FIDO Alliance, profile picture
Uploaded byFIDO Alliance
PDF, PPTX2,550 views

Technical Principles of FIDO Authentication

The document discusses technical principles of FIDO authentication. It provides an overview of how FIDO works, including the FIDO ecosystem with authenticators, clients, servers and relying parties. It also summarizes the FIDO registration and authentication processes, which separate user verification from authentication through the use of public and private keys.

Embed presentation

Download as PDF, PPTX
1 TECHNICAL PRINCIPLES OF FIDO AUTHENTICATION Rolf Lindemann, Nok Nok Labs All Rights Reserved | FIDO Alliance | Copyright 2019
2 HOW SECURE IS AUTHENTICATION? All Rights Reserved | FIDO Alliance | Copyright 2019
All Rights Reserved | FIDO Alliance | Copyright 20193 HOW SECURE IS AUTHENTICATION? Attacks require physical action → not scalable Things are never 100% secure, so focus on adequate security. Focus on the scalable attacks first. Scalable Attacks
All Rights Reserved | FIDO Alliance | Copyright 20194 CLOUD AUTHENTICATION DeviceSomething Authentication Risk Analytics Internet
All Rights Reserved | FIDO Alliance | Copyright 20195 HOW DOES FIDO WORK?
All Rights Reserved | FIDO Alliance | Copyright 20196 HOW DOES FIDO WORK? DeviceUser verification FIDO Authentication Authenticator
All Rights Reserved | FIDO Alliance | Copyright 20197 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Require user gesture before private key can be used Challenge (Signed) Response Private key dedicated to one app Public key
All Rights Reserved | FIDO Alliance | Copyright 20198 FIDO ECOSYSTEM AuthenticatorUser verification FIDO Authentication … …SE
All Rights Reserved | FIDO Alliance | Copyright 20199 FIDO ECOSYSTEM AuthenticatorUser verification FIDO Authentication … …SE How is the key protected (TPM, SE, TEE, …)? Which user verification method is used?
All Rights Reserved | FIDO Alliance | Copyright 201910 ATTESTATION + METADATA Private attestation key Signed Attestation Object Metadata Understand Authenticator security characteristic by looking into Metadata from mds.fidoalliance.org FIDO Registration Verify using trust anchor included in Metadata Relying parties can store this for auditing purposes
All Rights Reserved | FIDO Alliance | Copyright 201911 FIDO AUTHENTICATORS We see “Bound” Authenticators, i.e. authenticators that are an integral part of a smartphone or laptop. We see “Roaming” Authenticators, i.e. authenticators that can be connected to different smartphones or laptops using CTAP. In both categories you find support for different modalities Verify User Verify User Presence
All Rights Reserved | FIDO Alliance | Copyright 201912 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes.
All Rights Reserved | FIDO Alliance | Copyright 201913 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes. Identity binding to be done outside FIDO: This this “John Doe with customer ID X”.
All Rights Reserved | FIDO Alliance | Copyright 201914 FIDO BUILDING BLOCKS (Roaming) Authenticator USER DEVICE FIDO Client (Bound) Authenticator ASM RP App FIDO Authentication RP App Server FIDO Server Metadata
All Rights Reserved | FIDO Alliance | Copyright 201915 FIDO BUILDING BLOCKS (Roaming) Authenticator User Device Browser (Bound) Authenticator Platform RP App FIDO Authentication RP App Server FIDO Server Metadata Web Authentication JS API CTAP
FIDO USER DEVICE FIDO CLIENT IdP FIDO SERVER FIDO AUTHENTICATOR FEDERATION SERVERBROWSER / APP FIDO Protocol Service Provider Federation Id DB Knows details about the Authentication strength Knows details about the Identity and its verification strength. First Mile Second Mile 16 FIDO & FEDERATION All Rights Reserved | FIDO Alliance | Copyright 2019
All Rights Reserved | FIDO Alliance | Copyright 201917 WEB AUTHENTICATION Supported In: JavaScript API that enables FIDO Authentication directly in web browsers
All Rights Reserved | FIDO Alliance | Copyright 201918 FIDO AUTHENTICATION: SECURITY & CONVENIENCE
All Rights Reserved | FIDO Alliance | Copyright 201919 CONVENIENCE & SECURITY Security Convenience Password
All Rights Reserved | FIDO Alliance | Copyright 201920 CONVENIENCE & SECURITY Security Convenience Password + OTP Password
All Rights Reserved | FIDO Alliance | Copyright 201921 CONVENIENCE & SECURITY Security Convenience Password + OTP Password FIDO In FIDO • Same user verification method for all servers In FIDO: Arbitrary user verification methods are supported (+ they are interoperable)
All Rights Reserved | FIDO Alliance | Copyright 201922 CONVENIENCE & SECURITY Security Convenience Password + OTP Password FIDO In FIDO: Scalable security depending on Authenticator implementation In FIDO: • Only public keys on server • Not phishable
All Rights Reserved | FIDO Alliance | Copyright 201923 CONCLUSION • Different authentication use-cases lead to different authentication requirements • FIDO separates user verification from authentication and hence supports all user verification methods • FIDO supports scalable convenience & security • User verification data is known to Authenticator only • FIDO complements federation
24 FIDO TECHNICAL OVERVIEW Rolf Lindemann, Nok Nok Labs Thank You All Rights Reserved | FIDO Alliance | Copyright 2019
All Rights Reserved | FIDO Alliance | Copyright 201925 FIDO REGISTRATION accountInfo, challenge, [cOpts] rpId, ai, hash(clientData), cryptoP, [exts] verify user generate: key kpub key kpriv credential c c,kpub,clientData,ac,cdh,rpId,cntr,AAGUID[,exts], signature(tbs) c,kpub,clientData,ac,tbs, s store: key kpub c s Authenticator select Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData} cOpts: crypto params, credential black list, extensions cdh ai tbs ac: attestation certificate chain
All Rights Reserved | FIDO Alliance | Copyright 201926 FIDO AUTHENTICATION Authenticator Relying Party rpId, [c,] hash(clientData) select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h; clientData := {challenge, rpId, tlsData} clientData,cntr,[exts],signature(cdh,cntr,exts) clientData, cntr, exts, s lookup kpub from DB check: exts + signature using key kpub s cdh challenge, [aOpts] verify user find key kpriv cntr++; process exts

More Related Content

PPTX
FIDO Alliance Vision and Updates
byFIDO Alliance
 
PDF
Strong Customer Authentication & Biometrics
byFIDO Alliance
 
PDF
Beyond Passwords: FIDO and the Future of User Authentication
byFIDO Alliance
 
PPTX
Fido Technical Overview
byFIDO Alliance
 
PDF
Lifecycle Consideration for Security Key Deployments
byFIDO Alliance
 
PDF
Using FIDO Authenticator for IoT Devices
byFIDO Alliance
 
PDF
FIDO & PSD2 – Achieving Strong Customer Authentication Compliance
byFIDO Alliance
 
PDF
Expected Use Cases of FIDO Authentication in Social Apps
byFIDO Alliance
 
FIDO Alliance Vision and Updates
byFIDO Alliance
 
Strong Customer Authentication & Biometrics
byFIDO Alliance
 
Beyond Passwords: FIDO and the Future of User Authentication
byFIDO Alliance
 
Fido Technical Overview
byFIDO Alliance
 
Lifecycle Consideration for Security Key Deployments
byFIDO Alliance
 
Using FIDO Authenticator for IoT Devices
byFIDO Alliance
 
FIDO & PSD2 – Achieving Strong Customer Authentication Compliance
byFIDO Alliance
 
Expected Use Cases of FIDO Authentication in Social Apps
byFIDO Alliance
 

What's hot

PDF
Deployment Snapshot from Japan: NTT DOCOMO, Yahoo! Japan
byFIDO Alliance
 
PDF
FIDO and the Future of User Authentication
byFIDO Alliance
 
PDF
FIDO Biometric Certification Program
byFIDO Alliance
 
PDF
Technical Principles of FIDO Authentication
byFIDO Alliance
 
PDF
The Value of FIDO Certification
byFIDO Alliance
 
PDF
FIDO Support for the GDPR
byFIDO Alliance
 
PPTX
Going Passwordless with Microsoft
byFIDO Alliance
 
PDF
FIDO Authentication in the Shifting Regulatory Landscape
byFIDO Alliance
 
PDF
FIDO Authentication Technical Overview
byFIDO Alliance
 
PPTX
A First Step to a World without Passwords
byFIDO Alliance
 
PDF
Introduction to FIDO Biometric Authentication
byFIDO Alliance
 
PDF
FIDO2 & Microsoft
byFIDO Alliance
 
PDF
FIDO & Mobile Connect
byFIDO Alliance
 
PDF
Overview of FIDO Security Requirements and Certifications
byFIDO Alliance
 
PDF
FIDO Certified Program: The Value of Certification
byFIDO Alliance
 
PDF
FIDO Authentication in Hong Kong
byFIDO Alliance
 
PDF
Beyond Passwords: FIDO & the Future of Consumer Authentication
byFIDO Alliance
 
PDF
FIDO Alliance Vision and Status
byFIDO Alliance
 
PDF
FIDO Authentication Technical Overview
byFIDO Alliance
 
PPTX
Technical Principles of FIDO Authentication
byFIDO Alliance
 
Deployment Snapshot from Japan: NTT DOCOMO, Yahoo! Japan
byFIDO Alliance
 
FIDO and the Future of User Authentication
byFIDO Alliance
 
FIDO Biometric Certification Program
byFIDO Alliance
 
Technical Principles of FIDO Authentication
byFIDO Alliance
 
The Value of FIDO Certification
byFIDO Alliance
 
FIDO Support for the GDPR
byFIDO Alliance
 
Going Passwordless with Microsoft
byFIDO Alliance
 
FIDO Authentication in the Shifting Regulatory Landscape
byFIDO Alliance
 
FIDO Authentication Technical Overview
byFIDO Alliance
 
A First Step to a World without Passwords
byFIDO Alliance
 
Introduction to FIDO Biometric Authentication
byFIDO Alliance
 
FIDO2 & Microsoft
byFIDO Alliance
 
FIDO & Mobile Connect
byFIDO Alliance
 
Overview of FIDO Security Requirements and Certifications
byFIDO Alliance
 
FIDO Certified Program: The Value of Certification
byFIDO Alliance
 
FIDO Authentication in Hong Kong
byFIDO Alliance
 
Beyond Passwords: FIDO & the Future of Consumer Authentication
byFIDO Alliance
 
FIDO Alliance Vision and Status
byFIDO Alliance
 
FIDO Authentication Technical Overview
byFIDO Alliance
 
Technical Principles of FIDO Authentication
byFIDO Alliance
 

Similar to Technical Principles of FIDO Authentication

PDF
FIDO Technical Specifications Overview
byFIDO Alliance
 
PDF
FIDO Technical Specifications Overview
byFIDO Alliance
 
PDF
FIDO Specifications Tutorial
byFIDO Alliance
 
PPTX
FIDO Specifications Overview
byFIDO Alliance
 
PPTX
Getting to Know the FIDO Specifications - Technical Tutorial
byFIDO Alliance
 
PPTX
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
byFIDO Alliance
 
PDF
FIDO UAF 1.0 Specs: Overview and Insights
byFIDO Alliance
 
PDF
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
byCloudIDSummit
 
PDF
FIDO UAF 1.0 Specs: Overview and Insights
byFIDO Alliance
 
PDF
FIDO UAF Specifications: Overview & Tutorial
byFIDO Alliance
 
PDF
Introduction to the FIDO Alliance
byFIDO Alliance
 
PPTX
Introduction to the FIDO Alliance: Vision & Status
byFIDO Alliance
 
PDF
Deploying FIDO Authentication - Business Considerations
byFIDO Alliance
 
PDF
FIDO Workshop at the Cloud Identity Summit: FIDO Alliance Overview
byFIDO Alliance
 
PDF
The Future of Authentication for IoT
byFIDO Alliance
 
PPTX
Introduction to FIDO: A New Model for Authentication
byFIDO Alliance
 
PPTX
FIDO Masterclass
byFIDO Alliance
 
PDF
Introduction to FIDO Authentication
byFIDO Alliance
 
PPTX
FIDOAlliance
bySanjeev Verma, PhD
 
PDF
FIDO And the Future of User Authentication
byFIDO Alliance
 
FIDO Technical Specifications Overview
byFIDO Alliance
 
FIDO Technical Specifications Overview
byFIDO Alliance
 
FIDO Specifications Tutorial
byFIDO Alliance
 
FIDO Specifications Overview
byFIDO Alliance
 
Getting to Know the FIDO Specifications - Technical Tutorial
byFIDO Alliance
 
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
byFIDO Alliance
 
FIDO UAF 1.0 Specs: Overview and Insights
byFIDO Alliance
 
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications
byCloudIDSummit
 
FIDO UAF 1.0 Specs: Overview and Insights
byFIDO Alliance
 
FIDO UAF Specifications: Overview & Tutorial
byFIDO Alliance
 
Introduction to the FIDO Alliance
byFIDO Alliance
 
Introduction to the FIDO Alliance: Vision & Status
byFIDO Alliance
 
Deploying FIDO Authentication - Business Considerations
byFIDO Alliance
 
FIDO Workshop at the Cloud Identity Summit: FIDO Alliance Overview
byFIDO Alliance
 
The Future of Authentication for IoT
byFIDO Alliance
 
Introduction to FIDO: A New Model for Authentication
byFIDO Alliance
 
FIDO Masterclass
byFIDO Alliance
 
Introduction to FIDO Authentication
byFIDO Alliance
 
FIDOAlliance
bySanjeev Verma, PhD
 
FIDO And the Future of User Authentication
byFIDO Alliance
 

More from FIDO Alliance

PPTX
Securing Account Lifecycles in the Age of Deepfakes.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
byFIDO Alliance
 
PPTX
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptx
byFIDO Alliance
 
PPTX
FIDO Alliance Seminar State of Passkeys.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: FIDO Tech Principles.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Securing Smart Car.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar: Biometrics and Passkeys for In-Vehicle Apps.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Workforce Authentication Case Study.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar FIDO Automotive Apps.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Blueprint for In-Vehicle Payment Standard.pptx
byFIDO Alliance
 
PPTX
FIDO Munich Seminar Introduction to FIDO.pptx
byFIDO Alliance
 
PPTX
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
byFIDO Alliance
 
PPTX
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
byFIDO Alliance
 
PPTX
UX Webinar Series: Aligning Authentication Experiences with Business Goals
byFIDO Alliance
 
PDF
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
byFIDO Alliance
 
Securing Account Lifecycles in the Age of Deepfakes.pptx
byFIDO Alliance
 
FIDO Seminar: Perspectives on Passkeys & Consumer Adoption.pptx
byFIDO Alliance
 
FIDO Seminar: Evolving Landscape of Post-Quantum Cryptography.pptx
byFIDO Alliance
 
FIDO Seminar: Targeting Trust: The Future of Identity in the Workforce.pptx
byFIDO Alliance
 
FIDO Seminar: New Data: Passkey Adoption in the Workforce.pptx
byFIDO Alliance
 
FIDO Seminar: Authentication for a Billion Consumers - Amazon.pptx
byFIDO Alliance
 
FIDO Alliance Seminar State of Passkeys.pptx
byFIDO Alliance
 
FIDO Munich Seminar: FIDO Tech Principles.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Securing Smart Car.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
byFIDO Alliance
 
FIDO Munich Seminar: Biometrics and Passkeys for In-Vehicle Apps.pptx
byFIDO Alliance
 
FIDO Munich Seminar Workforce Authentication Case Study.pptx
byFIDO Alliance
 
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
byFIDO Alliance
 
FIDO Munich Seminar FIDO Automotive Apps.pptx
byFIDO Alliance
 
FIDO Munich Seminar Blueprint for In-Vehicle Payment Standard.pptx
byFIDO Alliance
 
FIDO Munich Seminar Introduction to FIDO.pptx
byFIDO Alliance
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
byFIDO Alliance
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
byFIDO Alliance
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
byFIDO Alliance
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
byFIDO Alliance
 

Recently uploaded

PPTX
MEANING OF EMOJIS OF SOCIAL MEDIA - RUKUNDO Emmanuel..pptx
bysongsormusics
 
PPT
INTRODUCTION_TO_SOFTWARE_APPLICATION.pptx
byMESFINBELAY4
 
PDF
Cybrain Software Solutions – Building Future-Ready Digital Tools
byCybrain Software Solutions
 
PPTX
BTCFi on Starknet,Troves.fi offers automated strategies for Bitcoin users on ...
bytrovesfi
 
PPTX
Facebook: How to Maximize for Everyday Business
byLP3I Surabaya
 
PDF
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
PDF
DNSSEC Implementation Journey at Prime Bank’s Domain
byBangladesh Network Operators Group
 
PDF
A La Recherche Du Temps Perdu: In Search of the Cozy Web
byJen Looper
 
PDF
A Day in the Life of IPv6 Scanning by Matsuzaki ʻmazʼ
byBangladesh Network Operators Group
 
PPTX
ARCHITECTURESACGCHCIUOHCOHCSAKJCOQKCHUO.pptx
bymchlrdpc2921
 
PPTX
ENDNOTE refrencing how to do step by step..
byhumairasohaib19
 
PDF
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
PPTX
Passive Presentation pasdskpasdasdasdasf
byNoOne501682
 
PPTX
AI Presentation it all about what is ai and how to implement in real life
byshraddhasule1710
 
PPTX
evolution of internet (internet journey)
byyamunadevi49
 
MEANING OF EMOJIS OF SOCIAL MEDIA - RUKUNDO Emmanuel..pptx
bysongsormusics
 
INTRODUCTION_TO_SOFTWARE_APPLICATION.pptx
byMESFINBELAY4
 
Cybrain Software Solutions – Building Future-Ready Digital Tools
byCybrain Software Solutions
 
BTCFi on Starknet,Troves.fi offers automated strategies for Bitcoin users on ...
bytrovesfi
 
Facebook: How to Maximize for Everyday Business
byLP3I Surabaya
 
Automating ISP Networks Using Ansible and IPAM as a Source of Truth [SoT]
byBangladesh Network Operators Group
 
DNSSEC Implementation Journey at Prime Bank’s Domain
byBangladesh Network Operators Group
 
A La Recherche Du Temps Perdu: In Search of the Cozy Web
byJen Looper
 
A Day in the Life of IPv6 Scanning by Matsuzaki ʻmazʼ
byBangladesh Network Operators Group
 
ARCHITECTURESACGCHCIUOHCOHCSAKJCOQKCHUO.pptx
bymchlrdpc2921
 
ENDNOTE refrencing how to do step by step..
byhumairasohaib19
 
OFFENSIVE OPERATIONS : THE ANATOMY OF A NETWORK TAKEOVER
byBangladesh Network Operators Group
 
Passive Presentation pasdskpasdasdasdasf
byNoOne501682
 
AI Presentation it all about what is ai and how to implement in real life
byshraddhasule1710
 
evolution of internet (internet journey)
byyamunadevi49
 

Technical Principles of FIDO Authentication

  • 1.
    1 TECHNICAL PRINCIPLES OF FIDOAUTHENTICATION Rolf Lindemann, Nok Nok Labs All Rights Reserved | FIDO Alliance | Copyright 2019
  • 2.
    2 HOW SECURE ISAUTHENTICATION? All Rights Reserved | FIDO Alliance | Copyright 2019
  • 3.
    All Rights Reserved| FIDO Alliance | Copyright 20193 HOW SECURE IS AUTHENTICATION? Attacks require physical action → not scalable Things are never 100% secure, so focus on adequate security. Focus on the scalable attacks first. Scalable Attacks
  • 4.
    All Rights Reserved| FIDO Alliance | Copyright 20194 CLOUD AUTHENTICATION DeviceSomething Authentication Risk Analytics Internet
  • 5.
    All Rights Reserved| FIDO Alliance | Copyright 20195 HOW DOES FIDO WORK?
  • 6.
    All Rights Reserved| FIDO Alliance | Copyright 20196 HOW DOES FIDO WORK? DeviceUser verification FIDO Authentication Authenticator
  • 7.
    All Rights Reserved| FIDO Alliance | Copyright 20197 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Require user gesture before private key can be used Challenge (Signed) Response Private key dedicated to one app Public key
  • 8.
    All Rights Reserved| FIDO Alliance | Copyright 20198 FIDO ECOSYSTEM AuthenticatorUser verification FIDO Authentication … …SE
  • 9.
    All Rights Reserved| FIDO Alliance | Copyright 20199 FIDO ECOSYSTEM AuthenticatorUser verification FIDO Authentication … …SE How is the key protected (TPM, SE, TEE, …)? Which user verification method is used?
  • 10.
    All Rights Reserved| FIDO Alliance | Copyright 201910 ATTESTATION + METADATA Private attestation key Signed Attestation Object Metadata Understand Authenticator security characteristic by looking into Metadata from mds.fidoalliance.org FIDO Registration Verify using trust anchor included in Metadata Relying parties can store this for auditing purposes
  • 11.
    All Rights Reserved| FIDO Alliance | Copyright 201911 FIDO AUTHENTICATORS We see “Bound” Authenticators, i.e. authenticators that are an integral part of a smartphone or laptop. We see “Roaming” Authenticators, i.e. authenticators that can be connected to different smartphones or laptops using CTAP. In both categories you find support for different modalities Verify User Verify User Presence
  • 12.
    All Rights Reserved| FIDO Alliance | Copyright 201912 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes.
  • 13.
    All Rights Reserved| FIDO Alliance | Copyright 201913 HOW DOES FIDO WORK? AuthenticatorUser verification FIDO Authentication Same Authenticator as registered before? Same User as enrolled before? Can recognize the user (i.e. user verification), but doesn’t know its identity attributes. Identity binding to be done outside FIDO: This this “John Doe with customer ID X”.
  • 14.
    All Rights Reserved| FIDO Alliance | Copyright 201914 FIDO BUILDING BLOCKS (Roaming) Authenticator USER DEVICE FIDO Client (Bound) Authenticator ASM RP App FIDO Authentication RP App Server FIDO Server Metadata
  • 15.
    All Rights Reserved| FIDO Alliance | Copyright 201915 FIDO BUILDING BLOCKS (Roaming) Authenticator User Device Browser (Bound) Authenticator Platform RP App FIDO Authentication RP App Server FIDO Server Metadata Web Authentication JS API CTAP
  • 16.
    FIDO USER DEVICE FIDOCLIENT IdP FIDO SERVER FIDO AUTHENTICATOR FEDERATION SERVERBROWSER / APP FIDO Protocol Service Provider Federation Id DB Knows details about the Authentication strength Knows details about the Identity and its verification strength. First Mile Second Mile 16 FIDO & FEDERATION All Rights Reserved | FIDO Alliance | Copyright 2019
  • 17.
    All Rights Reserved| FIDO Alliance | Copyright 201917 WEB AUTHENTICATION Supported In: JavaScript API that enables FIDO Authentication directly in web browsers
  • 18.
    All Rights Reserved| FIDO Alliance | Copyright 201918 FIDO AUTHENTICATION: SECURITY & CONVENIENCE
  • 19.
    All Rights Reserved| FIDO Alliance | Copyright 201919 CONVENIENCE & SECURITY Security Convenience Password
  • 20.
    All Rights Reserved| FIDO Alliance | Copyright 201920 CONVENIENCE & SECURITY Security Convenience Password + OTP Password
  • 21.
    All Rights Reserved| FIDO Alliance | Copyright 201921 CONVENIENCE & SECURITY Security Convenience Password + OTP Password FIDO In FIDO • Same user verification method for all servers In FIDO: Arbitrary user verification methods are supported (+ they are interoperable)
  • 22.
    All Rights Reserved| FIDO Alliance | Copyright 201922 CONVENIENCE & SECURITY Security Convenience Password + OTP Password FIDO In FIDO: Scalable security depending on Authenticator implementation In FIDO: • Only public keys on server • Not phishable
  • 23.
    All Rights Reserved| FIDO Alliance | Copyright 201923 CONCLUSION • Different authentication use-cases lead to different authentication requirements • FIDO separates user verification from authentication and hence supports all user verification methods • FIDO supports scalable convenience & security • User verification data is known to Authenticator only • FIDO complements federation
  • 24.
    24 FIDO TECHNICAL OVERVIEW Rolf Lindemann, NokNok Labs Thank You All Rights Reserved | FIDO Alliance | Copyright 2019
  • 25.
    All Rights Reserved| FIDO Alliance | Copyright 201925 FIDO REGISTRATION accountInfo, challenge, [cOpts] rpId, ai, hash(clientData), cryptoP, [exts] verify user generate: key kpub key kpriv credential c c,kpub,clientData,ac,cdh,rpId,cntr,AAGUID[,exts], signature(tbs) c,kpub,clientData,ac,tbs, s store: key kpub c s Authenticator select Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData} cOpts: crypto params, credential black list, extensions cdh ai tbs ac: attestation certificate chain
  • 26.
    All Rights Reserved| FIDO Alliance | Copyright 201926 FIDO AUTHENTICATION Authenticator Relying Party rpId, [c,] hash(clientData) select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h; clientData := {challenge, rpId, tlsData} clientData,cntr,[exts],signature(cdh,cntr,exts) clientData, cntr, exts, s lookup kpub from DB check: exts + signature using key kpub s cdh challenge, [aOpts] verify user find key kpriv cntr++; process exts