SlideShare a Scribd company logo
1 of 24
Download to read offline
FIDO U2F&UAF Tutorial
How Secure is Authentication?
How Secure is Authentication?
How Secure is Authentication?
Cloud Authentication
Password might be entered
into untrusted App / Web-site
(“phishing”)
Password could be stolen
from the server
Too many passwords to
remember
 re-use / cart
abandonment
Inconvenient to type
password on phone
Password Issues
Classifying Threats
Remotely attacking central servers
steal data for impersonation
1
Physically attacking user
devices
misuse them for
impersonation
6
Physically attacking user
devices
steal data for impersonation
5
Remotely
attacking lots of
user devices
steal data for
impersonation
Remotely
attacking lots of
user devices
misuse them for
impersonation
Remotely
attacking lots of
user devices
misuse
authenticated
sessions
2 3 4
Scalable attacks
Physical attacks
possible on lost or
stolen devices
(3% in the US in 2013)
How does FIDO work?
Device
How does FIDO work?
Private key
dedicated to one App
Public key
challenge
(signed)
response
Require user gesture
before private key
can be used
How does FIDO work?
Can recognize the user
(i.e. user verification), but
doesn’t know its identity
attributes.
Same Authenticator
as registered before?
Same User as
enrolled before?
How does FIDO work?
Identity binding to be done
outside FIDO: This this
“John Doe with customer
ID X”.
Can recognize the user
(i.e. user verification), but
doesn’t know its identity
attributes.
Same Authenticator
as registered before?
Same User as
enrolled before?
How does FIDO work?
… …SE
How does FIDO work?
… …SE
How is the key protected (TPM,
SE, TEE, …)?
Which user verification method is
used?
Attestation & Metadata
Metadata
Signed Attestation Object
Verify using trust anchor
included in Metadata
Understand Authenticator security
characteristic by looking into
Metadata from mds.fidoalliance.org
(or other sources)
Private attestation key
Passwordless Experience (UAF Standards)
Second Factor Experience (U2F Standards)
Authenticated
Online
3
Biometric User
Verification*
2
Authentication Challenge
1
?
Authenticated
Online
3
Second Factor Challenge
1
Insert Dongle* / Press Button
2
*There are other types of authenticators
Relying
Party
AppID, challenge
a; challenge, origin, channel id, etc.
a
generate:
key kpub
key kpriv
handle h kpub, h, attestation cert, signature(a,fc,kpub,h)
fc, kpub, h, attestation cert, s
cookie store:
key kpub
handle h
s
FIDO Client /
BrowserU2F Authenticator
check AppID
fc
U2F Registration
U2F Authenticator
FIDO Client /
Browser
Relying
Party
h, a; challenge, origin, channel id, etc.
retrieve:
key kpriv
from
handle h;
cntr++
cntr, signature(a,fc,cntr)
cntr, fc, s
check
signature
using
key kpub
s
fc
a
handle, AppID, challenge
U2F Authentication
hcheck AppID
set cookie
retrieve
key kpub
from
handle h
Passwordless Experience (UAF Standards)
Second Factor Experience (U2F Standards)
Authenticated
Online
3
Biometric User
Verification*
2
Authentication Challenge
1
?
Authenticated
Online
3
Second Factor Challenge
1
Insert Dongle* / Press Button
2
*There are other types of authenticators
Registration Overview
FIDO AUTHENTICATOR
FIDO SERVER
FIDO CLIENT
Send Registration Request:
- Policy
- Random Challenge
Start
registration
Verify user
Generate key pair
Sign attestation object:
• Public key
• AAID
• Hash(FinalChallenge)
• Name of relying party
Signed by attestation key
Verify signature
Check AAID against policy
Store public key
AAID = Authenticator Attestation ID, i.e. model ID
FinalChallenge=AppID | FacetID | channelBinding
| serveChallenge
Perform legacy authentication first, in order to bind authenticator to an electronic identity,
then perform FIDO registration.
Authentication Overview
FIDO AUTHENTICATOR
FIDO SERVER
FIDO CLIENT
Send Authentication Request:
- Policy
- Random Challenge
- Opt: TransactionText
Start
authentication
Verify user
Opt: Display TransactionText
Sign signData object:
• Signature alg
• Hash(FinalChallenge)
• Opt: Hash(TransactionText)
• Signature counter
• Authenticator random
Signature (Uauth key)
Verify signature
Check AAID against policy
FinalChallenge=AppID | FacetID | channelBinding
| serveChallenge
Convenience & Security
Convenience
Security
Password
Password + OTP
Convenience & Security
Convenience
Security
Password
Password + OTP
FIDO
In FIDO:
• Same user verification
method for all servers
In FIDO: Arbitrary user
verification methods are
supported (+ they are
interoperable)
Convenience & Security
Convenience
Security
Password
Password + OTP
FIDO
In FIDO:
• Only public keys on server
• Not phishable
In FIDO: Scalable security
depending on Authenticator
implementation
Conclusion
• Different authentication use-cases lead to different
authentication requirements
• FIDO separates user verification from authentication
and hence supports all user verification methods
• FIDO supports scalable convenience & security
• User verification data is known to Authenticator only
• FIDO complements federation
Rolf Lindemann, Nok Nok Labs, rolf@noknok.com

More Related Content

What's hot

Fido Technical Overview
Fido Technical OverviewFido Technical Overview
Fido Technical OverviewFIDO Alliance
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装FIDO Alliance
 
IBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptxIBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
Introduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for AuthenticationIntroduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for AuthenticationFIDO Alliance
 
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for AndroidDeveloper Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for AndroidFIDO Alliance
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable CredentialsTorsten Lodderstedt
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
Introduction to FIDO Alliance
Introduction to FIDO AllianceIntroduction to FIDO Alliance
Introduction to FIDO AllianceFIDO Alliance
 
pfSense - Proxy autenticado no AD com inspeção SSL
pfSense - Proxy autenticado no AD com inspeção SSLpfSense - Proxy autenticado no AD com inspeção SSL
pfSense - Proxy autenticado no AD com inspeção SSLCavalcante Treinamentos
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationFIDO Alliance
 
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptxFIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptxFIDO Alliance
 
The Value of FIDO Certification
The Value of FIDO CertificationThe Value of FIDO Certification
The Value of FIDO CertificationFIDO Alliance
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Alliance
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO Alliance
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security KeysFIDO Alliance
 

What's hot (20)

Fido Technical Overview
Fido Technical OverviewFido Technical Overview
Fido Technical Overview
 
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -NadalinNew FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
New FIDO Specifications Overview -FIDO Alliance -Tokyo Seminar -Nadalin
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
2019 FIDO Tokyo Seminar - LINE PayへのFIDO2実装
 
Webauthn Tutorial
Webauthn TutorialWebauthn Tutorial
Webauthn Tutorial
 
IBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptxIBM - Hey FIDO, Meet Passkey!.pptx
IBM - Hey FIDO, Meet Passkey!.pptx
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
 
Introduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for AuthenticationIntroduction to FIDO: A New Model for Authentication
Introduction to FIDO: A New Model for Authentication
 
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for AndroidDeveloper Tutorial: WebAuthn for Web & FIDO2 for Android
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
 
OpenID for Verifiable Credentials
OpenID for Verifiable CredentialsOpenID for Verifiable Credentials
OpenID for Verifiable Credentials
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 
Introduction to FIDO Alliance
Introduction to FIDO AllianceIntroduction to FIDO Alliance
Introduction to FIDO Alliance
 
pfSense - Proxy autenticado no AD com inspeção SSL
pfSense - Proxy autenticado no AD com inspeção SSLpfSense - Proxy autenticado no AD com inspeção SSL
pfSense - Proxy autenticado no AD com inspeção SSL
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
 
FIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptxFIDO Alliance: Welcome and FIDO Update.pptx
FIDO Alliance: Welcome and FIDO Update.pptx
 
The Value of FIDO Certification
The Value of FIDO CertificationThe Value of FIDO Certification
The Value of FIDO Certification
 
FIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for AllFIDO Authentication: Unphishable MFA for All
FIDO Authentication: Unphishable MFA for All
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
Securing a Web App with Security Keys
Securing a Web App with Security KeysSecuring a Web App with Security Keys
Securing a Web App with Security Keys
 

Viewers also liked

Fido Overview: Status and Future
Fido Overview: Status and FutureFido Overview: Status and Future
Fido Overview: Status and FutureFIDO Alliance
 
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) SpecificationCIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) SpecificationCloudIDSummit
 
U2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F ParadoxU2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F ParadoxFIDO Alliance
 
FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18Nov Matake
 
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity ServerWSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity ServerWSO2
 
NTT Docomo Deployment Case Study: Your Security, More Simple
NTT Docomo Deployment Case Study: Your Security, More SimpleNTT Docomo Deployment Case Study: Your Security, More Simple
NTT Docomo Deployment Case Study: Your Security, More SimpleFIDO Alliance
 

Viewers also liked (7)

Fido Overview: Status and Future
Fido Overview: Status and FutureFido Overview: Status and Future
Fido Overview: Status and Future
 
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) SpecificationCIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
 
FIDOAlliance
FIDOAllianceFIDOAlliance
FIDOAlliance
 
U2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F ParadoxU2F Case Study: Examining the U2F Paradox
U2F Case Study: Examining the U2F Paradox
 
FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18FIDO alliance #idcon vol.18
FIDO alliance #idcon vol.18
 
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity ServerWSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
WSO2 Guest Webinar: FIDO Universal Second Factor (U2F) for WSO2 Identity Server
 
NTT Docomo Deployment Case Study: Your Security, More Simple
NTT Docomo Deployment Case Study: Your Security, More SimpleNTT Docomo Deployment Case Study: Your Security, More Simple
NTT Docomo Deployment Case Study: Your Security, More Simple
 

Similar to FIDO U2F & UAF Tutorial

FIDO Specifications Tutorial
FIDO Specifications TutorialFIDO Specifications Tutorial
FIDO Specifications TutorialFIDO Alliance
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO Alliance
 
FIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptxFIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptxVladVlad504281
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications OverviewFIDO Alliance
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCloudIDSummit
 
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
UAF Tutorial: Passwordless, Biometric Authentication for Native AppsUAF Tutorial: Passwordless, Biometric Authentication for Native Apps
UAF Tutorial: Passwordless, Biometric Authentication for Native AppsFIDO Alliance
 
apidays London 2023 - Building Multi-Factor Authentication into your applicat...
apidays London 2023 - Building Multi-Factor Authentication into your applicat...apidays London 2023 - Building Multi-Factor Authentication into your applicat...
apidays London 2023 - Building Multi-Factor Authentication into your applicat...apidays
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Alliance
 
U2F in Dashlane
U2F in DashlaneU2F in Dashlane
U2F in DashlaneDashlane
 
FIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Alliance
 
FIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Alliance
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication FIDO Alliance
 
"Bypassing two factor authentication", Shahmeer Amir
"Bypassing two factor authentication", Shahmeer Amir"Bypassing two factor authentication", Shahmeer Amir
"Bypassing two factor authentication", Shahmeer AmirHackIT Ukraine
 
Street conf overview
Street conf overviewStreet conf overview
Street conf overviewericsachs
 
FIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO Alliance
 
FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016FIDO Alliance
 
Technical Principles of FIDO Authentication
Technical Principles of FIDO AuthenticationTechnical Principles of FIDO Authentication
Technical Principles of FIDO AuthenticationFIDO Alliance
 

Similar to FIDO U2F & UAF Tutorial (20)

FIDO Specifications Tutorial
FIDO Specifications TutorialFIDO Specifications Tutorial
FIDO Specifications Tutorial
 
Getting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical TutorialGetting to Know the FIDO Specifications - Technical Tutorial
Getting to Know the FIDO Specifications - Technical Tutorial
 
FIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and InsightsFIDO UAF 1.0 Specs: Overview and Insights
FIDO UAF 1.0 Specs: Overview and Insights
 
FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial FIDO UAF Specifications: Overview & Tutorial
FIDO UAF Specifications: Overview & Tutorial
 
FIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptxFIDO-U2F-Case-Study_Hanson.pptx
FIDO-U2F-Case-Study_Hanson.pptx
 
FIDO Specifications Overview
FIDO Specifications OverviewFIDO Specifications Overview
FIDO Specifications Overview
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
 
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
UAF Tutorial: Passwordless, Biometric Authentication for Native AppsUAF Tutorial: Passwordless, Biometric Authentication for Native Apps
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
 
apidays London 2023 - Building Multi-Factor Authentication into your applicat...
apidays London 2023 - Building Multi-Factor Authentication into your applicat...apidays London 2023 - Building Multi-Factor Authentication into your applicat...
apidays London 2023 - Building Multi-Factor Authentication into your applicat...
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
FIDO Technical Specifications Overview
FIDO Technical Specifications OverviewFIDO Technical Specifications Overview
FIDO Technical Specifications Overview
 
U2F in Dashlane
U2F in DashlaneU2F in Dashlane
U2F in Dashlane
 
FIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Authentication Technical Overview
FIDO Authentication Technical Overview
 
FIDO Authentication Technical Overview
FIDO Authentication Technical OverviewFIDO Authentication Technical Overview
FIDO Authentication Technical Overview
 
Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication Technical Considerations for Deploying FIDO Authentication
Technical Considerations for Deploying FIDO Authentication
 
"Bypassing two factor authentication", Shahmeer Amir
"Bypassing two factor authentication", Shahmeer Amir"Bypassing two factor authentication", Shahmeer Amir
"Bypassing two factor authentication", Shahmeer Amir
 
Street conf overview
Street conf overviewStreet conf overview
Street conf overview
 
FIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology LandscapeFIDO & Strong Authentication Technology Landscape
FIDO & Strong Authentication Technology Landscape
 
FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016FIDO Alliance: Year in Review Webinar slides from January 20 2016
FIDO Alliance: Year in Review Webinar slides from January 20 2016
 
Technical Principles of FIDO Authentication
Technical Principles of FIDO AuthenticationTechnical Principles of FIDO Authentication
Technical Principles of FIDO Authentication
 

More from FIDO Alliance

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FIDO Alliance
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...FIDO Alliance
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfFIDO Alliance
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...FIDO Alliance
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfFIDO Alliance
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...FIDO Alliance
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfFIDO Alliance
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfFIDO Alliance
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfFIDO Alliance
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfFIDO Alliance
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxFIDO Alliance
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...FIDO Alliance
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxFIDO Alliance
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
OTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptxOTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptxFIDO Alliance
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Alliance
 
CISA: #MoreThanAPassword.pptx
CISA: #MoreThanAPassword.pptxCISA: #MoreThanAPassword.pptx
CISA: #MoreThanAPassword.pptxFIDO Alliance
 

More from FIDO Alliance (20)

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
OTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptxOTIS: Our Journey to Passwordless.pptx
OTIS: Our Journey to Passwordless.pptx
 
FIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptxFIDO Workshop-Demo Breakdown.pptx
FIDO Workshop-Demo Breakdown.pptx
 
CISA: #MoreThanAPassword.pptx
CISA: #MoreThanAPassword.pptxCISA: #MoreThanAPassword.pptx
CISA: #MoreThanAPassword.pptx
 

Recently uploaded

How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfSrushith Repakula
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...marcuskenyatta275
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistandanishmna97
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Skynet Technologies
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceSamy Fodil
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...ScyllaDB
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdfMuhammad Subhan
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data SciencePaolo Missier
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxMasterG
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimaginedpanagenda
 

Recently uploaded (20)

How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties ReimaginedEasier, Faster, and More Powerful – Notes Document Properties Reimagined
Easier, Faster, and More Powerful – Notes Document Properties Reimagined
 

FIDO U2F & UAF Tutorial

  • 2. How Secure is Authentication?
  • 3. How Secure is Authentication?
  • 4. How Secure is Authentication?
  • 6. Password might be entered into untrusted App / Web-site (“phishing”) Password could be stolen from the server Too many passwords to remember  re-use / cart abandonment Inconvenient to type password on phone Password Issues
  • 7. Classifying Threats Remotely attacking central servers steal data for impersonation 1 Physically attacking user devices misuse them for impersonation 6 Physically attacking user devices steal data for impersonation 5 Remotely attacking lots of user devices steal data for impersonation Remotely attacking lots of user devices misuse them for impersonation Remotely attacking lots of user devices misuse authenticated sessions 2 3 4 Scalable attacks Physical attacks possible on lost or stolen devices (3% in the US in 2013)
  • 8. How does FIDO work? Device
  • 9. How does FIDO work? Private key dedicated to one App Public key challenge (signed) response Require user gesture before private key can be used
  • 10. How does FIDO work? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes. Same Authenticator as registered before? Same User as enrolled before?
  • 11. How does FIDO work? Identity binding to be done outside FIDO: This this “John Doe with customer ID X”. Can recognize the user (i.e. user verification), but doesn’t know its identity attributes. Same Authenticator as registered before? Same User as enrolled before?
  • 12. How does FIDO work? … …SE
  • 13. How does FIDO work? … …SE How is the key protected (TPM, SE, TEE, …)? Which user verification method is used?
  • 14. Attestation & Metadata Metadata Signed Attestation Object Verify using trust anchor included in Metadata Understand Authenticator security characteristic by looking into Metadata from mds.fidoalliance.org (or other sources) Private attestation key
  • 15. Passwordless Experience (UAF Standards) Second Factor Experience (U2F Standards) Authenticated Online 3 Biometric User Verification* 2 Authentication Challenge 1 ? Authenticated Online 3 Second Factor Challenge 1 Insert Dongle* / Press Button 2 *There are other types of authenticators
  • 16. Relying Party AppID, challenge a; challenge, origin, channel id, etc. a generate: key kpub key kpriv handle h kpub, h, attestation cert, signature(a,fc,kpub,h) fc, kpub, h, attestation cert, s cookie store: key kpub handle h s FIDO Client / BrowserU2F Authenticator check AppID fc U2F Registration
  • 17. U2F Authenticator FIDO Client / Browser Relying Party h, a; challenge, origin, channel id, etc. retrieve: key kpriv from handle h; cntr++ cntr, signature(a,fc,cntr) cntr, fc, s check signature using key kpub s fc a handle, AppID, challenge U2F Authentication hcheck AppID set cookie retrieve key kpub from handle h
  • 18. Passwordless Experience (UAF Standards) Second Factor Experience (U2F Standards) Authenticated Online 3 Biometric User Verification* 2 Authentication Challenge 1 ? Authenticated Online 3 Second Factor Challenge 1 Insert Dongle* / Press Button 2 *There are other types of authenticators
  • 19. Registration Overview FIDO AUTHENTICATOR FIDO SERVER FIDO CLIENT Send Registration Request: - Policy - Random Challenge Start registration Verify user Generate key pair Sign attestation object: • Public key • AAID • Hash(FinalChallenge) • Name of relying party Signed by attestation key Verify signature Check AAID against policy Store public key AAID = Authenticator Attestation ID, i.e. model ID FinalChallenge=AppID | FacetID | channelBinding | serveChallenge Perform legacy authentication first, in order to bind authenticator to an electronic identity, then perform FIDO registration.
  • 20. Authentication Overview FIDO AUTHENTICATOR FIDO SERVER FIDO CLIENT Send Authentication Request: - Policy - Random Challenge - Opt: TransactionText Start authentication Verify user Opt: Display TransactionText Sign signData object: • Signature alg • Hash(FinalChallenge) • Opt: Hash(TransactionText) • Signature counter • Authenticator random Signature (Uauth key) Verify signature Check AAID against policy FinalChallenge=AppID | FacetID | channelBinding | serveChallenge
  • 22. Convenience & Security Convenience Security Password Password + OTP FIDO In FIDO: • Same user verification method for all servers In FIDO: Arbitrary user verification methods are supported (+ they are interoperable)
  • 23. Convenience & Security Convenience Security Password Password + OTP FIDO In FIDO: • Only public keys on server • Not phishable In FIDO: Scalable security depending on Authenticator implementation
  • 24. Conclusion • Different authentication use-cases lead to different authentication requirements • FIDO separates user verification from authentication and hence supports all user verification methods • FIDO supports scalable convenience & security • User verification data is known to Authenticator only • FIDO complements federation Rolf Lindemann, Nok Nok Labs, rolf@noknok.com