Explore how FIDO UAF works, how to perform FIDO registration, and how FIDO is used in the world today, as well as the process from start to finish of UAF authentication.
From FIDO Alliance Seminar in Washington, D.C., October, 2015.
FIDO U2F (Universal Second Factor) Specifications: Overview & Tutorial
by Jerrod Chong, Yubico
Explore how FIDO U2F works and how it is used in the world today.
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience. From FIDO Alliance Seminar in Tokyo, Japan, November, 2015.
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
FIDO UAF (Universal Authentication Framework) Specifications: Overview & Tutorial
by Todd Thiemann, Nok Nok Labs
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
Developer Tutorial: WebAuthn for Web & FIDO2 for Android
by FIDO Alliance
This tutorial walks through how to build a website with simple re-authentication functionality using a fingerprint sensor. Re-authentication means that a user signs into a website once, then authenticates again when entering important sections of the website, or when coming back after a certain interval, in order to protect the account. It also covers how to build an Android app with the same re-authentication functionality using a fingerprint sensor: the user signs into the app once, then authenticates again when coming back to the app or when accessing an important section of it.
Security for OAuth 2.0 - @topavankumarj
by Pavan Kumar J
OAuth is one of the most successful authorization protocols on the Internet. The OAuth 2.0 framework, the proposed standard to replace OAuth 1.0, enables a third-party application to obtain limited access to an application, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the application, or by allowing the third-party application to obtain access on its own behalf.
In this webinar, we provide an overview of the OAuth 2.0 authorization model, how it fits in the enterprise environment, and some critical security implications of note for software architects and security analysts.
Vulnerable App: https://github.com/topavankumarj/Vulnerable-OAuth2.0-Application
Key Takeaways:
1.) Comprehensive understanding of the OAuth 2.0 authorization framework.
2.) Threats/Attacks specific to OAuth 2.0
3.) Practical demonstration of exploit vectors
4.) Outline of architectural best practices in OAuth 2.0
Who should attend:
1.) Application architects /API developers who use OAuth to publish and/or interact with protected data.
2.) Security Analysts who want to learn about security implications relevant to the OAuth Framework.
Hacking and Defending APIs - Red and Blue make Purple
by Matt Tesauro
From LASCON 2022:
APIs are a foundational technology in today’s app-driven world and increasingly becoming the main target for attackers. How do you protect yourself? This talk will walk you through the techniques attackers use against APIs like broken object level authorization (BOLA) by following a typical API pen testing methodology. For each phase and attack, the tables are turned by covering how the attack looks from the defender's point of view including proactive ways to catch attacks early. You’ll understand how attackers find and exploit vulnerabilities and gain insight into why many traditional AppSec approaches fall short for APIs. The goal is to provide a complete overview of API vulnerabilities from both attack and defense perspectives so you can ramp up your testing and protection of all the new APIs in your AppSec life.
Learn how FIDO standards complement federation protocols. These guidelines detail how to integrate the two in order to add support for FIDO-based multi-factor authentication and replace or supplement traditional authentication methods in federation environments.
WebAuthn and Security Keys = Unlocking the key to authentication by John Fontana, Yubico on behalf of Christiaan Brand at Google
- Presented at FIDO Seoul Public Seminar on December 5th, 2018
A tutorial on the process of writing an application using a browser's WebAuthn API, plus how to install a server, how to generate authentication challenges and responses, and how to integrate with related IAM infrastructure.
Code: https://github.com/fido-alliance/webauthn-demo
Live slides: http://slides.com/herrjemand/jan-2018-fido-seminar-webauthn-tutorial#/
FIDO UAF 1.0 Specs: Overview and Insights
by FIDO Alliance
Explore how FIDO UAF works and how FIDO is used in the world today.
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
Getting to Know the FIDO Specifications - Technical Tutorial
by FIDO Alliance
What if we could replace passwords with authentication that is stronger and simpler? Web service providers and enterprises worldwide are looking for a solution to move beyond the frustrating user experience and less-than-stellar security of single-factor password authentication systems. Today FIDO is that solution, providing a rich set of specifications and certifications for an emerging and interoperable ecosystem of hardware, mobile and biometrics-based devices. This ecosystem enables enterprises and web service providers to easily deploy strong authentication solutions that reduce password dependencies and provide a superior, simpler and trusted user experience.
- Learn the ins and outs of FIDO’s specifications, including their applicability to both passwordless (UAF) and second factor (U2F) authentication use cases.
- Learn how FIDO separates user verification from authentication along with other details on the FIDO registration and login process.
- Learn how FIDO authentication protects user privacy and prevents phishing and man-in-the-middle attacks.
CIS14: An Overview of FIDO's Universal Authentication Framework (UAF) Specifications
by Rolf Lindemann, Nok Nok Labs (CloudIDSummit)
Introduction to the UAF protocol, which is designed to provide a “passwordless” experience, discussing potential use cases and implementation models, with a real-world example shown via the FIDO client on the Samsung Galaxy S5.
CIS14: FIDO 101 (What, Why and Wherefore of FIDO)
by Rajiv Dholakia, Nok Nok Labs (CloudIDSummit)
Basics of how FIDO protocols work, how they fit into the broader identity ecosystem, the benefits of the design and the state of implementation/deployment in the market; appropriate for both technical and non-technical individuals, giving orientation before diving into the details of the specific FIDO protocols.
FIDO Alliance: Year in Review Webinar slides from January 20 2016
by FIDO Alliance
Last year was a year of great progress for the FIDO Alliance and standards-based strong authentication. Tens of millions of FIDO-enabled devices are now in use worldwide. There are over 100 FIDO Certified™ products available, and nearly 250 organizations are now taking part in the Alliance, including more than a dozen trade association partners. The market is clearly showing that now is the time to deploy FIDO authentication to modernize failing password systems.
These slides address:
– The uptake in global momentum
– Details on FIDO’s recent submission to the World Wide Web Consortium
– The Alliance’s plans and strategy for 2016 and what this means to you and your organization in the upcoming year
We encourage you and your colleagues to view these slides to catch up on what happened in 2015 and to learn how FIDO’s explosive growth can benefit your organization in 2016. You can listen to the webinar audio here: https://fidoalliance.org/events/fido-alliance-year-in-review-webinar/
FIDO, Federation and the Internet of Things
by FIDO Alliance
Learn how FIDO-based authentication can complement federated authentication - and why they are better together.
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience.
FIDO2: towards the end of passwords? - by Arnaud Jumelet (Identity Days)
Passwordless authentication is about to become reality. Azure AD now supports FIDO2 security keys for signing in. Do you know the FIDO2 project and passwordless authentication? Did you know that Windows Hello is a FIDO2 authenticator?
In this session, discover FIDO2 and the steps towards a world without passwords.
6. Password Issues
- A password might be entered into an untrusted app or web site ("phishing").
- Passwords could be stolen from the server.
- Too many passwords to remember, leading to re-use and cart abandonment.
- Inconvenient to type a password on a phone.
7. OTP Issues
- OTPs are vulnerable to real-time man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks.
- SMS security is questionable, especially when the device is the phone.
- OTP hardware tokens are expensive, and people don't want another device.
- Inconvenient to type an OTP on a phone.
9. Summary
1. Passwords are insecure and inconvenient, especially on mobile devices.
2. Alternative authentication methods are silos and hence don't scale to large user populations.
3. The required security level of the authentication depends on the use.
4. Risk engines need information about the explicit authentication security for good decisions.
13-14. How does FIDO UAF work?
The relying party wants answers to two questions:
- Same authenticator as registered before?
- Same user as enrolled before?
The authenticator can recognize the user (i.e. user verification), but doesn't know the user's identity attributes. Identity binding is done outside FIDO: "This is John Doe with customer ID X."
15. How does FIDO UAF work?
Two further questions the relying party needs answered about an authenticator:
- How is the key protected (TPM, SE, TEE, …)?
- Which user verification method is used?
16. Attestation & Metadata
- The authenticator holds a private attestation key and produces a signed attestation object.
- The relying party verifies the attestation object using the trust anchor included in the authenticator metadata.
- The relying party understands the authenticator's security characteristics by looking into the metadata from mds.fidoalliance.org (or other sources).
17. Binding Keys to Apps
- The authenticator uses the google.com key for google.com and the paypal.com key for paypal.com: a separate private key per relying party.
- The same user gesture (e.g. the same finger or PIN) is used for unlocking each private key.
18. FIDO Building Blocks
FIDO user device:
- Browser / app
- FIDO client
- ASM (Authenticator-Specific Module)
- FIDO authenticator, holding the attestation key and the authentication keys
Relying party:
- Web application, with its TLS server key
- FIDO server, with a DB of cryptographic authentication keys and the authenticator metadata
- Metadata service, which delivers authenticator metadata updates to the FIDO server
The UAF protocol runs between the FIDO client on the user device and the FIDO server at the relying party.
19. Registration Overview
FIDO SERVER sends the Registration Request:
- Policy
- Random Challenge
FIDO CLIENT starts the registration on the FIDO AUTHENTICATOR.
FIDO AUTHENTICATOR: verify user, generate key pair, sign the attestation object:
• Public key
• AAID
• Random Challenge
• Name of relying party
Signed by the attestation key.
FIDO SERVER: verify signature, check AAID against policy, store public key.
AAID = Authenticator Attestation ID, i.e. model ID
Perform legacy authentication first, in order to bind the authenticator to an electronic identity, then perform FIDO registration.
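The registration exchange above, including the metadata trust anchor of slide 16 and the "link new authenticator to existing userid" step of slide 46, as an added example in Go. This is not code from the slides or from Nok Nok Labs, and it is not the UAF wire format: the layout the attestation key signs (SHA-256 over digests of public key, AAID, challenge and RP name) is this example's own, as are the constructed AAID "0123#0001", the relying party name foo.com and the userid 1234. Keys are ECDSA P-256; the server keeps only public keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

type RegistrationRequest struct {
	RPName    string
	Challenge []byte // 32 random bytes, single use
}

// AttestationObject: new public key, AAID, challenge and RP name, signed by the attestation key.
type AttestationObject struct {
	PublicKey []byte // DER SubjectPublicKeyInfo of the new authentication key
	AAID      string
	Challenge []byte
	RPName    string
	Signature []byte
}

// tbs hashes 32-byte digests of each variable-length field next to the 32-byte
// challenge, so the concatenation has unambiguous field boundaries (example layout, not UAF's).
func (o AttestationObject) tbs() []byte {
	pk, id, rp := sha256.Sum256(o.PublicKey), sha256.Sum256([]byte(o.AAID)), sha256.Sum256([]byte(o.RPName))
	h := sha256.Sum256(append(append(append(pk[:], id[:]...), o.Challenge...), rp[:]...))
	return h[:]
}

// Authenticator: attestation key fixed at manufacturing, one authentication key per RP.
type Authenticator struct {
	AAID           string
	attestationKey *ecdsa.PrivateKey
	authKeys       map[string]*ecdsa.PrivateKey
}

func NewAuthenticator(aaid string) *Authenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for factory key injection
	if err != nil { panic(err) }
	return &Authenticator{AAID: aaid, attestationKey: k, authKeys: map[string]*ecdsa.PrivateKey{}}
}

// AttestationPublicKey is what the vendor publishes as the model's trust anchor (metadata).
func (a *Authenticator) AttestationPublicKey() *ecdsa.PublicKey { return &a.attestationKey.PublicKey }

// Register: verify user, generate key pair, sign the attestation object.
func (a *Authenticator) Register(req RegistrationRequest, userVerified bool) (AttestationObject, error) {
	if !userVerified { return AttestationObject{}, errors.New("user verification failed") }
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return AttestationObject{}, err }
	der, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	if err != nil { return AttestationObject{}, err }
	a.authKeys[req.RPName] = k // site-specific key; the private half never leaves the authenticator
	obj := AttestationObject{PublicKey: der, AAID: a.AAID, Challenge: req.Challenge, RPName: req.RPName}
	obj.Signature, err = ecdsa.SignASN1(rand.Reader, a.attestationKey, obj.tbs())
	return obj, err
}

// Server stores public keys only (no secrets), keyed by the userid that legacy
// authentication established before registration started.
type Server struct {
	RPName     string
	Policy     map[string]bool                // acceptable AAIDs
	Metadata   map[string]*ecdsa.PublicKey    // AAID -> trust anchor, as fetched from a metadata service
	Registered map[string][]AttestationObject // userid -> registered authenticators
	pending    map[string][]byte              // userid -> outstanding challenge
}

func NewServer(rp string, policy map[string]bool, md map[string]*ecdsa.PublicKey) *Server {
	return &Server{RPName: rp, Policy: policy, Metadata: md,
		Registered: map[string][]AttestationObject{}, pending: map[string][]byte{}}
}

func (s *Server) StartRegistration(userID string) RegistrationRequest {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	s.pending[userID] = c
	return RegistrationRequest{RPName: s.RPName, Challenge: c}
}

func (s *Server) FinishRegistration(userID string, obj AttestationObject) error {
	c, ok := s.pending[userID]
	if !ok { return errors.New("no pending registration") }
	delete(s.pending, userID) // challenge is single-use
	if string(c) != string(obj.Challenge) { return errors.New("challenge mismatch") }
	if obj.RPName != s.RPName { return errors.New("attestation bound to another RP") }
	anchor, ok := s.Metadata[obj.AAID]
	if !ok { return errors.New("unknown AAID: no trust anchor in metadata") }
	if !ecdsa.VerifyASN1(anchor, obj.tbs(), obj.Signature) { return errors.New("attestation signature invalid") }
	if !s.Policy[obj.AAID] { return errors.New("AAID not acceptable under policy") }
	if _, err := x509.ParsePKIXPublicKey(obj.PublicKey); err != nil { return err }
	s.Registered[userID] = append(s.Registered[userID], obj) // link new authenticator to existing userid
	return nil
}
```

Usage: build the server with the authenticator model's AttestationPublicKey as the metadata entry for its AAID, then run StartRegistration, Register and FinishRegistration for the userid that legacy authentication produced. The server's order of checks matters: the challenge is consumed before anything else (so a replayed or stale attestation object fails even if its signature is fine), the signature is verified against the model's trust anchor before the policy is consulted, and an AAID with no metadata entry is rejected outright because there is nothing to verify the attestation against.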
26. UAF Authentication
Actors: App (on the user device), Web App and FIDO Server (relying party), FIDO Authenticator.
0. Prepare
1. Initiate Authentication (App to Web App)
2. Auth. Request with Challenge (from the FIDO Server)
3. Verify User & Sign Challenge (FIDO Authenticator, key specific to RP Webapp)
4. Auth. Response (to the FIDO Server)
28. Transaction Confirmation
Device: Browser or Native App, FIDO Authenticator. Relying Party: Web App, FIDO Server.
1. Initiate Transaction
2. Authentication Request + Transaction Text
3. Display Text, Verify User & Unlock Private Key (specific to User + RP Webapp)
4. Authentication Response + Text Hash, signed by User's private key
5. Validate Response & Text Hash using User's Public Key
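The authentication flow (slide 26) and transaction confirmation (slide 28) above, together with the site-specific keys of slide 17 and the channel binding listed on slide 44, as one added example in Go. It is not code from the slides or from Nok Nok Labs and not the UAF wire format: the signed layout (digest of RP name, challenge, TLS server key hash, and a flag plus the text hash), the relying party foo.com, the userid 1234 and the stand-in TLS key hash are this example's own assumptions. Registration is assumed to have happened already; Setup simply installs the resulting key pair on both sides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// AuthRequest: sent by the FIDO server; TransactionText is empty for plain authentication.
type AuthRequest struct {
	RPName          string
	Challenge       []byte // 32 random bytes, single use
	TransactionText string
}

// AuthResponse is signed with the user's private key for this RP.
type AuthResponse struct {
	Challenge      []byte
	TextHash       []byte // SHA-256 of the text the user saw, nil if none
	ChannelBinding []byte // SHA-256 of the TLS server key the client actually connected to
	Signature      []byte
}

// toBeSigned: 32-byte digests plus a presence flag for the text hash, so concatenation is unambiguous.
func toBeSigned(rpName string, r AuthResponse) []byte {
	rp := sha256.Sum256([]byte(rpName))
	h := sha256.New()
	h.Write(rp[:])
	h.Write(r.Challenge)
	h.Write(r.ChannelBinding)
	if r.TextHash != nil { h.Write([]byte{1}); h.Write(r.TextHash) } else { h.Write([]byte{0}) }
	return h.Sum(nil)
}

// Authenticator: one key per RP (from registration); Confirm models the transaction
// confirmation display, showing the text and reporting whether the user approved it.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	Confirm func(text string) bool
}

func (a *Authenticator) Authenticate(req AuthRequest, userVerified bool, tlsServerKeyHash []byte) (AuthResponse, error) {
	key, ok := a.keys[req.RPName] // site-specific key: a look-alike RP name finds no key
	if !ok { return AuthResponse{}, errors.New("no key registered for " + req.RPName) }
	if !userVerified { return AuthResponse{}, errors.New("user verification failed") }
	resp := AuthResponse{Challenge: req.Challenge, ChannelBinding: tlsServerKeyHash}
	if req.TransactionText != "" {
		if !a.Confirm(req.TransactionText) { return AuthResponse{}, errors.New("user declined the transaction") }
		th := sha256.Sum256([]byte(req.TransactionText)); resp.TextHash = th[:]
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, toBeSigned(req.RPName, resp))
	resp.Signature = sig
	return resp, err
}

// Server keeps public keys only; TLSKeyHash identifies its own TLS server key.
type Server struct {
	RPName     string
	TLSKeyHash []byte
	pubKeys    map[string]*ecdsa.PublicKey // userid -> key registered earlier
	pending    map[string]AuthRequest
}

func (s *Server) StartAuthentication(userID, transactionText string) AuthRequest {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	req := AuthRequest{RPName: s.RPName, Challenge: c, TransactionText: transactionText}
	s.pending[userID] = req
	return req
}

func (s *Server) FinishAuthentication(userID string, r AuthResponse) error {
	req, ok := s.pending[userID]
	if !ok { return errors.New("no pending authentication") }
	delete(s.pending, userID) // each challenge is single-use
	if string(req.Challenge) != string(r.Challenge) { return errors.New("challenge mismatch") }
	if string(s.TLSKeyHash) != string(r.ChannelBinding) {
		return errors.New("channel binding mismatch: client talked to another TLS endpoint (MITM?)")
	}
	if req.TransactionText != "" {
		want := sha256.Sum256([]byte(req.TransactionText))
		if string(want[:]) != string(r.TextHash) { return errors.New("text hash mismatch: user did not confirm this text") }
	}
	pk, ok := s.pubKeys[userID]
	if !ok || !ecdsa.VerifyASN1(pk, toBeSigned(s.RPName, r), r.Signature) { return errors.New("signature invalid") }
	return nil
}

// Setup builds foo.com's server and an authenticator whose foo.com key was registered
// for user 1234 earlier; the TLS key hash is a constructed stand-in, not a real key.
func Setup() (*Server, *Authenticator) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tls := sha256.Sum256([]byte("stand-in for foo.com's TLS server public key"))
	srv := &Server{RPName: "foo.com", TLSKeyHash: tls[:], pending: map[string]AuthRequest{},
		pubKeys: map[string]*ecdsa.PublicKey{"1234": &key.PublicKey}}
	return srv, &Authenticator{keys: map[string]*ecdsa.PrivateKey{"foo.com": key}, Confirm: func(string) bool { return true }}
}
```

Usage: srv.StartAuthentication("1234", text) produces the request, auth.Authenticate(req, true, srv.TLSKeyHash) the signed response, and srv.FinishAuthentication("1234", resp) the verdict. Three failure modes from the slides show up as distinct rejections: a look-alike RP name never gets a signature because the authenticator has no key under that name; a response produced while the client was connected to some other TLS endpoint fails the channel binding check on the server; and a transaction whose displayed text was altered on the way to the user fails the text hash comparison, since the server hashes the text it sent, not the text the authenticator signed.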
33. FIDO Authenticator Concept
FIDO Authenticator components:
• User Verification / Presence
• Attestation Key: injected at manufacturing, doesn't change
• Authentication Key(s): generated at runtime (on Registration)
• Optional components: Transaction Confirmation Display
34. What about rubber fingers?
Protection methods in FIDO
1. The attacker needs access to the Authenticator and must swipe the rubber finger on it. This makes it a non-scalable attack.
2. Authenticators might implement presentation attack detection methods.
Remember: creating hundreds of millions of rubber fingers + stealing the related authenticators is expensive. Stealing hundreds of millions of passwords from a server has a low cost per password.
35. But I can't revoke my finger…
• Protection methods in FIDO
You don't need to revoke your finger, you can simply de-register the old (=attacked) authenticator. Then,
1. Get a new authenticator
2. Enroll your finger (or iris, …) to it
3. Register the new authenticator to the service
36. FIDO & Federation
First Mile (FIDO Protocol): between the FIDO USER DEVICE (BROWSER / APP, FIDO CLIENT, FIDO AUTHENTICATOR) and the IdP's FIDO SERVER. The FIDO Server knows details about the Authentication strength.
Second Mile (Federation): between the IdP (FEDERATION SERVER, Id DB) and the Service Provider. The Id DB knows details about the Identity and its verification strength.
37. FIDO & Federation in Enterprise
Enterprise IT: IdP (FIDO SERVER + FEDERATION SERVER; could be operated externally as well), Enterprise Appl. 1, 2 … N
Cloud-hosted Appl. 1, 2 … N
"External" User and "Internal" User reach the applications via Federated Login, e.g. OpenID Connect
38. FIDO UAF Enabled Products
OEM Enabled Smartphones & Tablets:
• Samsung: Galaxy S6, S6 Edge, S6 Edge+; Galaxy Tab S2 8"+9.7"; Galaxy Note 5; Galaxy S5, S5 Mini, S5 Plus; Galaxy Alpha; Galaxy Note 4, Note 4 Edge; Galaxy Tab S 8.4"+10.5"
• Sony: Xperia Z5, Z5 Compact, Z5 Premium
• Sharp: Aquos Zeta SH-03G, SH-01H
• Fujitsu: Arrows NX F-04G, Fit F-01H, NX F-02H
Clients available for these operating systems:
Software Authenticator Examples: Speaker/Face recognition, PIN, QR Code, etc.
Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element
40. Typical RP Deployment
FIDO USER DEVICE: MOBILE APP, FIDO CLIENT, ASM, FIDO AUTHENTICATOR (Native FIDO Stack, not on old devices)
Challenge: Old devices do not have a native FIDO Stack
41. Typical RP Deployment
FIDO USER DEVICE: MOBILE APP with an App SDK that carries an Embedded FIDO Stack (FIDO CLIENT, ASM, AUTHENTICATOR), next to the Native FIDO Stack (FIDO CLIENT, ASM, FIDO AUTHENTICATOR; not on old devices)
Challenge: Old devices do not have a native FIDO Stack
Solution: embed FIDO Stack in App SDK
42. Typical Native FIDO Stack
FIDO USER DEVICE (SMARTPHONE): FIDO CLIENT and ASM run in the Rich Execution Environment, e.g. Android; the FIDO AUTHENTICATOR runs in the Trusted Execution Environment (TEE).
Fingerprint is mostly used today, typically on high-end devices.
Some devices use eye/iris as modality.
No need for expensive FP Sensors.
43. Conclusion
• Different authentication use-cases lead to different authentication requirements
• FIDO separates user verification from authentication and hence supports all user verification methods
• FIDO supports scalable convenience & security
• User verification data is known to the Authenticator only
• FIDO complements federation
Rolf Lindemann, Nok Nok Labs, rolf@noknok.com
44. How does FIDO UAF work?
1. Use Metadata to understand Authenticator security characteristics
2. Define policy of acceptable Authenticators
3. Store public keys on the server (no secrets)
4. Provide cryptographic proof of authenticator model
5. Generate key pair in Authenticator to protect against phishing
6. Use site-specific keys in order to protect privacy
7. Verify user before signing authentication response
8. Use channel binding to protect against MITM
45. Classifying Threats
Scalable attacks:
1. Remotely attacking central servers: steal data for impersonation
2. Remotely attacking lots of user devices: steal data for impersonation
3. Remotely attacking lots of user devices: misuse them for impersonation
4. Remotely attacking lots of user devices: misuse authenticated sessions
Physical attacks (possible on lost or stolen devices, 3% in the US in 2013):
5. Physically attacking user devices: steal data for impersonation
6. Physically attacking user devices: misuse them for impersonation
46. Registration Overview (2)
Relying Party foo.com
Physical Identity ("Know Your Customer" rules) is established by Legacy Authentication against the WEB Application:
{ userid=1234, jane@mail.com, known since 03/05/04, payment history=xx, … }
Virtual Identity held by the FIDO SERVER:
{ userid=1234, pubkey=0x43246, AAID=x; +pubkey=0xfa4731, AAID=y }
Registration: FIDO AUTHENTICATOR with AAID y, key for foo.com: 0xfa4731
Link the new Authenticator to the existing userid.
48. Trusted Execution Environment (TEE)
FIDO Authenticator as Trusted Application (TA): User Verification / Presence, Attestation Key, Authentication Key(s)
Client Side Biometrics: store at enrollment, compare at authentication, unlock the key after comparison
49. Combining TEE and SE
FIDO Authenticator as Trusted Application (TA), split across the Trusted Execution Environment (TEE) and a Secure Element: Attestation Key, Authentication Key(s), User Verification / Presence, Transaction Confirmation Display (e.g. GlobalPlatform Trusted UI)