“The FIDO Alliance Today”, Brett McDowell, Executive Director, FIDO Alliance, brett@fidoalliance.org
AGENDA: The Problem; The Solution; The Alliance; Updates
Data Breaches… 783 data breaches in 2014; >1 billion records since 2012; $3.5 million cost/breach
“76% of 2012 network intrusions exploited weak or stolen credentials” (2013 Data Breach Investigations Report)
The world has a PASSWORD PROBLEM
ONE-TIME PASSCODES: Improve security but aren’t easy enough to use. SMS Reliability; Token Necklace; User Confusion; Still Phishable
WE NEED A NEW MODEL
WE CALL OUR NEW MODEL Fast IDentity Online: online authentication using public key cryptography
AGENDA: The Problem; The Solution; The Alliance; Updates
THE OLD PARADIGM [figure; axes: SECURITY, USABILITY]
THE FIDO PARADIGM [figure; axes: SECURITY (Weak, Strong), USABILITY (Poor, Easy)]
HOW OLD AUTHN WORKS: The user authenticates themselves online by presenting a human-readable secret. [diagram label: ONLINE]
HOW FIDO AUTHN WORKS: The user authenticates “locally” to their device by various means. The device authenticates the user online using public key cryptography. [diagram labels: LOCAL, ONLINE, AUTHENTICATOR]
online authentication using public key cryptography
Passwordless Experience (UAF Standards): 1. Authentication Challenge; 2. Biometric Verification*; 3. Authenticated Online
Second Factor Experience (U2F Standards): 1. Second Factor Challenge; 2. Insert Dongle* / Press Button; 3. Authenticated Online
*There are other types of authenticators
FIDO Registration: 1. Invitation Sent (User is in a Session Or New Account Flow); 2. User Approval; 3. New Keys Created; 4. Public Key Registered With Online Server. Registration Complete
FIDO Authentication: 1. FIDO Challenge (User needs to login or authorize a transaction); 2. User Approval; 3. Key Selected & Signs; 4. Login Complete (Signed Response verified using Public Key Cryptography)
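The registration and authentication steps above, as an added sketch that is not FIDO Alliance code and not the UAF/U2F message format. The `Authenticator` type, the appID strings, the choice of ECDSA P-256 with SHA-256 and the way the challenge is hashed together with the appID are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator holds one private key per service (appID); keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a fresh key pair for appID and returns only the public half.
func (a Authenticator) Register(appID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[appID] = k
	return &k.PublicKey
}

// digest binds the server's challenge to the service it was issued for.
func digest(appID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(appID+"\x00"), challenge...))
	return h[:]
}

// Sign selects the key registered for appID and signs the challenge.
func (a Authenticator) Sign(appID string, challenge []byte) ([]byte, error) {
	k, ok := a[appID]
	if !ok {
		return nil, fmt.Errorf("no key registered for %s", appID)
	}
	return ecdsa.SignASN1(rand.Reader, k, digest(appID, challenge))
}

// Verify is the server side: it holds only the registered public key.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(appID, challenge), sig)
}

func main() {
	a, app, c := Authenticator{}, "https://shop.example", []byte("nonce-1") // constructed values
	pub := a.Register(app)
	sig, _ := a.Sign(app, c)
	fmt.Println("login:", Verify(pub, app, c, sig), "replay:", Verify(pub, app, []byte("nonce-2"), sig))
}
```

The server stores nothing it could leak as a login secret, and a signature captured for one challenge does not verify against the next one.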
USABILITY, SECURITY and PRIVACY
No 3rd Party in the Protocol; No Secrets on the Server side; Biometric Data (if used) Never Leaves Device; No Link-ability Between Services; No Link-ability Between Accounts
Better Security for online services; Reduced cost for the enterprise; Simpler and Safer for consumers
AGENDA: The Problem; The Solution; The Alliance; Updates
The Fast IDentity Online (FIDO) Alliance is an open industry association of over 220 global member organizations
Board Members: ✓ Services/Networks ✓ Devices/Platforms ✓ Vendors/Enablers
FIDO Alliance Mission: 1. Develop Specifications; 2. Operate Adoption Programs; 3. Pursue Formal Standardization
FIDO SCOPE [diagram labels: Physical-to-digital identity; User Management; Authentication; Federation; Single Sign-On; MODERN AUTHENTICATION; Passwords; Strong; Risk-Based]
AGENDA: The Problem; The Solution; The Alliance; Updates
FIDO TIMELINE
FEB 2013: Alliance Announced (6 Members)
DEC 2013: FIDO Ready Program
FEB 2014: Specification Review Draft
FEB-OCT 2014: First Deployments
DEC 9 2014: FIDO 1.0 FINAL
MAY 2015: Certification Program
JUNE 2015: New U2F Transports
TODAY: Broad Adoption (>220 Members)
2014 FIDO ADOPTION
“Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5”, September 17, 2014
“Google Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication”, October 21, 2014
“PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5”, Feb 24, 2014
2015 FIDO ADOPTION
“Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” August 12, 2015
“Google for Work announced Enterprise admin support for FIDO® U2F ‘Security Key’”, April 21, 2015
“Qualcomm launches Snapdragon fingerprint scanning technology”, March 2, 2015
“Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards”, May 26, 2015
“Microsoft Announces FIDO Support Coming to Windows 10”, Feb 23, 2015
“the technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.” September 15, 2015
“GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification”, October 1, 2015
Deployments are enabled by FIDO Certified™ Products available today
✓ Available to anyone ✓ Ensures interoperability ✓ Promotes the FIDO ecosystem
Steps to certification: 1. Conformance Self-Validation; 2. Interoperability Testing; 3. Certification Request; 4. Trademark License (optional)
fidoalliance.org/certification
New in 2015: FIDO Alliance Announces Government Membership Program – US and UK Government Agencies are First to Join. Government Agencies to Participate in Development of FIDO Standards for Universal Strong Authentication.
“The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.”
[Government Members logos]
JOIN THE FIDO ECOSYSTEM
JOIN THE FIDO ALLIANCE
EXPERIENCE SIMPLER, STRONGER AUTHENTICATION