FIDO UAF Tutorial
How Secure is Authentication?
Cloud Authentication
Password Issues
• Password might be entered into untrusted App / Web-site (“phishing”)
• Password could be stolen from the server
• Too many passwords to remember → re-use / cart abandonment
• Inconvenient to type password on phone
OTP Issues
• OTP vulnerable to real-time MITM and MITB attacks
• SMS security questionable, especially when Device is the phone
• OTP HW tokens are expensive and people don’t want another device
• Inconvenient to type OTP on phone
Summary
1. Passwords are insecure and inconvenient, especially on mobile devices
2. Alternative authentication methods are silos and hence don’t scale to large-scale user populations
3. The required security level of the authentication depends on the use
4. Risk engines need information about the explicit authentication security for good decisions
How does FIDO work?
[Diagram labels: Device; Private key; Public key; challenge; (signed) response]
Require user gesture before private key can be used
How does FIDO UAF work?
Can recognize the user (i.e. user verification), but doesn’t know its identity attributes.
Same Authenticator as registered before?
Same User as enrolled before?
Identity binding to be done outside FIDO: This is “John Doe with customer ID X”.
How is the key protected (TPM, SE, TEE, …)?
Which user verification method is used?
Attestation & Metadata
[Diagram labels: Private attestation key; Signed Attestation Object; Metadata]
Verify using trust anchor included in Metadata
Understand Authenticator security characteristic by looking into Metadata from mds.fidoalliance.org (or other sources)
Binding Keys to Apps
Use google.com key
Use paypal.com key
Use same user gesture (e.g. same finger or PIN) for unlocking each private key.
FIDO Building Blocks
[Diagram labels: FIDO USER DEVICE (BROWSER / APP, FIDO CLIENT, ASM, FIDO AUTHENTICATOR); RELYING PARTY (WEB APPLICATION, FIDO SERVER); METADATA SERVICE; Attestation key; Authentication keys; Cryptographic authentication key DB; Authenticator Metadata; Update; UAF Protocol; TLS Server Key]
Registration Overview
Perform legacy authentication first, in order to bind authenticator to an electronic identity, then perform FIDO registration.
[Diagram between FIDO AUTHENTICATOR, FIDO CLIENT and FIDO SERVER:]
Send Registration Request:
- Policy
- Random Challenge
Start registration
Verify user
Generate key pair
Sign attestation object:
• Public key
• AAID
• Random Challenge
• Name of relying party
Signed by attestation key
Verify signature
Check AAID against policy
Store public key
AAID = Authenticator Attestation ID, i.e. model ID
UAF Authentication
[Diagram between App, Web App, FIDO Server and FIDO Authenticator; the slide builds up the following steps:]
0. Prepare
1. Initiate Authentication
2. Auth. Request with Challenge
3. Verify User & Sign Challenge (Key specific to RP Webapp)
4. Auth. Response
5. Success
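The registration and authentication exchanges outlined above, as an added Go sketch (not code from the slides, the FIDO specifications or any FIDO product). It assumes an in-process Message struct and Ed25519 signatures in place of the UAF wire format and its algorithms; every type and function name, the AAID value and rp.example are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Message is a hypothetical, simplified stand-in for UAF requests and responses (not the wire format).
type Message struct {
	Op, AppID, AAID        string // Op is "Reg" or "Auth"; AppID names the relying party
	Challenge, PubKey, Sig []byte // AAID, PubKey (Reg only) and Sig are set by the authenticator
}

// tbs returns the bytes the signature covers: every field except Sig.
func (m Message) tbs() []byte {
	m.Sig = nil
	b, _ := json.Marshal(m)
	return b
}

type Authenticator struct {
	AAID   string
	attKey ed25519.PrivateKey            // attestation key, injected at manufacturing (Ed25519 assumed)
	keys   map[string]ed25519.PrivateKey // authentication keys, one per relying party
}

func NewAuthenticator(aaid string) *Authenticator {
	_, att, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{aaid, att, map[string]ed25519.PrivateKey{}}
}

// Respond signs only after user verification. "Reg" creates a key pair for the relying
// party and attests it with the attestation key; "Auth" signs with that site-specific key.
func (a *Authenticator) Respond(req Message, userVerified bool) (Message, error) {
	if !userVerified {
		return req, errors.New("user verification failed")
	}
	req.AAID = a.AAID
	key := a.attKey
	if req.Op == "Reg" {
		req.PubKey, a.keys[req.AppID], _ = ed25519.GenerateKey(rand.Reader)
	} else if key = a.keys[req.AppID]; key == nil {
		return req, errors.New("no key registered for this relying party")
	}
	req.Sig = ed25519.Sign(key, req.tbs())
	return req, nil
}

type Server struct {
	AppID        string
	policy, keys map[string]ed25519.PublicKey // AAID -> trust anchor; userid -> public key
	pending      map[string]string            // outstanding challenge -> operation
}

// NewServer accepts one model; its attestation public key stands in for metadata.
func NewServer(appID string, accepted *Authenticator) *Server {
	anchor := accepted.attKey.Public().(ed25519.PublicKey)
	return &Server{appID, map[string]ed25519.PublicKey{accepted.AAID: anchor}, map[string]ed25519.PublicKey{}, map[string]string{}}
}

// NewRequest issues a request with a fresh random challenge.
func (s *Server) NewRequest(op string) Message {
	c := make([]byte, 32)
	rand.Read(c)
	s.pending[string(c)] = op
	return Message{Op: op, AppID: s.AppID, Challenge: c}
}

// Finish verifies a response: "Reg" against the trust anchor for its AAID, storing the
// new public key for userID; "Auth" against the public key stored for userID.
func (s *Server) Finish(userID string, resp Message) error {
	op, issued := s.pending[string(resp.Challenge)]
	delete(s.pending, string(resp.Challenge)) // single use, even when verification fails
	pub := s.keys[userID]
	if resp.Op == "Reg" {
		pub = s.policy[resp.AAID] // nil when the AAID is not accepted by policy
	}
	ok := issued && op == resp.Op && resp.AppID == s.AppID && len(pub) == ed25519.PublicKeySize
	if !ok || !ed25519.Verify(pub, resp.tbs(), resp.Sig) {
		return errors.New("stale challenge, wrong relying party, untrusted key or bad signature")
	}
	if resp.Op == "Reg" {
		s.keys[userID] = resp.PubKey
	}
	return nil
}

func main() {
	auth := NewAuthenticator("ABCD#0001") // constructed AAID
	srv := NewServer("https://rp.example", auth)
	reg, _ := auth.Respond(srv.NewRequest("Reg"), true)
	fmt.Println("registration error:", srv.Finish("1234", reg))
	resp, _ := auth.Respond(srv.NewRequest("Auth"), true)
	fmt.Println("authentication error:", srv.Finish("1234", resp))
}
```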
Transaction Confirmation
[Diagram between the Device (FIDO Authenticator, Browser or Native App) and the Relying Party (Web App, FIDO Server):]
1. Initiate Transaction
2. Authentication Request + Transaction Text
3. Display Text, Verify User & Unlock Private Key (specific to User + RP Webapp)
4. Authentication Response + Text Hash, signed by User’s private key
5. Validate Response & Text Hash using User’s Public Key
Convenience & Security
[Chart: Convenience against Security, positioning Password, Password + OTP and FIDO]
In FIDO:
• Same user verification method for all servers
• Arbitrary user verification methods are supported (+ they are interoperable)
• Only public keys on server
• Not phishable
• Scalable security depending on Authenticator implementation
FIDO Authenticator Concept
FIDO Authenticator:
• User Verification / Presence
• Attestation Key: injected at manufacturing, doesn’t change
• Authentication Key(s): generated at runtime (on Registration)
• Optional Components: Transaction Confirmation Display
What about rubber fingers?
Protection methods in FIDO
1. Attacker needs access to the Authenticator and has to swipe the rubber finger on it. This makes it a non-scalable attack.
2. Authenticators might implement presentation attack detection methods.
Remember:
Creating hundreds of millions of rubber fingers + stealing the related authenticators is expensive. Stealing hundreds of millions of passwords from a server has low cost per password.
But I can’t revoke my finger…
• Protection methods in FIDO
You don’t need to revoke your finger, you can simply de-register the old (=attacked) authenticator. Then,
1. Get a new authenticator
2. Enroll your finger (or iris, …) to it
3. Register the new authenticator to the service
FIDO & Federation
[Diagram labels: FIDO USER DEVICE (BROWSER / APP, FIDO CLIENT, FIDO AUTHENTICATOR); IdP (FIDO SERVER, FEDERATION SERVER, Id DB); Service Provider; FIDO Protocol; Federation; First Mile; Second Mile]
Knows details about the Authentication strength
Knows details about the Identity and its verification strength.
FIDO & Federation in Enterprise
[Diagram labels: Enterprise IT; IdP (FIDO SERVER, FEDERATION SERVER); Enterprise Appl. 1, 2, … N; Cloud-hosted Appl. 1, 2, … N; “External” User; “Internal” User]
Federated Login, e.g. OpenID Connect
Could be operated externally as well
FIDO UAF Enabled Products
OEM Enabled Smartphones & Tablets
Samsung: Galaxy S6, S6 Edge, S6 Edge+; Galaxy Tab S2 8"+9.7"; Galaxy Note 5; Galaxy S5, S5 Mini, S5 Plus; Galaxy Alpha; Galaxy Note 4, Note 4 Edge; Galaxy Tab S 8.4"+10.5"
Sony: Xperia Z5, Z5 Compact, Z5 Premium
Sharp: Aquos Zeta SH-03G, SH01H
Fujitsu: Arrows NX F-04G, Fit F-01H, NX F-02H
Clients available for these operating systems:
Software Authenticator Examples: Speaker/Face recognition, PIN, QR Code, etc.
Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element
FIDO is used Today
Typical RP Deployment
[Diagram labels: FIDO USER DEVICE; MOBILE APP; Native FIDO Stack (not on old devices): FIDO CLIENT, ASM, FIDO AUTHENTICATOR; App SDK with Embedded FIDO Stack: FIDO CLIENT, ASM, AUTHENR]
Challenge: Old devices do not have a native FIDO Stack
Solution: embed FIDO Stack in App SDK
Typical Native FIDO Stack
[Diagram labels: FIDO USER DEVICE (SMARTPHONE); FIDO CLIENT; ASM; FIDO AUTHENTICATOR; Trusted Execution Environment (TEE); Rich Execution Environment, e.g. Android.]
Fingerprint is mostly used today.
Typically on high-end devices.
Some devices use eye/iris as modality.
No need for expensive FP Sensors.
Conclusion
• Different authentication use-cases lead to different authentication requirements
• FIDO separates user verification from authentication and hence supports all user verification methods
• FIDO supports scalable convenience & security
• User verification data is known to Authenticator only
• FIDO complements federation
Rolf Lindemann, Nok Nok Labs, rolf@noknok.com
How does FIDO UAF work?
1. Use Metadata to understand Authenticator security characteristic
2. Define policy of acceptable Authenticators
3. Store public keys on the server (no secrets)
4. Provide cryptographic proof of authenticator model
5. Generate key pair in Authenticator to protect against phishing
6. Use site-specific keys in order to protect privacy
7. Verify user before signing authentication response
8. Use channel binding to protect against MITM
Classifying Threats
1. Remotely attacking central servers: steal data for impersonation
2. Remotely attacking lots of user devices: steal data for impersonation
3. Remotely attacking lots of user devices: misuse them for impersonation
4. Remotely attacking lots of user devices: misuse authenticated sessions
5. Physically attacking user devices: steal data for impersonation
6. Physically attacking user devices: misuse them for impersonation
Scalable attacks
Physical attacks possible on lost or stolen devices (3% in the US in 2013)
Registration Overview (2)
[Diagram labels: Physical Identity; Virtual Identity; “Know Your Customer” rules; Legacy Authentication; FIDO AUTHENTICATOR; FIDO SERVER; WEB Application; Relying Party foo.com]
{ userid=1234, jane@mail.com, known since 03/05/04, payment history=xx, … }
{ userid=1234,
  pubkey=0x43246, AAID=x
  +pubkey=0xfa4731, AAID=y }
Registration
AAID y
key for foo.com: 0xfa4731
Link new Authenticator to existing userid
Using Secure Hardware
[Diagram labels: SIM Card; FIDO Authenticator; Attestation Key; Authentication Key(s); User Verification / Presence; PIN Entry; PIN Verification]
Client Side Biometrics
[Diagram labels: Trusted Execution Environment (TEE); FIDO Authenticator as Trusted Application (TA); User Verification / Presence; Attestation Key; Authentication Key(s)]
Store at Enrollment
Compare at Authentication
Unlock after comparison
Combining TEE and SE
[Diagram labels: Trusted Execution Environment (TEE); Secure Element; FIDO Authenticator as Trusted Application (TA); Attestation Key; Authentication Key(s); User Verification / Presence; Transaction Confirmation Display, e.g. GlobalPlatform Trusted UI]

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
Choosing the Right FDO Deployment Model for Your Application _ Geoffrey at In...
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 

Recently uploaded

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
Jen Stirrup
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 

Recently uploaded (20)

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...The Metaverse and AI: how can decision-makers harness the Metaverse for their...
The Metaverse and AI: how can decision-makers harness the Metaverse for their...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 

FIDO UAF 1.0 Specs: Overview and Insights

  • 2. How Secure is Authentication?
  • 3. How Secure is Authentication?
  • 4. How Secure is Authentication?
  • 6. Password might be entered into untrusted App / Web-site (“phishing”) Password could be stolen from the server Too many passwords to remember → re-use / cart abandonment Inconvenient to type password on phone Password Issues
  • 7. OTP Issues OTP vulnerable to real-time MITM and MITB attacks SMS security questionable, especially when Device is the phone OTP HW tokens are expensive and people don’t want another device Inconvenient to type OTP on phone
  • 9. Summary 1. Passwords are insecure and inconvenient especially on mobile devices 2. Alternative authentication methods are silos and hence don’t scale to large scale user populations 3. The required security level of the authentication depends on the use 4. Risk engines need information about the explicit authentication security for good decision
  • 10. How does FIDO work? Device
  • 11. How does FIDO work? Private key Public key challenge (signed) response Require user gesture before private key can be used
  • 12. How does FIDO UAF work? … …SE
  • 13. How does FIDO UAF work? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes. Same Authenticator as registered before? Same User as enrolled before?
  • 14. How does FIDO UAF work? Identity binding to be done outside FIDO: This is “John Doe with customer ID X”. Can recognize the user (i.e. user verification), but doesn’t know its identity attributes. Same Authenticator as registered before? Same User as enrolled before?
  • 15. How does FIDO UAF work? … …SE How is the key protected (TPM, SE, TEE, …)? Which user verification method is used?
  • 16. Attestation & Metadata Metadata Signed Attestation Object Verify using trust anchor included in Metadata Understand Authenticator security characteristic by looking into Metadata from mds.fidoalliance.org (or other sources) Private attestation key
  • 17. Binding Keys to Apps Use google.com key Use paypal.com key Use same user gesture (e.g. same finger or PIN) for unlocking each private key.
  • 18. FIDO USER DEVICE FIDO CLIENT FIDO AUTHENTICATOR BROWSER / APP FIDO Building Blocks ASM RELYING PARTY Attestation key Authentication keys FIDO SERVER METADATA SERVICE WEB APPLICATION Update Cryptographic authentication key DB Authenticator Metadata UAF Protocol TLS Server Key
  • 19. Registration Overview FIDO AUTHENTICATOR FIDO SERVER FIDO CLIENT Send Registration Request: - Policy - Random Challenge Start registration Verify user Generate key pair Sign attestation object: • Public key • AAID • Random Challenge • Name of relying party Signed by attestation key Verify signature Check AAID against policy Store public key AAID = Authenticator Attestation ID, i.e. model ID Perform legacy authentication first, in order to bind authenticator to an electronic identity, then perform FIDO registration.
  • 25. FIDO Server Web App App Prepare UAF Authentication pat@example.com Pat Johnson Initiate Authentication 1 3 Verify User & Sign Challenge (Key specific to RP Webapp) FIDO Authenticator Auth. Request with Challenge 2 0
  • 26. FIDO Server Web App App Prepare UAF Authentication Pat Johnson 650 Castro Street Mountain View, CA 94041 United States Initiate Authentication 1 FIDO Authenticator 3 Verify User & Sign Challenge (Key specific to RP Webapp) Auth. Response 4 Auth. Request with Challenge 2 0
  • 27. FIDO Server Web App App Prepare UAF Authentication pat@example.com Pat Johnson Payment complete! Return to the merchant’s web site to continue shopping Return to the merchant Initiate Authentication 1 FIDO Authenticator 3 Verify User & Sign Challenge (Key specific to RP Webapp) Auth. Request with Challenge 2 Auth. Response 4 Success 5 0
  • 28. FIDO Server Browser or Native App FIDO Authenticator Initiate Transaction Authentication Response + Text Hash, signed by User’s private key Validate Response & Text Hash using User’s Public Key Authentication Request + Transaction Text 2 4 5 Device Relying Party 1 3 Web App Display Text, Verify User & Unlock Private Key (specific to User + RP Webapp) Transaction Confirmation
  • 31. Convenience & Security Convenience Security Password Password + OTP FIDO In FIDO: • Same user verification method for all servers In FIDO: Arbitrary user verification methods are supported (+ they are interoperable)
  • 32. Convenience & Security Convenience Security Password Password + OTP FIDO In FIDO: • Only public keys on server • Not phishable In FIDO: Scalable security depending on Authenticator implementation
  • 33. FIDO Authenticator Concept FIDO Authenticator User Verification / Presence Attestation Key Authentication Key(s) Injected at manufacturing, doesn’t change Generated at runtime (on Registration) Optional Components Transaction Confirmation Display
  • 34. What about rubber fingers? Protection methods in FIDO 1. Attacker needs access to the Authenticator and swipe rubber finger on it. This makes it a non-scalable attack. 2. Authenticators might implement presentation attack detection methods. Remember: Creating hundreds of millions of rubber fingers + stealing the related authenticators is expensive. Stealing hundreds of millions of passwords from a server has low cost per password.
  • 35. But I can’t revoke my finger… • Protection methods in FIDO You don’t need to revoke your finger, you can simply de-register the old (=attacked) authenticator. Then, 1. Get a new authenticator 2. Enroll your finger (or iris, …) to it 3. Register the new authenticator to the service
  • 36. FIDO & Federation FIDO USER DEVICE FIDO CLIENT IdP FIDO SERVER FIDO AUTHENTICATOR FEDERATION SERVER BROWSER / APP FIDO Protocol Service Provider Federation Id DB Knows details about the Authentication strength Knows details about the Identity and its verification strength. First Mile Second Mile
  • 37. Enterprise IT FIDO & Federation in Enterprise IdP FIDO SERVER FEDERATION SERVER Enterprise Appl. 1 Cloud-hosted Appl. 1 Enterprise Appl. 2 Enterprise Appl. N Cloud-hosted Appl. 2 Cloud-hosted Appl. N “External” User “Internal” User Federated Login, e.g. OpenID Connect Could be operated externally as well
  • 38. OEM Enabled Smartphones & Tablets Clients available for these operating systems: Software Authenticator Examples: Speaker/Face recognition, PIN, QR Code, etc. Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element FIDO UAF Enabled Products Samsung Galaxy S6, S6 Edge, S6 Edge+ Galaxy Tab S2 8"+9.7" Galaxy Note 5 Galaxy S5, S5 Mini, S5 Plus Galaxy Alpha Galaxy Note 4, Note 4 Edge Galaxy Tab S 8.4"+10.5" Sony Xperia Z5, Z5 Compact, Z5 Premium Sharp Aquos Zeta SH-03G, SH01H Fujitsu Arrows NX F-04G, Fit F-01H, NX F-02H
  • 39. FIDO is used Today
  • 40. Typical RP Deployment FIDO USER DEVICE FIDO CLIENT FIDO AUTHENTICATOR MOBILE APP ASM Native FIDO Stack (not on old devices) Challenge: Old devices do not have a native FIDO Stack
  • 41. Typical RP Deployment FIDO USER DEVICE FIDO CLIENT FIDO AUTHENTICATOR MOBILE APP ASM App SDK Native FIDO Stack (not on old devices) FIDO CLIENT AUTHENR ASM Embedded FIDO Stack Challenge: Old devices do not have a native FIDO Stack Solution: embed FIDO Stack in App SDK
  • 42. Typical Native FIDO Stack FIDO USER DEVICE (SMARTPHONE) FIDO CLIENT FIDO AUTHENTICATOR ASM Trusted Execution Environment (TEE) Fingerprint is mostly used today. Typically on high-end devices. Some devices use eye/iris as modality. No need for expensive FP Sensors. Rich Execution Environment, e.g. Android.
  • 43. Conclusion • Different authentication use-cases lead to different authentication requirements • FIDO separates user verification from authentication and hence supports all user verification methods • FIDO supports scalable convenience & security • User verification data is known to Authenticator only • FIDO complements federation Rolf Lindemann, Nok Nok Labs, rolf@noknok.com
  • 44. How does FIDO UAF work? 1. Use Metadata to understand Authenticator security characteristic 2. Define policy of acceptable Authenticators 3. Store public keys on the server (no secrets) 4. Provide cryptographic proof of authenticator model 5. Generate key pair in Authenticator to protect against phishing 6. Use site-specific keys in order to protect privacy 7. Verify user before signing authentication response 8. Use channel binding to protect against MITM
  • 45. Classifying Threats Remotely attacking central servers steal data for impersonation 1 Physically attacking user devices misuse them for impersonation 6 Physically attacking user devices steal data for impersonation 5 Remotely attacking lots of user devices steal data for impersonation Remotely attacking lots of user devices misuse them for impersonation Remotely attacking lots of user devices misuse authenticated sessions 2 3 4 Scalable attacks Physical attacks possible on lost or stolen devices (3% in the US in 2013)
  • 46. Registration Overview (2) Physical Identity Virtual Identity FIDO AUTHENTICATOR FIDO SERVER WEB Application { userid=1234, jane@mail.com, known since 03/05/04, payment history=xx, … } { userid=1234, pubkey=0x43246, AAID=x +pubkey=0xfa4731, AAID=y } Registration AAID y key for foo.com: 0xfa4731 Relying Party foo.com Link new Authenticator to existing userid “Know Your Customer” rules Legacy Authentication
  • 47. SIM Card FIDO Authenticator Attestation Key Authentication Key(s) Using Secure Hardware PIN Verification PIN Entry User Verification / Presence
  • 48. Trusted Execution Environment (TEE) FIDO Authenticator as Trusted Application (TA) User Verification / Presence Attestation Key Authentication Key(s) Store at Enrollment Compare at Authentication Unlock after comparison Client Side Biometrics
  • 49. Trusted Execution Environment (TEE) Secure Element Combining TEE and SE FIDO Authenticator as Trusted Application (TA) Attestation Key Authentication Key(s) User Verification / Presence Transaction Confirmation Display e.g. GlobalPlatform Trusted UI
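The registration, authentication and transaction-confirmation exchanges from slides 19 and 25 to 28, as an added Go example that is not part of the original deck or of any FIDO code. It substitutes Ed25519 with a raw public key as trust anchor and a length-prefixed encoding for UAF's assertion format and attestation certificates; `newDemo`, `tbs`, the AAID `AAID-y` and the challenge values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator: one attestation key per model (AAID), one auth key per RP.
type Authenticator struct {
	AAID    string
	attPriv ed25519.PrivateKey
	keys    map[string]ed25519.PrivateKey // relying party -> private key
}

// Server is one relying party's FIDO server; it stores public keys only.
type Server struct {
	RP       string
	Metadata map[string]ed25519.PublicKey // AAID -> attestation trust anchor
	Policy   map[string]bool              // AAIDs this relying party accepts
	Users    map[string]ed25519.PublicKey // userid -> registered public key
}

// newDemo wires one authenticator model into one RP's metadata and policy.
func newDemo(rp, aaid string) (*Authenticator, *Server) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{aaid, priv, map[string]ed25519.PrivateKey{}},
		&Server{rp, map[string]ed25519.PublicKey{aaid: pub},
			map[string]bool{aaid: true}, map[string]ed25519.PublicKey{}}
}

// tbs length-prefixes each field so field boundaries are unambiguous.
func tbs(fields ...[]byte) (out []byte) {
	for _, f := range fields {
		out = append(out, fmt.Sprintf("%d:%s", len(f), f)...)
	}
	return out
}

// Register makes an RP-specific key pair and signs the attestation object.
func (a *Authenticator) Register(rp string, chal []byte) (ed25519.PublicKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rp] = priv
	return pub, ed25519.Sign(a.attPriv, tbs(pub, []byte(a.AAID), chal, []byte(rp)))
}

// Sign answers a challenge with the key bound to rp, or returns nil if none.
func (a *Authenticator) Sign(rp string, chal []byte, text string) []byte {
	if priv, ok := a.keys[rp]; ok {
		return ed25519.Sign(priv, tbs(chal, []byte(rp), []byte(text)))
	}
	return nil
}

// FinishRegistration checks policy, verifies the attestation, stores the key.
func (s *Server) FinishRegistration(user, aaid string, pub ed25519.PublicKey, chal, sig []byte) error {
	anchor, known := s.Metadata[aaid]
	if !known || !s.Policy[aaid] {
		return fmt.Errorf("AAID %s not accepted by policy", aaid)
	}
	if !ed25519.Verify(anchor, tbs(pub, []byte(aaid), chal, []byte(s.RP)), sig) {
		return fmt.Errorf("attestation signature invalid")
	}
	s.Users[user] = pub
	return nil
}

// VerifyAuth checks a response against this server's challenge, RP name and text.
func (s *Server) VerifyAuth(user string, chal []byte, text string, sig []byte) bool {
	pub, ok := s.Users[user]
	return ok && ed25519.Verify(pub, tbs(chal, []byte(s.RP), []byte(text)), sig)
}

func main() {
	auth, srv := newDemo("foo.com", "AAID-y") // constructed model ID
	pub, att := auth.Register(srv.RP, []byte("c1")) // constructed challenges
	fmt.Println("register:", srv.FinishRegistration("1234", auth.AAID, pub, []byte("c1"), att))
	sig := auth.Sign(srv.RP, []byte("c2"), "Pay 10 EUR")
	fmt.Println("altered text accepted:", srv.VerifyAuth("1234", []byte("c2"), "Pay 99 EUR", sig))
}
```

A production server draws each challenge from a CSPRNG and discards it after one use; the fixed strings here only keep the run reproducible.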