EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Transcription

1 1 EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

2 2 Data Breaches are out of control

3 3 IN data breaches 82 million personal records stolen $3.5 million average cost per breach

4 4 We have a PASSWORD PROBLEM

5 5 TOO MANY TO REMEMBER, DIFFICULT TO TYPE, AND TOO VULNERABLE Re-used Phished Keylogged

6 6 Adding more authentication has largely been rejected by users

7 7 ONE-TIME PASSCODES Improve security but aren t easy enough SMS Reliability Token Necklace Poor User Experience Still Phishable

8 8 WE NEED A NEW MODEL Fast IDentity Online

9 9 THE OLD PARADIGM OTP 2FA Passwords PINs SECURITY USABILITY

10 10 THE FIDO PARADIGM SECURITY Weak Strong OTP 2FA Passwords PINs Poor Good USABILITY

11 10 Single Sign-On Federation MODERN AUTHENTICATION Authentication Passwords Strong Risk-Based User Management Physical-to-digital identity 11

12 12 HOW DOES FIDO WORK? USER VERIFICATION FIDO AUTHENTICATION AUTHENTICATOR

13 13 Passwordless Experience (FIDO UAF Standards) $10,000 Success Transfer Now Transaction Detail User Authentication Done Second Factor Experience (FIDO U2F Standards) 1 2 Success 3 Login & Password Insert dongle Press Button Done

14 14 Fido Registration User Approval New Key Created Registration Begins 4 Key Registered using Public Key Cryptography

15 15 Fido Login Login Challenge Key Selected Login User Approval 4 Login Complete Login Response using Public Key Cryptography

16 16 online authentication using public key cryptography

17 17 THE BUILDING BLOCKS FIDO USER DEVICE BROWSER/APP RELYING PARTY WEB SERVER FIDO CLIENT TLS Server Key FIDO SERVER FIDO UPDATE ASM FIDO AUTHENTICATOR Cryptographic authentication key reference DB Authenticator Metadata & attestation trust store Authentication keys Attestation keys METADATA SERVICE

18 18 ATTESTATION & METADATA Signed Attestation Object Verify using trust anchor Included in Metadata FIDO Authenticator FIDO Server Metadata Understand Authenticator security characteristic by looking into Metadata (and potentially other sources)

19 19 FIDO UNIVERSAL 2 ND FACTOR Is a user present? USER VERIFICATION FIDO AUTHENTICATION AUTHENTICATOR Same authenticator as registered before?

20 20 Step 1 U2F AUTHENTICATION DEMO EXAMPLE

21 21 Step 2 U2F AUTHENTICATION DEMO EXAMPLE

22 22 Step 3 U2F AUTHENTICATION DEMO EXAMPLE

23 23 Step 4 U2F AUTHENTICATION DEMO EXAMPLE +Bob

24 24 FIDO UNIVERSAL AUTHENTICATION FRAMEWORK UAF Same User as enrolled before? Same Authenticator as registered before? USER VERIFICATION FIDO AUTHENTICATION AUTHENTICATOR

25 25 STEP 1 UAF AUTHENTICATION DEMO EXAMPLE

26 26 STEP 2 UAF AUTHENTICATION DEMO EXAMPLE

27 27 STEP 3 UAF AUTHENTICATION DEMO EXAMPLE

28 28 STEP 4 UAF AUTHENTICATION DEMO EXAMPLE

29 29 USABILITY, SECURITY and PRIVACY

30 30 No 3rd Party in the Protocol No Secrets on the Server side Biometric data (if used) never leaves device No link-ability between Services or Accounts

31 31 Better Security for online services Reduced cost for the enterprise Simple & Safe for consumers

32 32 The FIDO Alliance is an open association of more than 180 diverse member organizations

33 33 Online Services Chip Providers Device Providers Biometrics Vendors Enterprise Servers Platform Providers Board Members

34 34 FIDO TIMELINE FIDO 1.0 FINAL Specification FIDO Ready Program Specification Review Draft First UAF & U2F Deployments Alliance Announced FEB 2013 (6 Members) DEC 2013 (59 Members) FEB 2014 (84 Members) FEB-OCT 2014 (129 Members) DEC (152 Members)

35 35 News from the front The significance of early 2015 announcements

36 36 Windows used by 1.5 billion users Windows 10 in 190 countries by Q3 Free upgrade FIDO in Windows 10

37 37 First healthcare deployment Physician access to health records up to 50 million Healthcare users FIDO in Healthcare

38 38 PayPal continues FIDO enablement in improved mobile wallet app. Google has FIDO in Chrome and 2-Step Verification. Samsung adds touch to Galaxy S6 and ships FIDO on all Galaxy devices 2014 Deployments

39 39 A range of FIDO PRODUCTS is now available

40 40 Online Services Chip Providers Device Providers Biometrics Technology Providers Implementing 1.0 Specifications (this is only a subset of active implementations) Enterprise Servers Open Source Mobile Apps/Clients WWW Browsers

41 41 JOIN THE FIDO ALLIANCE

42 42 EXPERIENCE SIMPLER, STRONGER AUTHENTICATION