FIDO authentication is usually not positioned as a means of achieving high-assurance identity proofing, but it can be a critical component of best-of-breed remote identity verification. Join this session for a look at how FIDO, federation and identity proofing can work together to create a robust identity ecosystem. The solution lays out an architecture for remote identity proofing that creates a privacy-preserving credential, using an identity-proofing engine based on OpenID Connect and issuing a FIDO credential used for strong authentication.
Featured Speaker:
Jerrod Chong, CISSP, VP Solutions, Yubico
Google Security Key Login

Secure: unphishable / un-MITM-able
Simple: insert and press button
Scalable: one device, many services
Privacy: no linkability between services
U2F: Pre-Registration of Key Handle

Parties: U2F Device, Client (browser), Relying Party. Notation: a = app id, c = client data, h = key handle, s = signature.

1. Relying Party -> Client: app id a, challenge
2. Client -> Device: a; c = {challenge, origin, channel id, etc.}
3. Device: check app id a; generate key pair kpub, kpriv and key handle h
4. Device -> Client: kpub, h, attestation cert, s = signature(a, c, kpub, h)
5. Client -> Relying Party: c, kpub, h, attestation cert, s
6. Relying Party: release kpub with handle h for the user
U2F: Authentication

1. Relying Party -> Client: handle h, app id a, challenge
2. Client -> Device: h, a; c = {challenge, origin, channel id, etc.}
3. Device: check app id a; look up the kpriv associated with h; counter++; sign with kpriv: s = signature(a, c, counter)
4. Device -> Client: counter, s
5. Client -> Relying Party: counter, c, s
6. Relying Party: look up the kpub associated with h; check s using kpub; verify origin, channel id & counter
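The registration and authentication exchanges above, worked end to end as an added Go example; this is not code from the slides or from Yubico. It assumes a constructed app id (https://rp.example) that also serves as the accepted origin, stands in a trusted attestation public key for the attestation certificate chain, leaves the channel id out of the client data, keeps a single user's registration on the relying party, and uses a random 32-byte key handle as an index into the device's key store (real tokens wrap kpriv into the handle). The signature inputs follow the U2F raw message format (registration: 0x00 || H(a) || H(c) || h || kpub; authentication: H(a) || user-presence byte || counter || H(c)), and the relying party rejects a replayed response because the counter did not increase.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const appID = "https://rp.example" // constructed app id; also the origin the RP accepts

func h256(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// ClientData is c as the client builds it: type, challenge and origin (channel id left out here).
func ClientData(typ, challenge, origin string) string {
	return fmt.Sprintf(`{"typ":%q,"challenge":%q,"origin":%q}`, typ, challenge, origin)
}

func regData(a, c, h, pub []byte) []byte { // registration signature input: 0x00 || H(a) || H(c) || h || kpub
	return append(append(append(append([]byte{0x00}, a...), c...), h...), pub...)
}

func authData(a []byte, counter uint32, c []byte) []byte { // H(a) || user presence 0x01 || counter (BE32) || H(c)
	return append(binary.BigEndian.AppendUint32(append(append([]byte{}, a...), 0x01), counter), c...)
}

// Device models the token. attest stands in for the vendor attestation key and cert;
// keys maps H(app id) || h to kpriv, whereas real tokens wrap kpriv into h instead.
type Device struct{ attest *ecdsa.PrivateKey; keys map[string]*ecdsa.PrivateKey; counter uint32 }

// Register: generate kpub/kpriv and h for app id a, sign (a, c, kpub, h) with the attestation key.
func (d *Device) Register(appIDHash, clientDataHash []byte) (h, pub, sig []byte, err error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	h = make([]byte, 32)
	rand.Read(h)
	d.keys[string(appIDHash)+string(h)] = priv // the key is bound to the app id it was generated for
	pub = elliptic.Marshal(elliptic.P256(), priv.X, priv.Y) // 65-byte uncompressed point
	digest := sha256.Sum256(regData(appIDHash, clientDataHash, h, pub))
	sig, err = ecdsa.SignASN1(rand.Reader, d.attest, digest[:])
	return h, pub, sig, err
}

// Authenticate: check app id, look up kpriv for h, counter++, sign (a, c, counter) with kpriv.
func (d *Device) Authenticate(h, appIDHash, clientDataHash []byte) (uint32, []byte, error) {
	priv, ok := d.keys[string(appIDHash)+string(h)] // a different origin's H(a) finds no key for h
	if !ok {
		return 0, nil, fmt.Errorf("device: no key for this handle under this app id")
	}
	d.counter++
	digest := sha256.Sum256(authData(appIDHash, d.counter, clientDataHash))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return d.counter, sig, err
}

// RelyingParty keeps one user's registration for brevity: kpub released with handle h, plus the last counter seen.
type RelyingParty struct{ Handle []byte; pub *ecdsa.PublicKey; lastCounter uint32 }

// FinishRegistration: check c against challenge and origin, verify the attestation signature, store kpub with h.
func (rp *RelyingParty) FinishRegistration(c, challenge string, h, pub, sig []byte, attestPub *ecdsa.PublicKey) error {
	x, y := elliptic.Unmarshal(elliptic.P256(), pub)
	digest := sha256.Sum256(regData(h256(appID), h256(c), h, pub))
	if c != ClientData("navigator.id.finishEnrollment", challenge, appID) || x == nil || !ecdsa.VerifyASN1(attestPub, digest[:], sig) {
		return fmt.Errorf("rp: client data, public key or attestation signature rejected")
	}
	rp.Handle, rp.pub = h, &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	return nil
}

// FinishAuthentication: check s with the stored kpub, verify origin and challenge in c, then the counter.
func (rp *RelyingParty) FinishAuthentication(c, challenge string, counter uint32, sig []byte) error {
	digest := sha256.Sum256(authData(h256(appID), counter, h256(c)))
	if rp.pub == nil || c != ClientData("navigator.id.getAssertion", challenge, appID) || !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return fmt.Errorf("rp: client data or signature rejected")
	}
	if counter <= rp.lastCounter { // a replayed response or a cloned key does not advance the counter
		return fmt.Errorf("rp: counter did not increase")
	}
	rp.lastCounter = counter
	return nil
}

// Demo runs registration, one authentication, and a replay of that same authentication response.
func Demo() (regErr, authErr, replayErr error) {
	ak, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dev, rp := &Device{attest: ak, keys: map[string]*ecdsa.PrivateKey{}}, &RelyingParty{}
	c := ClientData("navigator.id.finishEnrollment", "reg-challenge-1", appID) // constructed challenges
	h, pub, sig, _ := dev.Register(h256(appID), h256(c))
	regErr = rp.FinishRegistration(c, "reg-challenge-1", h, pub, sig, &ak.PublicKey)
	c = ClientData("navigator.id.getAssertion", "auth-challenge-1", appID)
	counter, sig, _ := dev.Authenticate(rp.Handle, h256(appID), h256(c))
	authErr = rp.FinishAuthentication(c, "auth-challenge-1", counter, sig)
	replayErr = rp.FinishAuthentication(c, "auth-challenge-1", counter, sig)
	return
}

func main() { fmt.Println(Demo()) }
```

Demo() returns nil for the registration and the first authentication and an error for the replay. Because the device indexes each key by H(app id) || h, a handle presented under another origin's app id finds no key and the device refuses to sign, which is the "unphishable" property the slides claim; the relying party's counter check is what turns a cloned or replayed response into a detectable failure.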