Key Industries in Korea
byFIDO Alliance
 
FIDO U2F Specifications: Overview & Tutorial
byFIDO Alliance
 
FIDO - The Value of Membership
byFIDO Alliance
 
Fido China Working Group (FCWG)
byFIDO Alliance
 
Google Case Study: Becoming Unphishable
byFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
byFIDO Alliance
 
Strong Authentication and US Federal Digital Services
byFIDO Alliance
 
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
byFIDO Alliance
 
FIDO, PKI & beyond: Where Authentication Meets Identification
byFIDO Alliance
 
NTT DOCOMO Deployment Case Study: Your Security, More Simple
byFIDO Alliance
 
LINEのFIDO導入と将来展望
byFIDO Alliance
 
FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe
byFIDO Alliance
 
Identity Tech Talks #3 FIDO futur of authentication
byLeonard Moustacchis
 
Implementation Case Study by eWBM
byFIDO Alliance
 

Similar to FIDO Specifications Tutorial

PDF
FIDO Authentication Technical Overview
byFIDO Alliance
 
PDF
FIDO Authentication Technical Overview
byFIDO Alliance
 
PDF
FIDO Technical Specifications Overview
byFIDO Alliance
 
PDF
FIDO Technical Specifications Overview
byFIDO Alliance
 
PPTX
Fido Technical Overview
byFIDO Alliance
 
PDF
Technical Principles of FIDO Authentication
byFIDO Alliance
 
PDF
Technical Principles of FIDO Authentication
byFIDO Alliance
 
PPTX
Technical Principles of FIDO Authentication
byFIDO Alliance
 
PDF
Beyond Passwords: FIDO & the Future of Consumer Authentication
byFIDO Alliance
 
PPTX
Introduction to FIDO: A New Model for Authentication
byFIDO Alliance
 
PDF
FIDO & PSD2 – Achieving Strong Customer Authentication Compliance
byFIDO Alliance
 
PDF
FIDO Workshop at the Cloud Identity Summit: FIDO Alliance Overview
byFIDO Alliance
 
PPTX
FIDO Alliance: Year in Review Webinar slides from January 20 2016
byFIDO Alliance
 
PDF
FIDO And the Future of User Authentication
byFIDO Alliance
 
PDF
FIDO and the Future of User Authentication
byFIDO Alliance
 
PDF
Beyond Passwords: FIDO and the Future of User Authentication
byFIDO Alliance
 
PDF
Introduction to the FIDO Alliance
byFIDO Alliance
 
PDF
FIDO Technical Overview at FIDO KWG Hackathon
byKi-Eun Shin
 
PPTX
Technical Considerations for Deploying FIDO Authentication
byFIDO Alliance
 
PPTX
FIDO Masterclass
byFIDO Alliance
 
FIDO Authentication Technical Overview
byFIDO Alliance
 
FIDO Authentication Technical Overview
byFIDO Alliance
 
FIDO Technical Specifications Overview
byFIDO Alliance
 
FIDO Technical Specifications Overview
byFIDO Alliance
 
Fido Technical Overview
byFIDO Alliance
 
Technical Principles of FIDO Authentication
byFIDO Alliance
 
Technical Principles of FIDO Authentication
byFIDO Alliance
 
Technical Principles of FIDO Authentication
byFIDO Alliance
 
Beyond Passwords: FIDO & the Future of Consumer Authentication
byFIDO Alliance
 
Introduction to FIDO: A New Model for Authentication
byFIDO Alliance
 
FIDO & PSD2 – Achieving Strong Customer Authentication Compliance
byFIDO Alliance
 
FIDO Workshop at the Cloud Identity Summit: FIDO Alliance Overview
byFIDO Alliance
 
FIDO Alliance: Year in Review Webinar slides from January 20 2016
byFIDO Alliance
 
FIDO And the Future of User Authentication
byFIDO Alliance
 
FIDO and the Future of User Authentication
byFIDO Alliance
 
Beyond Passwords: FIDO and the Future of User Authentication
byFIDO Alliance
 
Introduction to the FIDO Alliance
byFIDO Alliance
 
FIDO Technical Overview at FIDO KWG Hackathon
byKi-Eun Shin
 
Technical Considerations for Deploying FIDO Authentication
byFIDO Alliance
 
FIDO Masterclass
byFIDO Alliance
 

More from FIDO Alliance

PPTX
Securing Account Lifecycles in the Age of Deepfakes.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptx
byFIDO Alliance
 
PPTX
FIDO Alliance Seminar State of Passkeys.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: FIDO Tech Principles.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Securing Smart Car.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Biometrics and Passkeys for In-Vehicle Apps.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Workforce Authentication Case Study.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar FIDO Automotive Apps.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Blueprint for In-Vehicle Payment Standard.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Introduction to FIDO.pptx
byFIDO Alliance
 
PPTX
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
byFIDO Alliance
 
PPTX
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
byFIDO Alliance
 
PPTX
UX Webinar Series: Aligning Authentication Experiences with Business Goals
byFIDO Alliance
 
PDF
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
byFIDO Alliance
 
Securing Account Lifecycles in the Age of Deepfakes.pptx
byFIDO Alliance
 
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
byFIDO Alliance
 
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
byFIDO Alliance
 
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
byFIDO Alliance
 
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
byFIDO Alliance
 
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptx
byFIDO Alliance
 
FIDO Alliance Seminar State of Passkeys.pptx
byFIDO Alliance
 
FIDO Munich Seminar: FIDO Tech Principles.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Securing Smart Car.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Biometrics and Passkeys for In-Vehicle Apps.pptx
byFIDO Alliance
 
FIDO Munich Seminar Workforce Authentication Case Study.pptx
byFIDO Alliance
 
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
byFIDO Alliance
 
FIDO Munich Seminar FIDO Automotive Apps.pptx
byFIDO Alliance
 
FIDO Munich Seminar Blueprint for In-Vehicle Payment Standard.pptx
byFIDO Alliance
 
FIDO Munich Seminar Introduction to FIDO.pptx
byFIDO Alliance
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
byFIDO Alliance
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
byFIDO Alliance
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
byFIDO Alliance
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
byFIDO Alliance
 

Recently uploaded

PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PPTX
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 
PDF
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PDF
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
PDF
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PPTX
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
PPT
connectives-linking words in English.ppt
byAmrMohammed82
 
PPTX
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
PPTX
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PPTX
Accelerate Innovation with Engineering R&D Services
byChetu
 
PDF
January Patch Tuesday
byIvanti
 
PDF
Français Patch Tuesday - Janvier
byIvanti
 
PPT
Telecommunication system introduction to wireless communication
by143irha
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
Single Cell Protein from Methane or Methanol - Process development research c...
byJohn Downs
 
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
Top 5 Best Dedicated Server Providers in Los Angeles (Updated Edition)
byAtal Networks
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Adding Copilot+ PCs with Snapdragon to your HP fleet won’t require IT deploym...
byPrincipled Technologies
 
Why Are Cloud Migration Services Essential for Modern Business Growth?
byGeoPITS Global Pvt Ltd
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
Robot Vacuums are Cleaning Up. The global robot vacuum segment has high marke...
byRobert March
 
connectives-linking words in English.ppt
byAmrMohammed82
 
Achieve enterprise automation with SAP BTP solutions and SAP Signavio
bydarrellkiwi
 
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
TopMate ES11 3-Wheel Electric Scooter: Comfortable, Stable Mobility for Every...
byTopmate
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
Accelerate Innovation with Engineering R&D Services
byChetu
 
January Patch Tuesday
byIvanti
 
Français Patch Tuesday - Janvier
byIvanti
 
Telecommunication system introduction to wireless communication
by143irha
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 

FIDO Specifications Tutorial

  • 1.
    FIDO SPECIFICATION TUTORIAL JerrodChong, Yubico All Rights Reserved | FIDO Alliance | Copyright 2016
  • 2.
    How Secure isAuthentication? 2All Rights Reserved | FIDO Alliance | Copyright 2016. Passwords Broken Phishing Widespread Existing Options Inadequate
  • 3.
    Online Authentication 3 DeviceSomething Authentication RiskAnalytics Internet All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 4.
    Password Issues 4 DeviceSomething Authentication Internet Passwordcould be stolen from the server 1Password might be entered into untrusted App / Web- site (“phishing”) 2 Too many passwords to remember (>re-use / cart Abandonment) 3 Inconvenient to type password on phone 4 All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 5.
    Classifying Threats 5 Remotely attackingcentral servers steal data for impersonation Remotely attacking lots of user devices steal data for impersonation Remotely attacking lots of user devices misuse them for impersonation Remotely attacking lots of user devices misuse authenticated sessions Physically attacking user devices steal data for impersonation Physically attacking user devices misuse them for impersonation 1 2 3 4 5 6 All Rights Reserved | FIDO Alliance | Copyright 2016. Scalable 63% of confirmed data breaches involved leveraging weak/default/stolen passwords * * 2016 Verizon Data Breach
  • 6.
    How does FIDOwork? 6 AuthenticatorUser verification FIDO Authentication Require user gesture before private key can be used Challenge (Signed) Response Private key dedicated to one app Public key All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 7.
    How does FIDOwork? 7 AuthenticatorUser verification FIDO Authentication …SE All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 8.
    How does FIDOwork? 8 AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 9.
    How does FIDOwork? 9 AuthenticatorUser verification FIDO Authentication …SE How is the key protected (TPM, SE, TEE, …)? Which user verification method is used? All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 10.
    FIDO ServerFIDO Authenticator Metadata Signed Attestation Object Verify TrustAnchor (Available from Metadata Service or Other Source) Understand Authenticator Characteristic (Using Info From Metadata or Other Source) ATTESTATION & METADATA 20Confidential
  • 11.
    11 Single Factor Experience(UAF Standards) Authenticated Online 3 Biometric User Verification* 21 ? Authentication Challenge Authenticated Online 3 Second Factor Challenge Insert Dongle* / Press Button Second Factor Experience (U2F Standards) *There are other types of authenticators 21 All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 12.
  • 13.
    U2F Device Client Relying Party challenge challenge, origin,channel id Sign with kpriv signature(c) c, s Check s using kpub Verify origin & channel id s Lookup kpub Phishing/MitM Protection
  • 14.
    U2F Device Client Relying Party handle, appid, challenge h, a; challenge, origin, channel id, etc. c a Check app id Lookup the kpriv associated with h Sign with kpriv signature(a,c) c, s Check s using kpub Verify origin & channel id s h Lookup the kpub associated with h Application-Specific Keys
  • 15.
    U2F Device Client Relying Party app id,challenge a; challenge, origin, channel id, etc. c a Check app id Generate: kpub kpriv handle h kpub, h, attestation cert, signature(a,c,kpub,h) c, kpub, h, attestation cert, s Associate kpub with handle h for user s Registration + Device Attestation
  • 16.
    16 Authenticated Online 3 Biometric User Verification* 2 Single FactorExperience (UAF Standards) 1 ? Authentication Challenge Authenticated Online 3 Second Factor Challenge Insert Dongle* / Press Button Second Factor Experience (U2F Standards) 1 2 *There are other types of authenticators All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 17.
    Registration Overview 17 Perform legacyauthentication first, in order to bind authenticator to an electronic identity, then perform FIDO registration. FIDO CLIENT FIDO AUTHENTICATOR FIDO SERVER Verify user Generate key pair Sign attestation object: • Public key • AAID • Hash(FinalChallenge) • Name of relying party Signed by attestation key Send Registration Request: • Policy • Random Challenge Verify signature Check AAID against policy Store public key Start registration AAID = Authenticator Attestation ID, i.e. model ID FinalChallenge=AppID | FacetID | channelBinding | serveChallenge All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 18.
    Authentication Overview 18 FIDO CLIENT FIDOAUTHENTICATOR FIDO SERVER Verify user Opt: Display TransactionText Sign signData object: Signature alg • Hash(FinalChallenge) • Opt: Hash(TransactionText) • Signature counter Authenticator random Signature (Uauth key) Send Authentication Request: • Policy • Random Challenge • Opt: TransactionText Verify signature Check AAID against policy Start authentication FinalChallenge=AppID | FacetID | channelBinding | serveChallenge All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 19.
    Convenience & Security 19 Security Convenience Password+ OTP Password All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 20.
    Common Authentication Stack 20 Security Convenience Password+ OTP Password FIDO In FIDO: Same user verification method for all servers In FIDO: Arbitrary user verification methods are supported and interoperable All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 21.
    Scalable 21 Security Convenience Password + OTP Password FIDO InFIDO: Scalable security depending on Authenticator implementation In FIDO: • Only public keys on server • One authenticator to many services • Not phishable All Rights Reserved | FIDO Alliance | Copyright 2016.
  • 22.
    Conclusion • Different authenticationuse-cases lead to different authentication requirements • FIDO separates user verification from authentication and hence supports all user verification methods • Simple, Single gesture authentication • FIDO supports scalable convenience & security • User verification data is known to Authenticator only • FIDO complements federation 22All Rights Reserved | FIDO Alliance | Copyright 2016.