2. 1. The FIDO (Fast IDentity Online) Alliance is a non-profit organization nominally formed
in July 2012 to address the lack of interoperability among strong authentication
devices as well as the problems users face with creating and remembering multiple
usernames and passwords.
2. The FIDO Alliance plans to change the nature of authentication by developing
specifications that define an open, scalable, interoperable set of mechanisms that
supplant reliance on passwords to securely authenticate users of online services.
3. This new standard for security devices and browser plugins will allow any website or
cloud application to interface with a broad variety of existing and future FIDO-enabled
devices that the user has for online security.
7. Today's solution: One time codes: SMS or Device
SMS USABILITY
Coverage Issues - Delay - User Cost
DEVICE USABILITY
One Per Site - Expensive - Fragile
USER EXPERIENCE
Users find it hard
8. The U2F solution: How it works
● One device, many services
● Easy: Insert and press button
● Safe: Un-phishable Security
9. Core idea: Standard public key cryptography:
User's device mints new key pair, gives public key to server
Server asks user's device to sign data to verify the user.
One device, many services, "bring your own device" enabled
Lots of refinement for this to be consumer facing:
Privacy: Site Specific Keys, No unique ID per device
Security: No phishing, no man-in-the-middle
Trust: Verify who made the device (Attestation Certificate)
Pragmatics: Affordable today, ride hardware cost curve down
Speed for user: Fast crypto in device (Elliptic Curve)
Think "Smartcard re-designed for modern consumer web"
U2F PROTOCOL
15. “I promise a user is here”,
“the server challenge was: 337423”,
“the origin was: accounts.google.com”,
“the TLS connection state was: 342384”
proofThatUserIsThere
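An added sketch, not from the original slides, of the signed statement above: the device mints a per-site P-256 key, signs the challenge together with the origin and TLS state, and the server checks each field. The JSON message layout and all function names are assumptions and simplify the real U2F message format.

```javascript
// Added illustration; the JSON layout and all names are assumptions, not the U2F wire format.
const crypto = require("node:crypto");
// Device side: one P-256 key pair per site, so keys cannot be linked across sites.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const pair = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.keys.set(origin, pair.privateKey);
    return pair.publicKey; // only the public key is given to the server
  }
  // origin and tlsState come from the browser, not from page content.
  sign(origin, challenge, tlsState) {
    const key = this.keys.get(origin);
    if (!key) return null; // no key was minted for this origin
    const data = JSON.stringify({ userPresent: true, challenge, origin, tlsState });
    return { data, sig: crypto.sign("sha256", Buffer.from(data), key) };
  }
}

// Server side: verify the signature, then every field the device vouched for.
function verifyAssertion(publicKey, assertion, expected) {
  if (!assertion) return "no-assertion";
  const ok = crypto.verify("sha256", Buffer.from(assertion.data), publicKey, assertion.sig);
  if (!ok) return "bad-signature";
  const d = JSON.parse(assertion.data);
  if (d.userPresent !== true) return "no-user-presence";
  if (d.challenge !== expected.challenge) return "stale-challenge";
  if (d.origin !== expected.origin) return "wrong-origin";
  if (d.tlsState !== expected.tlsState) return "tls-mismatch";
  return "ok";
}

// Constructed scenario reusing the sample values from the slide.
function demo() {
  const device = new Device();
  const origin = "accounts.google.com";
  const pub = device.register(origin);
  const expected = { challenge: "337423", origin, tlsState: "342384" };
  const good = device.sign(origin, "337423", "342384");
  device.register("accounts.example.test"); // constructed second origin
  const tampered = { data: good.data.replace("337423", "111111"), sig: good.sig };
  return {
    good: verifyAssertion(pub, good, expected),
    otherSite: verifyAssertion(pub, device.sign("accounts.example.test", "337423", "342384"), expected),
    proxiedTls: verifyAssertion(pub, device.sign(origin, "337423", "555555"), expected),
    tampered: verifyAssertion(pub, tampered, expected),
  };
}

console.log(demo());
```

A response produced for any other origin is signed with a different key, so it fails verification against the key registered for accounts.google.com even when the challenge is the same.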