FIDO – Modern Authentication
Rolf Lindemann, Nok Nok Labs
cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com
Authentication in Context
(diagram: Physical-to-digital identity, User Management, Authentication, Federation, Single Sign-On; authentication methods labelled Passwords, Risk Based, Strong; Modern Authentication)
Password Problem
Hacked from databases
Re-used across sites
Ill-suited for mobile devices
Phished
Key logged
Easily broken
No Alternatives
SMS-OTP usability (coverage, delay, cost)
Device usability (one per site, fragile, cost)
User experience
Still phishable
Current Authentication Architectures
(diagram: Applications on one side, Authentication Methods on the other, wired per relying party, e.g. RP 1)
FIDO Approach
Can recognize the user (i.e. user verification), but doesn’t know identity attributes of the user.
Same Authenticator as registered before?
Same User as enrolled before?
Identity binding to be done outside FIDO: This is “John Doe with customer ID X”.
FIDO Approach
How is the key protected (TPM, SE, TEE, …)?
What user verification method is used?
Attestation & Metadata
(diagram: the FIDO Authenticator sends a Signed Attestation Object to the FIDO Server, which consults Metadata)
Verify using trust anchor included in Metadata
Understand Authenticator security characteristics by looking into Metadata (from Metadata Service or other sources)
FIDO Authenticator Concept
FIDO Authenticator components:
• User Verification / Presence
• Attestation Key: injected at manufacturing, doesn’t change
• Authentication Key(s): generated at runtime (on Registration)
Optional Components:
• Transaction Confirmation Display
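As an added example (not part of the slides or of any FIDO implementation), the attestation flow from the two slides above in Go: the attestation key injected at manufacturing signs the fresh authentication public key created at registration, the server accepts it only if it verifies under the trust anchor taken from Metadata, and later authentications are checked against the stored public key. Ed25519, the byte layout of the attestation object and the in-process "server" are assumptions; a real UAF attestation object and Metadata statement carry more fields.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)
// Authenticator: attestation key injected at manufacturing (never changes) plus per-account authentication keys.
type Authenticator struct {
	attestPriv ed25519.PrivateKey
	authPriv   map[string]ed25519.PrivateKey
}
// Server: trust anchor taken from Metadata (constructed stand-in) and, after registration, public keys only.
type Server struct {
	trustAnchor ed25519.PublicKey
	registered  map[string]ed25519.PublicKey
}
// NewAuthenticator also returns the attestation public key the manufacturer publishes via Metadata.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{attestPriv: priv, authPriv: map[string]ed25519.PrivateKey{}}, pub
}
func NewServer(anchor ed25519.PublicKey) *Server {
	return &Server{trustAnchor: anchor, registered: map[string]ed25519.PublicKey{}}
}
func challenge() []byte { // fresh server nonce for each registration or authentication
	c := make([]byte, 32)
	rand.Read(c)
	return c
}
// Register: the authenticator signs the attestation object (new public key || challenge) with its
// attestation key; the server stores the public key only if it verifies under the Metadata trust anchor.
func Register(a *Authenticator, s *Server, user string) bool {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	a.authPriv[user] = authPriv
	attObj := append(append([]byte{}, authPub...), challenge()...)
	if !ed25519.Verify(s.trustAnchor, attObj, ed25519.Sign(a.attestPriv, attObj)) {
		return false // unknown authenticator model: no matching trust anchor in Metadata
	}
	s.registered[user] = authPub
	return true
}
// Authenticate: "same authenticator as registered before?" = signature over a fresh challenge verifies under the stored key.
func Authenticate(a *Authenticator, s *Server, user string) bool {
	priv, pub := a.authPriv[user], s.registered[user]
	if priv == nil || pub == nil {
		return false
	}
	c := challenge()
	return ed25519.Verify(pub, c, ed25519.Sign(priv, c))
}
```

An authenticator whose attestation key is absent from Metadata is rejected at registration, and the server never holds anything but public keys.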
Security & Convenience
(chart: Password, Password + OTP and FIDO positioned by Convenience and Security)
In FIDO:
• Same user verification method for all servers
• Arbitrary user verification methods are supported (+ they are interoperable)
• Only public keys on server
• Not phishable
• Scalable security depending on Authenticator implementation
Classifying Threats
1. Remotely attacking central servers to steal data for impersonation
2. Remotely attacking lots of user devices to steal data for impersonation
3. Remotely attacking lots of user devices to misuse them for impersonation
4. Remotely attacking lots of user devices to misuse authenticated sessions
5. Physically attacking user devices to steal data for impersonation
6. Physically attacking user devices to misuse them for impersonation
Remote attacks (1–4) are scalable attacks; physical attacks (5, 6) are possible on lost or stolen devices (3% in the US in 2013).
FIDO & Federation
(diagram: FIDO User Device with Browser / App, FIDO Client and FIDO Authenticator, speaking the UAF Protocol to the FIDO Server at the IdP; the IdP also runs a Federation Server and an Id DB and federates to the Service Provider)
First Mile (FIDO): the FIDO Server knows details about the authentication strength.
Second Mile (Federation): the Id DB knows details about the identity and its verification strength.
Enterprise IT
Example: FIDO Enterprise Integration
(diagram: IdP running FIDO Server and Federation Server; Enterprise Appl. 1, 2, …, N and Cloud-hosted Appl. 1, 2, …, N; “External” User and “Internal” User; Federated Login, e.g. OpenID Connect; the IdP could be operated externally as well)
FIDO in Snapdragon
• Market leader to ship FIDO Authenticators
• 85+ OEMs as of Q4
• >1 billion Android devices shipped
• Innovative sensor
FIDO in Healthcare
First healthcare deployment
Physician access to health records
up to 50 million Healthcare users
FIDO and Google for Work
Google for Work announced Enterprise admin support for FIDO® U2F “Security Key” – April 21
Google for Work is used by over 5 million businesses worldwide
“The Security Keys are a great step forward, as they are very practical and more secure.” – Woolworths IT
FIDO in Japan
• 4 devices with native FIDO support: Arrows NX F-04 G, Aquos SH-03, Galaxy S6, Galaxy S6 Edge
• First iris based authenticator in Arrows
• Services with biometric authentication to be expanded sequentially
• Docomo has more than 60m customers in Japan
• FIDO login to Docomo ID & carrier billing payments
FIDO & Government
“2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials.” – NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12-Feb-2014
• Governments worldwide are looking at FIDO
• FIDO featured at White House Summit
• New collaboration framework: Updated Membership Agreement
Reduced Cost & Complexity
(diagram: Single Infrastructure, Any Device, Risk Appropriate; result: Lower Cost & Complexity)
Conclusion
● Different authentication use-cases lead to different authentication requirements
● Today, we have authentication silos
● FIDO separates user verification from authentication protocol and hence supports all user verification methods
● FIDO significantly improves authentication security
● FIDO supports scalable security and convenience
● User verification data is known to FIDO Authenticators only
● FIDO complements federation
Consider piloting a FIDO-based authentication solution