Not Built On Sand

Upload: trevin-dansie

Post on 15-Dec-2015

TRANSCRIPT

Page 1: Not Built On Sand. IT Has Scaled $$$ Technological capabilities: (1971  2013) Clock speed x4700 #transistors x608k Structure size /450 Price: (1980

Not Built On Sand

Page 2: IT Has Scaled

$$$

Technological capabilities (1971 to 2013):

• Clock speed x4700
• #transistors x608k
• Structure size /450

Price (1980 to 2013):

• HDD $/MB /12k
• NV RAM $/MB /1.3m

Ubiquity: more than 7bn mobile connected devices by end of 2013

Networked: (2013) 34% of all people worldwide have internet access

Relevance: (2012) $1 trillion eCommerce

Social media: (2013) >10% of all people worldwide active

Authentication hasn't

Page 3: Passwords Don’t Work

1. Most people use words from a small set of simple passwords
2. People reuse passwords
3. Passwords are hard to use
4. Passwords get phished
5. Websites don’t protect passwords properly

Page 4: There are alternatives…

Page 5: Implementation is the challenge

Each new authentication solution requires:

• New Software
• New Hardware
• New Infrastructure
• Consumer education

We’re building ‘Silos’ of authentication

Page 6: FIDO Goals

• Support for a broad range of authentication methods, leveraging existing hardware capabilities.

• Support for a broad range of assurance levels, letting the relying party know the authentication method.

• Built-in privacy.

Page 7: How does FIDO work?

[Diagram: FIDO Server, FIDO Authenticators, Authenticator]

Page 8: FIDO Functionality

• Discover supported authenticators on the client

• Register authenticators to a relying party

• Authenticate (a session)

• Transaction confirmation

Page 9: Registration Overview

[Diagram: FIDO Server, FIDO Client, FIDO Authenticator]

FIDO Server sends Registration Request:
- Policy
- Random Challenge

FIDO Client: Start registration

FIDO Authenticator:
• Authenticate user
• Generate key pair
• Sign attestation object:
  • Public key
  • AAID
  • Random Challenge
  • Name of relying party
  Signed by attestation key

FIDO Server:
• Verify signature
• Check AAID against policy
• Store public key

AAID = Authenticator Attestation ID, i.e. model ID

Page 10: Authentication Overview

[Diagram: FIDO Server, FIDO Client, FIDO Authenticator]

FIDO Server sends Authentication Request:
- Policy
- Random Challenge

FIDO Client: Start authentication

FIDO Authenticator:
• Authenticate user
• Sign authentication object:
  • Random Challenge
  • Name of relying party
  Signed by authentication key for this relying party

FIDO Server:
• Verify signature
• Check AAID against policy
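The registration and authentication exchanges on these two slides, as an added example that is not part of the deck and not code from any FIDO server or authenticator: a minimal model in Go, using Ed25519 from the standard library in place of whatever algorithm a real authenticator would use. The type and function names, the AAID string "AAID-1", the userid "1234" and the relying-party name foo.com are assumptions (foo.com is taken from the later registration slide). The server also consumes each random challenge after one use and rejects a signed object that names a different relying party; the slides leave both checks implicit, but they are what make the random challenge and the relying-party name in the signed object worth anything.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Signed is what the authenticator signs; login leaves AAID and PublicKey empty.
type Signed struct {
	Challenge []byte            // server's random challenge
	RPName    string            // name of the relying party
	AAID      string            // model ID, registration only
	PublicKey ed25519.PublicKey // new per-RP public key, registration only
}
func (o Signed) bytes() []byte { b, _ := json.Marshal(o); return b }

// Authenticator: attestation key injected at manufacturing, per-RP keys made at registration.
type Authenticator struct {
	AAID     string
	AttKey   ed25519.PrivateKey
	AuthKeys map[string]ed25519.PrivateKey // keyed by RP name
}

// Register makes the per-RP key pair and signs the attestation object (user verification assumed done).
func (a *Authenticator) Register(rp string, challenge []byte) (Signed, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail
	a.AuthKeys[rp] = priv
	obj := Signed{challenge, rp, a.AAID, pub}
	return obj, ed25519.Sign(a.AttKey, obj.bytes())
}

// Authenticate signs challenge and RP name with the key registered for that RP.
func (a *Authenticator) Authenticate(rp string, challenge []byte) (Signed, []byte) {
	obj := Signed{Challenge: challenge, RPName: rp}
	return obj, ed25519.Sign(a.AuthKeys[rp], obj.bytes()) // panics if rp unknown
}

// Server: attestation trust store and policy keyed by AAID, plus per-user state.
type Server struct {
	RPName     string
	TrustStore map[string]ed25519.PublicKey // AAID -> attestation public key
	Policy     map[string]bool              // AAIDs this RP accepts
	Users      map[string]Signed            // userid -> stored registration
	pending    map[string][]byte            // userid -> outstanding challenge
}

// NewChallenge issues a fresh random challenge and remembers it for the user.
func (s *Server) NewChallenge(userid string) []byte {
	s.pending[userid] = make([]byte, 32)
	rand.Read(s.pending[userid]) // crypto/rand.Read never returns an error
	return s.pending[userid]
}

// verify consumes the outstanding challenge (so a response cannot be replayed), then checks RP name, signature under pub, and AAID against policy.
func (s *Server) verify(userid string, obj Signed, sig []byte, pub ed25519.PublicKey, aaid string) error {
	want, ok := s.pending[userid]
	delete(s.pending, userid)
	switch {
	case !ok || string(want) != string(obj.Challenge):
		return errors.New("challenge mismatch or replay")
	case obj.RPName != s.RPName:
		return errors.New("signed object names a different relying party")
	case len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, obj.bytes(), sig):
		return errors.New("no key for signer or signature invalid")
	case !s.Policy[aaid]:
		return errors.New("AAID not allowed by policy")
	}
	return nil
}

// FinishRegistration checks the attestation with the trust-store key for the claimed AAID, then stores the new key.
func (s *Server) FinishRegistration(userid string, obj Signed, sig []byte) error {
	if err := s.verify(userid, obj, sig, s.TrustStore[obj.AAID], obj.AAID); err != nil {
		return err
	}
	s.Users[userid] = obj
	return nil
}

// FinishAuthentication checks the response against the key and AAID stored at registration.
func (s *Server) FinishAuthentication(userid string, obj Signed, sig []byte) error {
	return s.verify(userid, obj, sig, s.Users[userid].PublicKey, s.Users[userid].AAID)
}

// Demo: register, log in, then a replayed response and a model dropped from policy are rejected (constructed values).
func Demo() (regErr, loginErr, replayErr, policyErr error) {
	s := &Server{"foo.com", map[string]ed25519.PublicKey{}, map[string]bool{}, map[string]Signed{}, map[string][]byte{}}
	attPub, attPriv, _ := ed25519.GenerateKey(rand.Reader)
	auth := &Authenticator{"AAID-1", attPriv, map[string]ed25519.PrivateKey{}}
	s.TrustStore["AAID-1"], s.Policy["AAID-1"] = attPub, true
	obj, sig := auth.Register("foo.com", s.NewChallenge("1234"))
	regErr = s.FinishRegistration("1234", obj, sig)
	aobj, asig := auth.Authenticate("foo.com", s.NewChallenge("1234"))
	loginErr = s.FinishAuthentication("1234", aobj, asig)
	replayErr = s.FinishAuthentication("1234", aobj, asig) // same response again
	s.Policy["AAID-1"] = false                              // e.g. model dropped from policy after a repository update
	pobj, psig := auth.Authenticate("foo.com", s.NewChallenge("1234"))
	policyErr = s.FinishAuthentication("1234", pobj, psig)
	return
}
```

Demo returns nil for the registration and the first login, and non-nil errors for the replayed login response and for the login after the model's AAID was removed from policy. The attestation key is the only key the server needs in advance (via the trust store); the authentication public key reaches the server inside the attestation object, which is why the policy check on the AAID has to happen before that key is stored.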

Page 11: FIDO Building Blocks

[Diagram labels: FIDO User Device (Browser / App, OSTP, FIDO Client, FIDO Authenticator with attestation key and authentication keys); Relying Party (Web Application with TLS server key, FIDO Server with a DB of cryptographic authentication key references and an authenticator attestation trust store); FIDO Repository (update to the trust store)]

Page 12: FIDO and IAM

[Diagram labels: Physical-to-digital identity; User Management; Authentication (Passwords, Risk-Based, Strong); Federation; Single Sign-On; Modern Authentication]

Page 13: Modern Authentication

IMPLICIT AUTHENTICATION

EXPLICIT AUTHENTICATION

Page 14: FIDO and Federation

[Diagram: first mile and second mile]

First Mile: FIDO, Passwords

Second Mile: SSO/Federation (SAML, OpenID)

Page 15: FIDO and Federation

[Diagram labels: FIDO User Device (Browser / App, OSTP, FIDO Client, FIDO Authenticator); IdP (FIDO Server, Federation Server, Id DB); Service Provider; Federation]

Knows details about the authentication strength (based on attestation)

Knows details about the identity verification strength.

Page 16: Thank You

Page 17: FIDO Alliance Members

Board of Directors:
• CrucialTec
• Google
• Nok Nok Labs
• PayPal
• Lenovo
• NXP Semiconductor
• Validity Sensors
• Yubico
• BlackBerry

Sponsor Members:
• Entersekt
• EyeLock
• FingerPrint Cards
• Infineon
• Ping Identity
• SecureKey
• WWTT

Associate Members:
• AktivSoft
• Agnitio
• AllWeb Technologies
• Authentify
• Certus
• Check2Protect
• Cloud Security Corp
• Crocus Technology
• Diamond Fortress
• Discretix
• Insyndia
• ItsMe! Security
• PassBan
• SurePassID
• Toopher

Founding members underlined

Page 18: The Authenticator Concept

[Diagram: FIDO Authenticator with User Authentication / Presence, Secure Display, Attestation Key, Authentication Key(s); User]

Attestation Key: injected at manufacturing, doesn’t change

Authentication Key(s): generated at runtime (on Registration)

Page 19: Regarding AAIDs

[Diagram: two FIDO Authenticators]

• FIDO Authenticator using HW based crypto, based on FP Sensor X: AAID 1

• FIDO Authenticator with pure SW based implementation, based on Face Recognition alg. Y: AAID 2

Page 20: Registration Overview (2)

[Diagram: Relying Party foo.com]

Physical Identity (WEB Application; “Know Your Customer” rules; Legacy Authentication):

{ userid=1234, [email protected], known since 03/05/04, payment history=xx, … }

Virtual Identity (FIDO SERVER):

{ userid=1234, pubkey=0x43246, AAID=x + pubkey=0xfa4731, AAID=y }

FIDO AUTHENTICATOR: Registration, AAID y, key for foo.com: 0xfa4731

Link new Authenticator to existing userid