Mobile Connections – FIDO Alliance and GSMA Presentation

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION
1

Data Breaches
are out of control
2

783 data breaches
IN 2014...
>1 billion
records stolen since 2012
3
$3.5 million
average cost per breach

Re-used Phished Keylogged
TOO MANY TO REMEMBER,
DIFFICULT TO TYPE,
AND TOO VULNERABLE
5

Adding more authentication
has largely been rejected by users
6

ONE-TIME PASSCODES
Improve security but
aren’t easy enough
Still
Phishable
Poor User
Experience
Token
Necklace
SMS
Reliability
7

THE OLD
PARADIGM
8
USABILITYSECURITY
PasswordsOTP
2FA
PINs

WE NEED A
NEW MODEL
Fast IDentity Online9

THE FIDO
PARADIGM
10
Poor Good
WeakStrong
USABILITY
SECURITY
Passwords
™
PINs
OTP
2FA

HOW DOES FIDO WORK?
USER VERIFICATION FIDO AUTHENTICATION
AUTHENTICATOR
11

Fido Registration
2
Registration Begins
1
12
User Approval
3
New Key Created
4
Key Registered using
Public Key
Cryptography

Fido Login
2
Login
1
13
Login Challenge
3
Key Selected
4
Login Response using
Public Key
Cryptography
User Approval
Login Complete

online authentication using
public key cryptography
14

Passwordless Experience (FIDO UAF Standards)
Second Factor Experience (FIDO U2F Standards)
Transaction Detail User Authentication Done
1 2 3
Success
$10,000
Transfer Now
Login & Password
1
Insert dongle
Press Button
2
Done
3
Success
15

2014 Deployments
16
 PayPal continues FIDO enablement in
improved mobile wallet app.
 Google has FIDO in Chrome and
2-Step Verification.
 Samsung adds FIDO enabled Touch
authentication to Galaxy® S6

FIDO UNIVERSAL 2ND FACTOR
AUTHENTICATOR
Is a user
present?
Same
authenticator
as registered
before?
17

18
Step 1
U2F AUTHENTICATION DEMO EXAMPLE

19
Step 2

20
Step 3

21
Step 4
+Bob

AUTHENTICATOR
FIDO UNIVERSAL
AUTHENTICATION FRAMEWORK UAF
22
Same User
as enrolled
before?
Same
Authenticator
as registered
before?

UAF AUTHENTICATION
DEMO EXAMPLE
23
STEP 1

24
UAF AUTHENTICATION
DEMO EXAMPLE
STEP 2

25
UAF AUTHENTICATION
DEMO EXAMPLE
STEP 3

26
UAF AUTHENTICATION
DEMO EXAMPLE
STEP 4

USABILITY, SECURITY
and
PRIVACY
27

28
No 3rd Party in the Protocol
No Secrets on the Server side
Biometric data (if used) never leaves device
No link-ability between Services or Accounts

Better Security for online services
Reduced cost for the enterprise
Simple & Safe for consumers
29

The FIDO Alliance is an open
association of more than 180
diverse member organizations
30

31
Physical-to-digital identity
User Management
Authentication
Federation
Single
Sign-On
Passwords Risk-BasedStrong
MODERN
AUTHENTICATION
10

Board Members
32
 Online Services
 Chip Providers
 Device Providers
 Biometrics Vendors
 Enterprise Servers
 Platform Providers

FIDO TIMELINE
FIDO 1.0 FINAL
Specification
First UAF & U2F
Deployments
Specification
Review DraftFIDO Ready
Program
Alliance
Announced
FEB
2013
(6 Members)
DEC
2013
(59 Members)
FEB
2014
(84 Members)
FEB-OCT
2014
(129 Members)
DEC 9
2014
(152 Members)
33

FIDO implementations and deployments
34
FIDO in 2015

35
A range of
FIDO PRODUCTS
is now available

36
Implementing 1.0 Specifications
(this is only a subset of active implementations)
Online Services
Chip Providers
Device Providers
Biometrics Technology Providers
Enterprise Servers
Open Source
Mobile Apps/Clients
WWW Browsers

FIDO in Windows 10
37
 Windows used by
1.5 billion users
 Windows 10 in 190
countries by Q3
 Free upgrade for
consumer

FIDO in Snapdragon
38
 Market leader to
ship FIDO client
 85+ OEMs as of Q4
 >1 billion Android
devices shipped
 Innovative sensor

FIDO in Healthcare
39
 First healthcare
deployment
 Physician access
to health records
 up to 50 million
Healthcare users

FIDO in Enterprise
40
 Google for Work announced Enterprise
admin support for FIDO® U2F “Security
Key” – April 21
 Google for Work is used by over 5
million businesses worldwide
 “The Security Keys are a great step
forward, as they are very practical and
more secure.” – Woolsworth IT

FIDO & Government
41
2013 Data Breach Investigations Report (conducted
by Verizon in concert with the U.S. Department of
Homeland Security) noted that 76% of 2012 network
intrusions exploited weak or stolen credentials.
-- NIST Roadmap for Improving Critical Infrastructure Cybersecurity,12-
Feb-2014
 Governments
worldwide are
looking at FIDO
 FIDO featured at
White House Summit
 New collaboration
framework…

Infineon
NSP
NNL
New Government
Membership Class
 Reflecting an increased
focus on Government
collaboration worldwide
 Details are now published in
the new FIDO Alliance
Membership Agreement
42

About the GSMA
The GSMA represents the interests of
mobile operators worldwide
Spanning more than 220 countries, the
GSMA unites nearly 800 of the world’s
mobile operators, as well as more than
230 companies in the broader mobile
ecosystem

© GSMA 2014
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
Mobile Connect: a convenient and secure alternative to
passwords that also Protects consumers privacy
• Easy to use as it uses the mobile phone for
authentication (i.e. no passwords)
• Anonymous but secure log-in (no passwords to
steal, improved user experience, reduce friction)
• Adds trust into digital transactions (e.g. by
confirming location, user identity, usage)
• Protects privacy (operator confirm credentials,
user gives consent for sharing)
• Reduce SP fraud through assurance that there
is as real person behind the account
• Simple and cost effective for MNOs to deploy,
leveraging existing operator assets

© GSMA 2014
Something I
Know
Something I
Have
Something I Have
+
Something I
Know
Something I Have
+
Something I Am
Or
Mobile Connect and FIDO both seek to replace passwords

© GSMA 2014
 Both FIDO and Mobile Connect are addressing the same problem: easier, safer
online authentication
 Both FIDO and Mobile Connect leverage the mobile phone to achieve this
 Whilst Mobile Connect uses existing MNO services for authentication (SMS, USSD,
SIM Toolkit)
 … FIDO leverages the local device authentication on the phone itself
 In doing so, both provide easy, secure two-factor authentication
 Both also provide a pluggable framework that can support a variety of security
levels as well as supporting new authentication methods as they arise
FIDO objectives align well with those of Mobile Connect

© GSMA 2014
Synergistic fit using FIDO for the first mile of Mobile Connect
FIDO UAF protocol
Mobile phone
with FIDO client AuthN server
MNO
Tablet/desktop
Service access request
Service Provider
Authentication
request
Identity GW
First mile
Second mileSIM applet protocol (CPAS8)
AuthN
server
SIM
applet
A key difference between FIDO and
Mobile Connect is that FIDO purposefully
focuses solely on the first mile –
authentication itself – whilst Mobile
Connect also provides a federation layer
via OpenID Connect

© GSMA 2014
MNO
 Leveraging FIDO enables users to authenticate using existing
authentication mechanisms on their mobile phone
 …including biometrics – the user
becomes the credential (Something I am)
FIDO can be integrated into Mobile Connect to extend the range of
authenticators
Authentication
Mobile phone
with FIDO client MFAS Identity GW

© GSMA 2014
Mobile Connect and FIDO UAF integration: White Paper
 Main objective:
– Overview of FIDO Architecture and use cases
– Integration of FIDO UAF authenticators into Mobile Connect arch
 Status:
– Co-developed between GSMA, MNOs and FIDO members
– First draft finished and out for review within FIDO Alliance and GSMA; targeting
publication by end June
 Left for a second phase:
– UICC based FIDO authenticator
– Use of UICC to enhance FIDO implementation security
– FIDO U2F integration

© GSMA 2014
 Service Providers need to be able to both specify and receive feedback on the type of
authenticator used
 Mobile Connect
– uses Level of Assurance (LoA) values (ISO 29115) in the OIDC request acr_values
params, so the SP can indicate the authenticator class that should be used
 FIDO
– uses the FIDO Policy to describe the required authenticator characteristics for
accepted authenticators
 Options:
– Expand the list of acr_values to accommodate additional LoA/policies
– Capture SP requirements at registration to the Mobile Connect service and
propagate via the Mobile Connect federation
Matching of FIDO policies to OpenID Connect ‘acr_values’

© GSMA 2014
 GSMA White paper
– Continue Working on open issues related to the integration of
the FIDO authentication framework with Mobile Connect
– Improve the document with feedback from the PoC
 FIDO/GSMA/MNO PoC (June/July)
– Prototype of FIDO integration into an end-end Mobile Connect
implementation: Telefonica + Nok Nok Labs
– Targeted for Mobile World Congress Shanghai
 MNO/SP beta trial (post MWCS)
– Live implementation and trial of FIDO authenticators within a
Mobile Connect service provided to an SP
Next steps

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION
54

Mobile Connections – FIDO Alliance and GSMA Presentation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Mobile Connections – FIDO Alliance and GSMA Presentation

Similar to Mobile Connections – FIDO Alliance and GSMA Presentation (20)

More from FIDO Alliance

More from FIDO Alliance (20)

Recently uploaded

Recently uploaded (20)

Mobile Connections – FIDO Alliance and GSMA Presentation