“The FIDO Alliance Today”

Presentation transcript:

“The FIDO Alliance Today” Brett McDowell, Executive Director, FIDO Alliance brett@fidoalliance.org Hear FIDO leadership detail the market/enterprise/consumer opportunities, current deployment use cases, the structure and participants inside the Alliance, how FIDO capabilities and protocols layer into the current IAM stack, and where the technology fits in with desktops, devices and smartphones.

AGENDA The Problem The Solution The Alliance Updates

Data Breaches… 783 data breaches in 2014; >1 billion records since 2012; $3.5 million cost/breach. Source of 783 breaches = Identity Theft Resource Center Breach Report. Source of $3.5m / breach = Ponemon Institute. Source of >1 billion records stolen since 2012 = WSJ. Breaches since 2012, by industry (source WSJ): Misc. businesses (443m records) / Financial & Insurance (350m) / Retail (183m) / Gov (20m) etc. Top data breaches since 2012 (source WSJ): Experian (200m) / eBay (145m) / JPMC (76m) / Target (70m + 40m) / Home Depot (56m) / Evernote (50m) / Adobe (33m) etc.

“76% of 2012 network intrusions exploited weak or stolen credentials” Source: 2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security)

The world has a PASSWORD PROBLEM But what specifically makes passwords such a problem? (lead into next slide) 2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that

ONE-TIME PASSCODES: Improve security but aren’t easy enough to use. SMS Reliability / Token Necklace / User Confusion / Still Phishable. The only thing worse than a password is two passwords. SMS is not always available; dedicated hardware is often service-specific; it’s a cumbersome process users generally don’t like; and it is still vulnerable to phishing (it is still a symmetric shared secret, just short-lived, but malware tools have adjusted to this).

WE NEED A NEW MODEL

WE CALL OUR NEW MODEL Fast IDentity Online: online authentication using public key cryptography. User convenience is so important that we put it in the very name of the technology itself - the “F” in FIDO stands for Fast. Historically, “Fast” has always meant “Weak”, but it’s important to understand that FIDO was designed from the ground up to provide privacy protections in addition to providing strong authentication. Fundamentally, the solution that we developed replaces passwords, which are over 50 years old, with modern public key cryptography.

AGENDA The Problem The Solution The Alliance Updates

THE OLD PARADIGM (chart: SECURITY versus USABILITY)

THE FIDO PARADIGM (chart: SECURITY axis from Weak to Strong; USABILITY axis from Poor to Easy)

HOW OLD AUTHN WORKS: The user authenticates themselves online by presenting a human-readable secret. (Diagram label: ONLINE)

HOW FIDO AUTHN WORKS: The user authenticates “locally” to their device by various means. The device authenticates the user online using public key cryptography. (Diagram labels: AUTHENTICATOR, LOCAL, ONLINE)

online authentication using public key cryptography

Passwordless Experience (UAF Standards): 1. Authentication Challenge; 2. Biometric Verification*; 3. Authenticated Online. Second Factor Experience (U2F Standards): 1. Second Factor Challenge; 2. Insert Dongle* / Press Button; 3. Authenticated Online. *There are other types of authenticators

FIDO Registration: Invitation Sent (User is in a Session Or New Account Flow) → User Approval → New Keys Created → Public Key Registered With Online Server → Registration Complete

FIDO Authentication: FIDO Challenge (User needs to login or authorize a transaction) → User Approval → Key Selected & Signs → Signed Response verified using Public Key Cryptography → Login Complete

USABILITY, SECURITY and PRIVACY

No 3rd Party in the Protocol / No Secrets on the Server side / Biometric Data (if used) Never Leaves Device / No Link-ability Between Services / No Link-ability Between Accounts
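The registration and authentication flows above, together with the server-side and link-ability properties just listed, as an added sketch that is not from the presentation or the FIDO specifications. It uses Node's built-in crypto with ECDSA P-256; the class names, the `.example` origins, the account name and the layout of the signed bytes are assumptions made for illustration, not the UAF/U2F wire format.

```javascript
// Added illustration, not FIDO Alliance code; class and method names are hypothetical.
const crypto = require("node:crypto");
// Bytes that get signed: fixed-length hash of the origin, then the server challenge.
const signedData = (origin, challenge) =>
  Buffer.concat([crypto.createHash("sha256").update(origin).digest(), challenge]);

// Authenticator: one key pair per (origin, account); private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin, account) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.keys.set(`${origin}|${account}`, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // only the public key is sent
  }
  sign(origin, account, challenge) {
    const key = this.keys.get(`${origin}|${account}`);
    return key ? crypto.sign("sha256", signedData(origin, challenge), key) : null;
  }
}

// Online service: stores public keys only and issues single-use challenges.
class Server {
  constructor(origin) { this.origin = origin; this.pub = new Map(); this.pending = new Map(); }
  enroll(account, pem) { this.pub.set(account, pem); }
  challenge(account) { const c = crypto.randomBytes(32); this.pending.set(account, c); return c; }
  verify(account, sig) {
    const c = this.pending.get(account);
    this.pending.delete(account); // consume the challenge so it cannot be reused
    const pem = this.pub.get(account);
    if (!c || !pem || !sig) return false;
    return crypto.verify("sha256", signedData(this.origin, c), pem, sig);
  }
}

function demo() { // constructed origins and account name
  const device = new Authenticator();
  const bank = new Server("https://bank.example"), shop = new Server("https://shop.example");
  const bankPem = device.register(bank.origin, "alice");
  const shopPem = device.register(shop.origin, "alice");
  bank.enroll("alice", bankPem); shop.enroll("alice", shopPem);
  const sig = device.sign(bank.origin, "alice", bank.challenge("alice"));
  const login = bank.verify("alice", sig);
  bank.challenge("alice"); // new challenge; the old signature is replayed against it
  const replay = bank.verify("alice", sig);
  const relayed = bank.challenge("alice"); // a look-alike site relays the real challenge
  const phished = bank.verify("alice", device.sign("https://bank-login.example", "alice", relayed));
  return { login, replay, phished, distinctKeys: bankPem !== shopPem };
}
console.log(demo());
```

A database dump from either server yields only public keys, and the two services hold different keys for the same user, so the records cannot be joined on the credential.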

Better Security for online services / Reduced cost for the enterprise / Simpler and Safer for consumers

AGENDA The Problem The Solution The Alliance Updates

The Fast IDentity Online (FIDO) Alliance is an open industry association of over 220 global member organizations. The FIDO Alliance is an open industry association of nearly 200 global member organizations from many different types of industries. Our mission is to end the world’s reliance on passwords by developing and promoting the use of our innovative, open technology standards that enable simpler and stronger authentication for consumers, citizens, governments and businesses.

Board Members (Services/Networks, Devices/Platforms, Vendors/Enablers). Online Services: Visa, PayPal, Discover, Mastercard, Bank of America, Alibaba (Microsoft and Google). Chips and Device Providers: NXP, ARM, Samsung, Qualcomm, Oberthur, Yubico, Lenovo, Intel. Biometrics Providers: Synaptics, Identity X (Daon), CrucialTec, (Microsoft). Enterprise Server/Security Vendors: RSA, Nok Nok Labs. Mobile Network Operators: NTT DOCOMO.

FIDO Alliance Mission: 1. Develop Specifications; 2. Operate Adoption Programs; 3. Pursue Formal Standardization

FIDO SCOPE: Physical-to-digital identity / User Management / Authentication / Federation / Single Sign-On / Passwords / Risk-Based / Strong / MODERN AUTHENTICATION

AGENDA The Problem The Solution The Alliance Updates

FIDO TIMELINE: FEB 2013: Alliance Announced (6 Members); DEC 2013: FIDO Ready Program; FEB 2014: Specification Review Draft; FEB-OCT 2014: First Deployments; DEC 9 2014: FIDO 1.0 FINAL; MAY 2015: Certification Program; JUNE 2015: New U2F Transports; TODAY: Broad Adoption (>220 Members)

2014 FIDO ADOPTION “Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5”, September 17, 2014 “Google Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication”, October 21, 2014 “PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5”, Feb 24, 2014

2015 FIDO ADOPTION “Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” August 12, 2015 “Google for Work announced Enterprise admin support for FIDO® U2F “Security Key”, April 21, 2015 “Qualcomm launches Snapdragon fingerprint scanning technology”, March 2, 2015 “the technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.” September 15, 2015 “GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification” October 1, 2015 “Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards” May 26, 2015 Microsoft: 1.5 billion users, 190 countries in Q3, free upgrade for consumers Qualcomm Snapdragon: drives >1 billion android devices, >85 OEM customers Google: Full lifecycle management for >5 million businesses who use “Google for Work” “Microsoft Announces FIDO Support Coming to Windows 10” Feb 23, 2015

FIDO Certified™ Products Deployments are enabled by FIDO Certified™ Products available today

33 Products from 19 companies (21 counting Sharp and Fujitsu)

Available to anyone / Ensures interoperability / Promotes the FIDO ecosystem. Steps to certification: Conformance Self-Validation; Interoperability Testing; Certification Request; Trademark License (optional). fidoalliance.org/certification

New in 2015: Government Members. FIDO Alliance Announces Government Membership Program – US and UK Government Agencies are First to Join. Government Agencies to Participate in Development of FIDO Standards for Universal Strong Authentication. “The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.” One more prominent EU government agency is about to be announced.

JOIN THE FIDO ECOSYSTEM

JOIN THE FIDO ALLIANCE

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION