Rolf Lindemann, Nok Nok Labs
Hosted by cv cryptovision GmbH, T: +49 (0) 209.167-24 50, F: +49 (0) 209.167-24 61, info(at)cryptovision.com
Authentication in Context
- Single Sign-On
- Modern Authentication
- Federation
- Passwords
- Strong Risk Based Authentication
- User Management
- Physical-to-digital identity
Cloud Authentication
Password Problem
- Hacked from databases
- Phished
- Re-used across sites
- Key logged
- Ill-suited for mobile devices
- Easily broken
No Alternatives
- SMS-OTP usability (coverage, delay, cost)
- Device usability (one per site, fragile, cost)
- User experience
- Still phishable
Current Authentication Architectures
(Diagram: authentication methods tied to individual applications / relying parties, RP 1 ... RP n)
FIDO Approach
- The user's device holds a private key; the server holds only the matching public key.
- Login is a challenge from the server answered by a signed response from the device.
- The key can be kept in a Secure Element (SE).
- Registration and authentication answer two questions: Same user as enrolled before? Same authenticator as registered before?
- FIDO can recognize the user (i.e. user verification), but doesn't know identity attributes of the user.
- Identity binding is done outside FIDO: "This is John Doe with customer ID X."
- Remaining questions for the server: How is the key protected (TPM, SE, TEE, ...)? What user verification method is used?
Attestation & Metadata
- FIDO Authenticator sends a Signed Attestation Object to the FIDO Server.
- The server verifies it using the trust anchor included in the Metadata.
- The server understands the authenticator's security characteristics by looking into the Metadata (from the Metadata Service or other sources).
Binding Keys To Apps
- Use the google.com key for google.com; use the paypal.com key for paypal.com.
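The two slides above (challenge/signed response, and one key per app) can be shown in a short program. The following Go code is an added example, not code from the slides or from Nok Nok Labs or cryptovision: the authenticator keeps one P-256 key per relying party ID, the server stores only public keys and issues a fresh random challenge per login, and the signature covers the RP ID together with the challenge (a simplification of the real UAF/WebAuthn signed message, which carries more fields). The RP IDs, the user name "jdoe" and the look-alike domain "paypal-login.example" are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator keeps one key pair per relying party ID (rpID), created at
// registration. Private keys never leave the device; only public keys go out.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a fresh key for rpID and returns the public half.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no entropy: nothing sensible to do in a demo
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// signedData is the message the signature covers: the RP ID the client observed
// plus the server's challenge. Folding the RP ID in ties a response to one site.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Authenticate signs the challenge with the key bound to rpID. A site the user
// never registered with gets no signature at all.
func (a *Authenticator) Authenticate(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// Server is one relying party's FIDO server. It stores public keys only, so a
// breach of this table yields nothing usable for impersonation.
type Server struct {
	rpID string
	pubs map[string]*ecdsa.PublicKey // username -> registered public key
}

// NewChallenge returns 32 random bytes; a fresh value per login is what makes a
// captured response useless later.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks the response against the stored key and this server's own RP ID.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubs[user]
	return ok && ecdsa.VerifyASN1(pub, signedData(s.rpID, challenge), sig)
}

// Demo runs registration and login for a constructed user "jdoe" at
// "paypal.com" and reports: a fresh login verifies; the same signature replayed
// against a new challenge fails; a look-alike site ("paypal-login.example",
// constructed) gets no signature because the authenticator holds no key for it.
func Demo() (loginOK, replayRejected, phishRejected bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	srv := &Server{rpID: "paypal.com", pubs: map[string]*ecdsa.PublicKey{}}
	srv.pubs["jdoe"] = auth.Register("paypal.com")

	c1 := srv.NewChallenge()
	sig, err := auth.Authenticate("paypal.com", c1)
	if err != nil {
		panic(err)
	}
	loginOK = srv.Verify("jdoe", c1, sig)

	c2 := srv.NewChallenge()
	replayRejected = !srv.Verify("jdoe", c2, sig)

	_, err = auth.Authenticate("paypal-login.example", c1)
	phishRejected = err != nil
	return
}

func main() {
	ok, replay, phish := Demo()
	fmt.Println("login:", ok, "replay rejected:", replay, "phishing rejected:", phish)
}
```

Two things to notice when reading the code: the server never sees the private key, so the "Only public keys on server" point from the later slides falls out of the design rather than from any extra control, and the phishing case fails before any signature exists, because key selection is driven by the RP ID the client observed, not by anything the remote site sends.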
FIDO Authenticator Concept
- Attestation Key: injected at manufacturing, doesn't change.
- Authentication Key(s): generated at runtime (on Registration).
- Optional components: User Verification / Presence; Transaction Confirmation Display.
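The attestation slide and the authenticator concept above describe one registration-time check: the fixed, manufacturing-time attestation key signs the freshly generated authentication key, and the server verifies that signature with a trust anchor from metadata before deciding, by its own policy, whether the model's key protection is good enough. The Go program below is an added example (not from the slides, Nok Nok Labs or cryptovision) of that check. The metadata fields, the model IDs "se-model" and "sw-model", and the policy "accept SE or TEE only" are all constructed; the real FIDO metadata statement format has many more fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// MetadataEntry is what a FIDO server learns about one authenticator model from
// the Metadata Service (or another source): the trust anchor for that model's
// attestation key and its security characteristics. Field names are constructed
// for this example, not the real metadata statement format.
type MetadataEntry struct {
	KeyProtection    string // where private keys live: "SE", "TEE", "TPM", "SOFTWARE"
	UserVerification string // e.g. "fingerprint", "PIN"
	TrustAnchor      *ecdsa.PublicKey
}

// Authenticator: the attestation key is injected at manufacturing and shared by
// every unit of a model; authentication keys are generated per registration.
type Authenticator struct {
	ModelID        string
	attestationKey *ecdsa.PrivateKey
}

// AttestationObject is what the authenticator returns at registration: the new
// authentication public key and the model ID, signed with the attestation key.
type AttestationObject struct {
	ModelID string
	PubKey  *ecdsa.PublicKey
	Sig     []byte
}

func attestedData(modelID string, pub *ecdsa.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(modelID))
	h.Write(pub.X.Bytes())
	h.Write(pub.Y.Bytes())
	return h.Sum(nil)
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Register generates a fresh authentication key and attests it.
func (a *Authenticator) Register() *AttestationObject {
	authKey := mustKey()
	sig, err := ecdsa.SignASN1(rand.Reader, a.attestationKey, attestedData(a.ModelID, &authKey.PublicKey))
	if err != nil {
		panic(err)
	}
	return &AttestationObject{ModelID: a.ModelID, PubKey: &authKey.PublicKey, Sig: sig}
}

// Server verifies the attestation against the trust anchor from metadata, then
// applies its own policy to the model's security characteristics.
type Server struct {
	Metadata           map[string]MetadataEntry // modelID -> metadata
	AcceptedProtection map[string]bool          // policy: key protection levels this RP accepts
}

func (s *Server) AcceptRegistration(att *AttestationObject) error {
	md, ok := s.Metadata[att.ModelID]
	if !ok {
		return fmt.Errorf("model %q: no metadata, cannot judge its security", att.ModelID)
	}
	if !ecdsa.VerifyASN1(md.TrustAnchor, attestedData(att.ModelID, att.PubKey), att.Sig) {
		return fmt.Errorf("model %q: attestation does not verify against trust anchor", att.ModelID)
	}
	if !s.AcceptedProtection[md.KeyProtection] {
		return fmt.Errorf("model %q: key protection %q below policy", att.ModelID, md.KeyProtection)
	}
	return nil // att.PubKey can now be stored for this user
}

// Demo builds two constructed models, "se-model" (keys in a secure element) and
// "sw-model" (software keys), registers each with a server whose policy requires
// SE or TEE, and also tries a forged attestation that claims "se-model" but is
// signed with a key that is not the trust anchor in metadata.
func Demo() (seAccepted, swRejected, forgeryRejected bool) {
	seKey, swKey := mustKey(), mustKey()
	srv := &Server{
		Metadata: map[string]MetadataEntry{
			"se-model": {KeyProtection: "SE", UserVerification: "fingerprint", TrustAnchor: &seKey.PublicKey},
			"sw-model": {KeyProtection: "SOFTWARE", UserVerification: "PIN", TrustAnchor: &swKey.PublicKey},
		},
		AcceptedProtection: map[string]bool{"SE": true, "TEE": true},
	}
	se := &Authenticator{ModelID: "se-model", attestationKey: seKey}
	sw := &Authenticator{ModelID: "sw-model", attestationKey: swKey}
	forged := &Authenticator{ModelID: "se-model", attestationKey: mustKey()}

	seAccepted = srv.AcceptRegistration(se.Register()) == nil
	swRejected = srv.AcceptRegistration(sw.Register()) != nil
	forgeryRejected = srv.AcceptRegistration(forged.Register()) != nil
	return
}

func main() {
	fmt.Println(Demo())
}
```

The order of the checks matters: metadata lookup first (no trust anchor, no judgement), signature second, policy last. Swapping the last two would let a forged object claiming a strong model reach the policy step, which is exactly the "scalable security depending on Authenticator implementation" property the later slides rely on.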
Security & Convenience
(Chart: Password, Password + OTP and FIDO plotted on security vs. convenience axes)
- In FIDO: the same user verification method works for all servers.
- In FIDO: arbitrary user verification methods are supported (and they are interoperable).
- In FIDO: scalable security depending on the Authenticator implementation.
- In FIDO: only public keys on the server; not phishable.
Classifying Threats
Scalable attacks:
1. Remotely attacking central servers to steal data for impersonation
2. Remotely attacking lots of user devices to steal data for impersonation
3. Remotely attacking lots of user devices to misuse them for impersonation
4. Remotely attacking lots of user devices to misuse authenticated sessions
Physical attacks, possible on lost or stolen devices (3% in the US in 2013):
5. Physically attacking user devices to steal data for impersonation
6. Physically attacking user devices to misuse them for impersonation
FIDO & Federation
- First Mile (FIDO): on the user device, Browser / App, FIDO Client and FIDO Authenticator speak the UAF Protocol to the FIDO Server at the IdP. The FIDO Server knows details about the authentication strength.
- Second Mile (Federation): the Federation Server at the IdP, backed by the Id DB, federates to the Service Provider. It knows details about the identity and its verification strength.
Example: FIDO Enterprise Integration
- Enterprise IT operates the IdP: Federation Server plus FIDO Server (could be operated externally as well).
- Internal and external users log in via federated login, e.g. OpenID Connect.
- Applications behind the IdP: Cloud-hosted Appl. 1 ... N and Enterprise Appl. 1 ... N.
Devices Deployed Today
FIDO in Snapdragon
- Market leader to ship FIDO Authenticators
- 85+ OEMs as of Q4
- >1 billion Android devices shipped
- Innovative sensor
FIDO in Healthcare
- First healthcare deployment
- Physician access to health records
- Up to 50 million healthcare users
FIDO and Google for Work
- Google for Work announced enterprise admin support for the FIDO U2F Security Key on April 21.
- Google for Work is used by over 5 million businesses worldwide.
- "The Security Keys are a great step forward, as they are very practical and more secure." (Woolsworth IT)
FIDO in Japan
- 4 devices with native FIDO support: Arrows NX F-04G, Aquos SH-03, Galaxy S6, Galaxy S6 Edge
- First iris based authenticator in Arrows
- Docomo has more than 60m customers in Japan
- FIDO login to Docomo ID & carrier billing payments
- Services with biometric authentication to be expanded sequentially
FIDO & Government
- Governments worldwide are looking at FIDO
- FIDO featured at White House Summit
- New collaboration framework: Updated Membership Agreement
- "2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials." (NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12-Feb-2014)
Reduced Cost & Complexity
- Single Infrastructure
- Any Device
- Risk Appropriate
- Lower Cost & Complexity
Conclusion
- Different authentication use-cases lead to different authentication requirements
- Today, we have authentication silos
- FIDO separates user verification from the authentication protocol and hence supports all user verification methods
- FIDO significantly improves authentication security
- FIDO supports scalable security and convenience
- User verification data is known to FIDO Authenticators only
- FIDO complements federation
- Consider piloting a FIDO-based authentication solution