Last year was a year of great progress for the FIDO Alliance and standards-based strong authentication. Tens of millions of FIDO-enabled devices are now in use worldwide. There are over 100 FIDO Certified™ products available, and nearly 250 organizations are now taking part in the Alliance, including more than a dozen trade association partners. The market is clearly showing that now is the time to deploy FIDO authentication to modernize failing password systems.
These slides address:
– The uptake in global momentum
– Details on FIDO’s recent submission to the World Wide Web Consortium
– The Alliance’s plans and strategy for 2016 and what this means to you and your organization in the upcoming year
We encourage you and your colleagues to view these slides to catch up on what happened in 2015 and to learn how FIDO’s explosive growth can benefit your organization in 2016. You can listen to the webinar audio here: https://fidoalliance.org/events/fido-alliance-year-in-review-webinar/
3. Data Breaches…
781 data breaches in 2015
170m records in 2015 (up 50%)
$3.8m/breach (up 23% from 2013)
4. “95% of these incidents involve harvesting credentials stolen from customer devices, then logging into web applications with them.”
– 2015 Data Breach Investigations Report
5. “A look through the details of these incidents shows a common sequence of: phish customer → get credentials → abuse web application → empty bank/bitcoin account.”
– 2015 Data Breach Investigations Report
13. HOW OLD AUTHN WORKS
ONLINE: The user authenticates themselves online by presenting a human-readable secret.
14. HOW FIDO AUTHN WORKS
LOCAL: The user authenticates “locally” to their device (the authenticator) by various means.
ONLINE: The device authenticates the user online using public key cryptography.
16. Passwordless Experience (UAF Standards)
1. Authentication Challenge
2. Biometric Verification*
3. Authenticated Online
Second Factor Experience (U2F Standards)
1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online
*There are other types of authenticators
17. FIDO Registration
1. Invitation Sent (user is in a session, or a new account flow)
2. User Approval
3. New Keys Created
4. Public Key Registered With Online Server
Registration Complete
18. FIDO Authentication
1. FIDO Challenge (user needs to log in or authorize a transaction)
2. User Approval
3. Key Selected & Signs
4. Signed Response verified using Public Key Cryptography
Login Complete
31. Privacy by Design History
• Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada, coined the term “Privacy by Design” back in the late ’90s.
• The idea was to take privacy into account early in the design process.
• Cavoukian went a step further and developed 7 principles.
• It took years to investigate the idea further and to become familiar with privacy as an engineering concept.
33. No 3rd Party in the Protocol
No Secrets generated/stored on the Server side
Biometric Data (if used) Never Leaves Device
No Linkability Between Services and Accounts
De-register at any time
No release of information without consent
37. FIDO REGISTRATION – STEP 2
Parties: FIDO Authenticator, FIDO Server, App, Web App
0. Prepare
1. Legacy Auth. + Initiate Reg. (user is invited by the Online Service to register their FIDO device; specific to Online Service Providers)
2. Reg. Request + Policy
No release of information without consent
39. FIDO REGISTRATION – STEP 4
Parties: FIDO Authenticator, FIDO Server, App, Web App
0. Prepare
1. Legacy Auth. + Initiate Reg.
2. Reg. Request + Policy
3.
4. Reg. Response (register public key with FIDO Server for verifying signed challenges; specific to Account with Online Service Provider)
Biometric Data (if used) Never Leaves Device
40. No Linkability Between Accounts and Services
FIDO REGISTRATION (On Multiple Sites): Website A, Website B
41. PERSONAL DATA
– Application-specific Data: depending on the service (e.g., shipping address, credit card details)
– User Verification Data: biometric data (e.g., fingerprint or voice template, heart-rate variation data)
– FIDO-related Data: identifiers used by the FIDO authenticator protocols (e.g., public key, key handle)
Data Minimization, Purpose Limitation and protection against unauthorized access
Outside the scope of FIDO
42. Better security for online services
Reduced cost for the enterprise
Simpler and safer for consumers
49. Government Members
Public Sector
“The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.” – Mike Garcia, NSTIC NPO
50. Liaison Program
Industry Partners
Our mission is highly complementary to many other associations around the world. We welcome the opportunity to collaborate with this growing list of industry partner organizations.
51. 2015 FIDO ADOPTION
– “Microsoft Announces FIDO Support Coming to Windows 10” (Feb 23, 2015)
– “Qualcomm launches Snapdragon fingerprint scanning technology” (March 2, 2015)
– “Google for Work announced Enterprise admin support for FIDO® U2F ‘Security Key’” (April 21, 2015)
– “Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards” (May 26, 2015)
– “Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” (August 12, 2015)
– “the technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.” (September 15, 2015)
– “GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification” (October 1, 2015)
54. Available to anyone
Ensures interoperability
Promotes the FIDO ecosystem
Steps to certification:
1. Conformance Self-Validation
2. Interoperability Testing
3. Certification Request
4. Trademark License (optional)
fidoalliance.org/certification
55. 20-NOV-2015
FIDO Authentication Poised for Continued Growth as Alliance Submits FIDO 2.0 Web API to W3C
• W3C has accepted our submission
• Specifications required to define a FIDO-compliant Web API
• Designed to extend FIDO’s existing reach to all platforms
• OEM community should begin to plan their support now
• RP community should deploy FIDO 1.x now knowing FIDO standards are “future proof”; strategically positioned as the de facto authentication scheme for the Web & OS Platforms
Source of 781 breaches in 2015 = Identity Theft Resource Center Breach Report
Source of 170m records exposed in 2015 = Identity Theft Resource Center Breach Report (note >66% of these in healthcare)
Source of $3.8m / breach in 2015 = Ponemon Institute Cost of Data Breach Study
Source: 2015 Data Breach Investigations Report published by Verizon with contributions from 70 organizations around the world.
But what specifically makes passwords such a problem? (lead into next slide)
The only thing worse than a password is two passwords.
SMS is not always available / dedicated hardware is often service-specific / it’s a cumbersome process users generally don’t like / and it is still vulnerable to phishing (it is still a symmetric shared secret, just short-lived, but malware tools have adjusted to this)
User convenience is so important that we put it in the very name of the technology itself - the “F” in FIDO stands for Fast.
Historically, “Fast” has always meant “Weak” – but it’s important to understand that FIDO was designed from the ground up to provide privacy protections in addition to providing strong authentication. Fundamentally, the solution that we developed replaces passwords, which are over 50 years old, with modern public key cryptography.
AMEX, VASCO and INFINEON announced today
One more prominent EU government agency is about to be announced.
Microsoft: 1.5 billion users, 190 countries in Q3, free upgrade for consumers
Qualcomm Snapdragon: drives >1 billion android devices, >85 OEM customers
Google: Full lifecycle management for >5 million businesses who use “Google for Work”