
FIDO's place in the identity ecosystem


A presentation on the FIDO authentication specification, as presented at a PIMN event on 23 January 2015 in The Hague (NL). Please note there is no introduction to FIDO; this was done by speakers earlier in the program.


  1. FIDO's place in the eID ecosystem
     Maarten Wegdam, managing partner
     PIMN Seminar on FIDO Alliance, 23 January 2015
  2. • Identity, privacy & trust
     • Strategy realization
     • Business models
     • Digitalization in networks of organizations
     • Research-based advice & software
  3. End-user perspective
     Without FIDO
     • Separate authenticators for every website/identity
     • No choice between authenticators
     • Rarely use the embedded authenticators of your mobile (e.g., fingerprint sensor)
     With FIDO
     • Select own authenticator at registration time
     • Fewer passwords and/or more 2nd factors
  4. Relying party perspective
     Without FIDO
     • Costs and user friction for non-password/2nd factor authentication
     • Vendor lock-in to authenticator
     • Often use one-time-password-like 2nd factors (SMS, TOTP app etc.)
     With FIDO
     • No biometric data on premise
     • Flexibility & easy integration
     • Allow wide range of authenticators
     • No (?) branding on authenticators
  5. BYOId vs BYOAuthn
     • FIDO is about BYOAuthn, not BYOId
     • BYOId – e.g. OpenID, eID Framework NL, SAML federations, trust frameworks etc.
     [Diagram; labels: BYOId, (trusted ?) attributes, authentication, verification/issuing process, authentication means, level of assurance [STORK, ISO29115]]
  6. FIDO vs social login
     • Social login is often associated with BYOId, but is more BYOAuthn in reality
     • FIDO may reduce usage of social logins
     • But not very popular in NL anyway …
  7. FIDO vs eID Framework NL
     • FIDO can be used by Authentication providers
     • Potentially easier to adopt new authentication means
     • NO impact on service providers (websites): they simply use SAML
  8. FIDO vs OATH
     • OATH - Initiative for Open Authentication
     • TOTP is often used, e.g., Google Authenticator
     • Aimed at one-time passwords
  9. FIDO a hype?
     • Gartner (17 Nov 2014): “beyond Samsung Galaxy S5-Paypal no significant implementations yet”
     • Kuppinger Cole (10 Dec 2014): from more skeptical to “the initiative is gaining more traction”
  10. A perspective on FIDO
      What it does offer
      • For relying parties: flexibility, ease of integration, less vendor lock-in
      • For users: re-use of authentication means aka BYOAuthn
      • Easier to move to non-password
      • No ‘spillover’ of hacks (anti-phishing, MITM, mutual authn)
      What it doesn’t offer
      • No attributes, no identity: no BYOId
      • No cross device authentication (yet ? USB + NFC), re-registration needed
      • No passwords, no one-time-passwords
      • No context-based or continuous authentication
      What remains to be seen
      • Will it confuse people? One authenticator for many identities?
      • Adoption is key: chicken-egg, especially browser and smartphone vendors
  11. Takeaways
      • FIDO is about BYOAuthn, not BYOId
      • FIDO enables non-password, non-OTP authentication factors
      • As always, adoption is key, especially by browser and smartphone vendors
      maarten.wegdam@innovalor.nl | +31 6 51993485 | @maartenwegdam | http://innovalor.nl | http://www.linkedin.com/in/wegdam
