13-45_Lindemann_Not-built-on

Not Built On Sand

IT Has Scaled. Authentication hasn't.
Technological capabilities (1971 to 2013):
• Clock speed: x4700
• Number of transistors: x608k
• Structure size: /450
Price (1980 to 2013):
• HDD $/MB: /12k
• NV RAM $/MB: /1.3m
Social media (2013): more than 10% of all people worldwide are active users.
Relevance (2012): $1 trillion eCommerce.
Ubiquity: more than 7bn mobile connected devices by end of 2013.
Networked (2013): 34% of all people worldwide have internet access.
Passwords Don't Work
1. Most people use words from a small set of simple passwords
2. People reuse passwords
3. Passwords are hard to use
4. Passwords get phished
5. Websites don't protect passwords properly
There are alternatives… Implementation is the challenge
Each new authentication solution requires:
• New software
• New hardware
• New infrastructure
• Consumer education
We're building 'silos' of authentication.
FIDO Goals
• Support for a broad range of authentication methods; leverage existing hardware capabilities.
• Support for a broad range of assurance levels; let the relying party know the authentication method.
• Built-in privacy.
How does FIDO work?
FIDO Authenticators: Authenticator <-> FIDO SERVER
FIDO Functionality
• Discover supported authenticators on the client
• Register authenticators to a relying party
• Authenticate (a session)
• Transaction confirmation
Registration Overview
FIDO SERVER -> FIDO CLIENT: Send registration request:
- Policy
- Random challenge
FIDO CLIENT -> FIDO AUTHENTICATOR: Start registration
FIDO AUTHENTICATOR:
• Authenticate user
• Generate key pair
• Sign attestation object (public key, AAID, random challenge, name of relying party), signed by attestation key
FIDO SERVER:
• Verify signature
• Check AAID against policy
• Store public key
AAID = Authenticator Attestation ID, i.e. model ID
Authentication Overview
FIDO SERVER -> FIDO CLIENT: Send authentication request:
- Policy
- Random challenge
FIDO CLIENT -> FIDO AUTHENTICATOR: Start authentication
FIDO AUTHENTICATOR:
• Authenticate user
• Sign authentication object (random challenge, name of relying party), signed by the authentication key for this relying party
FIDO SERVER:
• Verify signature
• Check AAID against policy
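The registration and authentication exchanges on the two slides above, as an added Go example that is not part of the original slides or of any FIDO implementation: the authenticator signs the attestation object (public key, AAID, challenge, relying party name) with its attestation key; the server verifies it against the trust-store key for the claimed AAID, checks the AAID against policy, stores the public key, and later verifies authentication signatures with it. The type and function names, the AAID strings and the field serialization are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Server models one relying party's FIDO server (names here are assumptions, not FIDO's API).
type Server struct {
	RP         string
	TrustStore map[string]*ecdsa.PublicKey // AAID -> attestation public key of that authenticator model
	Policy     map[string]bool             // AAIDs this relying party accepts
	Users      map[string]*ecdsa.PublicKey // user -> authentication public key stored at registration
}
func digest(parts ...[]byte) []byte { h := sha256.Sum256(bytes.Join(parts, []byte{0})); return h[:] } // toy serialization, not the FIDO wire format
func pubBytes(k *ecdsa.PublicKey) []byte { return append(k.X.FillBytes(make([]byte, 32)), k.Y.FillBytes(make([]byte, 32))...) }
// Authenticator side of registration: fresh per-RP key pair, attestation object signed by the attestation key.
func AuthenticatorRegister(attestKey *ecdsa.PrivateKey, aaid, rp string, challenge []byte) (*ecdsa.PrivateKey, []byte, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, attestKey, digest(pubBytes(&k.PublicKey), []byte(aaid), challenge, []byte(rp)))
	return k, sig, err // k never leaves the authenticator; only k.PublicKey, aaid and sig go to the server
}
// Server side of registration: verify with the trust-store key for the claimed AAID, check policy, store the key.
func (s *Server) Register(user string, pub *ecdsa.PublicKey, aaid string, challenge, sig []byte) error {
	attPub, ok := s.TrustStore[aaid]
	if !ok || !ecdsa.VerifyASN1(attPub, digest(pubBytes(pub), []byte(aaid), challenge, []byte(s.RP)), sig) {
		return errors.New("attestation signature does not verify for the claimed AAID")
	}
	if !s.Policy[aaid] {
		return errors.New("AAID not allowed by policy")
	}
	s.Users[user] = pub
	return nil
}
// Authentication: the authenticator signs (challenge, RP name) with its key for that RP; the server verifies with the stored key.
func AuthenticatorSign(k *ecdsa.PrivateKey, rp string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, k, digest(challenge, []byte(rp)))
}
func (s *Server) Authenticate(user string, challenge, sig []byte) bool {
	pub, ok := s.Users[user]
	return ok && ecdsa.VerifyASN1(pub, digest(challenge, []byte(s.RP)), sig)
}
```

Because the relying party name is inside both signed objects, a signature produced for one relying party does not verify at another, and because the challenge is inside, a captured signature cannot be replayed against a new challenge.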
FIDO Building Blocks
FIDO USER DEVICE: BROWSER / APP, OSTP, FIDO CLIENT, FIDO AUTHENTICATOR
• The FIDO Authenticator holds the authentication keys and the attestation key
RELYING PARTY: WEB Application (TLS server key), FIDO SERVER, DB
• The DB holds a reference to the cryptographic authentication key
• The FIDO Server holds the authenticator attestation trust store, updated from the FIDO Repository
FIDO and IAM
Modern Authentication within IAM: Authentication (Passwords, Strong, Risk-Based), Single Sign-On, Federation, User Management, Physical-to-digital identity
Modern Authentication: EXPLICIT AUTHENTICATION and IMPLICIT AUTHENTICATION
FIDO and Federation
First Mile: PASSWORDS, FIDO
Second Mile: SSO/FEDERATION (SAML, OpenID)
FIDO and Federation
IdP: FEDERATION SERVER, FIDO SERVER, Id DB
FIDO USER DEVICE: BROWSER / APP, OSTP, FIDO CLIENT, FIDO AUTHENTICATOR
Service Provider: connected to the IdP via Federation
FIDO SERVER: knows details about the authentication strength (based on attestation)
IdP: knows details about the identity verification strength.
Thank You
FIDO Alliance Members
Board of Directors
• CrucialTec
• Google
• Nok Nok Labs
• PayPal
• Lenovo
• NXP Semiconductor
• Validity Sensors
• Yubico
• BlackBerry
Sponsor Members
• Entersekt
• EyeLock
• FingerPrint Cards
• Infineon
• Ping Identity
• SecureKey
• WWTT
Associate Members
• AktivSoft
• Agnitio
• AllWeb Technologies
• Authentify
• Certus
• Check2Protect
• Cloud Security Corp
• Crocus Technology
• Diamond Fortress
• Discretix
• Insyndia
• ItsMe! Security
• PassBan
• SurePassID
• Toopher
Founding members underlined
The Authenticator Concept
FIDO Authenticator components: User Authentication / Presence, Secure Display, Attestation Key, Authentication Key(s)
• Attestation Key: injected at manufacturing, doesn't change
• Authentication Key(s): generated at runtime (on Registration)
Regarding AAIDs
FIDO Authenticator using HW based crypto, based on FP Sensor X: AAID 1
FIDO Authenticator, pure SW based implementation, based on Face Recognition alg. Y: AAID 2
Registration Overview (2)
Physical Identity -> Virtual Identity: Relying Party foo.com applies "Know Your Customer" rules; the WEB Application holds
{ userid=1234, jane@mail.com, known since 03/05/04, payment history=xx, … }
Legacy Authentication: the user's existing login at the WEB Application
FIDO AUTHENTICATOR -> FIDO SERVER: Registration with AAID y, key for foo.com: 0xfa4731
Link new Authenticator to
{ userid=1234, pubkey=0x43246, AAID=x, +pubkey=0xfa4731, AAID=y }