1 EXPERIENCE SIMPLER, STRONGER AUTHENTICATION
2 Data Breaches are out of control
3 IN 2014: 783 data breaches; more than 1 billion records stolen since 2012; $3.5 million average cost per breach
4 We have a PASSWORD PROBLEM
5 TOO MANY TO REMEMBER, DIFFICULT TO TYPE, AND TOO VULNERABLE: re-used, phished, keylogged
6 Adding more authentication has largely been rejected by users
7 ONE-TIME PASSCODES improve security but aren't easy enough: SMS reliability, token necklace, poor user experience, still phishable
8 THE OLD PARADIGM (chart): security traded against usability, with Passwords, PINs, OTP and 2FA plotted
9 WE NEED A NEW MODEL: Fast IDentity Online
10 THE FIDO PARADIGM (chart): security from weak to strong against usability from poor to good, with Passwords, PINs, OTP and 2FA plotted
11 HOW DOES FIDO WORK? The authenticator performs USER VERIFICATION locally, then FIDO AUTHENTICATION towards the online service
12 FIDO Registration, using public key cryptography:
   1. Registration begins
   2. User approval
   3. New key created
   4. Key registered
13 FIDO Login, using public key cryptography:
   1. Login challenge
   2. Key selected, user approval
   3. Login response
   4. Login complete
14 Online authentication using public key cryptography
15 Passwordless Experience (FIDO UAF standards): 1. Transaction detail ($10,000, Transfer Now); 2. User authentication; 3. Success, done
   Second Factor Experience (FIDO U2F standards): 1. Login & password; 2. Insert dongle, press button; 3. Success, done
16 2014 DEPLOYMENTS: PayPal continues FIDO enablement in its improved mobile wallet app. Google has FIDO in Chrome and 2-Step Verification. Samsung adds FIDO-enabled Touch authentication to the Galaxy S6.
17 FIDO UNIVERSAL 2ND FACTOR (U2F): USER VERIFICATION asks "Is a user present?"; FIDO AUTHENTICATION asks "Same authenticator as registered before?"
18-21 U2F AUTHENTICATION DEMO EXAMPLE, steps 1 to 4 (screenshots; step 4 labelled "+Bob")
22 FIDO UNIVERSAL AUTHENTICATION FRAMEWORK (UAF): USER VERIFICATION asks "Same user as enrolled before?"; FIDO AUTHENTICATION asks "Same authenticator as registered before?"
23-26 UAF AUTHENTICATION DEMO EXAMPLE, steps 1 to 4 (screenshots)
27 USABILITY, SECURITY and PRIVACY
28 No 3rd party in the protocol; no secrets on the server side; biometric data (if used) never leaves the device; no link-ability between services or accounts
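The registration and login flows on the "FIDO Registration" and "FIDO Login" slides, and the server-side properties listed just above (no secrets on the server, no link-ability between services), can be seen in a small simulation. The Go program below is an added example, not code from the FIDO Alliance or from any FIDO implementation: it models an authenticator that keeps one P-256 key pair per relying-party app ID and a relying party that stores only public keys and a signature counter. The type and function names, the app IDs (https://bank.example, https://shop.example) and the layout of the signed data are all constructed for this illustration and are not the U2F or UAF wire formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models a FIDO-style device (constructed for this example):
// one key pair per relying-party app ID, private keys never leave it.
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey // app ID -> private key, never exported
	counters map[string]uint32            // app ID -> signature counter
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, counters: map[string]uint32{}}
}

// Register creates a fresh P-256 key pair scoped to appID and returns only the
// public half; a different app ID gets an unrelated key (no link-ability).
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedData binds the signature to app ID, challenge and counter, so it cannot
// be replayed at another site or at a later time (illustrative layout only).
func signedData(appID string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	return h.Sum(nil)
}

// Sign answers a login challenge for appID with (counter, signature). An origin
// the device never registered with has no key here, so nothing gets signed.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return 0, nil, errors.New("no key registered for this app ID")
	}
	a.counters[appID]++
	ctr := a.counters[appID]
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge, ctr))
	return ctr, sig, err
}

// RelyingParty stores only public keys and the last counter seen per user:
// there are no secrets on the server side for a breach to expose.
type RelyingParty struct {
	AppID   string
	PubKeys map[string]*ecdsa.PublicKey // username -> registered public key
	lastCtr map[string]uint32
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, PubKeys: map[string]*ecdsa.PublicKey{}, lastCtr: map[string]uint32{}}
}

// NewChallenge issues 32 fresh random bytes for one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify checks the signature with the stored public key and requires the
// counter to advance, which rejects replays and cloned authenticators.
func (rp *RelyingParty) Verify(user string, challenge []byte, ctr uint32, sig []byte) error {
	pub, ok := rp.PubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if ctr <= rp.lastCtr[user] {
		return errors.New("counter did not advance: replay or cloned key")
	}
	if !ecdsa.VerifyASN1(pub, signedData(rp.AppID, challenge, ctr), sig) {
		return errors.New("signature does not verify")
	}
	rp.lastCtr[user] = ctr
	return nil
}

func main() {
	rp, auth := NewRelyingParty("https://bank.example"), NewAuthenticator()
	rp.PubKeys["bob"], _ = auth.Register(rp.AppID) // registration: only the public key reaches the server
	ch, _ := rp.NewChallenge()
	ctr, sig, _ := auth.Sign(rp.AppID, ch) // login: challenge is signed on the device
	fmt.Println("login:", rp.Verify("bob", ch, ctr, sig), "| replay:", rp.Verify("bob", ch, ctr, sig))
}
```

Running it prints a nil error for the first login and a counter error for the replayed assertion. Because the key is selected by app ID, a look-alike origin gets no signature at all, and a second service registered on the same device receives a different public key, which is the "no link-ability" property from the slide.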
29 Better Security for online services Reduced cost for the enterprise Simple & Safe for consumers
30 The FIDO Alliance is an open association of more than 180 diverse member organizations
31 MODERN AUTHENTICATION (diagram): physical-to-digital identity; user management; authentication (passwords, strong, risk-based); federation; single sign-on
32 Online Services Chip Providers Device Providers Biometrics Vendors Enterprise Servers Platform Providers Board Members
33 FIDO TIMELINE
   FEB 2013 (6 members): Alliance announced
   DEC 2013 (59 members): FIDO Ready program
   FEB 2014 (84 members): Specification review draft
   FEB-OCT 2014 (129 members): First UAF & U2F deployments
   DEC 9 2014 (152 members): FIDO 1.0 FINAL specification
34 FIDO in 2015 FIDO implementations and deployments
35 A range of FIDO PRODUCTS is now available
36 Implementing the 1.0 specifications (this is only a subset of active implementations): online services, chip providers, device providers, biometrics technology providers, enterprise servers, open source, mobile apps/clients, WWW browsers
37 FIDO IN WINDOWS 10: Windows is used by 1.5 billion users; Windows 10 in 190 countries by Q3; free upgrade for consumers
38 FIDO IN SNAPDRAGON: market leader to ship a FIDO client; 85+ OEMs as of Q4; >1 billion Android devices shipped; innovative sensor
39 FIDO IN HEALTHCARE: first healthcare deployment; physician access to health records; up to 50 million healthcare users
40 FIDO IN ENTERPRISE: Google for Work announced enterprise admin support for the FIDO U2F Security Key on April 21. Google for Work is used by over 5 million businesses worldwide. "The Security Keys are a great step forward, as they are very practical and more secure." (Woolworths IT)
41 FIDO & GOVERNMENT: governments worldwide are looking at FIDO; FIDO featured at the White House Summit; new collaboration framework. "The 2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials." -- NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12-Feb-2014
42 New Government Membership Class, reflecting an increased focus on government collaboration worldwide (NNL, Infineon, NSP). Details are now published in the new FIDO Alliance Membership Agreement.
43 JOIN THE FIDO ALLIANCE
Mobile Connect & FIDO
About the GSMA: the GSMA represents the interests of mobile operators worldwide. Spanning more than 220 countries, the GSMA unites nearly 800 of the world's mobile operators, as well as more than 230 companies in the broader mobile ecosystem.
Mobile Connect: a convenient and secure alternative to passwords that also protects consumers' privacy
   - Easy to use, as it uses the mobile phone for authentication (i.e. no passwords)
   - Anonymous but secure log-in (no passwords to steal, improved user experience, reduced friction)
   - Adds trust into digital transactions (e.g. by confirming location, user identity, usage)
   - Protects privacy (operator confirms credentials, user gives consent for sharing)
   - Reduces SP fraud through assurance that there is a real person behind the account
   - Simple and cost-effective for MNOs to deploy, leveraging existing operator assets
   GSMA 2014. All GSMA meetings are conducted in full compliance with the GSMA's anti-trust compliance policy.
Mobile Connect and FIDO both seek to replace passwords ("Something I Know") with Something I Have, Something I Have + Something I Know, or Something I Have + Something I Am
FIDO objectives align well with those of Mobile Connect
   - Both FIDO and Mobile Connect address the same problem: easier, safer online authentication
   - Both leverage the mobile phone to achieve this: whilst Mobile Connect uses existing MNO services for authentication (SMS, USSD, SIM Toolkit), FIDO leverages the local device authentication on the phone itself
   - In doing so, both provide easy, secure two-factor authentication
   - Both also provide a pluggable framework that can support a variety of security levels as well as new authentication methods as they arise
Synergistic fit: using FIDO for the first mile of Mobile Connect (diagram labels: Service Provider; tablet/desktop; service access request; authentication request; MNO; Identity GW; second mile: SIM applet protocol (CPAS8) between the SIM applet AuthN server and the SIM applet; first mile: FIDO UAF protocol between the FIDO AuthN server and a mobile phone with a FIDO client). A key difference between FIDO and Mobile Connect is that FIDO purposefully focuses solely on the first-mile authentication itself, whilst Mobile Connect also provides a federation layer via OpenID Connect.
FIDO can be integrated into Mobile Connect to extend the range of authenticators (diagram labels: MNO; MFAS; Identity GW; authentication; mobile phone with FIDO client). Leveraging FIDO enables users to authenticate using existing authentication mechanisms on their mobile phone, including biometrics: the user becomes the credential (Something I Am).
Mobile Connect and FIDO UAF integration: White Paper
   Main objective: overview of the FIDO architecture and use cases; integration of FIDO UAF authenticators into the Mobile Connect architecture
   Status: co-developed between GSMA, MNOs and FIDO members; first draft finished and out for review within the FIDO Alliance and GSMA; targeting publication by end of June
   Left for a second phase: UICC-based FIDO authenticator; use of the UICC to enhance FIDO implementation security; FIDO U2F integration
Matching of FIDO policies to OpenID Connect acr_values: Service Providers need to be able to both specify and receive feedback on the type of authenticator used
   Mobile Connect uses Level of Assurance (LoA) values (ISO 29115) in the OIDC request acr_values parameter, so the SP can indicate the authenticator class that should be used
   FIDO uses the FIDO Policy to describe the required characteristics of accepted authenticators
   Options: expand the list of acr_values to accommodate additional LoA/policies; capture SP requirements at registration to the Mobile Connect service and propagate them via the Mobile Connect federation
Next steps
   GSMA White Paper: continue working on open issues related to the integration of the FIDO authentication framework with Mobile Connect; improve the document with feedback from the PoC
   FIDO/GSMA/MNO PoC (June/July): prototype of FIDO integration into an end-to-end Mobile Connect implementation (Telefonica + Nok Nok Labs), targeted for Mobile World Congress Shanghai
   MNO/SP beta trial (post MWCS): live implementation and trial of FIDO authenticators within a Mobile Connect service provided to an SP