7. Considerations
DECISIONS ABOUT SECURITY ARE NOT ALWAYS RATIONAL
COMPLEXITY PARALYSIS, EMOTIONAL DRIVERS, FEAR HAZARDS

Cost Effectiveness: Cost to develop and maintain?
Ease of Deployment: Effort to implement and support?
Risk: Biometric information storing and protection?
Security: Fraud reduction, e.g. man-in-the-middle and phishing attacks?
Future Proofing: Effort to incorporate additional modalities?
Scalability: Support for millions of users and diverse use cases?
Customer Experience: Seamless and frictionless experience?

7 NOK NOK LABS
9. MASTERING AUTHENTICATION: BEST PRACTICES

Recognition or Authentication?
What’s at stake? Consent?
Active or Passive? Single or Multi-Modal?
Recovery? Lifecycle model?
Documented Threat Model?
How are templates & matcher protected? Attack vectors?
Failure modes, Predictability, Operational variations?
Is there PII? Who owns the biometric?
Operating multiple authentication silos or standards-based approach?

✓ Run a POC
✓ Develop a framework for use (beware shiny objects)
✓ Build a 3-5 year roadmap
✓ Consider a standards-based approach with FIDO
10. KEY THINGS TO KNOW ABOUT FIDO
…what many get wrong
18. PROJECTED PATH OF EVOLUTION
PHASES TO UBIQUITY – THE NNL PERSPECTIVE

Phase 1 (2013): FIDO delivered “over the top” in software; Whitebox security
Phase 2 (2014-15): OEMs, Security Chip and SOC vendors include FIDO; Security profiles vary by vendor; Interop & Conformance Testing
Phase 3 (2015-18): Operating Systems include “scaffolding” for FIDO; Converging security profiles in hardware; Security Certification Testing; GOLD Server (all protocol versions supported)
Phase 4 (2017-2022): Operating Systems, Browsers ship native FIDO support - Ubiquitous security; EMVCo, Global Platform, NIST/NCCOE, UK, Germany, Korean Citizen ID Initiatives, other reference architectures

Referenced by Regulators & Policy-Makers, Adopted by Industry Bodies
19. AUTHENTICATION HAS TO DELIVER INTEGRITY END TO END
HAS TO SCALE FROM SILICON TO THE CLOUD WITHOUT DEVELOPER, USER, IT COMPLEXITY

Completing The Chain of Trust:
Hardware Integrity
OS Integrity
App Integrity
Network Integrity
User Integrity & Consent

Easy for Users, Easy for Developers, Easy for IT Operators
20. INFLUENCING FIDO
FIDO UNIQUE IN BALANCING TECH VENDORS WITH RELYING PARTIES

• More than buying membership – you have to vote with your presence and persistence for what you care about
• Volunteer organization
  - As good as participation
  - RPs need to continue participation at technical and business level to balance vendor interest
  - Standards are about creating constituencies, lining up the activity & the votes to move things forward
• Welcome to join the FIDO Alliance
21. STATE OF TRUST & SECURITY

Would you take pills for every waterborne disease every time you took a drink of water, or would you rather chlorinate the water?
Current state of security: It’s like drinking water from the tap in the 1800s