Not Built On Sand
IT Has Scaled
$$$
Technological capabilities (1971 to 2013): clock speed x4700, number of transistors x608k, structure size /450
Price (1980 to 2013): HDD $/MB /12k, NV RAM $/MB /1.3m
Ubiquity: more than 7bn mobile connected devices by end of 2013
Networked (2013): 34% of all people worldwide have internet access
Relevance (2012): $1 trillion eCommerce
Social media (2013): >10% of all people worldwide active
Authentication hasn't
Passwords Don’t Work
1. Most people use words from a small set of simple passwords
2. People reuse passwords
3. Passwords are hard to use
4. Passwords get phished
5. Websites don't protect passwords properly
There are alternatives…
Implementation is the challenge
Each new authentication solution requires:
• New Software
• New Hardware
• New Infrastructure
• Consumer education
We’re building ‘Silos’ of authentication
FIDO Goals
• Support for a broad range of authentication methods, leverage existing hardware capabilities.
• Support for a broad range of assurance levels, let relying party know the authentication method.
• Built-in privacy.
How does FIDO work?
FIDO SERVER
FIDO Authenticators
Authenticator
FIDO Functionality
• Discover supported authenticators on the client
• Register authenticators to a relying party
• Authenticate (a session)
• Transaction confirmation
Registration Overview
FIDO AUTHENTICATOR
FIDO SERVER / FIDO CLIENT
Send registration request:
- Policy
- Random challenge
Start registration
Authenticate user
Generate key pair
Sign attestation object:
• Public key
• AAID
• Random challenge
• Name of relying party
Signed by attestation key
Verify signature
Check AAID against policy
Store public key
AAID = Authenticator Attestation ID, i.e. model ID
Authentication Overview
FIDO AUTHENTICATOR
FIDO SERVER / FIDO CLIENT
Send authentication request:
- Policy
- Random challenge
Start authentication
Authenticate user
Sign authentication object:
• Random challenge
• Name of relying party
Signed by authentication key for this relying party
Verify signature
Check AAID against policy
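The registration flow and the authentication flow above, as an added example in Go that is not from the slides or the FIDO Alliance: an ed25519 authenticator holding a per-model attestation key and per-relying-party authentication keys, and a server with an attestation trust store and an AAID policy. The AAID, user id, relying party name and the byte layout of the signed objects are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Constructed model of the two flows on the slides, not FIDO Alliance code. The
// signed objects are plain concatenations here; real UAF messages use TLV encoding.
type Authenticator struct {
	AAID      string
	attestKey ed25519.PrivateKey            // injected at manufacturing, shared by all units of a model
	rpKeys    map[string]ed25519.PrivateKey // one authentication key per relying party, made at registration
}
type Server struct {
	RP     string
	trust  map[string]ed25519.PublicKey // attestation trust store: AAID -> attestation public key
	policy map[string]bool              // AAIDs this relying party accepts
	users  map[string]Registration      // userid -> registered authentication key (and its AAID)
}
type Registration struct{ AAID string; Pub, Sig []byte }
// NewChallenge makes a fresh random challenge; the server keeps it for one request only.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }
func (a *Authenticator) Register(rp string, chal []byte) Registration {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // new key pair, bound to this RP only
	a.rpKeys[rp] = priv
	msg := append(append([]byte(a.AAID+rp), chal...), pub...) // attestation object: pubkey, AAID, challenge, RP
	return Registration{a.AAID, pub, ed25519.Sign(a.attestKey, msg)}
}

// VerifyRegistration is the server side: verify signature, check AAID against policy, store public key.
func (s *Server) VerifyRegistration(user string, chal []byte, r Registration) bool {
	apub, ok := s.trust[r.AAID] // unknown model: no attestation key to verify against
	msg := append(append([]byte(r.AAID+s.RP), chal...), r.Pub...)
	if !ok || !s.policy[r.AAID] || !ed25519.Verify(apub, msg, r.Sig) {
		return false
	}
	s.users[user] = r
	return true
}

// Authenticate signs the challenge and RP name with the key registered for that RP.
func (a *Authenticator) Authenticate(rp string, chal []byte) []byte {
	return ed25519.Sign(a.rpKeys[rp], append([]byte(rp), chal...))
}

func (s *Server) VerifyAuthentication(user string, chal, sig []byte) bool {
	c, ok := s.users[user]
	return ok && s.policy[c.AAID] && ed25519.Verify(ed25519.PublicKey(c.Pub), append([]byte(s.RP), chal...), sig)
}
```

Because every signed object carries the server's random challenge, a captured registration or authentication response fails verification against any later challenge.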
FIDO Building Blocks
FIDO USER DEVICE
FIDO CLIENT
RELYING PARTY
FIDO SERVER
FIDO Repository
FIDO AUTHENTICATOR
WEB Application
BROWSER / APP
Cryptographic authentication key reference
DB
Authenticator attestation trust store
Attestation key
Authentication keys
Update
OSTP
TLS Server Key
FIDO and IAM
Physical-to-digital identity
User Management
Authentication
Federation
Single Sign-On
Passwords / Risk-Based / Strong
Modern Authentication
IMPLICIT AUTHENTICATION
EXPLICIT AUTHENTICATION
FIDO and Federation
FIDO
PASSWORDS / SSO/FEDERATION
First Mile / Second Mile
SAML
OpenID
FIDO and Federation
FIDO USER DEVICE
FIDO CLIENT
IdP
FIDO SERVER / FIDO AUTHENTICATOR
FEDERATION SERVER
BROWSER / APP OSTP
Service Provider
Federation
Id DB
Knows details about the authentication strength (based on attestation)
Knows details about the identity verification strength.
Thank You
FIDO Alliance Members
Board of Directors
• CrucialTec
• Google
• Nok Nok Labs
• PayPal
• Lenovo
• NXP Semiconductor
• Validity Sensors
• Yubico
• BlackBerry
Sponsor Members
• Entersekt
• EyeLock
• FingerPrint Cards
• Infineon
• Ping Identity
• SecureKey
• WWTT
Associate Members
• AktivSoft
• Agnitio
• AllWeb Technologies
• Authentify
• Certus
• Check2Protect
• Cloud Security Corp
• Crocus Technology
• Diamond Fortress
• Discretix
• Insyndia
• ItsMe! Security
• PassBan
• SurePassID
• Toopher
Founding members underlined
The Authenticator Concept
FIDO Authenticator
User Authentication / Presence
Secure Display
Attestation Key: injected at manufacturing, doesn't change
Authentication Key(s): generated at runtime (on Registration)
User
Regarding AAIDs
FIDO Authenticator using HW based crypto, based on FP Sensor X: AAID 1
FIDO Authenticator, pure SW based implementation, based on Face Recognition alg. Y: AAID 2
Registration Overview (2)
Physical Identity
Virtual Identity
FIDO AUTHENTICATOR FIDO SERVER
WEB Application
{ userid=1234, [email protected], known since 03/05/04, payment history=xx, … }
{ userid=1234, pubkey=0x43246, AAID=x + pubkey=0xfa4731, AAID=y }
Registration: AAID y, key for foo.com: 0xfa4731
Relying Party foo.com
Link new Authenticator to existing userid
“Know Your Customer” rules
Legacy Authentication