mobile connections – fido alliance and gsma presentation


Upload: fido-alliance

Post on 13-Feb-2017


TRANSCRIPT

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

Data breaches are out of control

783 data breaches in 2014

>1 billion records stolen since 2012

$3.5 million average cost per breach

We have a PASSWORD PROBLEM

Re-used, phished, keylogged

TOO MANY TO REMEMBER, DIFFICULT TO TYPE, AND TOO VULNERABLE

Adding more authentication has largely been rejected by users

ONE-TIME PASSCODES improve security but aren't easy enough

Still phishable

Poor user experience

Token necklace

SMS reliability

THE OLD PARADIGM

[Chart: usability against security, with Passwords, OTP, 2FA and PINs plotted as a trade-off between the two]

WE NEED A NEW MODEL: Fast IDentity Online

THE FIDO PARADIGM

[Chart: usability (poor to good) against security (weak to strong), with Passwords, PINs, OTP and 2FA plotted; FIDO is positioned as both usable and strong]

HOW DOES FIDO WORK?

[Diagram: USER VERIFICATION takes place locally against the AUTHENTICATOR; FIDO AUTHENTICATION runs between the authenticator and the online service]

FIDO Registration

1. Registration begins
2. User approval
3. New key created
4. Key registered using public key cryptography

FIDO Login

1. Login challenge
2. User approval
3. Key selected
4. Login response using public key cryptography

Login complete

Online authentication using public key cryptography

Passwordless Experience (FIDO UAF Standards)

1. Transaction detail ($10,000, Transfer Now)
2. User authentication
3. Done (Success)

Second Factor Experience (FIDO U2F Standards)

1. Login & password
2. Insert dongle, press button
3. Done (Success)

2014 Deployments

PayPal continues FIDO enablement in improved mobile wallet app.

Google has FIDO in Chrome and 2-Step Verification.

Samsung adds FIDO enabled Touch authentication to Galaxy® S6

FIDO UNIVERSAL 2ND FACTOR

[Diagram: AUTHENTICATOR. User verification asks "Is a user present?"; FIDO authentication asks "Same authenticator as registered before?"]

U2F AUTHENTICATION DEMO EXAMPLE

Steps 1 to 4 (screenshots)

FIDO UNIVERSAL AUTHENTICATION FRAMEWORK (UAF)

[Diagram: AUTHENTICATOR. User verification asks "Same user as enrolled before?"; FIDO authentication asks "Same authenticator as registered before?"]

UAF AUTHENTICATION DEMO EXAMPLE

Steps 1 to 4 (screenshots)

USABILITY, SECURITY and PRIVACY

No 3rd party in the protocol

No secrets on the server side

Biometric data (if used) never leaves device

No linkability between services or accounts

Better security for online services

Reduced cost for the enterprise

Simple & safe for consumers

The FIDO Alliance is an open association of more than 180 diverse member organizations

MODERN AUTHENTICATION

[Diagram: Physical-to-digital identity; User management; Authentication (Passwords, Risk-based, Strong); Federation; Single sign-on]

10

Board Members

[Grouped by category: Online services; Chip providers; Device providers; Biometrics vendors; Enterprise servers; Platform providers]

FIDO TIMELINE

FEB 2013: Alliance announced (6 members)

DEC 2013: FIDO Ready program (59 members)

FEB 2014: Specification review draft (84 members)

FEB-OCT 2014: First UAF & U2F deployments (129 members)

DEC 9 2014: FIDO 1.0 FINAL specification (152 members)

FIDO implementations and deployments

FIDO in 2015

A range of FIDO PRODUCTS is now available

Implementing 1.0 Specifications (this is only a subset of active implementations)

Online Services

Chip Providers

Device Providers

Biometrics Technology Providers

Enterprise Servers

Open Source

Mobile Apps/Clients

WWW Browsers

FIDO in Windows 10

Windows used by 1.5 billion users

Windows 10 in 190 countries by Q3

Free upgrade for consumers

FIDO in Snapdragon

Market leader to ship FIDO client

85+ OEMs as of Q4

>1 billion Android devices shipped

Innovative sensor

FIDO in Healthcare

First healthcare deployment

Physician access to health records

Up to 50 million healthcare users

FIDO in Enterprise

Google for Work announced Enterprise admin support for FIDO® U2F "Security Key" – April 21

Google for Work is used by over 5 million businesses worldwide

"The Security Keys are a great step forward, as they are very practical and more secure." – Woolsworth IT

FIDO & Government

2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials.

-- NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12-Feb-2014

Governments worldwide are looking at FIDO

FIDO featured at White House Summit

New collaboration framework… (Infineon, NSP, NNL)

New Government Membership Class, reflecting an increased focus on Government collaboration worldwide. Details are now published in the new FIDO Alliance Membership Agreement.

JOIN THE FIDO ALLIANCE

Mobile Connect & FIDO

About the GSMA

The GSMA represents the interests of mobile operators worldwide

Spanning more than 220 countries, the GSMA unites nearly 800 of the world’s mobile operators, as well as more than 230 companies in the broader mobile ecosystem

© GSMA 2014

All GSMA meetings are conducted in full compliance with the GSMA’s anti-trust compliance policy

Mobile Connect: a convenient and secure alternative to passwords that also protects consumers' privacy

• Easy to use, as it uses the mobile phone for authentication (i.e. no passwords)

• Anonymous but secure log-in (no passwords to steal, improved user experience, reduced friction)

• Adds trust to digital transactions (e.g. by confirming location, user identity, usage)

• Protects privacy (the operator confirms credentials; the user gives consent for sharing)

• Reduces SP fraud through assurance that there is a real person behind the account

• Simple and cost-effective for MNOs to deploy, leveraging existing operator assets


[Diagram: Something I Know; Something I Have; Something I Have + Something I Know; or Something I Have + Something I Am]

Mobile Connect and FIDO both seek to replace passwords


Both FIDO and Mobile Connect are addressing the same problem: easier, safer online authentication

Both FIDO and Mobile Connect leverage the mobile phone to achieve this

Whilst Mobile Connect uses existing MNO services for authentication (SMS, USSD, SIM Toolkit), FIDO leverages the local device authentication on the phone itself

In doing so, both provide easy, secure two-factor authentication

Both also provide a pluggable framework that can support a variety of security levels as well as supporting new authentication methods as they arise

FIDO objectives align well with those of Mobile Connect


Synergistic fit using FIDO for the first mile of Mobile Connect

[Diagram: a tablet/desktop sends a service access request to the Service Provider, which sends an authentication request to the MNO's Identity GW. First mile: FIDO UAF protocol between a mobile phone with FIDO client and the MNO AuthN server. Second mile: SIM applet protocol (CPAS8) between the SIM applet and the AuthN server.]

A key difference between FIDO and Mobile Connect is that FIDO purposefully focuses solely on the first mile – authentication itself – whilst Mobile Connect also provides a federation layer via OpenID Connect


Leveraging FIDO enables users to authenticate using existing authentication mechanisms on their mobile phone

…including biometrics – the user becomes the credential (Something I am)

FIDO can be integrated into Mobile Connect to extend the range of authenticators

[Diagram: authentication from a mobile phone with FIDO client to the MNO's MFAS and Identity GW]


Mobile Connect and FIDO UAF integration: White Paper

Main objective:

– Overview of FIDO architecture and use cases

– Integration of FIDO UAF authenticators into the Mobile Connect architecture

Status:

– Co-developed between GSMA, MNOs and FIDO members

– First draft finished and out for review within FIDO Alliance and GSMA; targeting publication by end of June

Left for a second phase:

– UICC-based FIDO authenticator

– Use of UICC to enhance FIDO implementation security

– FIDO U2F integration


Matching of FIDO policies to OpenID Connect 'acr_values'

Service Providers need to be able to both specify and receive feedback on the type of authenticator used

Mobile Connect

– uses Level of Assurance (LoA) values (ISO 29115) in the OIDC request's acr_values parameter, so the SP can indicate the authenticator class that should be used

FIDO

– uses the FIDO Policy to describe the required authenticator characteristics for accepted authenticators

Options:

– Expand the list of acr_values to accommodate additional LoA/policies

– Capture SP requirements at registration to the Mobile Connect service and propagate them via the Mobile Connect federation


Next steps

GSMA White paper

– Continue working on open issues related to the integration of the FIDO authentication framework with Mobile Connect

– Improve the document with feedback from the PoC

FIDO/GSMA/MNO PoC (June/July)

– Prototype of FIDO integration into an end-to-end Mobile Connect implementation: Telefonica + Nok Nok Labs

– Targeted for Mobile World Congress Shanghai

MNO/SP beta trial (post MWCS)

– Live implementation and trial of FIDO authenticators within a Mobile Connect service provided to an SP
