Last year was a year of great progress for the FIDO Alliance and standards-based strong authentication. Tens of millions of FIDO-enabled devices are now in use worldwide. There are over 100 FIDO Certified™ products available, and nearly 250 organizations are now taking part in the Alliance, including more than a dozen trade association partners. The market is clearly showing that now is the time to deploy FIDO authentication to modernize failing password systems. These slides address: – The uptake in global momentum – Details on FIDO’s recent submission to the World Wide Web Consortium – The Alliance’s plans and strategy for 2016 and what this means to you and your organization in the upcoming year We encourage you and your colleagues to view these slides to catch up on what happened in 2015 and to learn how FIDO’s explosive growth can benefit your organization in 2016. You can listen to the webinar audio here: https://fidoalliance.org/events/fido-alliance-year-in-review-webinar/

1. EXPERIENCE SIMPLER, STRONGER AUTHENTICATION

2. AGENDA
The Problem
The Solution
The Alliance
Updates

3. 781 data breaches in 2015
Data Breaches…
170m records in 2015 (up 50%)
$3.8m/breach (up 23% f/2013)

4. “95% of these incidents involve
harvesting credentials stolen
from customer devices, then
logging into web applications
with them.”
2015 Data Breach Investigations Report

5. “A look through the details of these incidents
shows a common sequence of
phish customer ≥
get credentials ≥
abuse web application ≥
empty bank/bitcoin account.”
2015 Data Breach Investigations Report

6. The world has a PASSWORD PROBLEM

7. ONE-TIME PASSCODES
Improve security but aren’t easy enough to use
Still
Phishable
User
Confusion
Token
Necklace
SMS
Reliability

8. WE NEED A
NEW MODEL

9. WE CALL OUR
NEW MODEL
Fast IDentity Online
online authentication using
public key cryptography

10. AGENDA
The Problem
The Solution
The Alliance
Updates

11. THE OLD
PARADIGM
USABILITYSECURITY

12. THE FIDO
PARADIGM
Poor Easy
WeakStrong USABILITY
SECURITY

13. HOW OLD AUTHN WORKS
ONLINE
The user authenticates
themselves online by presenting
a human-readable secret

14. HOW FIDO AUTHN WORKS
AUTHENTICATOR
LOCAL ONLINE
The user authenticates
“locally” to their device
by various means
The device authenticates
the user online using
public key cryptography

15. Introduction to FIDO 1.0 standards
Universal Authentication Framework (UAF)
Universal 2nd Factor (U2F)

16. Passwordless Experience (UAF Standards)
Second Factor Experience (U2F Standards)
*There are other types of authenticators
Second Factor Challenge
1
Authenticated
Online
3
Insert Dongle* / Press Button
2
Biometric Verification*
2
Authentication Challenge
1
?
Authenticated Online
3

17. FIDO Registration
Invitation Sent New Keys Created
Pubic Key Registered
With Online Server
User is in a Session
Or
New Account Flow
1 2 3
4
Registration Complete
User Approval

18. Login Complete
FIDO Authentication
FIDO Challenge Key Selected & Signs
Signed Response verified using
Public Key Cryptography
User needs to login or
authorize a transaction
1 2 3
4
User Approval

19. FIDO UAF
UNIVERSAL AUTHENTICATION FRAMEWORK
AUTHENTICATOR
Same users as
enrolled before?
Same authenticator
as registered
before?

20. FIDO ServerFIDO
Authenticator
Metadata
Signed Attestation
Object
Verify Trust Anchor
Understand Authenticator Characteristic
ATTESTATION & METADATA

21. UAF AUTHENTICATION
DEMO EXAMPLE
STEP 1

22. UAF AUTHENTICATION
DEMO EXAMPLE
STEP 2

23. UAF AUTHENTICATION
DEMO EXAMPLE
STEP 3

24. UAF AUTHENTICATION
DEMO EXAMPLE
STEP 4

25. FIDO U2F
UNIVERSAL 2ND FACTOR
AUTHENTICATOR
USER VERIFICATION FIDO AUTHENTICATION
Same authenticator
as registered
before?
Is a user
present?

26. Step 1
U2F AUTHENTICATION DEMO EXAMPLE

27. Step 2
U2F AUTHENTICATION DEMO EXAMPLE

28. Step 3
U2F AUTHENTICATION DEMO EXAMPLE

29. Step 4
U2F AUTHENTICATION DEMO EXAMPLE
+Bob

30. USABILITY, SECURITY
and
PRIVACY by Design

31. Privacy by Design History
31
• Ann Cavoukian, the former Information and Privacy
Commissioner of Ontario/Canada, coined the term
“Privacy by Design” back in the late 90’s.
• Idea was to take privacy into account already early in
the design process.
• Cavoukian went a step further and developed 7
principles.
• It took years to investigate the idea further and to
become familiar with privacy as an engineering
concept.

32. Privacy Principles
32
https://fidoalliance.org/wp-content/uploads/2014/12/FIDO_Alliance_Whitepaper_Privacy_Principles.pdf

33. No 3rd Party in the Protocol
No Secrets generated/stored on the Server side
Biometric Data (if used) Never Leaves Device
No Link-ability Between Services and Accounts
De-register at any time
No release of information without consent

34. FIDO & Privacy
AUTHENTICATOR
USER VERIFICATION FIDO AUTHENTICATION

35. Prepare0
STEP 1
FIDO
Authenticator
FIDO
Server
App Web
App
FIDO REGISTRATION

36. FIDO REGISTRATION
Prepare0
STEP 2
FIDO
Authenticator
FIDO
Server
App Web
App
TLS Channel
Establishment
1
No 3rd Party in the Protocol

37. FIDO REGISTRATION
Prepare0
STEP 2FIDO
Authenticator
FIDO
Server
App Web
App
User is invited by Online Service to register their FIDO device
(Specific to Online Service Providers)
Legacy Auth.
+ Initiate Reg.
Reg. Request
+ Policy
1
2
No release of information without consent

38. FIDO REGISTRATION
Prepare0
STEP 3
FIDO
Authenticator
FIDO
Server
App Web
App
38
3
Legacy Auth.
+ Initiate Reg.
Reg. Request
[Policy]
1
2
Verify User & Generate New Key Pair
(Specific to Account with Online Service Provider)
No Secrets generated/stored on the Server side

39. FIDO REGISTRATION
Prepare0
STEP 4
FIDO
Authenticator
FIDO
Server
App Web
App
3
Register public key with FIDO Server for verifying signed challenges
(Specific to Account with Online Service Provider)
Legacy Auth.
+ Initiate Reg.
Reg. Request
+ Policy
1
2
Reg. Response4
Biometric Data (if used) Never Leaves Device

40. No Link-ability Between Accounts and Services
Website A
Website B
FIDO REGISTRATION
(On Multiple Sites)

41. PERSONAL DATA
Application-specific Data
Depending on the service
(e.g., shipping address, credit card details)
User Verification Data
Biometric data
(e.g., fingerprint or voice template,
heart-rate variation data)
FIDO-related Data
Identifiers used by
the FIDO authenticator protocols
(e.g., public key, key handle)
Data
Minimization,
Purpose
Limitation
and
protection
against
unauthorized
access
Outside the
scope of
FIDO

42. Better security for online services
Reduced cost for the enterprise
Simpler and safer for consumers

43. AGENDA
The Problem
The Solution
The Alliance
Updates

44. The FIDO Alliance is an open industry
association of over 250
global member organizations

45. Physical-to-digital identity
User Management
Authentication
Federation
Single
Sign-On
Passwords Risk-BasedStrong
MODERN
AUTHENTICATION
FIDO SCOPE

46. FIDO Alliance Mission
Develop
Specifications
Operate
Adoption Programs
Pursue Formal
Standardization
1 2 3

47. Board Members
47 47 4747
 Services/Apps
 Vendors/Enablers
 Devices/Platforms

48. AGENDA
The Problem
The Solution
The Alliance
Updates

49. Government Members
49
 Public Sector
49 4949
“The fact that FIDO has now welcomed government
participation is a logical and exciting step toward further
advancement of the Identity Ecosystem; we look forward to
continued progress.” -- Mike Garcia, NSTIC NPO

50. Liaison Program
50
 Industry Partners
50 5050
Our mission is highly complementary to many other associations
around the world. We welcome the opportunity to collaborate
with this growing list of industry partner organizations.

51. “Microsoft Announces FIDO
Support Coming to Windows 10”
Feb 23, 2015
“Qualcomm launches
Snapdragon fingerprint
scanning technology”,
March 2, 2015
“Google for Work announced
Enterprise admin support for
FIDO® U2F “Security Key”,
April 21, 2015
“Largest mobile network in
Japan becomes first
wireless carrier to enhance
customer experience with
natural, simple and strong
ways to authenticate to
DOCOMO’s services using
FIDO standards”
May 26, 2015
2015 FIDO ADOPTION“Today, we’re adding Universal 2nd Factor (U2F) security
keys as an additional method for two-step verification,
giving you stronger authentication protection.”
August 12, 2015
“the technology
supporting fingerprint
sign-in was built
according to FIDO
(Fast IDentity Online)
standards.”
September 15, 2015
“GitHub says it
will now handle
what is called the
FIDO Universal
2nd Factor, or
U2F,
specification”
October 1, 2015

52. Deployments are enabled by
FIDO Certified™ Products
available today

53. 53

54. 54
 Available to anyone
 Ensures interoperability
 Promotes the FIDO ecosystem
Steps to certification:
1. Conformance Self-Validation
2. Interoperability Testing
3. Certification Request
4. Trademark License (optional)
fidoalliance.org/certification

55. 20-NOV-2015
FIDO Authentication Poised for Continued Growth as Alliance Submits
FIDO 2.0 Web API to W3C
• W3C has accepted our submission
• Specifications required to define a FIDO-compliant Web API
• Designed to extend FIDO’s existing reach to all platforms
• OEM community should begin to plan their support now
• RP community should deploy FIDO 1.x now knowing FIDO
standards are “future proof” --strategically positioned as the de
facto authentication scheme for the Web & OS Platforms

56. FIDO in 2015
FEB MAYMAR APR MAY NOVJUNE AUG SEP OCTJUN OCT

57. Relying Parties – deploy FIDO 1.X now
OEMs – plan for FIDO 2.x now
Vendors – get FIDO Certified™

58. JOIN THE
FIDO ECOSYSTEM

59. JOIN THE
FIDO ALLIANCE

60. EXPERIENCE SIMPLER, STRONGER AUTHENTICATION