FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Alliance -Tokyo Seminar -Gomi


Transcript of FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Alliance -Tokyo Seminar -Gomi

Page 1: Title

Copyright (C) 2016 Yahoo Japan Corporation. All Rights Reserved. FIDO Seminar in Tokyo #3, 12/08/2016

FIDO AUTHENTICATION: ITS EVOLUTION AND OPPORTUNITIES IN YOUR BUSINESS

Hidehito Gomi, Senior Chief Researcher, Yahoo! JAPAN Research

Page 2: Agenda

• Recap: FIDO Authentication Model
• Web Authentication & CTAP
• Solutions using FIDO Authentication
• Summary

Page 3: Recap: FIDO Authentication Model

Page 4: Trend of Authentication

Accurate, real-time data on the user's context can now be captured, and this is changing the nature of authentication.

High-reliability sensors and secure storage enable the following types of authentication:
• Local authn: user verification is performed on the user's own device, with which the user can interact easily.
• Continuous authn: user behavior is monitored continuously for authentication.
• Implicit authn: the user is authenticated without an explicit gesture or ceremony.
• Context-aware authn: data on the context the user is in is used for authentication.

(Diagram: data on user context, such as geolocation, orientation, temperature, sound, acceleration, steps, walking distance, etc., is captured from the user and held in secure storage.)

Page 5: Authentication Models: local vs. remote

(Diagram, traditional authn model for web applications, e.g. password: the user inputs a password, the ID and password are sent to the server, and both identification and verification are performed at the server before it answers OK.)

(Diagram, FIDO authn model: the user's credential is verified by the authenticator on the user's device, and the FIDO client sends only the verification result to the FIDO server, which performs identification. Verification is thus separated from identification, and the credential itself stays with the authenticator.)

Page 6: Concept: Pluggable Authentication (Recap)

(Diagram: FIDO Server, FIDO Client and FIDO Authenticator exchange FIDO standard messages. Authenticators such as fingerprint, iris, face, USB key, smart card, or any new method plug in on one side; Service 1, Service 2, Service 3 ... Service N sit on the other.)

Plugged-in authenticators give you scalability for authentication: a service integrates once with the FIDO messages and works with any of them. The updated specs UAF 1.1 and U2F 1.1 have been released.

Page 7: Web Authentication & CTAP

*CTAP: Client To Authenticator Protocol

Page 8: Scoped Credential in Web Authentication

A "cryptographic" credential for web applications: the authenticator holds a private key (the credential), and the relying party (RP) holds the matching public key.

(Diagram: the private key and public key are statically linked and are particular to one authenticator and one RP; the user's ID at the RP is linked to that key pair and is particular to one user. The chain from the user, through the authenticator and its key pair, to the RP is the trust chain, and the link is what gets verified at each authentication. Another user, or another RP, gets a different key pair, so a credential is scoped to the RP it was created for. cf. Anthony Nadalin's slides for more detail.)

Page 9: Web Authentication API

The Web Authn API is an abstract API through which the browser accesses a credential from JavaScript. The relying party (RP) is the server side; on the user side, the browser mediates between the RP's script and the authenticator in the user's devices. Two operations:
• makeCredential()
• getAssertion()

(In the published Web Authentication specification these became navigator.credentials.create() and navigator.credentials.get().)

Page 10: Authenticator Registration

(Diagram: Relying Party (RP) on the server side holding the user's ID; Browser and Authenticator on the user side. The pair of keys for attestation is omitted from the picture.)

1. The RP sends a makeCredential() request through the Web Authn API.
2. The authenticator verifies the user.
3. The authenticator creates a private/public key pair; the private key for authentication stays inside the authenticator.
4. The authenticator produces the credential info, the attestation, the public key and a signature.
5. The browser responds to the RP with the signed data about the credential.
6. The RP registers the public key for FIDO authentication under the user's ID.

Page 11: Web Authentication using Authenticator

(Diagram: the RP holds the public key and the user's ID; the authenticator holds the private key. The pair of keys for attestation is omitted from the picture.)

1. The RP sends a getAssertion() request through the Web Authn API.
2. The authenticator verifies the user using a particular method.
3. The authenticator produces the credential info, the assertion and a signature made with the private key.
4. The browser responds to the RP with the signed data about the assertion.
5. The RP verifies the signature with the registered public key.
6. The RP discovers the user ID linked to that credential.

Page 12: Mobile Phone as Authenticator

(Diagram: FIDO Server and Web Authn API on one side; authenticators such as fingerprint, iris, face, USB key, smart card, mobile phone and smart watch on the other; Service 1, Service 2, Service 3 ... Service N.)

A "mobile phone authenticator" advances the scalability of authentication even further.

Page 13: Authenticator Variation

Authenticators come in two forms:
• Embedded authenticator: built into the user device, where the client reaches it directly through the Web Authn API.
• External authenticator: a separate device, either a wireless communication type or a removable type, reached from the client over CTAP (Client To Authenticator Protocol).

Page 14: Solutions using FIDO Authentication

Page 15: Authentication: Foundation of trusted applications

Authentication is the first step required for various online activities.

(Diagram, traditional identity and access management system: the user authenticates to a server that holds the user's ID; an access request is answered with an access response (OK/NG) after the server verifies the user's privileges (access control). User activities after authentication include single sign-on, personal attribute sharing and personal service provisioning at other servers.)

Page 16: Semantics for Assertion

FIDO authentication is a mechanism for proving a user's identity and context. The RP sends a challenge; the authenticator, after interacting with the user and the user's context, returns the signed challenge (the assertion) produced with the credential. An assertion can carry the following semantics:
• User verification: the user is who he/she claims to be.
• User presence: the user is physically near the authenticator.
• User confirmation: the user consents to his/her identity, transaction or context.

Page 17: Authenticator Adoption

Authenticators can implement existing, legacy or new authentication methods and devices:
• Biometrics
• Behavioral characteristics
• Wearable devices

Authenticator implementing certificate-based authentication (KICA's case study; cf. Jae Jung Kim's slides for more detail):

(Diagram: the authenticator contains a PKI module holding a certificate and an encrypted private key, unlocked through a biometric API backed by fingerprint and iris sensors. The certificate is issued by a Certificate Authority (CA) over the legacy protocol; the RP checks the certificate with the CA via the Online Certificate Status Protocol (OCSP); FIDO authentication between authenticator and RP runs without any modification.)

Page 18: FIDO Authentication and Federation

(Diagram: the user performs FIDO authentication, with FIDO client and authenticator against the FIDO server, at an RP that also acts as an Identity Provider (IdP). The IdP's identity service issues an authentication assertion to a federated RP. The authentication context (AuthnContext) is carried from the authenticator, through the IdP, to the federated RP.)

The result is simpler and stronger authentication at the IdP, and a more seamless and secure service at the federated RP, because the authn context transits from the authenticator to the federated RP. cf. https://fidoalliance.org/assets/images/general/FIDOTokyoSeminar101014_gomi.pdf

Page 19: Proof Information Transition

User proof generated by the authenticator can be used to provide the user with trusted applications at Internet scale.

(Diagram: the user's identity, context and transaction are bound to the credential in the authenticator; the resulting proof passes from the authenticator to the RP/IdP and on to federated RPs.)

Page 20: Transaction Confirmation

Protecting against MITM (man-in-the-middle) attacks by detecting falsified transaction data. Transaction confirmation is already in the UAF spec and has been deployed by several banks.

(Diagram: on the user device, malware sits between the client and the authenticator; the RP is a bank.)

Original transaction data, as presented to the user by the authenticator:
  Bank for transfer: AAA Bank
  Recipient Account #: 1234567
  Amount: 10000 yen

Falsified transaction data, as substituted by the malware on the way to the RP:
  Bank for transfer: XXX Bank
  Recipient Account #: 7654321
  Amount: 1000000 yen

The transaction data presented to the user is signed with the private key, so what reaches the RP is the signature of the original transaction data. The RP can prevent an illegal money transfer by verifying that signature against the transaction data it actually received: if the data was falsified, the signature does not match.

Page 21: Identity Proofing Offline

Real-time biometric FIDO authentication enables "identity proofing" when accessing a physical service. (Visit Yahoo Japan's demo booth.)

E-ticket use case (diagram): the user, online, performs FIDO authentication against the FIDO server, which keeps an authentication log, and the E-Ticket Server issues e-tickets under the user's ID. At the entrance gate of the event, the user, now offline, presents the identity proof together with the e-ticket; the gate performs proof verification, checking whether the person presenting the ticket is the same person who authenticated. This protects against impersonation by a malicious user offline.

Sample identity certificate shown on the slide (translated from Japanese):
  Identity certificate
  Name: Taro Yamada
  Address: 9-7-1 Akasaka, Minato-ku, Tokyo
  Age: 30
  Sex: Male
  Certificate issuer: Yahoo Japan Corporation
  Certificate recipient: ABC Service Co., Ltd.
  Certificate issued: 10 August 2013, 13:00
  Certificate valid until: 10 August 2014, 13:00
  Certificate ID: s8e3d5y9z0g3
  Photo of the holder (taken 10 January 2013)

Page 22: User Verification Caching Spec (New)

A new spec is being developed to fulfil use cases provided by EMVCo. It supports CDCVM (Consumer Device Cardholder Verification Method), letting consumers conveniently use on-device authenticators.

The user verification process can be simplified for offline use: the authenticator refers to a previous verification result, according to the user's policy, instead of verifying the user again.

Policy example: do not ask the user for verification to authorize a payment for App2 if the user completed verification within the last 5 minutes.

(Diagram: the user device holds an authenticator with the private key and two apps. User verification for App1 is performed; under the policy, the verification for App2 is skipped. FIDO authentication with the server takes place online.)
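The policy on Page 22, as an added example for this transcript; it is a toy model, not the FIDO specification's data model or any vendor's implementation. The policy shape (a maximum age and a set of apps allowed to reuse a result), the clock injection and the class name are assumptions. One design choice worth noting: a failed verification clears the cache, so an attacker cannot fail a prompt in one app and then ride a stale result in another.

```javascript
// Added example: user verification caching under a user-chosen policy.
// Policy shape and names are assumptions made for this example.
class VerificationCache {
  // policy: { maxAgeMs, apps: Set of app ids allowed to reuse a cached result }
  // now: clock function, injected so the window can be tested deterministically
  constructor(policy, now = () => Date.now()) {
    this.policy = policy;
    this.now = now;
    this.lastVerified = null; // { at, app } of the most recent explicit verification
  }

  // Record an explicit verification (e.g. a fingerprint match) for an app.
  // A failed attempt clears the cache rather than leaving an older result usable.
  recordVerification(appId, success) {
    if (!success) { this.lastVerified = null; return false; }
    this.lastVerified = { at: this.now(), app: appId };
    return true;
  }

  // May appId proceed on the cached result? Only inside the policy window and
  // only for apps the user's policy lists.
  canReuse(appId) {
    if (!this.lastVerified || !this.policy.apps.has(appId)) return false;
    const age = this.now() - this.lastVerified.at;
    return age >= 0 && age <= this.policy.maxAgeMs;
  }

  // Authorize a payment for appId: reuse the cached verification if allowed,
  // otherwise run the prompt (a callback standing in for the biometric UI).
  authorize(appId, promptUser) {
    if (this.canReuse(appId)) return { authorized: true, prompted: false };
    const ok = this.recordVerification(appId, promptUser());
    return { authorized: ok, prompted: true };
  }
}

// Walks through the slide's scenario with a simulated clock (milliseconds).
function demo() {
  let clock = 0;
  const fiveMinutes = 5 * 60 * 1000;
  const cache = new VerificationCache({ maxAgeMs: fiveMinutes, apps: new Set(['app1', 'app2']) },
    () => clock);

  const r1 = cache.authorize('app1', () => true);  // explicit verification for App1
  clock += 2 * 60 * 1000;
  const r2 = cache.authorize('app2', () => true);  // 2 min later: App2 reuses it, no prompt
  clock += 4 * 60 * 1000;
  const r3 = cache.authorize('app2', () => true);  // 6 min after App1: window expired, prompt
  const r4 = cache.authorize('app3', () => true);  // not in policy: prompt even though fresh
  clock += 10 * 60 * 1000;
  const r5 = cache.authorize('app1', () => false); // prompt fails: cache cleared
  const r6 = cache.authorize('app2', () => true);  // immediately after: must prompt again
  return { r1, r2, r3, r4, r5, r6 };
}
```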

Page 23: Summary

• FIDO authentication model
  • Local authentication using pluggable authenticators
  • Consistent in specifications
• Web authentication & CTAP
  • Scoped cryptographic credential
  • Abstract API for various types of authenticators via browsers
• Solutions using FIDO authentication
  • Authenticator adoption
  • Enhancement of identity federated systems
  • Identity/context proofing offline as well as online

Adopting FIDO authentication is encouraged for building secure and trusted systems both online and offline.
