FIDO CERTIFICATION WEBINAR, 2015-06-24
Certification Program Overview and Status
Brett McDowell, David Rivera, Adam Powers
AGENDA
Why FIDO
What is FIDO
Who is FIDO
What’s New (Certification)
Data Breaches…
783 data breaches in 2014
>1 billion records since 2012
$3.5 million cost/breach
“76% of 2012 network intrusions exploited weak or stolen credentials” (2013 Data Breach Investigations Report)
The world has a PASSWORD PROBLEM
WE NEED A NEW MODEL
WE CALL OUR NEW MODEL Fast IDentity Online: online authentication using public key cryptography
What is FIDO
HOW THE OLD AUTHN WORKS
ONLINE: The user authenticates themselves online by presenting a human-readable secret
HOW FIDO AUTHN WORKS
AUTHENTICATOR: LOCAL / ONLINE
LOCAL: The user authenticates “locally” to their device by various means
ONLINE: The device authenticates the user online using public key cryptography
Passwordless Experience (UAF Standards): 1. Authentication Challenge, 2. Biometric Verification*, 3. Authenticated Online
Second Factor Experience (U2F Standards): 1. Second Factor Challenge, 2. Insert Dongle* / Press Button, 3. Authenticated Online
*There are other types of authenticators
online authentication using public key cryptography
No 3rd Party in the Protocol
No Secrets on the Server side
Biometric Data (if used) Never Leaves Device
No Link-ability Between Services
No Link-ability Between Accounts
Better Security for online services
Reduced cost for the enterprise
Simpler and Safer for consumers
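As an added illustration of the model on these slides (not code from the FIDO Alliance or from the webinar): a minimal Go sketch of FIDO-style registration and challenge-response, in which the authenticator mints a separate key pair per relying party and the server keeps only public keys. The RP identifiers and the signed-data layout are constructed simplifications, not the UAF/U2F wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Authenticator maps each relying party (RP) ID to its own key pair: no key is shared across services.
type Authenticator map[string]*ecdsa.PrivateKey
// Register mints a fresh P-256 key pair for rpID and returns only the public half.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}
// Sign answers an RP challenge with that RP's key (local user verification is out of scope here).
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no key registered for this RP")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}
// signedData binds the RP identity into the signed bytes (simplified; real UAF/U2F adds e.g. a counter).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}
// RelyingParty stores only public keys (user name -> key): a server breach leaks no secrets.
type RelyingParty struct {
	ID   string
	Keys map[string]*ecdsa.PublicKey
}
func NewRP(id string) *RelyingParty { return &RelyingParty{ID: id, Keys: map[string]*ecdsa.PublicKey{}} }
// NewChallenge issues a fresh 32-byte nonce so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// Verify checks an assertion against the public key enrolled for this user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Keys[user]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}
```

Registering the same authenticator at two RPs yields two unrelated public keys, and an assertion for one RP's challenge verifies neither at the other RP nor against a later challenge.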
Who is FIDO
The Fast IDentity Online (FIDO) Alliance is an open industry association of over 200 global member organizations
Board Members
Services/Networks
Devices/Platforms
Vendors/Enablers
FIDO Alliance Mission
1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization
What’s New (Certification)
2014 FIDO ADOPTION
• “PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5”, Feb 24, 2014
• “Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5”, September 17, 2014
• “Google Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication”, October 21, 2014
2015 FIDO ADOPTION
• “Microsoft Announces FIDO Support Coming to Windows 10”, Feb 23, 2015
• “Qualcomm launches Snapdragon fingerprint scanning technology”, March 2, 2015
• “Google for Work announced Enterprise admin support for FIDO® U2F Security Key”, April 21, 2015
• DOCOMO announced *many* FIDO Ecosystem “firsts” on May 26, 2015…
Deployments are enabled by FIDO Certified™ Products available today
Certification Goals
• Ensure interoperability between FIDO officially recognized implementations
• Enable implementations to be identified as officially FIDO certified
• Promote the adoption of the FIDO ecosystem
Certification Overview
• Available to both members and non-members
• Four steps to certification:
  1. Conformance Self-Validation
  2. Interoperability Testing
  3. Certification Request
  4. Certification Mark Usage (optional)
Getting Ready
• Standards: UAF and U2F
  • UAF & U2F 1.0 implementations certified and in market now
  • Strongly encourage servers to support both UAF & U2F
• Prep note for UAF Authenticators
  • Get a Vendor ID
  • Register your metadata
  • Only required for UAF Authenticators!
Self-Conformance
• Goal: test implementations using online tools to ensure conformance with specifications
  • Both positive and negative testing
  • Check corner cases that might occur only rarely in the real world
• Self-Conformance Validation Process
  • Request access to test tools
  • Review online help
  • Run tests – as many as you would like
  • Perform official test and submit results
• Next step: interoperability testing
• Pro tip:
  • UTHS – code development required
  • UTHS – requires registration with a gmail account: create one for your team
  • UAF – partners required for generating messages
Interoperability Testing
• Goals: implementations work together, no problems in the “real world”
• Separate events for UAF and U2F, same format
• Interop Logistics
  • Registration opens ~4-6 weeks ahead of time
  • Registration closes 14 days ahead of event
  • Must pass self-conformance validation first
  • In-person attendance preferred, remote attendance if necessary
Interop Criteria
• What happens at an interoperability event
  • Test with every other implementer at the event (interoperability)
  • Perform normal, real-world actions: register, authenticate, etc.
• How to pass
  • Show that each action with every other implementer works
  • Should issues arise: adjust and retest
• After passing interop: Certification registration
• Pro tip:
  • Pre-testing is the key to success – don’t wait for the interop to start testing
  • Pre-testing opt-in available during registration and begins 14 days ahead of event
Certification
• Requires passing the test tool and attending an interop
• Certificate will be granted ASAP, pending documentation verification; plan on 10 business days to be conservative
• All certifications will be public (on FIDO website) unless confidentiality is requested
Derivatives
• Same implementation, different product
  • Reasonable caveats apply: bug fixes, etc.
• Designed to lower cost and effort in FIDO certification
  • Hundreds of SKUs; not hundreds of interops
• Lower registration fee for derivatives (next slide)
• Self-Validation and Interop not required
  • Uses “derivative test plan” instead
• Must reference original certificate
Certification Fees
CERTIFICATION FEES
• Certification:
  • Member: $5,000
  • Non-Member: $6,500
  • Per certification
• Derivatives:
  • Member: $500
  • Non-Member: $750
  • Per Derivative
OTHER FEES
• Non-Member Resource Access Fee: $3,000 (annual)
  • Offsets test tool costs, management, interop, etc.!
• Vendor ID: $3,000 (one-time)
  • Credited towards first certification
• Interop: Free!
• Test Tools: Free!
Certification Mark Usage
• Authenticators / Clients
  • Execute Trademark Licensing Agreement (TMLA)
• Relying parties
  • “Clickless” license for logo usage (based on node.js / OpenID)
  • Enables millions of logo users without the logistical overhead
• One logo, two badges:
What to do with your FIDO logos
• Put FIDO logos on your website
• Write a press release
• Put FIDO in your apps
• Put FIDO on your product briefs
• Put FIDO in your tradeshow booth
CERTIFICATION STATISTICS
[Chart: By The Numbers: Number of Companies, FIDO Ready vs FIDO Certified; values shown: 11 and 20]
[Chart: By The Numbers: Number of Implementations, FIDO Ready vs FIDO Certified; values shown: 5, 10, 10 and 23]
[Chart: By The Numbers: Implementation Types (Client, Authenticator, Server), axis 0-10]
Call To Action
• Get certified now!
• Get started with specifications at: https://fidoalliance.org/specifications/download/
• Register for Test Tool access: http://fidoalliance.org/test-tool-access-request/
• Next interops:
  • UAF, July 14-16th, Silicon Valley (venue TBD)
  • U2F, July 29th, Silicon Valley (venue TBD)
  • Registration open now: https://fidoalliance.org/interop-registration/
• Contact us for help and answers: [email protected]
FAQ
• Do I need a Vendor ID?
  • Only if you are a UAF Authenticator
  • U2F implementers and UAF Servers / Clients do not require a Vendor ID
• Where do I find the form for…?
  • https://fidoalliance.org/certification/
• What is the cost for…?
  • Test Tools: free (non-member access: $3,000)
  • Interop Events: free
  • Certification: $5,000 member, $6,500 non-member
  • Derivative Certification: $500 member, $750 non-member
  • Trademark License Agreement: free
• Where do I start?
  • Register for test tool access here: https://fidoalliance.org/test-tool-access-request/
Questions?