The new model for stronger, simpler online authentication has implications beyond businesses and their consumers, including government policy and applications. FIDO authentication was designed with security and privacy at the forefront, making it a natural complement for government initiatives in these areas. Explore FIDO's role in policy, what the Alliance is doing in policy and how governments are working to implement FIDO authentication.
2. Featuring
Brett McDowell, Executive Director, FIDO Alliance
Jeremy Grant, Managing Director, The Chertoff Group
Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service
Elaine Newton, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)
All Rights Reserved. FIDO Alliance. Copyright 2017. 2
3. Agenda
• FIDO Alliance Overview, Brett McDowell
• Strong Authentication Trends in Government, Jeremy Grant
• Safer, Faster, Simpler: A UK Perspective, Adam Cooper
• Developments in Biometric Guidance, Elaine Newton
• Q & A
4. Formed in 2012 to Solve the Password Problem
63% of data breaches in 2015 involved weak, default, or stolen passwords (Verizon Data Breach Report)
1,093 data breaches in the US in 2016, up ~40% from 2015 (Identity Theft Resource Center)
Each data breach costs $3.8 million on average, up 23% from 2013 (Ponemon Institute)
5. The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards
6. FIDO Alliance Mission
1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization
Define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to authenticate users of online services.
8. HOW “Shared Secrets” WORK
ONLINE: the user authenticates themselves online by presenting a human-readable “shared secret”, a value the server must also hold (and can therefore lose in a breach).
9. HOW FIDO WORKS
LOCAL: the user authenticates “locally” to their authenticator device (by various means, e.g. a PIN or a biometric).
ONLINE: the device authenticates the user online using public key cryptography: it signs a server challenge with a private key that never leaves the device, and the server holds only the matching public key.
10. OPEN STANDARDS R.O.I.
FIDO-enable once, gain every device you trust: no more one-off integrations.
12. No 3rd Party in the Protocol
No Secrets on the Server Side
Biometric Data (if used) Never Leaves Device
No (*new*) Link-ability Between Services
No (*new*) Link-ability Between Accounts
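As an added example (not code from the deck, the FIDO Alliance or any FIDO specification), the Go program below models the exchange that slides 8, 9 and 12 describe, with both sides in one file: the authenticator keeps a separate private key per relying party and signs a server challenge only after a local user-verification step, and the relying party stores nothing but public keys and accepts each challenge exactly once. Ed25519 from the Go standard library stands in for whatever algorithm a real authenticator negotiates; the RP IDs, the user name and the signed-message layout are assumptions of this example, not FIDO wire formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one private key per relying party
// (RP), never exported. A separate key pair per RP is what gives "no (new)
// linkability between services": two RPs see unrelated public keys.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a key pair for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Assertion is the device's answer to a challenge. Nothing in it is secret.
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Signature []byte
}

// signedBytes is what both sides sign and verify over (layout is an assumption
// of this example, not a FIDO wire format).
func signedBytes(rpIDHash [32]byte, challenge []byte) []byte {
	return append(append([]byte{}, rpIDHash[:]...), challenge...)
}

// Authenticate is the "online" half: the device signs the RP's challenge.
// userVerified stands in for the "local" half (PIN, fingerprint, ...) that the
// device checks itself; no PIN or biometric data is part of the assertion.
func (a *Authenticator) Authenticate(rpID string, challenge []byte, userVerified bool) (Assertion, error) {
	if !userVerified {
		return Assertion{}, errors.New("local user verification failed: nothing signed")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, errors.New("no credential registered for this RP")
	}
	h := sha256.Sum256([]byte(rpID))
	return Assertion{RPIDHash: h, Challenge: challenge, Signature: ed25519.Sign(priv, signedBytes(h, challenge))}, nil
}

// RelyingParty models the server. Its store holds public keys only: a dump of
// it gives an attacker nothing to log in with, unlike a table of password hashes.
type RelyingParty struct {
	id      string
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding single-use challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues a random challenge that is valid for one assertion only.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify accepts an assertion only if the challenge is the outstanding one
// (consumed here, so a replay fails), it was made for this RP, and the
// signature checks under the enrolled public key.
func (rp *RelyingParty) Verify(user string, asr Assertion) error {
	want, ok := rp.pending[user]
	if !ok || !bytes.Equal(want, asr.Challenge) {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, user)
	if asr.RPIDHash != sha256.Sum256([]byte(rp.id)) {
		return errors.New("assertion was made for a different RP")
	}
	pub, ok := rp.pubKeys[user]
	if !ok || !ed25519.Verify(pub, signedBytes(asr.RPIDHash, asr.Challenge), asr.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	device, bank := NewAuthenticator(), NewRelyingParty("bank.example") // hypothetical RP ID
	pub, _ := device.Register("bank.example")
	bank.Enroll("alice", pub)
	challenge, _ := bank.NewChallenge("alice")
	asr, _ := device.Authenticate("bank.example", challenge, true)
	fmt.Println("first login:", bank.Verify("alice", asr))
	fmt.Println("replayed:   ", bank.Verify("alice", asr))
}
```

The first Verify returns nil; the second, handed the same assertion, is rejected because the challenge was consumed. Against the shared-secret model on slide 8 the contrast is: an attacker who copies the RP's table gets public keys that cannot produce a signature, an attacker who captures an assertion on the wire cannot reuse it, and an assertion made for one RP fails the RP-ID check at another.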
14. Global Leaders Deploy FIDO Standards
15. Certification Growth
An open competitive market; ensures interoperability; a sign of a mature FIDO ecosystem.
250+ FIDO® Certified products available today
[Chart: total FIDO Certified products over time, values as extracted in order]
Apr-15: 32 | Jul-15: 62 | Sep-15: 74 | Dec-15: 108 | Mar-16: 162 | May-16: 216 | Aug-16: 253 | Jan-17: 304
16. FIDO Certified – Jan`17
17. The Road Ahead
• W3C Web Authentication Specification
• Standards Effort with EMVCo
• Client-to-Authenticator Protocol (CTAP)
• FIDO Universal Server + New Certification Programs
19. STRONG AUTHENTICATION TRENDS IN GOVERNMENT
Jeremy Grant, Managing Director, The Chertoff Group
20. Authentication is Important to Government
1. Protects access to government assets
2. Enables more high-value citizen-facing services
3. Empowers private sector to provide a wider range of high
value services to consumers
4. Secures critical assets and infrastructure
5. Promotes good security practices in the private sector
Governments seek identity solutions that can deliver not just
improved Security – but also Privacy, Interoperability, and
better Customer Experiences
21. FIDO Is Impacting How Governments Think
About Authentication
• Enables support for “BYOC” (Bring Your Own Credential)
• Take advantage of the growing ecosystem of FIDO solutions and
standards
• No requirement to issue a separate token or app for MFA
• No need to create passwords for digital government services
• Better Security, Privacy + Interoperability
• Better Customer Experiences – simpler and safer
• Reduced Cost for the Government Enterprise
22. FIDO Is Impacting How Governments Think About Authentication
U.S. Commission on Enhancing National Cybersecurity
• Bipartisan commission established by the White House in April 2016, charged with crafting recommendations for the next President
• Major focus on Authentication
23. U.S. Commission on Enhancing National Cybersecurity
Focus on non-PIV solutions for USG Authentication
“The next Administration should provide agencies with updated policies and guidance that continue to focus on increased adoption of strong authentication solutions, including but, importantly, not limited to personal identity verification (PIV) credentials.
“To ensure adoption of strong, secure authentication by federal agencies, the requirements should be made performance based (i.e., strong) so they include other (i.e., non-PIV) forms of authentication, and should mandate 100 percent adoption within a year.”
24. U.S. Commission on Enhancing National Cybersecurity
“Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance. FIDO specifications are focused largely on the mobile smartphone platform to deliver multifactor authentication to the masses, all based on industry standard public key cryptography.

Windows 10 has deployed FIDO specifications (known as Windows Hello), and numerous financial institutions have adopted FIDO for consumer banking. Today, organizations complying with FIDO specifications are able to deliver secure authentication technology on a wide range of devices, including mobile phones, USB keys, and near-field communications (NFC) and Bluetooth low energy (BLE) devices and wearables.

This work, other standards activities, and new tools that support continuous authentication provide a strong foundation for opt-in identity management for the digital infrastructure.”
25. FIDO Is Impacting How Governments Think About Authentication
Priorities:
• Ensuring that future online products and services coming into use are “secure by default”
• Empowering consumers to “choose products and services that have built-in security as a default setting.”
“[We will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.” (UK National Cyber Security Strategy 2016-2021)
26. A Note on Policy
FIDO specifications offer governments newer, better options for
strong authentication – but governments may need to update
some policies to support the ways in which FIDO is different.
As technology evolves, policy needs to evolve with it.
27. 1. Multi-factor authentication no longer brings higher burdens or costs
• The old objection (that MFA adds burden and cost) was true of most “old” MFA technology; FIDO specifically addresses these cost and usability issues.
• FIDO enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale.
28. 2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device
European Banking Authority (EBA): Draft Regulatory Technical Standards on PSD2 Strong Authentication
29. 2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device
• Recognized by the US government (NIST) in 2014…
• “OMB (White House) to update guidance on remote electronic authentication” to remove requirements that one factor be separate from the device accessing the resource
• The evolution of mobile devices – in particular, hardware architectures that offer highly robust and isolated execution environments (such as a TEE, SE or TPM: Trusted Execution Environment, Secure Element, Trusted Platform Module) – has allowed these devices to achieve high-grade security without the need for a physically distinct token
30. 2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device
• Reflected in the new NIST Draft Digital Identity Guidelines (SP 800-63B)
31. 3. Local-match biometrics has matured and is an important authentication factor
• New guidance from Taiwan’s Financial Supervisory Commission (FSC)
• Previous guidance forbade local biometric match as an authentication factor; the new guidance allows it, as part of a FIDO solution
32. FIDO Delivers on Key Government Priorities
Security
• Authentication using strong asymmetric public key cryptography
• Superior to the old “shared secrets” model: there is nothing to steal on the server
• Biometrics as second factor
Privacy
• Privacy architected in up front; no linkability or tracking
• Designed to support the privacy principles of the European Data Protection Directive
• Biometric data never leaves the device
• Consumer control and consent
Interoperability
• Open standards: FIDO 2.0 specs are in the W3C standardization process
• FIDO compliance/conformance testing to ensure interoperability of “FIDO Certified” products
Usability
• Designed with the user experience (UX) first, with a goal of making authentication as easy as possible
• Security built to support the user’s needs, not the other way around
34. SAFER, FASTER, SIMPLER: A UK PERSPECTIVE
Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service
41. GDS | GOV.UK Verify
Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (aka eIDAS):
• Mutual acceptance of eID cross-border
• Interoperability standards
• Encourages cooperation between Member States
• Huge potential: e.g. PSD2, AML4D
43. “Objective 5.2.3. The majority of online products and services coming into use become ‘secure by default’ by 2021.” - National Cyber Security Strategy 2016-2021
44. To achieve this goal the Government will…
• Lead by example
• Explore options for collaboration with industry
• Adopt challenging new cyber security technologies in government
45. “invest in… emerging industry standards such as Fast Identity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate.”
46. For more information visit the blog at identityassurance.blog.gov.uk or go to gov.uk/verify
48. DEVELOPMENTS IN BIOMETRIC GUIDANCE
Elaine Newton, PhD, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)
49. The SOFA Project
• NIST is exploring a framework around Strength of Function for Authenticators - Biometrics (SOFA-B) for measuring and evaluating the strength of biometric authentication on mobile devices, to:
  • Determine how effectively it mitigates different levels of transactional risk
  • Understand how such biometric factors can be combined with, or substituted for, other authentication factors
50. System and Attack Analysis
[Diagram: a generic biometric system with the subsystems Data Capture, Signal Processing, Comparison, Decision and Data Storage, and eleven numbered attack points against them: presentation attack at the sensor; override capture device; extract/modify biometric sample; override signal processor; modify probe; override comparator; modify score; override decision engine; modify decision; override database; modify biometric reference]
Many attacks can be mitigated by core security controls: e.g., encryption, mutual authentication, limiting of unsuccessful attempts.
Some areas require specific focus in biometrics: e.g., template protection.
51. Recommendation: Analyze and quantify factors specific to biometric systems.
[Diagram: the same biometric system and attack points as slide 50, with two of them called out. Presentation attack: PAD Error Rate (PADER), shorthand for the probability of a successful presentation attack*. Matching performance: FMR, the probability of a false match occurring.]
Two aspects stood out as unique to biometric authN: Presentation Attacks and the Matching Performance; each carries potential metrics to contribute to strength.
52. Zero-Information and Targeted Attacks
• “Zero-information” and “targeted” attacks should be considered, as both scenarios may affect Effort, as well as PADER and FMR.
[Table: attack steps under two columns, Zero-Info and Targeted; the steps listed are shoulder surf, retrieve biometric, create artefact]
53. Recommendation: Quantify SOFA for Zero Information Attacks
• Goal is to move towards developing metrics that can be compared and combined to better understand authentication systems
• Ultimately, we would be able to determine the same type of measure for most authentication systems
$\mathrm{SOFA}_{\text{Zero Info}}(\text{Biometrics}) \propto \dfrac{\text{Effort}}{\text{FMR} \times \text{PADER}}$
$\mathrm{SOFA}_{\text{Zero Info}}(\text{PIN/PW}) \propto \text{Effort} \times N^{L}$
(where $N^{L}$ is read as the size of the PIN/password space: $N$ possible symbols, length $L$)
54. Overview of Draft NIST SP 800-63-3 Biometric Requirements
• FMR of 1 in 1000 or better.
• False non-match rate is left to applications to determine their needs.
• To deal with presentation attacks (aka spoofs or fakes at the sensor):
  • Strict rate limiting is required, OR
  • Rate limiting plus PAD (demonstrating at least 90% resistance to presentation attacks for each relevant attack type (aka species)).
• Must also authenticate something you have: a biometric is always one factor of a 2-factor authenticator, never the only factor.
• Protected channel required prior to capturing the biometric sample.
• Additional requirements for server/central matching.
• Memory wipe requirement.
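The Go program below is an added example, not NIST material, that carries three of the biometric points above into code: the limiting of unsuccessful attempts named under slide 50, the two SOFA proportionalities on slide 53, and the draft SP 800-63B choice on slide 54 between strict rate limiting alone and rate limiting plus PAD. The lockout thresholds (3, 5 and 10 consecutive failures) are assumptions chosen for illustration; only the 1-in-1000 FMR ceiling and the 90% PAD resistance figure come from the slide. ZeroInfoSuccessProb treats each impostor attempt as an independent trial, which is the zero-information case of slide 52.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// AttemptPolicy follows the two options on the slide: strict rate limiting
// alone, or rate limiting combined with presentation attack detection (PAD).
// The concrete limits used in main() are assumptions for this example, not
// figures from the deck.
type AttemptPolicy struct {
	MaxConsecutiveFailures int     // lock the biometric factor after this many
	PADResistance          float64 // fraction of artefacts PAD rejects (0 = no PAD)
}

var ErrLocked = errors.New("biometric factor locked: too many consecutive failures")

// BiometricVerifier enforces the policy per user. It never sees a template:
// the match decision arrives from the on-device comparator as a bool.
type BiometricVerifier struct {
	policy   AttemptPolicy
	failures map[string]int
	locked   map[string]bool
}

func NewBiometricVerifier(p AttemptPolicy) *BiometricVerifier {
	return &BiometricVerifier{policy: p, failures: map[string]int{}, locked: map[string]bool{}}
}

// Attempt records one authentication try. A detected artefact counts as a
// failure just like a non-match, so an attacker cannot probe PAD for free.
func (v *BiometricVerifier) Attempt(user string, matched, artefactDetected bool) (bool, error) {
	if v.locked[user] {
		return false, ErrLocked
	}
	if artefactDetected || !matched {
		v.failures[user]++
		if v.failures[user] >= v.policy.MaxConsecutiveFailures {
			v.locked[user] = true
			return false, ErrLocked
		}
		return false, nil
	}
	v.failures[user] = 0 // a genuine success resets the streak
	return true, nil
}

// ZeroInfoSuccessProb is the probability that an impostor with no information
// about the user (a random artefact at the sensor) is accepted at least once
// in `attempts` independent tries. One try succeeds only if PAD misses the
// artefact (probability pader) AND the comparator falsely matches (fmr).
func ZeroInfoSuccessProb(fmr, pader float64, attempts int) float64 {
	return 1 - math.Pow(1-fmr*pader, float64(attempts))
}

// AttackerBudget is the impostor's success probability under a policy: PADER
// is 1-PADResistance and the attempt count is capped by the lockout.
func AttackerBudget(p AttemptPolicy, fmr float64) float64 {
	return ZeroInfoSuccessProb(fmr, 1-p.PADResistance, p.MaxConsecutiveFailures)
}

// SOFABiometric and SOFAPin carry the slide's two proportionalities through
// as plain numbers (constant of proportionality taken as 1) so a biometric
// and a PIN configuration can be put side by side.
func SOFABiometric(effort, fmr, pader float64) float64 { return effort / (fmr * pader) }
func SOFAPin(effort float64, alphabet, length int) float64 {
	return effort * math.Pow(float64(alphabet), float64(length))
}

func main() {
	const fmr = 1.0 / 1000 // the draft SP 800-63B ceiling
	noLimit := ZeroInfoSuccessProb(fmr, 0.1, 100000)
	strict := AttackerBudget(AttemptPolicy{MaxConsecutiveFailures: 5}, fmr)
	withPAD := AttackerBudget(AttemptPolicy{MaxConsecutiveFailures: 10, PADResistance: 0.9}, fmr)
	fmt.Printf("no rate limit: %.4f  strict limit (5): %.4f  limit (10) + PAD: %.4f\n", noLimit, strict, withPAD)
	fmt.Printf("SOFA biometric (FMR 1/1000, PAD 90%%): %.0f  vs 4-digit PIN: %.0f\n",
		SOFABiometric(1, fmr, 0.1), SOFAPin(1, 10, 4))

	v := NewBiometricVerifier(AttemptPolicy{MaxConsecutiveFailures: 3}) // assumed limit
	for i := 1; i <= 4; i++ {
		ok, err := v.Attempt("alice", false, false)
		fmt.Println("attempt", i, "accepted:", ok, "err:", err)
	}
}
```

With FMR 1/1000 and 90% PAD an impostor limited to 10 tries succeeds with probability about 0.001, while the same impostor with no limit is effectively certain to get in; that is the reason the draft makes rate limiting mandatory rather than optional. The SOFA line shows that, under the slide's proportionalities, a 1/1000-FMR biometric with 90% PAD has the same zero-information strength as a 4-digit PIN (10^4), and with no PAD at all (PADER = 1) the same as a 3-digit PIN.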
56. Questions for our Experts?