Webinar: Javelin Research's State of Strong Authentication 2019 Report
Presented by:
Al Pascual, SVP and Research Director, Javelin Strategy
Andrew Shikiar, Chief Marketing Officer, FIDO Alliance
February 7, 2019
1. JAVELIN RESEARCH'S STATE OF STRONG AUTHENTICATION 2019 REPORT
AL PASCUAL, SVP AND RESEARCH DIRECTOR, JAVELIN STRATEGY & RESEARCH
ANDREW SHIKIAR, CHIEF MARKETING OFFICER, FIDO ALLIANCE
FEBRUARY 7, 2019
All Rights Reserved | FIDO Alliance | Copyright 2019
2. SPEAKERS
Al Pascual, SVP & Research Director, Javelin Strategy & Research
Andrew Shikiar, CMO, FIDO Alliance
3. THE STATE OF STRONG AUTHENTICATION 2019 REPORT
AL PASCUAL, JAVELIN STRATEGY & RESEARCH
4. METHODOLOGY
Enterprise data in this report was collected from a survey of 600 identity and authentication decision-makers for businesses headquartered in the United States, with revenues of at least $20 million for the previous year.

301 respondents answered questions about their business's practices in authenticating customers and 299 answered questions about their business's practices in authenticating employees, vendors, and contractors.

When data was compared against 2017 responses, the previous year's data was adjusted to exclude businesses with annual revenues under $20 million for more accurate comparison against the 2018 respondent pool.
5. STRONG VS TRADITIONAL AUTHENTICATION
STRONG AUTHENTICATION
✓ Multiple factors
✓ 1+ factor uses a cryptographically backed authentication method
TRADITIONAL AUTHENTICATION
✓ Multiple factors
✗ No cryptographic handshake
CRYPTOGRAPHICALLY BACKED STRONG AUTHENTICATION: where one of multiple authentication factors uses public key cryptography
6. KEY FINDINGS: DRAMATIC GROWTH SINCE 2017
Adoption of cryptographically backed authentication has TRIPLED for consumers and INCREASED 50% for enterprise.
7. KEY FINDINGS: ADOPTION ACCELERATED BY REGULATION
Nearly 70% of businesses agree they face strong regulatory pressure to provide strong authentication for their customers (e.g. PSD2, GDPR).
8. KEY FINDINGS: HOLDOUTS UNDERESTIMATE RISKS
Two-thirds of businesses that use only passwords to authenticate their employees do so because they believe passwords are "good enough", despite cybercriminals continuing to target a wide variety of consumer and business information.
9. RECOMMENDATIONS: SUNSET OTPS
With cybercriminals using social engineering, phone porting and malware to compromise OTP authenticators, Javelin recommends moving away from them and adopting cryptographically backed strong authentication.
10. CASE STUDIES: GOOGLE, TRADELINK, VISA
Google
• No successful phishing attacks against 85,000+ employees since implementing FIDO Security Keys in 2017
• Released their FIDO-based Titan Security Key, intended for enterprises using Google services
• Chrome supports WebAuthn
Tradelink
• Using FIDO Authentication since 2016
• Adoption by banks has been strong; no user information ever leaves the device
• Hong Kong government will launch a new initiative for electronic ID in 2020 leveraging FIDO Authentication
Visa
• Using a FIDO Certified solution as part of its ID Intelligence suite for FIDO-based biometrics
• Visa chose a FIDO-based solution because it aligned with its approach of prioritizing protection of user data and leveraging available data to make better decisions
11. FIDO: CRYPTOGRAPHICALLY BACKED AUTHENTICATION
ANDREW SHIKIAR, FIDO ALLIANCE
12. MEASURING THE PROBLEM
• 81%: data breaches in 2016 that involved weak, default, or stolen passwords (VDBR)
• 1 in 8: phishing attacks that were successful in 2017 (VDBR)
• 1,579: breaches in 2017, a 45% increase over 2016 (ITRC)
• 51%: passwords reused across services (University of Oxford)
• 20-50%: helpdesk calls that are for password resets, at $70 per reset (Gartner/Forrester)
• 49%: password-driven cart abandonment rate (Visa)
13. LEADING THE EFFORT
(Member logos in three groups: CONSUMER ELECTRONICS | SECURITY & BIOMETRICS | HIGH-ASSURANCE SERVICES)
14. OLD AUTHENTICATION WITH PASSWORDS
(Diagram: the device sends "something" the user knows, the password, over the Internet to the server for authentication)
1. Password could be stolen from the server
2. Password might be entered into an untrusted app / website ("phishing")
3. Too many passwords to remember (leads to re-use / cart abandonment)
4. Inconvenient to type a password on a phone
15. NEW AUTHENTICATION WITH FIDO
(Diagram: an Authenticator with user verification performs FIDO Authentication against the server. The server sends a Challenge and the authenticator returns a (Signed) Response. A private key (handle) per account stays on the authenticator; the server holds only the public key. A user gesture is required before the private key can be used.)
1. No secrets stored on the server
2. Authenticator cannot be "tricked" by phishing
3. Nothing to remember, no friction added to the transaction process
4. Single-gesture convenience for the user
16. THE FIDO AUTHENTICATOR
(Diagram: an Authenticator with user verification performing FIDO Authentication; the key is held in a secure element (SE) or similar)
How is the key protected (TPM, SE, TEE, …)?
Which user verification method is used?
17. FIDO SPECIFICATIONS
Passwordless Experience (UAF & FIDO2)
1. Authentication Challenge
2. Biometric User Verification*
3. Authenticated Online
Second Factor Experience (U2F & FIDO2)
1. Second Factor Challenge
2. Insert Security Key* / Press Button
3. Authenticated Online
*There are other types of authenticators
18. FIDO IS A W3C SPECIFICATION
FIDO2 (CTAP & W3C Web Authentication / "WebAuthn")
19. FIDO IS AN ITU STANDARD
X.1277 -- ITU ratification of FIDO UAF
X.1278 -- ITU ratification of FIDO2 CTAP (includes CTAP1/U2F)
24. FIDO IS BEING USED AROUND THE WORLD
(Sample of deployments in production)
25. IN SUMMARY… SECURE BY DESIGN
• Based on public key cryptography
• No server-side shared secrets
• Keys stay on device
• No 3rd party in the protocol
• Biometrics, if used, never leave device
• No link-ability between services or accounts
26. FIDO: THE FUTURE OF USER AUTHENTICATION
FIDO Authentication is the industry's response to the password problem
• INDUSTRY SUPPORT: FIDO represents the efforts of some of the world's largest companies whose very businesses rely upon better user authentication
• THOUSANDS OF SPEC DEVELOPMENT HOURS: now being realized in products being used every day
• ONGOING INNOVATION: specifications, certification programs, and deployment working groups establishing best implementation practices
• ENABLEMENT: leading service providers representing billions of user identities are already FIDO-enabling their authentication processes
27. Join the FIDO Ecosystem
www.fidoalliance.org
Deploy
Take Part in FIDO Events
Build FIDO Certified Solutions
Join the Alliance
Twitter: @fidoalliance
28. Connect with FIDO
fidoalliance.org