Federation - FIDO Alliance - Open Authentication Standards ... · Federation Jerrod Chong, VP...

FIDO, ID Proofing and Federation
Jerrod Chong, VP Solutions
© 2017 Yubico

Page 1: Title slide

FIDO, ID Proofing and Federation
Jerrod Chong, VP Solutions

Page 2: FIDO U2F, AKA Security Keys

Global open authentication standard co-created by Yubico & Google

● # of services: any
● Shared secrets: no
● One authenticator

Page 3: Google Security Key Login (steps 1, 2, 3)

● Secure: unphishable / un-MITM-able
● Simple: insert and press button
● Scalable: one device, many services
● Privacy: no linkability between services

Page 4

1st government to offer citizens opt-in U2F-secured digital ID

Page 5: Why are we solving this?

● Strong authentication not always tied to identity of user
● FIDO authentication mostly decoupled from ID Proofing
● ID Proofing required for higher assurance levels
● ID Proofing and strong authentication at odds with privacy
● Remote ID Proofing tied to Knowledge Based Verification (KBV)
● Reduce the reliance on weak recovery options

Page 6

“Individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.”

- NIST Trusted Identity Group (TIG)

Page 7: NIST SP 800-63-3, Digital Identity Guidelines (800-63 Revision 3)

Highlighting 3 policy recommendations:
- Decouple identity assurance from authenticator assurance
- Deprecate the use of SMS as an out-of-band verifier
- Approve FIDO U2F for use at the highest Authenticator Assurance Level (AAL3)

Page 8: The Project

Yubico awarded US NIST grant, collaborating with various Identity Providers

● Extend benefits of FIDO U2F to federated identity environments
● Integrate ID Proofing with FIDO U2F authentication
● Share attributes securely, conveniently and in a privacy-enhancing way

Page 9: ID-verified FIDO Authenticators

Mobile ID scanning (driver’s license or state ID) -> U2F authenticator sent to the address on the ID -> secure access to any number of services

● Successful remote proofing issues a pre-registered authenticator
● Pre-registration of the authenticator ensures authenticity and integrity (the first FIDO credential must be ID verified)

Page 10: ID Proofing and Verification (IPV)

[Flow diagram with numbered steps 1 to 10; step 7 is labelled Token Issuance]

Page 11: Remote ID Proofing Mobile App

Page 12: Token Issuance with Pre-Registration

[Diagram: token issuance flow involving the IdP]

Page 13: Pre-Registration of Key Handle (U2F registration flow)

Participants: U2F Device, Client, Relying Party

1. Relying Party -> Client: app id (a), challenge
2. Client -> U2F Device: a; client data c = {challenge, origin, channel id, etc.}
3. U2F Device: check app id a; generate key pair (kpub, kpriv) and key handle h
4. U2F Device -> Client: kpub, h, attestation cert, signature s = signature(a, c, kpub, h)
5. Client -> Relying Party: c, kpub, h, attestation cert, s
6. Relying Party: release kpub with handle h for the user

Page 14: Authentication Flow (federated)

Participants: USER, SP website, IdP (with IdP data store)

1. USER -> SP: request access to Service Provider (SP)
2. SP: redirect user to home institution Identity Provider (IdP)
3. IdP: prompt user to login + send attributes to SP (attribute assertion, sourced from the IdP data store)
4. SP: deliver content to user
5. SP: purge user attributes per IdP-SP contract

Page 15: Authentication (U2F authentication flow)

Participants: U2F Device, Client, Relying Party

1. Relying Party -> Client: handle h, app id a, challenge
2. Client -> U2F Device: h, a; client data c = {challenge, origin, channel id, etc.}
3. U2F Device: check app id a; look up the kpriv associated with h; counter++; sign with kpriv: s = signature(a, c, counter)
4. U2F Device -> Client -> Relying Party: counter, c, s
5. Relying Party: look up the kpub associated with h; check s using kpub; verify origin, channel id & counter
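The two diagrams (pre-registration of a key handle, then authentication) can be walked through end to end in code. The following is an added example written for this transcript, not Yubico's or the FIDO Alliance's code. It assumes constructed values (`APP_ID`, `ORIGIN`, user `alice`, random keys) and replaces the ECDSA P-256 signature of real U2F with HMAC-SHA256 so that it runs on the Python standard library alone; that stand-in collapses the public/private asymmetry, so the "kpub" the relying party stores is really the shared secret. Everything else follows the slides: the device checks the app id, looks up kpriv by handle, increments its counter and signs (a, c, counter); the relying party verifies the signature with kpub, checks that the origin in the client data is its own, and rejects a counter that did not increase, which is what surfaces a cloned authenticator.

```python
import copy
import hashlib
import hmac
import json
import secrets

APP_ID = "https://rp.example"   # constructed for the example
ORIGIN = "https://rp.example"   # constructed for the example


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for ECDSA P-256: HMAC-SHA256 over length-prefixed parts."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def client_data(typ: str, challenge: bytes, origin: str) -> bytes:
    """Client data 'c' from the diagrams: type, challenge, origin, channel id."""
    return json.dumps({"typ": typ, "challenge": challenge.hex(), "origin": origin,
                       "cid_pubkey": "unused"}, sort_keys=True).encode()


class U2FDevice:
    """Authenticator: per-handle private keys, an attestation key, one counter."""

    def __init__(self, attestation_key: bytes):
        self.attestation_key = attestation_key
        self._keys = {}      # handle h -> (kpriv, app id the key was created for)
        self.counter = 0

    def register(self, app_id: str, cdata: bytes):
        kpriv, handle = secrets.token_bytes(32), secrets.token_bytes(32)
        self._keys[handle] = (kpriv, app_id)
        kpub = kpriv         # HMAC stand-in: the "public" key is the same secret
        sig = sign(self.attestation_key, sha256(app_id.encode()), sha256(cdata), kpub, handle)
        return kpub, handle, sig

    def authenticate(self, handle: bytes, app_id: str, cdata: bytes):
        kpriv, registered_for = self._keys[handle]   # "look up the kpriv associated with h"
        if registered_for != app_id:                  # "check app id"
            raise ValueError("app id mismatch: handle not valid for this app id")
        self.counter += 1                             # counter++ before signing
        sig = sign(kpriv, sha256(app_id.encode()), self.counter.to_bytes(4, "big"), sha256(cdata))
        return self.counter, sig


class RelyingParty:
    def __init__(self, app_id, origin, trusted_attestation_keys):
        self.app_id, self.origin = app_id, origin
        self.trusted = set(trusted_attestation_keys)  # stands in for trusted attestation certs
        self.users = {}      # username -> {"handle", "kpub", "counter"}
        self.pending = {}    # issued challenge -> username

    def challenge(self, username):
        c = secrets.token_bytes(32)
        self.pending[c] = username
        return c

    def _check_client_data(self, username, cdata):
        cd = json.loads(cdata)
        if self.pending.pop(bytes.fromhex(cd["challenge"]), None) != username:
            raise ValueError("unknown or reused challenge")
        if cd["origin"] != self.origin:               # "verify origin"
            raise ValueError("origin mismatch: client data was produced for another site")

    def finish_registration(self, username, cdata, kpub, handle, attestation_key, sig):
        self._check_client_data(username, cdata)
        if attestation_key not in self.trusted:
            raise ValueError("untrusted attestation")
        expected = sign(attestation_key, sha256(self.app_id.encode()), sha256(cdata), kpub, handle)
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad registration signature")
        self.users[username] = {"handle": handle, "kpub": kpub, "counter": 0}  # "release kpub with h"

    def finish_authentication(self, username, cdata, counter, sig):
        self._check_client_data(username, cdata)
        rec = self.users[username]                    # "look up the kpub associated with h"
        expected = sign(rec["kpub"], sha256(self.app_id.encode()), counter.to_bytes(4, "big"), sha256(cdata))
        if not hmac.compare_digest(expected, sig):    # "check s using kpub"
            raise ValueError("bad assertion signature")
        if counter <= rec["counter"]:                 # "verify counter"
            raise ValueError("counter did not increase: possible cloned authenticator")
        rec["counter"] = counter


def run_flow():
    """Registration, a good login, a wrong-origin login, then a clone check."""
    attest = secrets.token_bytes(32)
    device, results = U2FDevice(attest), {}
    rp = RelyingParty(APP_ID, ORIGIN, [attest])

    ch = rp.challenge("alice")                        # slide 13: pre-registration
    cd = client_data("navigator.id.finishEnrollment", ch, ORIGIN)
    kpub, handle, sig = device.register(APP_ID, cd)
    rp.finish_registration("alice", cd, kpub, handle, attest, sig)
    results["registered"] = "alice" in rp.users

    ch = rp.challenge("alice")                        # slide 15: authentication
    cd = client_data("navigator.id.getAssertion", ch, ORIGIN)
    rp.finish_authentication("alice", cd, *device.authenticate(handle, APP_ID, cd))
    results["auth_ok"] = rp.users["alice"]["counter"] == 1

    ch = rp.challenge("alice")                        # client data bound to a different origin
    cd = client_data("navigator.id.getAssertion", ch, "https://other.example")
    try:
        rp.finish_authentication("alice", cd, *device.authenticate(handle, APP_ID, cd))
        results["origin_rejected"] = False
    except ValueError:
        results["origin_rejected"] = True

    clone = copy.deepcopy(device)                     # a copied device state used once ...
    ch = rp.challenge("alice")
    cd = client_data("navigator.id.getAssertion", ch, ORIGIN)
    rp.finish_authentication("alice", cd, *clone.authenticate(handle, APP_ID, cd))
    ch = rp.challenge("alice")                        # ... leaves the original's counter stale
    cd = client_data("navigator.id.getAssertion", ch, ORIGIN)
    try:
        rp.finish_authentication("alice", cd, *device.authenticate(handle, APP_ID, cd))
        results["clone_detected"] = False
    except ValueError:
        results["clone_detected"] = True
    return results
```

`run_flow()` returns four booleans, all `True` when the checks behave as the slides describe. The counter check only detects a clone after the clone has been used, and only if the original is used again afterwards, so it is a detection signal for the relying party to alert on, not a preventive control.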

Page 16: Identity Ecosystem using Open Standards

● Extend FIDO to services connected via these federation protocols
  • U2F Shibboleth (SAML) and OpenID Connect plug-in
  • Open source reference implementation
● Build ID Proofing engine using OpenID Connect
  • Allows for multiple proofing solutions/providers
  • Part of the Identity toolkit

Page 17: Lessons Learned

● Protecting PII is time and resource intensive
● Difficult to achieve highest identity assurance with remote ID proofing
● High level of trust required in integrations with third-party vendors
● Compatibility challenges across diverse operating systems and devices
● Additional techniques needed to onboard special needs individuals

Page 18: Questions?

Page 19

© 2017 Yubico