Presentation on theme: "Fast IDentity Online – a new industry alliance formed to develop technical standards that enable Internet Services to use Simpler Stronger Auth solutions."— Presentation transcript:
2 Who… What… Why… Repeat that we are growing the Alliance now, if you represent any of these constituencies please join!
3 Slide deck includes members from all parts of the value chain: authenticator vendors, device OEMs, OS vendors, authentication players and relying parties. Strong motivation for multiple players to support FIDO. For example, Microsoft’s customers are increasingly having to deal with non-Windows devices.
6 To Change Authentication Online by: (a) Developing unencumbered Specifications that define interoperable mechanisms that supplant reliance on passwords; (b) Operating programs to help ensure industry adoption; (c) Submitting mature Specifications for formal standardization. Emphasize this is the User eXperience, acknowledge that most of us do much more on the backend with risk-based techniques, but the UX is password/OTP.
7 FIDO Alliance’s Role… “Paper” Specifications. Interoperability and Conformance testing. Trademark licensing against criteria. Thought leadership, nurture ecosystem. The Alliance does not ship products! Implementations left to commercial vendors.
9 Why Authentication is Cybersecurity Priority #1: "Poor authentication mechanisms are a commonly exploited vector of attack by adversaries; the 2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials." -- NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12-Feb-2014. The Internet Services need Simpler, Stronger authentication online, the devices are coming with Simpler, Stronger local auth innovations, why not put them together (which will require open, interoperable wire protocols that can be implemented by any device and any online service) – that’s what FIDO is!
10 Today’s Passwords: REUSED, PHISHED, KEYLOGGED. We all know the inherent problems with passwords…
11 Today’s Password Alternatives: One Time Codes with SMS or Device. Improves security but not easy enough. SMS USABILITY: Coverage | Delay | Cost. DEVICE USABILITY: One per site | $$ | Fragile. USER EXPERIENCE: Users find it hard. STILL PHISHABLE: Known attacks today. In spite of the recent trend to bolt-on optional OTP solutions (aka “2-step verification”) from Google, Twitter, etc. – this is a temp. fix, only makes UX worse.
12 Major Industry Trend: Simpler, Stronger Local Device Auth. PERSONAL DEVICES: Carry Personal Data. LOCAL LOCKING: PINs & Patterns today. NEW WAVE: CONVENIENT SECURITY: Simpler, Stronger local authentication. With so many people carrying mobile devices full of personal information, they are locking their devices, now with PIN & Gesture, but even more convenient and stronger solutions are on the horizon: finger scan, keychain devices, voice, facial recognition, etc. with an underpinning of silicon-based security.
13 Putting It Together. The problem: Simpler, Stronger online. The trend: Simpler, Stronger local device auth. Why not: Use local device auth for online auth? This is the core idea behind FIDO standards!
14 FIDO Experiences: ONLINE AUTH REQUEST, LOCAL DEVICE AUTH, SUCCESS. PASSWORDLESS EXPERIENCE (UAF standards): Transaction Detail, Show a biometric, Done. SECOND FACTOR EXPERIENCE (U2F standards): Login & Password, Insert Dongle, Press button, Done.
We are enabling two fundamental use cases/user experiences: Passwordless w/UAF (requires native device support), PW+token w/U2F (FIDO-enable any device with an innovative “driverless PKI” keychain-type device).
FIDO provides two user experiences to address a wide range of use cases and deployment scenarios. FIDO protocols are based on public key cryptography and are strongly resistant to phishing.
Passwordless UX: The passwordless FIDO experience is supported by the Universal Authentication Framework (UAF) protocol. In this experience, the user registers their device to the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc. The UAF protocol allows the service to select which mechanisms are presented to the user. Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. UAF also allows experiences that combine multiple authentication mechanisms such as fingerprint + PIN.
Second Factor UX: The second factor FIDO experience is supported by the Universal Second Factor (U2F) protocol. This experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login. The user logs in with a username and password as before. The service can also prompt the user to present a second factor device at any time it chooses. The strong second factor allows the service to simplify its passwords (e.g. 4-digit PIN) without compromising security. During registration and authentication, the user presents the second factor by simply pressing a button on a USB device or tapping over NFC. The user can use their FIDO U2F device across all online services that support the protocol, leveraging built-in support in web browsers.
15 State of Market Adoption
17 13+ products have participated in and satisfied the requirements of our testing program and are conferred the right to use the FIDO Ready™ mark.
18 OEMs SHIPPING FIDO-READY™ PRODUCTS. New and existing devices are supported. OEM Enabled: Lenovo ThinkPads with Fingerprint Sensors. OEM Enabled: Samsung Galaxy S5. On the authenticator side, we are working with dozens of authenticator manufacturers. Here are three that we have publicly demonstrated. Clients available for these operating systems: Software Authenticator Examples: Voice/Face recognition, PIN, QR Code, etc. Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element.
19 First FIDO Deployment already live… Customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready™ software on the device securely communicates between the fingerprint sensor on their device and PayPal’s service in the cloud. The only information the device shares with PayPal is a unique cryptographic “public key” that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers.
20 From July 2014… Alipay – formerly a part of Alibaba Group in China. Processed $519 Billion in transactions in 2013. Launched FIDO-based payments using Galaxy S5.
21 How it works
27 Key Benefit for Service Providers
28 FIDO’s Focus on User Privacy: Biometric data (if used) never leaves device. No link-ability between Services. No link-ability between Accounts.
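An added sketch, not FIDO Alliance code and not the UAF/U2F message formats, of the idea on slides 19 and 28: the device mints a separate key pair per service and account, the service stores only the public key, and login is a signature over a fresh challenge. The class names, origins and account name are assumptions made for the example, and binding the signed challenge to the origin is this model's simplified way of showing the phishing resistance claimed on slide 14.

```javascript
// Added illustration, not FIDO Alliance code and not the UAF/U2F wire format.
const crypto = require('node:crypto');

class Authenticator {            // hypothetical stand-in for the user's device
  constructor() { this.keys = new Map(); }   // private keys stay in here
  register(origin, account) {    // fresh key pair per service and per account
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(`${origin}|${account}`, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(origin, account, challenge) {   // runs after the local unlock (finger, PIN)
    const key = this.keys.get(`${origin}|${account}`);
    if (!key) return null;             // no credential registered for this origin
    return crypto.sign('sha256', Buffer.from(`${origin}|${challenge}`), key);
  }
}

class RelyingParty {             // hypothetical online service
  constructor(origin) { this.origin = origin; this.pubKeys = new Map(); this.pending = new Map(); }
  enroll(account, pem) { this.pubKeys.set(account, pem); }  // public key only
  newChallenge(account) {
    const c = crypto.randomBytes(32).toString('hex');
    this.pending.set(account, c);
    return c;
  }
  verify(account, signature) {
    const challenge = this.pending.get(account);
    this.pending.delete(account);      // each challenge is single use
    const pem = this.pubKeys.get(account);
    if (!challenge || !pem || !signature) return false;
    return crypto.verify('sha256', Buffer.from(`${this.origin}|${challenge}`), pem, signature);
  }
}

function demo() {                // origins and account name are constructed
  const device = new Authenticator();
  const pay = new RelyingParty('https://pay.example');
  const shop = new RelyingParty('https://shop.example');
  pay.enroll('alice', device.register(pay.origin, 'alice'));
  shop.enroll('alice', device.register(shop.origin, 'alice'));
  const genuine = pay.verify('alice', device.sign(pay.origin, 'alice', pay.newChallenge('alice')));
  // A look-alike origin relays a real challenge: the device holds no key for it.
  const phished = pay.verify('alice', device.sign('https://pay-login.example', 'alice', pay.newChallenge('alice')));
  // A signature produced for one service is useless at another.
  const crossService = pay.verify('alice', device.sign(shop.origin, 'alice', pay.newChallenge('alice')));
  const unlinkable = pay.pubKeys.get('alice') !== shop.pubKeys.get('alice');
  return { genuine, phished, crossService, unlinkable };
}
```

Calling demo() returns four booleans: the genuine login verifies, the relayed and cross-service attempts do not, and the two services hold different public keys for the same user.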
29 Call to Action: FIDO is ready for use. Get involved: launch a Proof-of-Concept & Pilot. Adapt your strategy & roadmap to include FIDO. Join the Alliance – we are non-profit & volunteer. Contact Brett McDowell – Come to the plenary, meet and mingle, speak with the pioneers, select your partners.
30 THANK YOU