FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe (FIDO Alliance)
PSD2 (the Revised Payment Services Directive) from the European Commission requires financial institutions to deploy Strong Customer Authentication. FIDO offers a solution to the challenges created by this new regulation.
The document discusses technical specifications for device authentication provided by FIDO. It describes issues with traditional password authentication and how FIDO addresses these through standards that separate user verification from authentication. FIDO uses public key cryptography and relies on authenticators that can be integrated into devices to enable strong, passwordless authentication across multiple websites and applications.
Google Case Study: Strong Authentication for Employees and Consumers (FIDO Alliance)
With 50,000 employees and more than a billion users, security and privacy are of critical importance to the Internet giant, Google. Two years ago, they set out with the goal of improving authentication through stronger security, increasing user satisfaction and lowering support costs. In that time, Google deployed FIDO Certified® security keys. A detailed analysis by this data-driven company has clearly confirmed how well FIDO's approach is suited to delivering stronger, simpler authentication for employees and consumers.
With both FIDO authentication and blockchain based on the cornerstones of strong cryptography, the two are a natural fit to help propel secure, user-centric applications.
Introduction to the FIDO Alliance: Vision & Status (FIDO Alliance)
This document summarizes the FIDO Alliance's vision and status. It discusses how authentication has become a major problem and how over 250 organizations are working together through the FIDO Alliance to solve this problem by developing open standards for simpler and stronger authentication using public key cryptography. The FIDO Alliance aims to deliver security, privacy, interoperability and usability through specifications such as FIDO UAF, FIDO U2F and the upcoming FIDO2/WebAuthn specifications. The Alliance has seen strong growth in functional certifications and aims to also offer security and biometric certifications to validate authenticator safety and accurate user identification.
The FIDO Alliance is an open industry association with over 250 member organizations focused on developing authentication standards to address the password problem. It has developed authentication standards based on public key cryptography as a stronger and simpler alternative to passwords. The FIDO ecosystem now includes over 350 certified solutions that can protect over 3.5 billion user accounts worldwide. The document discusses the password problem and outlines how FIDO authentication works to provide both security and usability through standards-based, interoperable authentication.
An overview of the Alliance, the problem we are addressing (the password problem), how FIDO is addressing it, the new ecosystem we are creating and the road ahead.
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
This document discusses how FIDO authentication helps organizations meet the requirements of the General Data Protection Regulation (GDPR). It explains that FIDO uses public key cryptography and stores keys locally, avoiding shared secrets and preventing third parties from accessing data. FIDO also protects against phishing and man-in-the-middle attacks. The document notes that biometric templates are stored only on devices and not transmitted, avoiding the need for impact assessments when used privately. It concludes that FIDO offers a standardized solution that balances convenience and security while meeting privacy-by-design principles.
FIDO and the Future of User Authentication (FIDO Alliance)
The document discusses the problems with passwords and introduces FIDO as a solution. It notes that consumers have many online accounts but reuse only a few passwords across them, while businesses lose over $1 billion to credential theft annually. FIDO uses public key cryptography and requires a second factor, like a fingerprint, to log in securely. It has seen growing adoption with hundreds of implementations and support from governments and companies around the world working to replace passwords with stronger FIDO authentication.
FIDO, PKI & Beyond: Where Authentication Meets Identification (FIDO Alliance)
Explore new directions for authentication and identification. Learn the inner workings of FIDO and PKI, and how to integrate these two worlds into one token.
The update to NIST Special Publication 800-63 Revision 3 covers guidelines on digital identity management, identity proofing and authentication of users working with government IT systems over open networks – and serves as de facto guidance far beyond government and into many industries that depend on secure user authentication.
Part of the guidelines recommends higher-assurance authentication, including the use of multi-factor authentication with public key cryptography, where private keys are tightly bound to the device. This, of course, is the core of the FIDO approach, which has been implemented in over 300 FIDO Certified products worldwide that power authentication solutions from top service providers such as Google, Facebook, Aetna and more.
In this presentation, experts review the NIST guidelines and their relationship to FIDO Authentication.
Securing a Web App with Passwordless Web Authentication (FIDO Alliance)
This document provides instructions for implementing passwordless authentication for a web application using WebAuthn and FIDO2 security keys. It describes setting up a sample Spring Boot web app with traditional username/password authentication and then enhancing it with passwordless authentication. The workshop is split into modules, with this module focusing on implementing the authentication REST endpoints and updating the UI to allow passwordless sign-in. It provides code examples and diagrams to explain how the authentication flow works when a user attempts to sign in using a previously registered security key.
FIDO® for Government & Enterprise - Presentation (FIDO Alliance)
With FIDO 1.0 standards published in December, 2015, mainstream product adoption and service deployment has begun, with more announcements planned for the RSA Security Conference 2015. This webinar will feature FIDO highlights from the conference and a discussion of how governments and enterprises are engaging with the FIDO Alliance and the new wave of innovative authentication solutions FIDO standards enable, with a special focus on how the US Government is positioning FIDO within the context of NSTIC (National Strategy for Trusted Identities in Cyberspace).
Google has deployed FIDO U2F security keys for two-factor authentication at scale within their organization. They found security keys to be faster and cause fewer support incidents than one-time passwords. Google has also made security keys available to consumers as an optional second factor for their accounts. Other companies like Dropbox, GitHub, and Facebook have also adopted FIDO security keys. Google's experience shows that security keys can provide stronger authentication that is also more usable for users and enterprises.
FIDO Authentication Account Recovery Framework at Yahoo Japan (FIDO Alliance)
This document discusses an account recovery framework for FIDO deployments. It proposes a generic account recovery model that covers a wide variety of recovery methods and addresses requirements for service providers. The framework defines recovery claims as abstractions of any types of data used for account recovery. It also describes recovery claim management involving credentials, attributes, and assertions bound to user accounts. Finally, the document outlines several example account recovery methods that could be implemented using this framework, including methods using multiple authenticators, collaborative recovery tokens, or a trusted person's authenticator.
Answering all of your questions about FIDO Certification, including: what FIDO certification is, the types of certification, the Metadata Service, security certification and the value of deploying certified solutions.
A detailed look at the "Your Security, More Simple" d ACCOUNT initiative at NTT DOCOMO, including design principles, solution architecture, security architecture, FIDO standards and deployment of FIDO Authentication. Presented by Koichi Moriyama, Senior Director, Product Department, NTT DOCOMO, Inc.
Getting to Know the FIDO Specifications - Technical Tutorial (FIDO Alliance)
What if we could replace passwords with authentication that is stronger and simpler? Web service providers and enterprises worldwide are looking for a solution to move beyond the frustrating user experience and less-than-stellar security of single-factor password authentication systems. Today FIDO is that solution, providing a rich set of specifications and certifications for an emerging and interoperable ecosystem of hardware, mobile and biometrics-based devices. This ecosystem enables enterprises and web service providers to easily deploy strong authentication solutions that reduce password dependencies and provide a superior, simpler and trusted user experience.
- Learn the ins and outs of FIDO’s specifications, including their applicability to both passwordless (UAF) and second factor (U2F) authentication use cases.
- Learn how FIDO separates user verification from authentication along with other details on the FIDO registration and login process.
- Learn how FIDO authentication protects user privacy and prevents phishing and man-in-the-middle attacks.
FIDO Authentication: Unphishable MFA for All (FIDO Alliance)
This document discusses the growing adoption of FIDO authentication standards for passwordless, phishing-resistant multi-factor authentication. It predicts that in 2022, enterprise passwordless deployments will grow rapidly as mobile platforms provide consumer-ready solutions at scale. The document outlines how FIDO specifications offer simpler and stronger authentication using public key cryptography backed by major technology companies. It notes that over 5 billion devices now support FIDO and more than 150 million people are using passwordless methods each month. Government policies are evolving to recognize FIDO authentication as the preferred choice and gold standard for phishing-resistant multi-factor authentication.
The document discusses FIDO authentication and its advantages over passwords. It describes how FIDO works by separating user verification and authentication using public/private key pairs. FIDO allows for scalable security and convenience depending on the authenticator, supports different user verification methods, and protects against phishing by only transmitting public keys to servers.
This document summarizes a presentation on FIDO specifications and authentication. It discusses password issues like passwords being stolen from servers or entered into untrusted sites. It also classifies threats to authentication like remotely or physically attacking user devices. The document explains how FIDO works using authenticators, user verification, and public/private keys. It covers registration, attestation, metadata, and how authenticators work with platforms. It compares password and FIDO authentication in terms of convenience and security.
Identifies security authentication issues and explains how FIDO works to resolve these issues. Gives an overview of how FIDO separates user verification from authentication, supports scalable convenience & security and complements federation.
CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications (CloudIDSummit)
This document provides an overview of the FIDO UAF (Universal Authentication Framework) protocol. It describes common password and one-time password issues like phishing, theft, and inconvenience. It then explains how FIDO UAF works by using a cryptographic authenticator device to verify the user and sign authentication responses. The document outlines the registration and authentication flows and describes how metadata is used to understand the authenticator's security characteristics. It also discusses various implementation options for the authenticator including hardware-based devices, software authenticators, and leveraging trusted execution environments.
Introduction to FIDO: A New Model for Authentication (FIDO Alliance)
An overview of FIDO authentication with a special section on government and policy. This was presented at the European Policy Forum by Jeremy Grant, managing director of The Chertoff Group.
Technical Principles of FIDO Authentication (FIDO Alliance)
The document provides an overview of FIDO authentication including:
1. How FIDO authentication works by using an authenticator to verify the user and perform the authentication without revealing identity attributes.
2. The FIDO ecosystem involves authenticators, clients, servers, and metadata to understand authenticator security characteristics.
3. FIDO supports a range of authenticators from platform-based to roaming and different user verification methods while keeping user verification data private.
FIDO UAF 1.0 Specs: Overview and Insights (FIDO Alliance)
Explore how FIDO UAF works, how to perform FIDO registration, and how FIDO is used in the world today, as well as the process from start to finish of UAF authentication.
From FIDO Alliance Seminar in Washington, D.C., October, 2015.
Technical Principles of FIDO Authentication (FIDO Alliance)
The document discusses technical principles of FIDO authentication. It provides an overview of how FIDO works, including the FIDO ecosystem with authenticators, clients, servers and relying parties. It also summarizes the FIDO registration and authentication processes, which separate user verification from authentication through the use of public and private keys.
Presented at GSMA Mobile Connect + FIDO Alliance: The Future of Strong Authentication
By: Rolf Lindemann, Senior Director of Technology and Products, Nok Nok Labs
1. Passwords are insecure and inconvenient, especially on mobile devices, while alternative authentication methods are siloed and don't scale well.
2. FIDO separates user verification from authentication, supporting all verification methods and providing scalable convenience and security.
3. In FIDO, only public keys are stored on servers and authentication relies on private keys protected in authenticators, making it resistant to phishing and password theft.
FIDO UAF 1.0 Specs: Overview and Insights (FIDO Alliance)
Explore how FIDO UAF works and how FIDO is used in the world today.
The FIDO Alliance invites you to learn how to simplify strong authentication for web services. FIDO specifications can help all organizations, especially service providers who want to scale these features for consumer services over the web. Essentially, FIDO offers a simple, low-cost way to improve security and the online experience. From FIDO Alliance Seminar in Tokyo, Japan, November, 2015.
The Second Payment Services Directive (PSD2) and the associated Regulatory Technical Standards (RTS) on strong customer authentication and secure communication impose stringent requirements on multi-factor authentication and on the security of implementations. Payment Service Providers will want to know whether the authentication solutions they put in place conform to the RTS both in terms of functionality and security.
The FIDO Alliance standards are based on multi-factor authentication and are a strong fit for PSD2 compliance. The FIDO Alliance’s certification program provides an independent evaluation of functional compliance to the standards as well as of the achieved level of security of FIDO authenticators.
Featuring industry experts, this presentation explores how FIDO can resolve key issues, including:
• How the FIDO standards conform to the RTS
• How FIDO’s certification program guarantees this conformity
• How FIDO’s certification program provides for the mandatory security evaluation imposed by the RTS
Tokyo Seminar: FIDO Alliance Vision and Status (FIDO Alliance)
Brett McDowell, the Executive Director of the FIDO Alliance, gave a presentation on the vision and status of the FIDO Alliance in Tokyo. The presentation discussed how authentication is a major problem, how over 250 organizations are working together through the FIDO Alliance to solve this problem, and the FIDO Alliance's mission to create simpler and stronger authentication standards using public key cryptography. It provided an overview of how traditional and FIDO authentication work, the specifications roadmap, growing certification programs, and support across platforms. In closing, McDowell announced news of expanded FIDO support on Android 8.0 devices and a new FIDO Certified implementation from NTT DOCOMO.
The rapid expansion of the Internet of Things has fostered convenience and connectedness for consumers. It has also opened the door for creative hackers. Recently, hackers used hundreds of thousands of common internet-connected devices in consumers’ homes, without the owners’ knowledge, to launch a DDoS attack that temporarily brought down crucial parts of the internet’s infrastructure.
Attacks in the past have shown that passwords in IoT devices provide insufficient security. Additionally, IoT devices are too constrained for implementing biometric functions.
The question then becomes how to authenticate to such devices and can the industry adopt a standardized approach despite a highly fragmented IoT landscape. This presentation by Rolf Lindemann of Nok Nok Labs, explores how FIDO Authentication can provide convenient and strong authentication in an array of IoT use cases.
Brett McDowell, the Executive Director of the FIDO Alliance, gave a presentation on the FIDO Alliance's vision and status. The presentation discussed how authentication is a major problem, and how over 250 organizations are working together through the FIDO Alliance to solve this problem using open standards for simpler and stronger authentication. It provided an overview of the FIDO Alliance's scope and mission, as well as how FIDO authentication works compared to traditional authentication methods. The presentation concluded with an update on the FIDO Alliance's specifications roadmap and the formation of a new FIDO Korea Working Group.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
UAF Tutorial: Passwordless, Biometric Authentication for Native Apps
1. UAF TUTORIAL: BIOMETRICS FOR NATIVE APPS
REVISED JANUARY 17TH 2018
All Rights Reserved | FIDO Alliance | Copyright 2017
2. HOW SECURE IS AUTHENTICATION?
3. CLOUD AUTHENTICATION
(diagram: Device, Something, Internet, Authentication, Risk Analytics)
4. PASSWORD ISSUES
(diagram: Device, Something, Internet, Authentication)
(1) Password could be stolen from the server
(2) Password might be entered into untrusted App / Website (“phishing”)
(3) Too many passwords to remember (> re-use / cart abandonment)
(4) Inconvenient to type password on phone
5. OTP ISSUES
(diagram: Device, Something, Internet, Authentication)
(1) OTP vulnerable to real-time MITM and MITB attacks
(2) SMS security questionable, especially when Device is the phone
(3) OTP HW tokens are expensive and people don’t want another device
(4) Inconvenient to type OTP into phone
6. CLASSIFYING THREATS
Scalable attacks:
(1) Attacks not focused on the client system, e.g. steal data from servers for impersonation, phishing pwds, or MITM attacks
(2) Remotely attacking lots of user devices: steal data for impersonation
(3) Remotely attacking lots of user devices: misuse them for impersonation
(4) Remotely attacking lots of user devices: misuse authenticated sessions
Physical attacks, possible on lost or stolen devices (3% in the US in 2013):
(5) Physically attacking user devices: steal data for impersonation
(6) Physically attacking user devices: misuse them for impersonation
8. HOW DOES FIDO WORK?
(diagram: Device with Authenticator; User verification | FIDO Authentication)
9. HOW DOES FIDO WORK?
Authenticator | User verification | FIDO Authentication
Require user gesture before private key can be used
Challenge → (Signed) Response
Private key dedicated to one app; Public key
10. HOW DOES FIDO WORK?
Authenticator | User verification | FIDO Authentication
(diagram: … SE …)
11. HOW DOES FIDO WORK?
Authenticator | User verification | FIDO Authentication
Same Authenticator as registered before? Same User as enrolled before?
Can recognize the user (i.e. user verification), but doesn’t know its identity attributes.
12. HOW DOES FIDO WORK?
Authenticator | User verification | FIDO Authentication
Same Authenticator as registered before? Same User as enrolled before?
Can recognize the user (i.e. user verification), but doesn’t know its identity attributes.
Identity binding to be done outside FIDO: this is “John Doe with customer ID X”.
13. HOW DOES FIDO WORK?
Authenticator | User verification | FIDO Authentication
(diagram: … SE …)
How is the key protected (TPM, SE, TEE, …)?
Which user verification method is used?
14. ATTESTATION + METADATA
Private attestation key → Signed Attestation Object (FIDO Registration)
Metadata: understand Authenticator security characteristic by looking into Metadata from mds.fidoalliance.org
Verify using trust anchor included in Metadata
15. FIDO AUTHENTICATOR CONCEPT
FIDO Authenticator:
• User Verification / Presence (optional component)
• Attestation Key: injected at manufacturing, doesn’t change
• Authentication Key(s): generated at runtime (on Registration)
• Transaction Confirmation Display (optional component)
16. CLIENT SIDE BIOMETRICS
Trusted Execution Environment (TEE): FIDO Authenticator as Trusted Application (TA)
• User Verification / Presence: store at Enrollment, compare at Authentication
• Attestation Key
• Authentication Key(s): unlock after comparison
17. FIDO USE CASES
Passwordless Experience (UAF Standards):
(1) Authentication Challenge → (2) Biometric User Verification* → (3) Authenticated Online
Second Factor Experience (U2F Standards):
(1) Second Factor Challenge → (2) Insert Dongle* / Press Button → (3) Authenticated Online
*There are other types of authenticators
18. FIDO UAF REGISTRATION
Relying Party → Platform: username, challenge, policy
Platform: select Authenticator according to policy; determine facetID, check appID, get tlsData; fcp := {challenge, facetID, appID, tlsData}
Platform → Authenticator: appID, username, hash(fcp), [exts]
Authenticator: verify user; generate key kpub, key kpriv, keyID
Authenticator → Platform: ac, kpub, fcpHash, keyID, keyAlg, cntr, AAID [,exts], signature(tbs)
Platform → Relying Party: fcp, ac, tbs, s
Relying Party: store key kpub, keyID
(ac: attestation certificate chain; tbs: the fields to be signed; s: signature)
19. FIDO UAF AUTHENTICATION
Relying Party → Platform: challenge, policy
Platform: select Authenticator according to policy; determine facetID, check appID, get tlsData; fcp := {challenge, facetID, appID, tlsData}
Platform → Authenticator: appID, [keyID], hash(fcp)
Authenticator: verify user; find key kpriv; cntr++; process exts
Authenticator → Platform: AAID, keyID, fcp, cntr, exts, signature(AAID, keyID, fcpHash, cntr, exts)
Platform → Relying Party: AAID, keyID, fcp, cntr, exts, s
Relying Party: lookup kpub from DB; check exts + signature using key kpub
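The registration and authentication exchanges of the two slides above, as an added Go example (not FIDO Alliance code and not any UAF implementation): the authenticator signs AAID, keyID, fcpHash and cntr with a key dedicated to one appID, and the relying party verifies with the stored public key while also checking challenge, appID, fcpHash and counter. The AAID, appID, facetID and TLS data values are constructed; attestation, policy and extensions are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"strconv"
)

// fcp as the FIDO client assembles it: server challenge + facetID, appID, TLS channel data.
type FinalChallengeParams struct {
	Challenge, FacetID, AppID, TLSData string
}
// The authenticator's response (exts omitted); Sig covers exactly the other fields.
type Assertion struct {
	AAID, KeyID, FcpHash string
	Cntr                 uint32
	Sig                  []byte
}
// Authenticator holds one registered key; kpriv never leaves it.
type Authenticator struct {
	AAID, KeyID, AppID string // the key is dedicated to this one appID
	UserVerified       bool   // outcome of the local gesture (PIN, fingerprint, ...)
	priv               *ecdsa.PrivateKey
	cntr               uint32
}
// RelyingParty stores only kpub, the keyID and the last counter it saw.
type RelyingParty struct {
	AppID, KeyID string
	pub          *ecdsa.PublicKey
	cntr         uint32
	challenge    string // outstanding challenge, cleared once used
}

// Register stands in for the registration slide: new key pair for this appID, server keeps kpub.
func Register(aaid, appID string) (*Authenticator, *RelyingParty) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if rand.Reader does
	keyID := "kid-" + appID                                    // opaque handle (constructed)
	return &Authenticator{AAID: aaid, KeyID: keyID, AppID: appID, priv: priv},
		&RelyingParty{AppID: appID, KeyID: keyID, pub: &priv.PublicKey}
}
func fcpHash(fcp FinalChallengeParams) string {
	b, _ := json.Marshal(fcp)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}
// tbs is what both sides sign and verify: SHA-256(AAID | keyID | fcpHash | cntr).
func tbs(aaid, keyID, fcpHash string, cntr uint32) []byte {
	sum := sha256.Sum256([]byte(aaid + "|" + keyID + "|" + fcpHash + "|" + strconv.FormatUint(uint64(cntr), 10)))
	return sum[:]
}
// Challenge is the server's "challenge, policy" step (policy omitted).
func (rp *RelyingParty) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	rp.challenge = hex.EncodeToString(b)
	return rp.challenge
}
// Authenticate: "verify user; find key kpriv; cntr++; sign(AAID, keyID, fcpHash, cntr)".
func (a *Authenticator) Authenticate(fcp FinalChallengeParams) (Assertion, error) {
	if fcp.AppID != a.AppID || !a.UserVerified {
		return Assertion{}, errors.New("wrong appID for this key, or user not verified")
	}
	a.cntr++
	fh := fcpHash(fcp)
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, tbs(a.AAID, a.KeyID, fh, a.cntr)) // fails only if rand.Reader does
	return Assertion{AAID: a.AAID, KeyID: a.KeyID, FcpHash: fh, Cntr: a.cntr, Sig: sig}, nil
}

// Verify: "lookup kpub; check signature using kpub", plus the checks that bind the
// assertion to this server (appID), this request (challenge, fcpHash) and this authenticator (counter).
func (rp *RelyingParty) Verify(fcp FinalChallengeParams, as Assertion) error {
	switch {
	case as.KeyID != rp.KeyID || fcp.AppID != rp.AppID:
		return errors.New("assertion is not for this relying party")
	case rp.challenge == "" || fcp.Challenge != rp.challenge:
		return errors.New("challenge unknown or already used")
	case as.FcpHash != fcpHash(fcp):
		return errors.New("fcpHash does not match the challenge parameters")
	case as.Cntr <= rp.cntr:
		return errors.New("counter did not increase: replay or cloned authenticator")
	case !ecdsa.VerifyASN1(rp.pub, tbs(as.AAID, as.KeyID, as.FcpHash, as.Cntr), as.Sig):
		return errors.New("bad signature")
	}
	rp.challenge, rp.cntr = "", as.Cntr // one challenge, one use
	return nil
}
```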
20. FIDO UAF AUTHENTICATION: TYPICAL IMPLEMENTATION
21. FIDO BUILDING BLOCKS
FIDO USER DEVICE: RP App, FIDO Client, ASM, (Bound) Authenticator; (External) Authenticator
FIDO Authentication → RP App Server, FIDO Server, Metadata
22. TYPICAL IMPLEMENTATION APPROACH
FIDO USER DEVICE: RP App with AppSDK, FIDO Client, ASM, (Bound) Authenticator; (External) Authenticator (UAF APDU)
FIDO Authentication → RP App Server, FIDO Server, Metadata
AppSDK interfaces to FIDO Clients on the devices (if present).
AppSDK contains FIDO Client and potentially ASM.
23. FIDO AUTHENTICATION: SECURITY & CONVENIENCE
24. CONVENIENCE & SECURITY
(chart: Security vs. Convenience; Password, Password + OTP)
25. CONVENIENCE & SECURITY
(chart: Security vs. Convenience; Password, Password + OTP, FIDO)
In FIDO:
• Same user verification method for all servers
In FIDO: Arbitrary user verification methods are supported (+ they are interoperable)
26. CONVENIENCE & SECURITY
(chart: Security vs. Convenience; Password, Password + OTP, FIDO)
In FIDO: Scalable security depending on Authenticator implementation
In FIDO:
• Only public keys on server
• Not phishable
27. CONCLUSION
• Different authentication use-cases lead to different authentication requirements
• FIDO separates user verification from authentication and hence supports all user verification methods
• FIDO supports scalable convenience & security
• User verification data is known to Authenticator only
• FIDO complements federation
Editor's Notes
We have seen several attacks on existing authentication methods in the past:
1. Server-side attacks were used to steal 1.2bn passwords from various servers.
2. Phishing attacks were launched to make users reveal their passwords to the attackers.
3. Orchestrated malware attacks were launched on PCs and smartphones in order to steal money. See EuroGrabber or the MITM attack on CITI bank in 2006 (http://www.banktech.com/phishers-beat-citiandrsquos-two-factor-authentication-/d/d-id/1290948).
So existing authentication schemes seem to be broken at this time.
In order to understand how we can improve authentication, let’s have a closer look into it…
How does authentication work today?
Since we are not born with WIFI interfaces in our heads, we cannot directly authenticate ourselves to a cloud server.
We need some kind of proxy device. For example, we type our password into a computer running some application. If we believe this is the right application, we are willing to enter our password into it.
The server takes some explicit authentication signal like the password as input and adds additional back-end computed signals, e.g. geolocation derived from the IP address, packet round-trip times etc. The risk engine computes a resulting risk score using all input signals.
Note that the strength of a password signal depends on the characteristics of the “proxy device” or App. If the password is entered into a malicious application, then a phisher or man-in-the-middle might now be able to misuse it.
The predominant Authentication method today is username+password. But it has several issues.
Passwords are symmetric bearer tokens. This means that anyone who knows the password can send it to the cloud server and gets authenticated. It also means that the server needs to know either the password directly or something which is derived from the password (e.g. the hash). And even if you cannot directly reverse this hash function, you can hash millions of passwords until the hash is identical to the one found on the server. Rainbow tables are an efficient method to do that. Note that most passwords are not as strong as they could be. By knowing the 1000 most popular passwords you could break 90% of the accounts. By knowing the 10000 most popular passwords you could break 98,5% of the accounts.
But passwords might also be entered into the wrong application. This phishing application could then send the password to the attacker and let the attacker misuse it, or it could itself misuse it for performing malicious transactions.
For security reasons, passwords shouldn’t be re-used on other web sites. But how could I remember different passwords for all my accounts? I counted my accounts a while ago and ended up with well above 500. There is no way for me to remember them all.
And passwords are inconvenient to type on mobile phones using the touch keyboards.
These are the attack classes we see being most important for authentication:
1. Remotely attacking servers and stealing passwords. Remember the 1.1 billion stolen passwords. This attack is really bad as users cannot protect against it – the relying parties would have to do it. But users can make it even worse: if they share passwords across multiple relying parties, the least secure relying party could be hacked, affecting all others.
Once threat class 1 wouldn’t work any longer, the attackers would focus on other attacks, for example:
2. Trying to steal data from the device in order to impersonate the user, or
3. Misusing data on the user device in order to impersonate the user, or
4. Remotely attacking lots of user devices (e.g. using the Stagefright attack, see http://www.techworm.net/2015/07/stagefright-attack-it-takes-only-a-single-text-message-to-hack-an-android-smartphone.html) in order to misuse strongly authenticated sessions. This is known as the man-in-the-browser (MITB) attack.
It is interesting to see that smartcards alone do not protect against the misuse of credentials, as the smartcard cannot know whether a PIN was entered by the user or injected by some malware which phished the PIN from the user before.
All these attacks are “scalable”, that means whether 1000 or 1m targets are attacked doesn’t have an impact on the attack costs.
Once we have protected against such scalable attacks, we should focus on protection against the physical attacks, i.e. attacks where physical access to the device is required.
Physical attacks are not scalable as stealing (active) smartphones has significant costs per target.
In the US, there were 156m people owning smartphones in 2013 (see http://www.comscore.com/Insights/Press-Releases/2014/2/comScore-Reports-December-2013-US-Smartphone-Subscriber-Market-Share).
Thereof 3.1m smartphones (2%) have been stolen in 2013 and another 1.4m smartphones (0.9%) were lost in 2013 (see http://www.consumerreports.org/cro/news/2014/04/smart-phone-thefts-rose-to-3-1-million-last-year/index.htm#).
In FIDO we acknowledge the fact that we need a local or “proxy”-device in order to authenticate to a cloud server.
We call this proxy device “Authenticator”.
We call the “something” (see before) user verification, and we have a standardized authentication protocol between the client side and the server.
So we split the authentication into user verification and a standardized authenticator-to-server protocol.
We use private keys generated and maintained by the authenticator to sign server-generated challenges.
The server uses the public key from the registered authenticator to verify the signature.
Each private key is dedicated to a single relying party.
So we only store public keys on the server, no user private keys. So hacking the server is less attractive to hackers.
With this concept of the Authenticator, we get two dimensions of scalability.
Scalability in terms of Authenticator implementation. We can leverage TPMs, embedded Secure Elements, SIM cards and Trusted Execution Environments (TEE in short) to implement the Authenticator. And
Scalability in terms of user verification methods. The Authenticator can support passcodes to verify the user, or face recognition, speaker recognition, iris, fingerprint and even methods not invented yet. We also can combine various user verification methods, e.g. fingerprint with an alternative PIN. And this is done in most existing implementations.
The Authenticator verifies whether it is being used by the same user as enrolled initially.
And the Authenticator proves to the server whether it is the same Authenticator as registered before.
The Authenticator doesn’t know whether the user is John Doe or Donald Duck. It just verifies whether it is still the user who enrolled.
Since the RP wants to know WHO the user is that uses the Authenticator, we need an identity binding step.
This step is not standardized in FIDO. Each RP can continue following its established know your customer (KYC) procedure.
So in FIDO we separated the Authentication aspect from the Identity aspect.
Authentication is a global problem which needs a global solution.
Identity is inherently regional as different countries have different regulations on privacy and identity verification procedures for different verticals.
For example, the know-your-customer rules for European banks are different from the ones for Nigerian banks.
And people in Europe have different privacy expectations than Nigerian people.
FIDO provides a global solution for Authentication that can be combined with any method of Identity binding that is acceptable in each region.
FIDO provides great flexibility for Authenticator implementation. The specific implementation determines the resulting security level of the Authentication.
So the FIDO Server needs to know such implementation details: The FIDO Server needs to know whether the Authenticator is implemented in a trusted execution environment or in normal software running in the rich operating system. It typically wants to know whether the user was verified using a 4 character passcode or using fingerprint verification.
In FIDO we call this method Attestation.
In FIDO, the Authenticator is a concept.
The Authenticator owns the Authentication keys and typically owns one attestation key injected at manufacturing time.
The Authenticator can optionally support a user presence check (e.g. button) or a user verification method.
Additionally the Authenticator can implement a Transaction Confirmation Display.
There are various ways to implement an authenticator.
Typical Authenticators are (a) embedded into a smartphone or (b) separate hardware tokens.
The principles we just explained apply to all FIDO protocol families.
In FIDO we support two major sets of use-cases:
Using the Authenticator for “passwordless experience” and
Using the Authenticator as a second factor.
Let’s look into how these use-cases are addressed in FIDO. We start with the generic cryptographic scheme.
Traditionally there always was a tradeoff between convenience and security.
You could get it either more secure or more convenient – but not both at the same time.
Passwords are not very secure and their convenience is – let’s say – improvable.
Requiring one-time-passwords in addition to the password doesn’t make it more convenient.
So we can increase the security slightly if we give up even more convenience.
FIDO fundamentally changes this model.
Since the user verification method (e.g. the finger swipe, or the PIN in case of PIN-based authenticators) is the SAME for all relying parties, it is more convenient just by using FIDO (worst case: only a single PIN to remember instead of hundreds of passwords).
Additionally FIDO supports scalability in terms of convenience depending on the user verification method implemented by the authenticator.
Just touching a fingerprint sensor is much more convenient than typing anything on touch keyboards.
Similarly for the security.
Just by using FIDO, you get protection against the server-side password stealing attacks (remember only public keys are stored on the server).
Additionally, phishing attacks don’t work as there are no bearer tokens known by the user anymore.
So the user cannot enter something into a phishing site which would allow impersonation (remember: only the legitimate authenticator knows the private key related to the public key which was registered at the server. So knowing a PIN wouldn’t be sufficient for the attacker. Access to the authenticator would be required in addition).