Dr. Andrea Höller, Infineon Technologies Austria AG
FIDO and the Future of Simpler and Stronger Authentication
RISE Spring School, 29 March 2018
Copyright © Infineon Technologies AG 2018. All rights reserved.
Agenda
1. Introduction
2. The FIDO Standard
3. The FIDO Ecosystem
4. The Future of FIDO
User authentication
Three possible factors of user authentication
Something you KNOW
› Password
› PIN code
› …
Something you HAVE
› SmartCard
› USB token
› Smartphone
› Wearables
› …
Something you ARE
› Fingerprint
› Voice recognition
› Face recognition
› …
User authentication to a remote server
[Figure labels: Device, Something, Authentication, Remote Server]
The password problem
[Figure labels: Device, Something, Authentication]
1. Password could be stolen from the server
2. Password might be entered into untrusted websites/apps (“phishing”)
3. Inconvenient to type password on some devices (e.g. phone)
4. Too many passwords to remember
The idea of FIDO
› Fast IDentity Online
› The core ideas of the FIDO Alliance are
– ease of use
– high security
– good privacy
[Chart: USABILITY axis from Poor to Easy, SECURITY axis from Weak to Strong]
Basic working principle of FIDO
[Figure labels: Remote Server, Device, Authenticator, Challenge, (Signed) Response]
› Require user gesture before private key can be used
› User verification
› Platform (e.g. TPM) or removable token
What’s new?
› Ecosystem
› Standardization
FIDO 1.0
Passwordless Experience (UAF Standards)
1. Authentication Challenge
2. Biometric User Verification*
3. Authenticated Online
*There are other types of authenticators
Second Factor Experience (U2F Standards)
1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online
https://www.slideshare.net/FIDOAlliance/getting-to-know-the-fido-specifications-technical-tutorial
U2F registration
Parties: U2F Authenticator, FIDO Client / Browser, Relying Party
› Relying Party → FIDO Client: AppID (a), challenge
› FIDO Client → U2F Authenticator: a; challenge, origin, channel id, etc. (fc)
› U2F Authenticator: generate key kpub, key kpriv, handle h
› U2F Authenticator → FIDO Client: kpub, h, attestation cert, signature(a,fc,kpub,h) (s)
› FIDO Client → Relying Party: fc, kpub, h, attestation cert, s
› Relying Party: store key kpub, handle h
U2F authentication
Parties: U2F Authenticator, FIDO Client / Browser, Relying Party
› Relying Party → FIDO Client: handle (h), AppID (a), challenge
› FIDO Client → U2F Authenticator: h, a; challenge, origin, channel id, etc. (fc)
› U2F Authenticator: retrieve key kpriv from handle h; cntr++
› U2F Authenticator → FIDO Client: cntr, signature(a,fc,cntr) (s)
› FIDO Client → Relying Party: cntr, fc, s
› Relying Party: check signature using key kpub
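The registration and authentication exchanges from the two U2F slides above, as an added Node.js example that is not part of the talk or of any FIDO code. It shows why the relying party's checks on fc, the signature and cntr reject a look-alike origin and a replayed response. The class and function names, the JSON encoding of fc and of the signed bytes, and the rp.example origins are assumptions made for illustration; the attestation cert and registration signature are left out.

```javascript
const crypto = require('crypto');

// Bytes covered by s: (a, fc, cntr). Constructed encoding, not the U2F wire format.
const signedData = (a, fc, cntr) => Buffer.from(JSON.stringify([a, fc, cntr]));

class Authenticator {
  constructor() { this.keys = new Map(); this.cntr = 0; }
  register() { // generate kpub, kpriv and handle h (attestation cert and s omitted)
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    const h = crypto.randomBytes(16).toString('hex');
    this.keys.set(h, privateKey);
    return { h, kpub: publicKey };
  }
  sign(h, a, fc) { // retrieve kpriv from handle h; cntr++; sign (a, fc, cntr)
    const kpriv = this.keys.get(h);
    if (!kpriv) throw new Error('unknown key handle');
    this.cntr += 1;
    return { cntr: this.cntr, s: crypto.sign('sha256', signedData(a, fc, this.cntr), kpriv) };
  }
}

class RelyingParty {
  constructor(appId) { this.appId = appId; this.lastCntr = 0; }
  enroll({ h, kpub }) { this.h = h; this.kpub = kpub; } // store kpub and handle h
  verify(challenge, fc, cntr, s) {
    const cd = JSON.parse(fc);
    if (cd.challenge !== challenge || cd.origin !== this.appId) return 'bad client data';
    if (!crypto.verify('sha256', signedData(this.appId, fc, cntr), this.kpub, s)) return 'bad signature';
    if (cntr <= this.lastCntr) return 'counter did not increase';
    this.lastCntr = cntr;
    return 'ok';
  }
}

// One login as seen from a browser at `origin`; the browser builds fc itself.
function login(rp, token, origin) {
  const challenge = crypto.randomBytes(16).toString('hex');
  const fc = JSON.stringify({ challenge, origin });
  const { cntr, s } = token.sign(rp.h, origin, fc);
  return { challenge, fc, cntr, s, result: rp.verify(challenge, fc, cntr, s) };
}

// Constructed demo: genuine origin, then a look-alike origin relaying to the same token.
function demo() {
  const rp = new RelyingParty('https://rp.example'), token = new Authenticator();
  rp.enroll(token.register());
  return ['https://rp.example', 'https://rp.example.evil.test'].map((o) => login(rp, token, o).result);
}
console.log(demo());
```

Because the browser, not the page, writes the origin into fc and the signature covers a and fc, a response produced on another origin fails at the relying party even though the user pressed the button on a genuine token.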
FIDO authenticator concept
FIDO Authenticator
› User Verification / Presence
› Attestation Key: injected at manufacturing, doesn’t change
› Authentication Key(s): generated at runtime (on Registration)
› Transaction Confirmation Display
› APDU-like commands
Security-critical operations
› Key generation
› Key storage
› Cryptographic calculations
Agenda
1. Introduction
2. The FIDO Standard
3. The FIDO Ecosystem
4. The Future of FIDO
5. Ongoing Research
The FIDO History
– 2012: Foundation of the FIDO Alliance
https://fidoalliance.org/about/history
FIDO Alliance board members
https://fidoalliance.org/about/board
FIDO certification
› Available to everyone
› Ensures interoperability
› Promotes the FIDO ecosystem
https://fidoalliance.org/certification
FIDO U2F adoption
"Microsoft Announces FIDO Support Coming to Windows 10" Feb 23, 2015
"Qualcomm launches Snapdragon fingerprint scanning technology" March 2, 2015
"Google for Work announced Enterprise admin support for FIDO® U2F 'Security Key'" April 21, 2015
"Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO's services using FIDO standards." May 26, 2015
"Today, we're adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection." August 12, 2015
"[T]he technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards." September 15, 2015
"GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification." October 1, 2015
“Well, today, a HUGE thumbs up has happened — Facebook has upgraded the login security for its 1.8 billion users by integrating …FIDO U2F Security Key into its social platform.” January 26, 2017
The U2F user experience
FIDO 2.0
https://fidoalliance.org/events/rsac-2018/
› Developed since February 2016
› Official announcement on April 16, 2018 at the RSA Conference
Authentication for industrial applications
› FIDO for industry
› Robotic security
› Contactless user/device authentication
Open PhD Position
https://www.infineon.com/cms/en/careers/jobsearch/jobsearch/24752-PhD-Thesis-Secure-Industrial-IoT/
Contact: [email protected]
Summary
› An ecosystem and standardization are essential
› The goals of FIDO are
– good usability
– high privacy and security
– standardization
› FIDO 2.0 will be presented at the RSA Conference, April 16 2018