TECHNICAL WHITE PAPER FIDO APPROACHES: NOK NOK LABS S3 SUITE VS BUILD YOUR OWN FIDO

Similar documents
TECHNICAL WHITE PAPER ENABLING BIOMETRICS FOR MOBILE APPLICATION AUTHENTICATION

EMERGING TRENDS AROUND AUTHENTICATION

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Who What Why

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

FIDO AND PAYMENTS AUTHENTICATION. Philip Andreae Vice President Oberthur Technologies

MODERNIZE INFRASTRUCTURE

BUILDING the VIRtUAL enterprise

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

A NEW MODEL FOR AUTHENTICATION

7 Things ISVs Must Know About Virtualization

Easily Managing Hybrid IT with Transformation Technology

THE SECURITY LEADER S GUIDE TO SSO

Securing Office 365 with MobileIron

The CISO s Guide to Deploying True Password-less Security. by Bojan Simic and Ed Amoroso

HARNESSING THE HYBRID CLOUD TO DRIVE GREATER BUSINESS AGILITY

ITU-T SG 17 Q10/17. Trust Elevation Frameworks

FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication

Developing Enterprise Cloud Solutions with Azure

Achieving Digital Transformation: FOUR MUST-HAVES FOR A MODERN VIRTUALIZATION PLATFORM WHITE PAPER

REVISED 6 NOVEMBER 2018 COMPONENT DESIGN: VMWARE IDENTITY MANAGER ARCHITECTURE

Accelerate Your Enterprise Private Cloud Initiative

ARCHITECTURAL OVERVIEW REVISED 6 NOVEMBER 2018

VMWARE CLOUD FOUNDATION: INTEGRATED HYBRID CLOUD PLATFORM WHITE PAPER NOVEMBER 2017

Linux Automation.

REDUCE TCO AND IMPROVE BUSINESS AND OPERATIONAL EFFICIENCY

Delivering Business-Critical IP Multicast Applications Securely

10 QUESTIONS, 10 ANSWERS. Get to know VMware Cloud on AWS The Best-in-Class Hybrid Cloud Service

THREE PATHS TO CLOUD CHOICE WITHOUT COMPLEXITY. Copyright 2013 EMC Corporation. All rights reserved.

Modern Identity Management Patterns for Microservices and Mobile

Securing Today s Mobile Workforce

RCS OVERVIEW. Fábio Moraes GSMA October 2018 Future Networks Programme

Kony MobileFabric. Release Notes. On-Premises. Release 6.5. Document Relevance and Accuracy

BUSTED! 5 COMMON MYTHS OF MODERN INFRASTRUCTURE. These Common Misconceptions Could Be Holding You Back

Fencing the Cloud. Roger Casals. Senior Director Product Management. Shared vision for the Identity: Fencing the Cloud 1

What to Look for in a Partner for Software-Defined Data Center (SDDC)

Getting Hybrid IT Right. A Softchoice Guide to Hybrid Cloud Adoption

THE RTOS AS THE ENGINE POWERING THE INTERNET OF THINGS

Cloud Mobility: Meraki Wireless & EMM

Overview. Premium Data Sheet. DigitalPersona. DigitalPersona s Composite Authentication transforms the way IT

VMWARE CLOUD FOUNDATION: THE SIMPLEST PATH TO THE HYBRID CLOUD WHITE PAPER AUGUST 2018

VMWARE HORIZON 7. End-User Computing Today. Horizon 7: Delivering Desktops and Applications as a Service

What s New in VMware vsphere 5.1 VMware vcenter Server

HYPER-CONVERGED INFRASTRUCTURE 101: HOW TO GET STARTED. Move Your Business Forward with a Software-Defined Approach

PULSE CONNECT SECURE APPCONNECT

Datasheet. Only Workspaces delivers the features users want and the control that IT needs.

Hybrid WAN Operations: Extend Network Monitoring Across SD-WAN and Legacy WAN Infrastructure

VMworld 2015 Track Names and Descriptions

VMware Cloud Operations Management Technology Consulting Services

Oracle Exadata Statement of Direction NOVEMBER 2017

IBM and Juniper Networks

GET CLOUD EMPOWERED. SEE HOW THE CLOUD CAN TRANSFORM YOUR BUSINESS.

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Convergence is accelerating the path to the New Style of Business

905M 67% of the people who use a smartphone for work and 70% of people who use a tablet for work are choosing the devices themselves

WHITE PAPER AUTHENTICATION YOUR WAY SECURING ACCESS IN A CHANGING WORLD

Sentinet for Microsoft Azure SENTINET

The Modern Web Access Management Platform from on-premises to the Cloud

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

VMWARE HORIZON CLOUD SERVICE HOSTED INFRASTRUCTURE ONBOARDING SERVICE SILVER

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Internet is Global. 120m. 300m 1.3bn Users. 160m. 300m. 289m

Accelerate Your Cloud Journey

Luckily, our enterprise had most of the back-end (services, middleware, business logic) already.

Going cloud-native with Kubernetes and Pivotal

The Power of Partnership

SIEM Solutions from McAfee

How to Evaluate a Next Generation Mobile Platform

Simplify Hybrid Cloud

Transforming IT: From Silos To Services

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Liferay Security Features Overview. How Liferay Approaches Security

Making hybrid IT simple with Capgemini and Microsoft Azure Stack

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

Vision of the Software Defined Data Center (SDDC)

VMware vrealize Suite and vcloud Suite

OpenStack and Hadoop. Achieving near bare-metal performance for big data workloads running in a private cloud ABSTRACT

How A Cloud-Based Mobile Device Lab Accelerates Time To Market And ROI

Introduction to Big Data

Simplify Client Virtualization

Solution. Imagine... a New World of Authentication.

SOLUTION BRIEF Enterprise WAN Agility, Simplicity and Performance with Software-Defined WAN

CONFIDENTLY INTEGRATE VMWARE CLOUD ON AWS WITH INTELLIGENT OPERATIONS

More than just being signed-in or signed-out. Parul Jain, Architect,

SAAS: THE RDP ADVANTAGE FOR ISVS AND USERS

BlackBerry Enterprise Identity

SAP Forum Lausanne. Workload-optimized systems designed for speed, flexibility & unmatched scalability by HPE. June 13th, 2016

GDPR Update and ENISA guidelines

BUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY

Mobile Security Overview Rob Greer, VP Endpoint Management and Mobility Product Management Dave Cole, Sr. Director Consumer Mobile Product Management

Cloud Computing Private Cloud

The office for the anywhere worker!!! Your LCB SOFTPHONE: A powerful new take on the all-in-one for a more immersive experience.

Cisco HyperFlex and the F5 BIG-IP Platform Accelerate Infrastructure and Application Deployments

FIDO & PSD2. Providing for a satisfactory customer journey. April, Copyright 2018 FIDO Alliance All Rights Reserved.

2-4 April 2019 Taets Art and Event Park, Amsterdam CLICK TO KNOW MORE

TRUSTED SUPPLY CHAIN & REMOTE PROVISIONING WITH THE TRUSTED PLATFORM MODULE

Video Conferencing & Skype for Business: Your Need-to-Know Guide

Single Sign-On Best Practices

SIMPLIFYING THE CAR. Helix chassis. Helix chassis. Helix chassis WIND RIVER HELIX CHASSIS WIND RIVER HELIX DRIVE WIND RIVER HELIX CARSYNC

Transcription:

TECHNICAL WHITE PAPER FIDO APPROACHES: NOK NOK LABS S3 SUITE VS BUILD YOUR OWN FIDO

TABLE OF CONTENTS Executive Summary... 3 FIDO Solution Requirements... 3 FIDO UAF Client infrastructure... 4 FIDO UAF Server Infrastructure... 4 Summary... 6

EXECUTIVE SUMMARY The FIDO specifications provide an open approach to strong authentication. Industry leaders from across the the industry have formed an alliance to cooperate defining technical specifications that deliver strong authentication interoperability. Organizations that deploy consumer-facing applications are able to leverage these FIDO specifications and can choose to deploy the Nok Nok Labs S3 Authentication Suite or can take a do it yourself approach to building FIDO authentication infrastructure. This paper focuses on the FIDO UAF protocol and highlights the main issues that organizations should consider in making this decision. It explains why the Nok Nok Labs S3 Suite provides better value, security and a proven approach to successful FIDO-based solution deployment. FIDO SOLUTION REQUIREMENTS Keeping Up With An Evolving FIDO Specification Like any other protocol, the FIDO specifications will continue to develop over time to add new capabilities and address new use cases. An organization s ability to leverage updated FIDO capabilities that appear on new FIDO-enabled devices will be dependent on the FIDO server s support for these new features. An organization that chooses to implement its own FIDO server will need to continue to monitor the evolution of the FIDO specification, and incorporate support for updated features. Without such continued investment, the capabilities of the FIDO server will fall behind the current specifications and may result in reduced functionality and limited interoperability with newer devices featuring FIDO support. The final draft of the FIDO UAF 1.0 specification was published in December 2014, and that is expected to be superseded by FIDO UAF 1.1 in late 2016. In addition, the prospect of FIDO 2.0 (including the W3C s Web Auth proposal for integrating FIDO with modern web browsers) is on the horizon, which may entail further changes to an organization building their own FIDO deployment. The Nok Nok Labs S3 Suite allows an organization to take advantage of the feature richness of FIDO without having to dedicate considerable development resources to keeping up with FIDO updates and changes. Development Issues The FIDO protocol is a specification, not a technology. Deploying a FIDO authentication solution involves resources and costs to implement the specification. While organizations can develop their own FIDO infrastructure to support FIDO-enabled devices and applications, required resources and costs in terms of development, testing and support can quickly mount. This involves both client-side (see Figure 1) and server side (see Figure 2) development. As shown in Figure 1, organizations need to address SDKs for each target platform that interface with the target mobile application and the FIDO client on the device, in addition to the authentication server infrastructure. 3 NOK NOK LABS OCTOBER 2016

FIDO UAF CLIENT INFRASTRUCTURE FIDO Certified Android Device Apple ios Device Google Android 6.0+ Device Future FIDO Device Requires SDK interfacing with FIDO UAF stack preloaded by the device manufacturer. Requires SDK to leverage platform s Touch ID API to implement FIDO UAF stack. Requires SDK leveraging Android s Fingerprint APIs to implement a FIDO UAF stack. Requires SDK leveraging future FIDO authenticators and interface to future FIDO UAF protocol. SDK (Java) SDK (Objective-C) SDK (Java) SDK (OS-specific) UAF 1.0/1.1 Client UAF 1.0 Client UAF 1.x Client UAF 1.0/1.1 ASM UAF 1.0 ASM UAF 1.x ASM UAF 1.0/1.1 Authenticator UAF 1.0 Authenticator FIDO UAF 1.0/1.1 Client Touch ID API FingerprintManager API Future FIDO Authenticator Figure 1 Organization Builds FIDO UAF Interface / Data Format Device Manufacturer Builds Platform Vendor Builds FIDO UAF SERVER INFRASTRUCTURE FIDO Certified Server Infrastructure Policy and Risk Engine Data Storage Layer Policy Validation Replay Attack Protection FIDO UAF User Keys FIDO UAF Metadata Transaction Validation Attestation Verification Database Abstraction Layer Cryptographic Provider FIDO UAF Protocol Handlers FIDO UAF 1.0 Handler FIDO UAF 1.1 Handler FIDO UAF 1.x Handler Transport Interface (REST API) Application Infrastructure Session Management Business Logic Policy Selection Risk Engine Integration FIDO Certified Android Device Apple ios Device Google Android 6.0+ Device Future FIDO Device Figure 2 Organization Builds FIDO UAF Interface / Data Format 4 NOK NOK LABS OCTOBER 2016

The FIDO specifications include a number of nonnormative elements that are left to the FIDO developer/implementor to design and deploy. Examples include how to (i) handle replay attack prevention, (ii) track information across authentications, and (iii) represent and manage policy on the server. The developer/implementor is required to address these issues, among others, which reside outside of the FIDO protocol. The Nok Nok Labs S3 addresses these elements so the deploying organization can deploy more quickly and with lower risk. While the FIDO specifications provide a roadmap to developing an authentication server, organizations need to consider a variety of design decisions when building their own FIDO server solution. The Nok Nok Labs S3 Suite provides a proven solution for both the client and the server that accelerates deployment, lowers project risk and avoids development costs. Heterogeneous Platform & Device Support Organizations deploying FIDO solutions will want to support a broad number of devices and authenticators in order to avoid authentication silos and reduce costs. While organizations deploying their own FIDO solution can take advantage of any FIDO Certified device, the Nok Nok Labs S3 Suite also provides support for any device, not just FIDO Certified devices. For example, Nok Nok Labs App SDK supports both ios using Touch ID or Device Passcode, as well as Android 6.0 or later devices equipped with a fingerprint sensor. An organization that builds their own FIDO solution that would like to take advantage of native platform APIs such as the Google Android 6.0 Fingerprint API or Apple Touch ID API will need to develop and maintain software to enable those platform APIs in the context of FIDO. This means building a FIDO Client to embed in an organization s mobile application, as well as an Authenticator Specific Module (ASM) and the authenticator (e.g. a fingerprint sensor, etc.) that leverages the native platform APIs to perform the underlying FIDO cryptographic and user verification operations. This development is required for each target platform. The Nok Nok S3 Suite provides a complete solution to support these multiple platforms with heterogeneous devices, saving the organization time and resources. A key issue when building a FIDO server is ensuring that the implementation complies with the FIDO specifications, and is interoperable with FIDO-enabled devices provided by third parties, such as mobile device manufacturers (OEMs). An organization that chooses to build its own FIDO server will need to perform qualification against FIDO-enabled devices to ensure their implementation meets FIDO specifications and is interoperable with other FIDO enabled devices. This may require the organization create a testbed, and then purchase and test a significant inventory of devices against their own FIDO server implementation. Without such rigorous interoperability testing, an organization will not be assured their server will interoperate correctly with third-party FIDO devices. Deployment Issues Deploying a FIDO solution requires skill and planning to ensure that the server infrastructure has sufficient scalability and is tuned to deliver exceptionally low latency that optimizes the customer authentication experience. Nok Nok Labs provides a highly tuned Nok Nok Authentication Server that benefits from years of development, testing, tuning and from the lessons learned from the many customer deployments that support millions of end users at scale. Security Developing a FIDO solution requires security preparations such as penetration testing and auditability. While developing a FIDO server would require such penetration testing, the Nok Nok solution has already completed the necessary penetration testing and avoids auditing. 5 NOK NOK LABS OCTOBER 2016

Intellectual Property Protection The FIDO Alliance framework involves a contractual intellectual property (IP) regime that relates to the FIDO Alliance specifications. Members of the FIDO Alliance promise not to assert IP rights against other Alliance members, as related to and required by the implementation of the FIDO specifications. An implementor of the FIDO specification who is not a member of the FIDO Alliance does not benefit from this promise not to assert IP rights, and could therefore assume IP risk. Using the Nok Nok Labs S3 Suite provides certain IP protection, because Nok Nok Labs is a founding member of the Alliance, and benefits from the promise not to assert patent rights; Nok Nok Labs has also developed its own patent portfolio to protect its innovations around the implementation of its FIDO solutions. Additional Feature Requirements Out of Band (OOB) Authentication The Nok Nok Labs S3 Suite builds on top of FIDO to enable the use of a FIDO -enabled mobile device as an Out of Band method of authentication. With this feature, users can use their phone to authenticate sessions and transactions initiated on another device (such as a desktop web browser, or a kiosk). This unique functionality in the Nok Nok Labs S3 Suite is beyond the scope of FIDO specifications, and is only provided by Nok Nok Labs. Authentication Policies The Nok Nok Labs S3 Suite provides lower risk and reduces fraud through dynamic authentication policy options for flexible authentication. Such functionality requires custom code development for an organization that builds its own FIDO server. Infrastructure Integration - Nok Nok Labs S3 Suite also provides lower costs and simplicity with integration with Identity and Access Management (IAM) and federation systems. Such functionality requires custom code development for an organization building its own FIDO server. SUMMARY The Nok Nok Labs S3 Suite is a proven solution that provides simplicity, lower costs, faster deployment and optimal security. While enterprises can develop their own SDKs and authentication servers, this approach increases initial project risk and costs and also carries an ongoing burden required to support and maintain FIDO interoperability as the specifications evolve. The Nok Nok S3 approach provides functionality beyond basic FIDO support including the ability to support devices from any vendor including Apple and Touch ID. Nok Nok Labs provides the shortest route to successful FIDO-based strong authentication. 6 NOK NOK LABS OCTOBER 2016

ABOUT NOK NOK LABS Backed by a team of security industry veterans from PGP, Netscape, PayPal, and Phoenix Technologies, Nok Nok Labs has deep experience in building internetscale security protocols and products. Our ambition is to fundamentally transform authentication, by unifying authentication into one standard protocol, giving business the power to make the utmost of the cloud, data, mobile, and business online. Nok Nok Labs 2100 Geng Road, Suite 105 Palo Alto, CA 94303 www.noknok.com TO LEARN MORE ABOUT NOK NOK LABS, VISIT NOKNOK.COM OR CONTACT US AT INFO@NOKNOK.COM Nok Nok Labs, Nok Nok, and NNL are all trademarks of Nok Nok Labs, Inc. 2016 Nok Nok Labs, Inc. All Rights Reserved.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback