EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Transcription

1 1 EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

2 2 Data Breaches are out of control

3 3 IN data breaches >1 billion records stolen since 2012 $3.5 million average cost per breach

4 4 We have a PASSWORD PROBLEM

5 5 TOO MANY TO REMEMBER, DIFFICULT TO TYPE, AND TOO VULNERABLE Re-used Phished Keylogged

6 6 Adding more authentication has largely been rejected by users

7 7 ONE-TIME PASSCODES Improve security but aren t easy enough SMS Reliability Token Necklace Poor User Experience Still Phishable

8 8 THE OLD PARADIGM OTP 2FA Passwords PINs SECURITY USABILITY

9 9 WE NEED A NEW MODEL Fast IDentity Online

10 10 SECURITY Weak Strong THE FIDO PARADIGM OTP 2FA Passwords PINs Poor Good USABILITY

11 11 HOW DOES FIDO WORK? USER VERIFICATION FIDO AUTHENTICATION AUTHENTICATOR

12 12 Fido Registration User Approval New Key Created Registration Begins 4 Key Registered using Public Key Cryptography

13 13 Fido Login Login Challenge Key Selected Login User Approval 4 Login Complete Login Response using Public Key Cryptography

14 14 online authentication using public key cryptography

15 15 Passwordless Experience (FIDO UAF Standards) $10,000 Success Transfer Now Transaction Detail User Authentication Done Second Factor Experience (FIDO U2F Standards) 1 2 Success 3 Login & Password Insert dongle Press Button Done

16 16 PayPal continues FIDO enablement in improved mobile wallet app. Google has FIDO in Chrome and 2-Step Verification. Samsung adds FIDO enabled Touch authentication to Galaxy S Deployments

17 17 FIDO UNIVERSAL 2 ND FACTOR Is a user present? USER VERIFICATION FIDO AUTHENTICATION AUTHENTICATOR Same authenticator as registered before?

18 18 Step 1 U2F AUTHENTICATION DEMO EXAMPLE

19 19 Step 2 U2F AUTHENTICATION DEMO EXAMPLE

20 20 Step 3 U2F AUTHENTICATION DEMO EXAMPLE

21 21 Step 4 U2F AUTHENTICATION DEMO EXAMPLE +Bob

22 22 FIDO UNIVERSAL AUTHENTICATION FRAMEWORK UAF Same User as enrolled before? Same Authenticator as registered before? USER VERIFICATION FIDO AUTHENTICATION AUTHENTICATOR

23 23 STEP 1 UAF AUTHENTICATION DEMO EXAMPLE

24 24 STEP 2 UAF AUTHENTICATION DEMO EXAMPLE

25 25 STEP 3 UAF AUTHENTICATION DEMO EXAMPLE

26 26 STEP 4 UAF AUTHENTICATION DEMO EXAMPLE

27 27 USABILITY, SECURITY and PRIVACY

28 28 No 3rd Party in the Protocol No Secrets on the Server side Biometric data (if used) never leaves device No link-ability between Services or Accounts

29 29 Better Security for online services Reduced cost for the enterprise Simple & Safe for consumers

30 30 The FIDO Alliance is an open association of more than 180 diverse member organizations

31 10 Single Sign-On Federation MODERN AUTHENTICATION Authentication Passwords Strong Risk-Based User Management Physical-to-digital identity 31

32 32 Online Services Chip Providers Device Providers Biometrics Vendors Enterprise Servers Platform Providers Board Members

33 33 FIDO TIMELINE FIDO 1.0 FINAL Specification FIDO Ready Program Specification Review Draft First UAF & U2F Deployments Alliance Announced FEB 2013 (6 Members) DEC 2013 (59 Members) FEB 2014 (84 Members) FEB-OCT 2014 (129 Members) DEC (152 Members)

34 34 FIDO in 2015 FIDO implementations and deployments

35 35 A range of FIDO PRODUCTS is now available

36 36 Online Services Chip Providers Device Providers Biometrics Technology Providers Implementing 1.0 Specifications (this is only a subset of active implementations) Enterprise Servers Open Source Mobile Apps/Clients WWW Browsers

37 37 Windows used by 1.5 billion users Windows 10 in 190 countries by Q3 Free upgrade for consumer FIDO in Windows 10

38 38 Market leader to ship FIDO client 85+ OEMs as of Q4 >1 billion Android devices shipped Innovative sensor FIDO in Snapdragon

39 39 First healthcare deployment Physician access to health records up to 50 million Healthcare users FIDO in Healthcare

40 40 Google for Work announced Enterprise admin support for FIDO U2F Security Key April 21 Google for Work is used by over 5 million businesses worldwide The Security Keys are a great step forward, as they are very practical and more secure. Woolsworth IT FIDO in Enterprise

41 41 Governments worldwide are looking at FIDO FIDO featured at White House Summit New collaboration framework FIDO & Government 2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials. -- NIST Roadmap for Improving Critical Infrastructure Cybersecurity,12- Feb-2014

42 42 New Government Membership Class Reflecting an increased NNL focus on Government Infineon NSP collaboration worldwide Details are now published in the new FIDO Alliance Membership Agreement

43 43 JOIN THE FIDO ALLIANCE

44 Mobile Connect & FIDO

45 About the GSMA The GSMA represents the interests of mobile operators worldwide Spanning more than 220 countries, the GSMA unites nearly 800 of the world s mobile operators, as well as more than 230 companies in the broader mobile ecosystem

46 Mobile Connect: a convenient and secure alternative to passwords that also Protects consumers privacy Easy to use as it uses the mobile phone for authentication (i.e. no passwords) Anonymous but secure log-in (no passwords to steal, improved user experience, reduce friction) Adds trust into digital transactions (e.g. by confirming location, user identity, usage) Protects privacy (operator confirm credentials, user gives consent for sharing) Reduce SP fraud through assurance that there is as real person behind the account Simple and cost effective for MNOs to deploy, leveraging existing operator assets GSMA 2014 All GSMA meetings are conducted in full compliance with the GSMA s anti-trust compliance policy

47 Mobile Connect and FIDO both seek to replace passwords Or Something I Know Something I Have Something I Have + Something I Know Something I Have + Something I Am GSMA 2014 All GSMA meetings are conducted in full compliance with the GSMA s anti-trust compliance policy

48 FIDO objectives align well with those of Mobile Connect Both FIDO and Mobile Connect are addressing the same problem: easier, safer online authentication Both FIDO and Mobile Connect leverage the mobile phone to achieve this Whilst Mobile Connect uses existing MNO services for authentication (SMS, USSD, SIM Toolkit) FIDO leverages the local device authentication on the phone itself In doing so, both provide easy, secure two-factor authentication Both also provide a pluggable framework that can support a variety of security levels as well as supporting new authentication methods as they arise GSMA 2014 All GSMA meetings are conducted in full compliance with the GSMA s anti-trust compliance policy

49 Synergistic fit using FIDO for the first mile of Mobile Connect Service access request Service Provider Tablet/desktop Authentication request SIM applet protocol (CPAS8) MNO Second mile SIM applet AuthN server Identity GW FIDO UAF protocol Mobile phone with FIDO client First mile AuthN server A key difference between FIDO and Mobile Connect is that FIDO purposefully focuses solely on the first mile authentication itself whilst Mobile Connect also provides a federation layer via OpenID Connect GSMA 2014 All GSMA meetings are conducted in full compliance with the GSMA s anti-trust compliance policy

50 FIDO can be integrated into Mobile Connect to extend the range of authenticators Authentication MNO Mobile phone with FIDO client MFAS Identity GW Leveraging FIDO enables users to authenticate using existing authentication mechanisms on their mobile phone including biometrics the user becomes the credential (Something I am) GSMA 2014 All GSMA meetings are conducted in full compliance with the GSMA s anti-trust compliance policy

51 Mobile Connect and FIDO UAF integration: White Paper Main objective: Overview of FIDO Architecture and use cases Integration of FIDO UAF authenticators into Mobile Connect arch Status: Co-developed between GSMA, MNOs and FIDO members First draft finished and out for review within FIDO Alliance and GSMA; targeting publication by end June Left for a second phase: UICC based FIDO authenticator Use of UICC to enhance FIDO implementation security FIDO U2F integration GSMA 2014 All GSMA meetings are conducted in full compliance with the GSMA s anti-trust compliance policy

52 Matching of FIDO policies to OpenID Connect acr_values Service Providers need to be able to both specify and receive feedback on the type of authenticator used Mobile Connect FIDO uses Level of Assurance (LoA) values (ISO 29115) in the OIDC request acr_values params, so the SP can indicate the authenticator class that should be used uses the FIDO Policy to describe the required authenticator characteristics for accepted authenticators Options: Expand the list of acr_values to accommodate additional LoA/policies Capture SP requirements at registration to the Mobile Connect service and propagate via the Mobile Connect federation GSMA 2014 All GSMA meetings are conducted in full compliance with the GSMA s anti-trust compliance policy

53 Next steps GSMA White paper Continue Working on open issues related to the integration of the FIDO authentication framework with Mobile Connect Improve the document with feedback from the PoC FIDO/GSMA/MNO PoC (June/July) Prototype of FIDO integration into an end-end Mobile Connect implementation: Telefonica + Nok Nok Labs Targeted for Mobile World Congress Shanghai MNO/SP beta trial (post MWCS) Live implementation and trial of FIDO authenticators within a Mobile Connect service provided to an SP GSMA 2014 All GSMA meetings are conducted in full compliance with the GSMA s anti-trust compliance policy

54 54 EXPERIENCE SIMPLER, STRONGER AUTHENTICATION