The new model for stronger, simpler online authentication has implications beyond businesses and their consumers, including government policy and applications. FIDO was designed with security and privacy at the forefront, making it a natural ally for government initiatives in these areas. View slides from policy experts on the role of FIDO in policy, what the Alliance is doing in policy and how governments are working to implement FIDO.
Contents:
Review of FIDO Alliance
– FIDO’s mission and vision
– Key liaison relationships & government members
– How FIDO enhances privacy
FIDO in Government Services, a NIST Perspective
Introduction to FIDO’s Privacy and Public Policy Workgroup (P3WG) and some key outputs:
– Privacy White Paper
– EBA Response
FIDO’s fit in global regulatory approaches to security and privacy
– Supporting common policy goals
– Key differences from traditional 2-factor authentication
– Related activities, including Cybersecurtiy National Plan (US), and eIDAS (EU)
FIDO Webinar – A New Model for Online Authentication: Implications for Policy and Government Applications
1. Implications for Policy and Government Applications
Webinar – May 4, 2016
All Rights Reserved. FIDO Alliance. Copyright 2016.
A NEW MODEL FOR ONLINE
AUTHENTICATION
2. Our Speakers
Jeremy Grant Brett McDowell Paul Grassi
Chertoff Group FIDO Alliance NIST
Confidential. All Rights Reserved. FIDO Alliance. Copyright 2016. 2
3. Authentication is Important to Government
1. Protects access to government assets
2. Enables more high-value citizen-facing services
3. Empowers private sector to provide a wider range of high
value services to consumers
4. Secures assets in regulated industries
5. Promotes good security practices in the private sector
Governments seek identity solutions that can deliver not just
improved Security – but also Privacy, Interoperability, and
better Customer Experiences
All Rights Reserved. FIDO Alliance. Copyright 2016.
4. FIDO Delivers on Key Policy Priorities
Security
• Authentication using strong
asymmetric Public Key
cryptography
• Superior to old “shared
secrets” model – there is
nothing to steal
• Biometrics as second factor
Privacy
• Privacy architected in up
front; supports EU Privacy
Principles, other national
privacy initiatives
• No linkability or tracking
• Biometric data never leaves
device
• Consumer control and
consent
Interoperability
• Open standards: FIDO 2.0
specs are in W3C
standardization process
• FIDO compliance/
conformance testing to
ensure interoperability of
“FIDO certified” products
Usability
• Designed with the user
experience (UX) first – with
a goal of making
authentication as easy as
possible.
• Security built to support the
user’s needs, not the other
way around
All Rights Reserved. FIDO Alliance. Copyright 2016.
5. FIDO Impact on Policy
FIDO specifications offer governments newer, better options for
strong authentication – but governments may need to update
some policies to support the ways in which FIDO is different.
As technology evolves, policy needs to evolve with it.
All Rights Reserved. FIDO Alliance. Copyright 2016.
6. All Rights Reserved. FIDO Alliance. Copyright 2016.
FIDO ALLIANCE: AN OVERVIEW
Brett McDowell
6
14. HOW OLD AUTHN WORKS
ONLINE
The user authenticates
themselves online by presenting a
human-readable “shared secret”
15. HOW FIDO AUTHN WORKS
AUTHENTICATOR
LOCAL ONLINE
The user authenticates
“locally” to their device
(by various means)
The device authenticates
the user online using
public key cryptography
16. FIDO Registration
Invitation Sent New Keys Created
Pubic Key Registered
With Online Server
User is in a Session
Or
New Account Flow
1 2 3
4
Registration Complete
User Approval
17. Login Complete
FIDO Authentication
FIDO Challenge Key Selected & Signs
Signed Response verified using
Public Key Cryptography
User needs to login or
authorize a transaction
1 2 3
4
User Approval
22. FIDO DEVELOPMENT TIMELINE
FIDO 1.0
FINALFirst
DeploymentsSpecification
Review Draft
FIDO Ready
Program
Alliance
Announced
FEB
2013
6 Members
DEC
2013
FEB
2014
FEB-OCT
2014
DEC 9
2014
MAY
2015
TODAY
>250
Members
Market
Adoption
JUNE
2015
Certification
Program
New U2F
Transports
26. Government & Research
“The fact that FIDO has now welcomed government
participation is a logical and exciting step toward
further advancement of the Identity Ecosystem;
we look forward to continued progress.”
-- Mike Garcia, NSTIC NPO
26
2640Confidential
27. Liaison Program
Our mission is highly
complementary to
many other
associations around
the world. We
welcome the
opportunity to
collaborate with this
growing list of
industry partner
organizations.
27
27
28. “PayPal and Samsung Enable Consumer
Payments with Fingerprint
Authentication on New Samsung
Galaxy S5”
Feb 24, 2014
“Secure Consumer Payments Enabled for
Alipay Customers with Easy-to-Use
Fingerprint Sensors on Recently-Launched
Samsung Galaxy S5”
September 17, 2014
“Google Launches Security Key,
World’s First Deployment of Fast
Identity Online Universal Second
Factor (FIDO U2F) Authentication”
October 21, 2014
2014 FIDO ADOPTION
29. “Microsoft Announces FIDO
Support Coming to Windows 10”
Feb 23, 2015
“Qualcomm launches
Snapdragon fingerprint
scanning technology”
March 2, 2015
“Google for Work announced
Enterprise admin support for
FIDO® U2F ‘Security Key’”
April 21, 2015
“Largest mobile network in
Japan becomes first wireless
carrier to enhance customer
experience with natural,
simple and strong ways to
authenticate to DOCOMO’s
services using FIDO
standards.”
May 26, 2015
2015 FIDO ADOPTION
“Today, we’re adding Universal 2nd Factor (U2F) security
keys as an additional method for two-step verification,
giving you stronger authentication protection.”
August 12, 2015
“[T]he technology
supporting fingerprint
sign-in was built
according to FIDO
(Fast IDentity Online)
standards.”
September 15, 2015
“GitHub says it
will now handle
what is called
the FIDO
Universal 2nd
Factor, or U2F,
specification.”
October 1, 2015
30. “NTT DOCOMO is now
offering FIDO-enabled
biometric authentication for
customers using Apple iOS
devices”
Mar 7, 2016
2016 FIDO ADOPTION
“FIDO Universal 2nd Factor (U2F) authentication is now
being used to allow all UK citizens to easily and securely
access GOV.UK Verify digital public services.
Mar 23, 2016
“BC Card provides Token
and FIDO services to
strengthen security and
safety of Samsung Pay”
March 1, 2016
“KEB Hana’s new solution
is notably FIDO Certified.”
February 3, 2016
46. Update on the Update
All Rights Reserved. FIDO Alliance. Copyright 2016.
47. PERSPECTIVES ON FIDO IN GLOBAL
POLICY
Jeremy Grant
Confidential. All Rights Reserved. FIDO Alliance. Copyright 2016. 47
48. FIDO Engagement on Policy Issues
• FIDO Launched the Public Policy and Privacy Working Group
(P3WG) in 2014
• Mission:
• Focus on “Privacy by Design” approach to FIDO specifications,
providing privacy expertise and guidance
• Monitor global privacy and public policy issues that impact
authentication, engaging in education efforts where appropriate
• Co-Chairs: Hannes Tschofenig (ARM) and Stephan Somogyi
(Google)
All Rights Reserved. FIDO Alliance. Copyright 2016.
49. Why Policy Matters
• Governments around the world are focusing on identity and
authentication requirements, both for their own systems, as well as
systems in industries that they regulate
• Drivers for these enhanced requirements include both the increased
number of attacks tied to passwords in public and private sector, as well
as the need for more secure consumer/citizen-facing digital services
• As governments engage here, support for new approaches like FIDO is not
a given:
• Most governments are not aware of FIDO, or if they are, do not properly understand
it
• Natural gap between technology innovation and understanding of that innovation by
policymakers and regulators
All Rights Reserved. FIDO Alliance. Copyright 2016.
50. FIDO Engagement on Policy Issues
2016 Activities
• FIDO Privacy White Paper – January 2016
• Response to the European Banking Authority (EBA)
Discussion Paper on Future Draft Technical Standards on
Strong Customer Authentication and Secure
Communication Under the Revised Payment Services
Directive (PSD2) – February 2016
• Response to NIST RFI on updates to NIST “Framework for
Improving Critical Infrastructure Cybersecurity” – March
2016
• Active inventorying and monitoring of authentication-
related policies across the globe
All Rights Reserved. FIDO Alliance. Copyright 2016.
51. What Governments Should Know
1. Recognize that two-factor authentication no longer brings
higher burdens or costs.
All Rights Reserved. FIDO Alliance. Copyright 2016.
• While this statement was true of most “old” MFA
technology, FIDO specifically addresses these cost and
usability issues.
• FIDO enables simpler, stronger authentication
capabilities that governments, businesses and
consumers can easily adopt at scale.
52. What Governments Should Know
2. Recognize technology is now mature enough to enable two
secure, distinct authentication factors in a single device.
All Rights Reserved. FIDO Alliance. Copyright 2016.
• Recognized by the US government (NIST) in 2014…
• “OMB (White House) to update guidance on remote
electronic authentication” to remove requirements
that one factor be separate from the device
accessing the resource
• The evolution of mobile devices – in particular,
hardware architectures that offer highly robust and
isolated execution environments (such as TEE, SE
and TPM) – has allowed these devices to achieve
high-grade security without the need for a
physically distinct token
53. What Governments Should Know
3. As governments promote or require strong authentication,
make sure it is the “right” strong authentication.
The market is in the midst of a burst of innovation around authentication
technology – some solutions are better than others. Don’t push the
adoption of old authentication technology.
• Old authentication technologies impose significant costs and burdens on the user –
which decreases adoption
• Old authentication technologies have security (i.e., phishable) and privacy issues –
putting both users and online service providers at risk
All Rights Reserved. FIDO Alliance. Copyright 2016.
54. What Governments Should Know
4. FIDO is designed to enhance privacy
• Designed from the start to support the Privacy Principles of the European
Data Protection Directive and other government privacy initiatives
• No 3rd Party in the Protocol
• No Secrets on the Server Side
• Biometric Data (if used) Never Leaves Device
• No Linkability Between Services
• No Linkability Between Accounts
All Rights Reserved. FIDO Alliance. Copyright 2016.
55. FIDO and User Privacy - US
All Rights Reserved. FIDO Alliance. Copyright 2016.
FIDO Privacy Principle IDESG Privacy requirements
Require explicit, Informed consent for
any operation using personal data
PRIVACY-6. USAGE NOTICE
PRIVACY-8. THIRD PARTY LIMITATIONS
PRIVACY-9. USER NOTICE OF CHANGES
PRIVACY-10. USER OPTION TO DECLINE
PRIVACY-11. OPTIONAL INFORMATION
Provide clear context to the user for any
FIDO operations
PRIVACY-6. USAGE NOTICE
PRIVACY-8. THIRD PARTY LIMITATIONS
PRIVACY-9. USER NOTICE OF CHANGES
PRIVACY-10. USER OPTION TO DECLINE
PRIVACY-11. OPTIONAL INFORMATION
Limit collection of personal data to FIDO-
related purposes
PRIVACY-1. DATA MINIMIZATION
PRIVACY-2. PURPOSE LIMITATION
PRIVACY-3. ATTRIBUTE MINIMIZATION
PRIVACY-5. DATA AGGREGATION RISK
PRIVACY-8. THIRD PARTY LIMITATIONS
PRIVACY-12. ANONYMITY
PRIVACY-13. CONTROLS PROPORTIONATE
TO RISK
Use personal data only for FIDO
operations
PRIVACY-1. DATA MINIMIZATION
PRIVACY-2. PURPOSE LIMITATION
PRIVACY-5. DATA AGGREGATION RISK
PRIVACY-8. THIRD PARTY LIMITATIONS
FIDO Privacy Principle IDESG Privacy requirements
Prevent identification of a user outside of
FIDO operations
PRIVACY-1. DATA MINIMIZATION
PRIVACY-2. PURPOSE LIMITATION
PRIVACY-3. ATTRIBUTE MINIMIZATION
PRIVACY-5. DATA AGGREGATION RISK
PRIVACY-8. THIRD PARTY LIMITATIONS
PRIVACY-12. ANONYMITY
Biometric data must never leave the
user’s personal computing environment
PRIVACY-1. DATA MINIMIZATION
PRIVACY-2. PURPOSE LIMITATION
PRIVACY-3. ATTRIBUTE MINIMIZATION
PRIVACY-4. CREDENTIAL LIMITATION
PRIVACY-8. THIRD PARTY LIMITATIONS
PRIVACY-15 ATTRIBUTE SEGREGATION
Protect FIDO-related data from
unauthorized access or disclosure
Covered by IDESG Security Requirements
PRIVACY-14. DATA RETENTION
Allow users to easily view and manage
their FIDO Authenticators
PRIVACY-7. USER DATA CONTROL
PRIVACY-8. THIRD PARTY LIMITATIONS
PRIVACY-14. DATA RETENTION
FIDO Privacy Principles mapped to Identity Ecosystem Steering Group (IDESG) Requirements
56. FIDO and User Privacy - EU
All Rights Reserved. FIDO Alliance. Copyright 2016.
EU Privacy Principle FIDO Implementation of EU Privacy Principle
Personal data must be processed
fairly and lawfully
For a User to access a Relying Party’s services through FIDO Authentication, the User must first agree to register with that Relying Party. When the User wishes to access the online service, they must execute
the User Verification step, e.g. touching a sensor, entering a passcode, or providing their fingerprint, in order to execute the cryptographic computation. This ensures that malware installed on the User’s
device is unable to autonomously perform FIDO operations.
Personal data can only be processed
for one or more specified lawful
purpose(s)
The Personal Data required to access an online service, such as a fingerprint, can only be accessed by the FIDO Authenticator which is part of the User’s device. The FIDO Authenticator can only access such
data when it is required to perform an Authentication. The FIDO protocol requires a minimum amount of data stored by the Relying Party, for which the user is required to provide consent.
Personal data must be adequate,
relevant, and not excessive in relation
to the purposes for which it is being
used
The data needed to perform an Authentication is collected by the Relying Party when the User registers with it. This data is:
A public key: This allows the Relying Party to verify that the FIDO Authenticator being used is the one previously registered by the User.
Authenticator Attestation ID (AAID): This is a reference that allows the Relying Party to look-up the characteristics of the used FIDO Authenticator.
Key Handle: An identifier created by a FIDO Authenticator, potentially containing an encrypted private key, to refer to a specific key maintained the FIDO Authenticator.
Personal data must be accurate and
up to date
The data used for FIDO Authentication, such as the registered public key, must be accurate since cryptographic verification fails otherwise.
If the data becomes corrupted for any reason, the User needs to re-register with the Relying Party. Re-registration changes the registered public key.
Personal data must not be kept for
longer than necessary to fulfil the
purposes for which it was collected
The User may de-register from a Relying Party at any time. Once de-registration has taken place the Public key held by the Relying Party is of no further use.
Personal data must be kept secure Allowing users to authenticate using FIDO Authentication provides a greater level of security around accessing personal data than passwords alone.
Data required for local User Verification is stored locally on the FIDO Authenticator. FIDO-related data stored at the Relying Party is not confidential by itself. The FIDO Authenticator is required to protect
data required for User Verification and FIDO-related data, such as cryptographic keys, against unauthorized access by third parties.
Personal data must be processed in
accordance with rights of data
subjects
Personal data used to authenticate a User can only be accessed by that User when the User wishes to be authenticated.
Personal data cannot be transferred
outside a given geographical area,
such as the EEA, without specific
circumstances being in place.
Personal data held in a FIDO Authenticator will be protected by the same mechanisms irrespective of the device’s location and the device can only leave the EEA if the owner wishes it to do so.
The FIDO Server used by the Relying Party does not contain personal data.
57. Better security for online services
Reduced cost for the enterprise
Simpler and safer for consumers
All Rights Reserved. FIDO Alliance. Copyright 2016.
58. THANK YOU
Connect with Us:
@FIDOAlliance
linkedin.com/company/the-fido-alliance
slideshare.net/FIDOAlliance
All Rights Reserved. FIDO Alliance. Copyright 2016.
Notes de l'éditeur
But what specifically makes passwords such a problem? (lead into next slide)
Source of 781 breaches in 2015 = Identity Theft Resource Center Breach Report
Source of 170m records exposed in 2015 = Identity Theft Resource Center Breach Report (note >66% of these in healthcare)
Source of $3.8m / breach in 2015 = Ponemon Institute Cost of Data Breach Study
The only thing worse than a password is two passwords.
SMS is not always available / dedicated hardware is often service-specific / it’s cumbersome process users generally don’t like / and it is still vulnerable to phishing (it is still a symmetric shared secret, just short-lived, but malware tools have adjusted to this)
User convenience is so important that we put it in the very name of the technology itself - the “F” in FIDO stands for Fast.
Historically, “Fast” has always meant “Weak” – but it’s important to understand that FIDO was designed from the ground up to provide privacy protections in addition to providing strong authentication. Fundamentally, the solution that we developed replaces passwords, which are over 50 years old, with modern public key cryptography.
AMEX, VASCO and INFINEON announced today
One more prominent EU government agency is about to be announced.
One more prominent EU government agency is about to be announced.
Microsoft: 1.5 billion users, 190 countries in Q3, free upgrade for consumers
Qualcomm Snapdragon: drives >1 billion android devices, >85 OEM customers
Google: Full lifecycle management for >5 million businesses who use “Google for Work”
One more prominent EU government agency is about to be announced.
We support a growing number of fingerprint enabled Android devices that have in-built UAF capabilities
Most of the new Samsung high devices with FPSs support UAF
Newer devices from Fujitsu, Sharp and Sony increasingly include UAF support out of the box
Fujitsu Arrows NX supports UAF-enabled iris authentication.
We will see other types of authenticators also appear in coming devices
We support the Android M fingerprint API
Apart from these devices with native FIDO UAF support, we also support virtually any non-FPS Android device running Kit Kat or newer
using an embedded UAF PIN authenticator.
We support all Touch ID enabled iOS devices
These devices don’t have native FIDO UAF support
We have built a UAF authenticator using the Touch ID API and the secure enclave
We also support non-Touch ID devices(Eg iPhone 4s and 5) running iOS 8 or higher using device passcode (PIN) authenticator