Federation - FIDO Alliance - Open Authentication Standards ... · Federation Jerrod Chong, VP...

Post on 09-Oct-2020



© 2017 Yubico

FIDO, ID Proofing and Federation
Jerrod Chong, VP Solutions


FIDO U2F AKA Security Keys
Global open authentication standard co-created by Yubico & Google

# of Services: Any
Shared Secrets: No
One Authenticator


(Figure: Google Security Key login, steps 1, 2, 3.)

● Secure: unphishable / un-MITM-able
● Simple: insert and press button
● Scalable: one device, many services
● Privacy: no linkability between services


1st Government to offer citizens opt-in U2F Secured Digital ID


Why are we solving this?

● Strong authentication not always tied to identity of user

● FIDO authentication mostly decoupled from ID Proofing

● ID Proofing required for higher assurance levels

● ID Proofing and strong authentication at odds with privacy

● Remote ID Proofing tied to Knowledge Based Verification (KBV)

● Reduce the reliance on weak recovery options


“Individuals and organizations utilize secure, efficient, easy‐to‐use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.”

- NIST Trusted Identities Group (TIG)


NIST SP 800-63-3, Digital Identity Guidelines (800-63 Revision 3)

Highlighting 3 Policy Recommendations

- Decouple identity assurance (IAL) from authenticator assurance (AAL)

- Restrict the use of SMS as an out-of-band verifier (deprecated in the public draft; "RESTRICTED" in the final SP 800-63B)

- Allows a hardware FIDO U2F security key, as a verifier-impersonation-resistant single-factor cryptographic device, to be used at the highest Authenticator Assurance Level (AAL3) when combined with a memorized secret


The Project
Yubico awarded a US NIST grant, collaborating with various Identity Providers

● Extend benefits of FIDO U2F to federated identity environments

● Integrate ID Proofing with FIDO U2F authentication

● Share attributes in a secure, convenient and privacy-enhancing way


ID verified FIDO Authenticators

(Figure: mobile ID scanning of a driver’s license or state ID; U2F authenticator sent to the address on the ID; secure access to any number of services.)

● Successful Remote Proofing issues Pre-registered authenticator

● Pre-registration of authenticator ensures authenticity and integrity (first FIDO credential must be ID verified)


ID Proofing and Verification (IPV)

(Figure: numbered IPV flow diagram, steps 1 to 10, including a Token Issuance step.)


Remote ID Proofing Mobile App


Token Issuance with Pre-Registration

(Figure: registration message flow between U2F Device, Client, Relying Party and IdP.)

1. Relying Party → Client: app id, challenge
2. Client: check app id against the origin; build client data c = {challenge, origin, channel id, etc.}
3. Client → U2F Device: a (app id), c
4. U2F Device: generate key pair kpub, kpriv and key handle h; return kpub, h, attestation cert, s = signature(a, c, kpub, h)
5. Client → Relying Party: c, kpub, h, attestation cert, s
6. Relying Party → IdP: release kpub with handle h for the user

Pre-Registration of Key Handle
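The relying party's half of this exchange, as an added example in Go that is not part of the deck or of Yubico's own libraries. A toy device signs the registration with a batch attestation key, which stands in for the attestation certificate (so "trusted" is a list of keys rather than a chain check), and VerifyRegistration is what the token-issuance service runs before releasing kpub and h to the IdP. The signed message is 0x00 || SHA256(app id) || SHA256(client data) || h || kpub, as in the U2F raw message format; the app id URL, the client-data JSON and all names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var p256 = elliptic.P256()

// Registration is the device's answer to a register request: kpub, handle h,
// the attestation key (a certificate on a real device) and the signature s.
type Registration struct {
	PubKey, Handle, Sig []byte
	AttestPub           *ecdsa.PublicKey
}

// regMessage is what s covers: 0x00 || SHA256(app id) || SHA256(client data) || h || kpub.
func regMessage(appIDHash, clientDataHash [32]byte, handle, pub []byte) []byte {
	return bytes.Join([][]byte{{0x00}, appIDHash[:], clientDataHash[:], handle, pub}, nil)
}

// Register is a toy U2F device built for this example: a fresh P-256 key pair and
// a random 32-byte handle (a real device wraps kpriv into h instead of storing it).
// attest is the batch attestation key. Entropy errors are ignored on purpose here.
func Register(attest *ecdsa.PrivateKey, appIDHash, clientDataHash [32]byte) *Registration {
	priv, _ := ecdsa.GenerateKey(p256, rand.Reader)
	handle := make([]byte, 32)
	rand.Read(handle)
	pub := elliptic.Marshal(p256, priv.X, priv.Y) // 65-byte uncompressed point
	digest := sha256.Sum256(regMessage(appIDHash, clientDataHash, handle, pub))
	sig, _ := ecdsa.SignASN1(rand.Reader, attest, digest[:])
	return &Registration{PubKey: pub, Handle: handle, Sig: sig, AttestPub: &attest.PublicKey}
}

// PreRegisteredKey is what token issuance releases to the IdP for a proofed user:
// kpub and h, stored against the user before the user ever logs in.
type PreRegisteredKey struct {
	Pub    *ecdsa.PublicKey
	Handle []byte
}

// VerifyRegistration is the relying party's check of s. The attestation key must be
// one the RP trusts (on a real device: the certificate chains to the vendor root),
// and s must bind app id, client data, h and kpub together so none can be swapped.
func VerifyRegistration(appIDHash, clientDataHash [32]byte, r *Registration, trusted []*ecdsa.PublicKey) (*PreRegisteredKey, error) {
	known := false
	for _, t := range trusted {
		known = known || r.AttestPub.Equal(t)
	}
	if !known {
		return nil, errors.New("attestation key not trusted: unknown or unverified device")
	}
	digest := sha256.Sum256(regMessage(appIDHash, clientDataHash, r.Handle, r.PubKey))
	if !ecdsa.VerifyASN1(r.AttestPub, digest[:], r.Sig) {
		return nil, errors.New("attestation signature invalid: app id, client data, h or kpub altered")
	}
	x, y := elliptic.Unmarshal(p256, r.PubKey)
	if x == nil {
		return nil, errors.New("kpub is not a valid P-256 point")
	}
	return &PreRegisteredKey{Pub: &ecdsa.PublicKey{Curve: p256, X: x, Y: y}, Handle: r.Handle}, nil
}

func main() {
	batchKey, _ := ecdsa.GenerateKey(p256, rand.Reader) // stands in for the vendor attestation cert
	rogueKey, _ := ecdsa.GenerateKey(p256, rand.Reader) // a device from a batch the RP does not trust
	appID := sha256.Sum256([]byte("https://idp.example"))                                // assumed app id
	cd := sha256.Sum256([]byte(`{"challenge":"c1","origin":"https://idp.example"}`)) // constructed client data
	trusted := []*ecdsa.PublicKey{&batchKey.PublicKey}
	_, err := VerifyRegistration(appID, cd, Register(batchKey, appID, cd), trusted)
	fmt.Println("trusted batch:", err)
	_, err = VerifyRegistration(appID, cd, Register(rogueKey, appID, cd), trusted)
	fmt.Println("rogue batch:", err)
}
```

The rogue-batch case in main is why pre-registration leans on attestation: without it, any software could present a kpub and claim it came from the key that was mailed to the proofed address.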


Authentication Flow

(Figure: federated login between USER, the Service Provider (SP) website and the Identity Provider (IdP).)

1. USER → SP: request access to the Service Provider (SP) website
2. SP: redirect the user to the home institution Identity Provider (IdP)
3. IdP: prompt the user to log in, then send attributes to the SP as an Attribute Assertion (drawn from the IdP data store)
4. SP: deliver content to the user
5. SP: purge user attributes per the IdP-SP contract
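How the IdP can carry the U2F login into this federated flow, as an added example in Go that is not from the deck or from the Shibboleth and OpenID Connect plug-ins it mentions. The IdP issues an ES256-signed OpenID Connect ID token whose amr claim (RFC 8176) records that a hardware key ("hwk") was used, and the SP verifies signature, issuer, audience and expiry and refuses the released attributes unless the login was hardware-backed. Assumptions: a single-string aud, a pinned IdP public key instead of JWKS discovery, an email field standing in for the released attributes, and constructed issuer, audience and claim values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of an OpenID Connect ID token used here. "amr" values
// follow RFC 8176; "hwk" means proof of possession of a hardware key.
type Claims struct {
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	Amr   []string `json:"amr"`
	Email string   `json:"email,omitempty"` // the released attribute
}

var b64 = base64.RawURLEncoding

// Issue is the IdP side: an ES256-signed JWT (header.payload.signature).
func Issue(key *ecdsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signing := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	h := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw r || s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signing + "." + b64.EncodeToString(sig), nil
}

// Verify is the SP side. The header is never consulted: the SP only verifies ES256
// under the pinned IdP key, so "alg" cannot be downgraded or swapped. The attributes
// in the token are trusted only once every check has passed.
func Verify(pub *ecdsa.PublicKey, token, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return nil, errors.New("signature not from the expected IdP")
	}
	payload, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if c.Iss != issuer || c.Aud != audience {
		return nil, errors.New("token issued by or for someone else")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	hwk := false
	for _, m := range c.Amr {
		hwk = hwk || m == "hwk"
	}
	if !hwk {
		return nil, errors.New("login was not backed by a hardware key; refusing attributes")
	}
	return &c, nil
}

func main() {
	idpKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed IdP signing key
	now := time.Now()
	tok, _ := Issue(idpKey, Claims{Iss: "https://idp.example", Sub: "user-42", Aud: "https://sp.example",
		Exp: now.Add(5 * time.Minute).Unix(), Amr: []string{"pwd", "hwk"}, Email: "user42@example.org"})
	c, err := Verify(&idpKey.PublicKey, tok, "https://idp.example", "https://sp.example", now)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("deliver content to", c.Sub, "using attribute", c.Email)
}
```

The SP keeps the returned Claims only for the duration of the request; discarding them afterwards is the "purge per IdP-SP contract" step of the flow, a policy the code cannot enforce on its own.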

Authentication

(Figure: authentication message flow between U2F Device, Client and Relying Party.)

1. Relying Party → Client: handle, app id, challenge
2. Client: check app id against the origin; build client data c = {challenge, origin, channel id, etc.}
3. Client → U2F Device: h, a (app id), c
4. U2F Device: look up the kpriv associated with h; counter++; sign with kpriv; return counter, s = signature(a, c, counter)
5. Client → Relying Party: counter, c, s
6. Relying Party: look up the kpub associated with h; check s using kpub; verify origin, channel id & counter
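The relying party's checks on an assertion, as an added example in Go that is not from the deck or from Yubico's code. It stands alone: Enroll stands in for the registration step, and the device is a toy that keeps kpriv in a map rather than wrapping it into h. A real device signs SHA256(app id) || user-presence byte || 4-byte counter || SHA256(client data), which is what authMessage builds; the app id, the client-data JSON and the key handle are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assertion is the device's answer to an authenticate request: the user-presence
// byte, the signature counter and s.
type Assertion struct {
	Presence byte
	Counter  uint32
	Sig      []byte
}

// authMessage is what s covers: SHA256(app id) || presence || counter (4 bytes,
// big endian) || SHA256(client data). The client data carries challenge and origin.
func authMessage(appIDHash [32]byte, presence byte, counter uint32, clientDataHash [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return bytes.Join([][]byte{appIDHash[:], {presence}, ctr[:], clientDataHash[:]}, nil)
}

// Device is a toy authenticator built for this example: the map stands in for the
// kpriv a real device recovers from h, and counter is the device-wide counter.
type Device struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func (d *Device) Authenticate(appIDHash, clientDataHash [32]byte, handle []byte) (*Assertion, error) {
	priv, ok := d.keys[string(handle)]
	if !ok {
		return nil, errors.New("unknown key handle: wrong device, or h issued for another app id")
	}
	d.counter++ // button press: the counter must increase on every assertion
	digest := sha256.Sum256(authMessage(appIDHash, 0x01, d.counter, clientDataHash))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:]) // toy device: entropy errors ignored
	return &Assertion{Presence: 0x01, Counter: d.counter, Sig: sig}, nil
}

// RegisteredKey is the IdP's record for one user: kpub, h and the last counter seen.
type RegisteredKey struct {
	Pub     *ecdsa.PublicKey
	Handle  []byte
	Counter uint32
}

// VerifyAssertion is the relying party's check: presence bit set, s valid under the
// stored kpub (which also proves the app id and client data were the ones the RP
// sent), and a counter strictly above the last accepted one. A stale counter means a
// replayed response or a cloned authenticator, and the user should be re-enrolled.
func VerifyAssertion(appIDHash, clientDataHash [32]byte, k *RegisteredKey, a *Assertion) error {
	if a.Presence&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	digest := sha256.Sum256(authMessage(appIDHash, a.Presence, a.Counter, clientDataHash))
	if !ecdsa.VerifyASN1(k.Pub, digest[:], a.Sig) {
		return errors.New("assertion signature invalid")
	}
	if a.Counter <= k.Counter {
		return errors.New("counter did not increase: replay or cloned authenticator")
	}
	k.Counter = a.Counter
	return nil
}

// Enroll stands in for the registration step: one key pair and one handle, shared
// between the toy device and the IdP's record.
func Enroll(d *Device) *RegisteredKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	handle := make([]byte, 32)
	rand.Read(handle)
	d.keys[string(handle)] = priv
	return &RegisteredKey{Pub: &priv.PublicKey, Handle: handle}
}

func main() {
	appID := sha256.Sum256([]byte("https://idp.example"))                                // assumed app id
	cd := sha256.Sum256([]byte(`{"challenge":"n1","origin":"https://idp.example"}`)) // constructed client data
	dev := &Device{keys: map[string]*ecdsa.PrivateKey{}}
	key := Enroll(dev)
	a, _ := dev.Authenticate(appID, cd, key.Handle)
	fmt.Println("fresh assertion:", VerifyAssertion(appID, cd, key, a))
	fmt.Println("same assertion replayed:", VerifyAssertion(appID, cd, key, a))
	_, err := (&Device{keys: map[string]*ecdsa.PrivateKey{}}).Authenticate(appID, cd, key.Handle)
	fmt.Println("another device with the same handle:", err)
}
```

The counter is the only signal the RP has about a cloned key: whichever of the clone and the original signs later with a lower counter is rejected, so a clone that has been used more often makes the genuine device's next assertion look stale, and that is the cue to re-enroll rather than silently accept.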


Identity Ecosystem using Open Standards

● Extend FIDO to services connected via these federation protocols

• U2F Shibboleth (SAML) and OpenID Connect plug-in

• Open source reference implementation

● Build ID Proofing engine using OpenID Connect

• Allows for multiple proofing solutions/providers

• Part of the Identity toolkit


Lessons Learned

● Protecting PII is time and resource intensive

● Difficult to achieve highest identity assurance with Remote ID proofing

● High level of trust required in integrations with third-party vendors

● Compatibility challenges across diverse operating systems and devices

● Additional techniques needed to onboard special needs individuals


Questions?
