Mobile Connect – FIDO Alliance and GSMA presentation
TRANSCRIPT
783 data breaches in 2014...
>1 billion records stolen since 2012
$3.5 million average cost per breach
ONE-TIME PASSCODES: improve security but aren’t easy enough
• Still phishable
• Poor user experience
• Token necklace
• SMS reliability
FIDO Registration
1. Registration begins
2. User approval
3. New key created
4. Key registered using public key cryptography
FIDO Login
1. Login
2. Login challenge
3. Key selected, user approval
4. Login response using public key cryptography
Login complete
Passwordless Experience (FIDO UAF standards)
1. Transaction detail ($10,000, Transfer Now)
2. User authentication
3. Done (Success)

Second Factor Experience (FIDO U2F standards)
1. Login & password
2. Insert dongle, press button
3. Done (Success)
2014 Deployments
• PayPal continues FIDO enablement in improved mobile wallet app.
• Google has FIDO in Chrome and 2-Step Verification.
• Samsung adds FIDO enabled Touch authentication to Galaxy® S6
FIDO UNIVERSAL 2ND FACTOR (U2F)
Authenticator
• User verification: is a user present?
• FIDO authentication: same authenticator as registered before?

FIDO UNIVERSAL AUTHENTICATION FRAMEWORK (UAF)
Authenticator
• User verification: same user as enrolled before?
• FIDO authentication: same authenticator as registered before?
No 3rd Party in the Protocol
No Secrets on the Server side
Biometric data (if used) never leaves device
No linkability between Services or Accounts
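The registration and login flows shown earlier (a fresh key pair per registration, a server-issued challenge signed on the device after user approval, the server holding only public keys) and the four properties on this slide, as an added worked example that is not FIDO Alliance or GSMA code. It stands in a toy Schnorr signature over a group built from the Python standard library for the ECDSA/RSA a real authenticator would use; the Authenticator and RelyingParty classes, the key_handle, the way the origin is bound into the signed bytes, and the sample names (alice, bank.example, bank-example.evil) are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group from the standard library only: q = 2^521 - 1 is a known Mersenne
# prime, p = 2*k*q + 1 for the first k that makes p prime, and G has order q. Toy
# parameters for illustration; real FIDO authenticators use ECDSA P-256 or RSA.
Q = (1 << 521) - 1

def _is_probable_prime(n, rounds=8):  # Miller-Rabin with random bases; fine for toy parameters
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

K = next(k for k in range(1, 10_000) if _is_probable_prime(2 * k * Q + 1))
P = 2 * K * Q + 1
G = pow(2, (P - 1) // Q, P)            # projects 2 into the subgroup of order q
assert G != 1

def _hash_to_int(*parts):
    h = hashlib.sha512()
    for part in parts:                    # length-prefixed so parts cannot be re-split
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # private scalar: never leaves the authenticator
    return x, pow(G, x, P)                # public key: the only thing the server stores

def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _hash_to_int(pow(G, k, P).to_bytes(128, "big"), msg)
    return e, (k - x * e) % Q

def verify(y, msg, sig):
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P   # g^s * y^e equals g^k when s = k - x*e
    return e == _hash_to_int(r.to_bytes(128, "big"), msg)

def _signed_data(origin, challenge):
    # The origin the client saw is bound into the signed bytes (U2F style; UAF binds the
    # AppID/facet in the same spirit). That binding, not the challenge alone, defeats phishing.
    return origin.encode() + b"|" + challenge

class Authenticator:  # mints a fresh key pair per registration, so services cannot link one user
    def __init__(self):
        self._keys = {}                   # key_handle -> private scalar
    def register(self):
        x, y = keygen()
        key_handle = secrets.token_hex(16)
        self._keys[key_handle] = x
        return key_handle, y              # only the handle and the public key leave the device
    def authenticate(self, origin, key_handle, challenge, user_present=True):
        x = self._keys.get(key_handle)
        if x is None or not user_present:    # unknown key, or no user approval (touch/biometric)
            return None
        return sign(x, _signed_data(origin, challenge))

class RelyingParty:  # server side: holds public keys only and issues one-shot random challenges
    def __init__(self, rp_id):
        self.rp_id, self._registered, self._pending = rp_id, {}, {}
    def complete_registration(self, username, key_handle, pubkey):
        self._registered[(username, key_handle)] = pubkey
    def begin_login(self, username):
        self._pending[username] = secrets.token_bytes(32)
        return self._pending[username]
    def complete_login(self, username, key_handle, signature):
        challenge = self._pending.pop(username, None)     # consumed: a replay finds nothing
        pubkey = self._registered.get((username, key_handle))
        if challenge is None or pubkey is None or signature is None:
            return False
        return verify(pubkey, _signed_data(self.rp_id, challenge), signature)

def run_demo():
    auth, bank = Authenticator(), RelyingParty("bank.example")
    kh, pk = auth.register()                          # registration, slide steps 1-4
    bank.complete_registration("alice", kh, pk)
    kh2, pk2 = auth.register()                        # a second service gets unrelated material
    c = bank.begin_login("alice")                     # login, slide steps 1-4
    sig = auth.authenticate("bank.example", kh, c)
    login = bank.complete_login("alice", kh, sig)
    replay = bank.complete_login("alice", kh, sig)    # same response presented again
    c = bank.begin_login("alice")                     # look-alike site relays the real challenge
    phish = bank.complete_login("alice", kh, auth.authenticate("bank-example.evil", kh, c))
    c = bank.begin_login("alice")                     # user never approved on the device
    no_touch = bank.complete_login("alice", kh, auth.authenticate("bank.example", kh, c, False))
    return {"login": login, "replay": replay, "phish": phish,
            "no_user_presence": no_touch, "unlinkable": pk != pk2 and kh != kh2}
```

run_demo() returns a dict in which only "login" and "unlinkable" are true: the replay fails because the challenge is consumed on first use, the phishing relay fails because the signature covers the origin the client actually saw rather than the relying party's own id, and a response without user approval never exists. A dump of the server's table yields nothing but public keys, which is the "no secrets on the server side" property; there are only two parties in the exchange. Production deployments add what this toy omits: attestation of the authenticator model at registration, U2F's binding of the key handle to the AppID, and UAF's facet checks.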
MODERN AUTHENTICATION (figure): physical-to-digital identity, user management, authentication (passwords, risk-based, strong), federation, single sign-on
Board Members
Online services, chip providers, device providers, biometrics vendors, enterprise servers, platform providers
FIDO TIMELINE
• FEB 2013: Alliance announced (6 members)
• DEC 2013: Specification review draft (59 members)
• FEB 2014: FIDO Ready program (84 members)
• FEB-OCT 2014: First UAF & U2F deployments (129 members)
• DEC 9 2014: FIDO 1.0 final specification (152 members)
Implementing 1.0 Specifications (this is only a subset of active implementations)
Online services, chip providers, device providers, biometrics technology providers, enterprise servers, open source, mobile apps/clients, WWW browsers
FIDO in Windows 10
• Windows used by 1.5 billion users
• Windows 10 in 190 countries by Q3
• Free upgrade for consumers
FIDO in Snapdragon
• Market leader to ship FIDO client
• 85+ OEMs as of Q4
• >1 billion Android devices shipped
• Innovative sensor
FIDO in Healthcare
• First healthcare deployment
• Physician access to health records
• Up to 50 million healthcare users
FIDO in Enterprise
• Google for Work announced enterprise admin support for FIDO® U2F “Security Key” – April 21
• Google for Work is used by over 5 million businesses worldwide
• “The Security Keys are a great step forward, as they are very practical and more secure.” – Woolsworth IT
FIDO & Government
“2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials.”
-- NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12-Feb-2014
• Governments worldwide are looking at FIDO
• FIDO featured at White House Summit
• New collaboration framework… (Infineon, NSP, NNL)
New Government Membership Class
• Reflecting an increased focus on Government collaboration worldwide
• Details are now published in the new FIDO Alliance Membership Agreement
About the GSMA
The GSMA represents the interests of mobile operators worldwide
Spanning more than 220 countries, the GSMA unites nearly 800 of the world’s mobile operators, as well as more than 230 companies in the broader mobile ecosystem
© GSMA 2014
All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy
Mobile Connect: a convenient and secure alternative to passwords that also protects consumers’ privacy
• Easy to use, as it uses the mobile phone for authentication (i.e. no passwords)
• Anonymous but secure log-in (no passwords to steal, improved user experience, reduced friction)
• Adds trust into digital transactions (e.g. by confirming location, user identity, usage)
• Protects privacy (operator confirms credentials, user gives consent for sharing)
• Reduces SP fraud through assurance that there is a real person behind the account
• Simple and cost effective for MNOs to deploy, leveraging existing operator assets
Something I know
Something I have
Something I have + something I know, or something I have + something I am
Mobile Connect and FIDO both seek to replace passwords
Both FIDO and Mobile Connect are addressing the same problem: easier, safer online authentication
Both FIDO and Mobile Connect leverage the mobile phone to achieve this
Whilst Mobile Connect uses existing MNO services for authentication (SMS, USSD, SIM Toolkit), FIDO leverages the local device authentication on the phone itself
In doing so, both provide easy, secure two-factor authentication
Both also provide a pluggable framework that can support a variety of security levels as well as supporting new authentication methods as they arise
FIDO objectives align well with those of Mobile Connect
Synergistic fit using FIDO for the first mile of Mobile Connect
(Figure: a tablet/desktop sends a service access request to the Service Provider, which sends an authentication request to the MNO’s Identity GW. Mobile phone with FIDO client to MNO AuthN server over the FIDO UAF protocol, labelled first mile; SIM applet to AuthN server over the SIM applet protocol (CPAS8), labelled second mile.)
A key difference between FIDO and Mobile Connect is that FIDO purposefully focuses solely on the first mile – authentication itself – whilst Mobile Connect also provides a federation layer via OpenID Connect
Leveraging FIDO enables users to authenticate using existing authentication mechanisms on their mobile phone …including biometrics – the user becomes the credential (Something I am)
FIDO can be integrated into Mobile Connect to extend the range of authenticators
(Figure: authentication from a mobile phone with FIDO client to the MNO’s MFAS and Identity GW)
Mobile Connect and FIDO UAF integration: White Paper
Main objective:
– Overview of FIDO Architecture and use cases
– Integration of FIDO UAF authenticators into the Mobile Connect architecture
Status:
– Co-developed between GSMA, MNOs and FIDO members
– First draft finished and out for review within FIDO Alliance and GSMA; targeting publication by end June
Left for a second phase:
– UICC based FIDO authenticator
– Use of UICC to enhance FIDO implementation security
– FIDO U2F integration
Matching of FIDO policies to OpenID Connect ‘acr_values’
Service Providers need to be able to both specify and receive feedback on the type of authenticator used
Mobile Connect
– uses Level of Assurance (LoA) values (ISO 29115) in the OIDC request’s acr_values parameter, so the SP can indicate the authenticator class that should be used
FIDO
– uses the FIDO Policy to describe the required authenticator characteristics for accepted authenticators
Options:
– Expand the list of acr_values to accommodate additional LoA/policies
– Capture SP requirements at registration to the Mobile Connect service and propagate via the Mobile Connect federation
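One way the first option above could be realised on the MNO side (an LoA requested in acr_values selects a FIDO-style policy, the authenticator is checked against it, and the level actually achieved is fed back to the SP), as an added example that is not GSMA, Mobile Connect or FIDO Alliance code. The LoA-to-policy table, the human-readable characteristic names (real UAF policies use numeric constants and AAIDs), the assumption that Mobile Connect carries the LoA as the digits 2/3/4 in acr_values, and the three sample authenticators are all assumptions made for illustration.

```python
# Illustrative characteristic names; real UAF policies use numeric constants and AAIDs.
PRESENCE, PASSCODE, FINGERPRINT, FACE = "presence", "passcode", "fingerprint", "face"
SOFTWARE, TEE, SECURE_ELEMENT = "software", "tee", "secure_element"

# Hypothetical mapping from Mobile Connect LoA (ISO/IEC 29115 levels) to a FIDO-style
# policy: "accepted" is an OR of AND-combinations of match criteria, and any "disallowed"
# criterion vetoes an authenticator outright. Level 1 (no assurance) gets no policy here.
LOA_POLICY = {
    2: {"accepted": [[{}]], "disallowed": []},                     # any registered authenticator
    3: {"accepted": [[{"user_verification": {PASSCODE, FINGERPRINT, FACE}}]],
        "disallowed": [{"key_protection": {SOFTWARE}}]},         # verified user, key not in software
    4: {"accepted": [[{"user_verification": {FINGERPRINT, FACE},
                       "key_protection": {SECURE_ELEMENT}}]],
        "disallowed": []},                                         # biometric plus SE-protected key
}

def _matches(criteria, authr):
    """Each criterion names a characteristic and the set of values it allows."""
    return all(authr.get(key) in allowed for key, allowed in criteria.items())

def satisfies(policy, authr):
    if any(_matches(c, authr) for c in policy["disallowed"]):
        return False
    return any(all(_matches(c, authr) for c in conj) for conj in policy["accepted"])

def requested_loa(acr_values):
    """acr_values is space-separated in the SP's preference order; take the first we support."""
    for value in acr_values.split():
        if value.isdigit() and int(value) in LOA_POLICY:
            return int(value)
    raise ValueError(f"no supported LoA in acr_values={acr_values!r}")

def achieved_loa(authr):
    """Highest LoA whose policy the authenticator satisfies, or None if it satisfies none."""
    return next((loa for loa in sorted(LOA_POLICY, reverse=True)
                 if satisfies(LOA_POLICY[loa], authr)), None)

def authorize(acr_values, authr):
    """Return the acr/amr claims for the ID token, or None to refuse the assertion.
    Plain method names are used for amr here; RFC 8176 defines the standard values."""
    loa = requested_loa(acr_values)
    if not satisfies(LOA_POLICY[loa], authr):
        return None
    return {"acr": str(loa), "amr": [authr["user_verification"]]}

# Constructed sample authenticators, as the IdP would learn them from FIDO attestation.
SOFTWARE_PASSCODE = {"user_verification": PASSCODE, "key_protection": SOFTWARE}
TEE_FINGERPRINT = {"user_verification": FINGERPRINT, "key_protection": TEE}
SE_FACE = {"user_verification": FACE, "key_protection": SECURE_ELEMENT}
```

With these parameters a software passcode authenticator is accepted for acr_values "2" but refused for "3", the TEE-backed fingerprint sensor satisfies "3" but not "4", and only the secure-element face authenticator reaches "4". The acr claim returned is the feedback the slide asks for: the SP learns which level the assertion actually met rather than trusting the level it requested.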
Next steps
GSMA White paper
– Continue working on open issues related to the integration of the FIDO authentication framework with Mobile Connect
– Improve the document with feedback from the PoC
FIDO/GSMA/MNO PoC (June/July)
– Prototype of FIDO integration into an end-to-end Mobile Connect implementation: Telefonica + Nok Nok Labs
– Targeted for Mobile World Congress Shanghai
MNO/SP beta trial (post MWCS)
– Live implementation and trial of FIDO authenticators within a Mobile Connect service provided to an SP