FIDO CERTIFICATION · 2019-11-16 · 2015-06-24 WEBINAR Certification Program Overview and Status...

FIDO CERTIFICATION 2015-06-24 WEBINAR Certification Program Overview and Status Brett McDowell, David Rivera, Adam Powers [email protected]

AGENDA

Why FIDO

What is FIDO

Who is FIDO

What’s New (Certification)

Data Breaches…

783 data breaches in 2014

>1 billion records since 2012

$3.5 million cost/breach

“76% of 2012 network intrusions exploited weak or stolen credentials”

2013 Data Breach Investigations Report

The world has a PASSWORD PROBLEM

WE NEED A NEW MODEL

WE CALL OUR NEW MODEL

Fast IDentity Online

online authentication using public key cryptography

HOW THE OLD AUTHN WORKS

ONLINE

The user authenticates themselves online by presenting a human-readable secret

HOW FIDO AUTHN WORKS

AUTHENTICATOR

LOCAL: The user authenticates “locally” to their device by various means

ONLINE: The device authenticates the user online using public key cryptography

Passwordless Experience (UAF Standards)

1. Authentication Challenge
2. Biometric Verification*
3. Authenticated Online

Second Factor Experience (U2F Standards)

1. Second Factor Challenge
2. Insert Dongle* / Press Button
3. Authenticated Online

*There are other types of authenticators

online authentication using public key cryptography

No 3rd Party in the Protocol

No Secrets on the Server side

Biometric Data (if used) Never Leaves Device

No Link-ability Between Services

No Link-ability Between Accounts
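
Added example (not from the webinar slides): a simplified JavaScript model of the properties listed above, showing a server that stores only public keys and a device that uses a separate key pair per service. It is not the UAF or U2F message format; the Authenticator and RelyingParty classes, the Ed25519 key type and the example origins are assumptions made for illustration.

```javascript
// Simplified model of the slide's properties; not the UAF/U2F wire format.
const crypto = require('crypto');

// Authenticator: one private key per relying party, never exported.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) { // fresh key pair per origin: nothing links two services
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // userVerified stands in for the local step (biometric, button press).
  sign(origin, challenge, userVerified) {
    if (!userVerified || !this.keys.has(origin)) return null;
    const msg = Buffer.concat([Buffer.from(origin), challenge]);
    return crypto.sign(null, msg, this.keys.get(origin));
  }
}

// Relying party: stores public keys only, so a breach leaks no login secret.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use: a replayed response fails
    if (!challenge || !signature || !this.users.has(user)) return false;
    const msg = Buffer.concat([Buffer.from(this.origin), challenge]);
    return crypto.verify(null, msg, this.users.get(user), signature);
  }
}

// Constructed scenario: one device, two unrelated services.
function demo() {
  const device = new Authenticator();
  const shop = new RelyingParty('https://shop.example');
  const bank = new RelyingParty('https://bank.example');
  shop.enroll('alice', device.register(shop.origin));
  bank.enroll('alice', device.register(bank.origin));
  const sig = device.sign(shop.origin, shop.newChallenge('alice'), true);
  bank.newChallenge('alice');
  return { login: shop.verify('alice', sig), replay: shop.verify('alice', sig),
           crossSite: bank.verify('alice', sig),
           linkable: shop.users.get('alice') === bank.users.get('alice') };
}
```

In demo(), the first login verifies, the replayed response and the response presented to the other service are rejected, and the two services hold different public keys for the same user.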

Better Security for online services

Reduced cost for the enterprise

Simpler and Safer for consumers

The Fast IDentity Online (FIDO) Alliance is an open industry association of over 200 global member organizations

Board Members

Services/Networks

Devices/Platforms

Vendors/Enablers

FIDO Alliance Mission

1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization

2014 FIDO ADOPTION

“PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5”, Feb 24, 2014

“Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5”, September 17, 2014

“Google Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication”, October 21, 2014

2015 FIDO ADOPTION

“Microsoft Announces FIDO Support Coming to Windows 10”, Feb 23, 2015

“Qualcomm launches Snapdragon fingerprint scanning technology”, March 2, 2015

“Google for Work announced Enterprise admin support for FIDO® U2F ‘Security Key’”, April 21, 2015

DOCOMO announced *many* FIDO Ecosystem “firsts” on May 26, 2015…

Deployments are enabled by FIDO Certified™ Products available today

Certification Goals

• Ensure interoperability between FIDO officially recognized implementations

• Enable implementations to be identified as officially FIDO certified

• Promote the adoption of the FIDO ecosystem

Certification Overview

• Available to both members and non-members

• Four steps to certification:

1. Conformance Self-Validation

2. Interoperability Testing

3. Certification Request

4. Certification Mark Usage (optional)

Getting Ready

• Standards: UAF and U2F
  • UAF & U2F 1.0 implementations certified and in market now
  • Strongly encourage servers to support both UAF & U2F

• Prep note to UAF Authenticators
  • Get a Vendor ID
  • Register your metadata
  • Only required for UAF Authenticators!

Self-Conformance

• Goal: test implementations using online tools to ensure conformance with specifications
  • Both positive and negative testing
  • Check corner-cases that might occur only rarely in the real world

• Self-Conformance Validation Process
  • Request access to test tools
  • Review online help
  • Run tests – as many as you would like
  • Perform official test and submit results

• Next step: interoperability testing

• Pro tip:
  • UTHS – code development required
  • UTHS – Requires registration with Gmail account: create one for your team
  • UAF – partners required for generating messages

Interoperability Testing

• Goals: implementations work together, no problems in the “real world”

• Separate events for UAF and U2F, same format

• Interop Logistics
  • Registration open ~4-6 weeks ahead of time
  • Registration closes 14 days ahead of event
  • Must pass self-conformance validation first
  • In-person attendance preferred, remote attendance if necessary

Interop Criteria

• What happens at interoperability event
  • Test with every other implementer at the event (interoperability)
  • Perform normal, real-world actions: register, authenticate, etc.

• How to pass
  • Show that each action with every other implementer works
  • Should issues arise: adjust and retest

• After passing interop: Certification registration

• Pro-tip:
  • Pre-testing is the key to success – don’t wait for the interop to start testing
  • Pre-testing opt-in available during registration and begins 14 days ahead of event

Certification

• Requires passing the test tool and attending an interop

• Certificate will be granted ASAP, pending documentation verification; plan on 10 business days to be conservative

• All certifications will be public (on FIDO website) unless confidentiality is requested

Derivatives

• Same implementation, different product
  • Reasonable caveats apply: bug fixes, etc.

• Designed to lower cost and effort in FIDO certification
  • Hundreds of SKUs; not hundreds of interops

• Lower registration fee for derivatives (next slide)

• Self-Validation and Interop not required
  • Uses “derivative test plan” instead

• Must reference original certificate

Certification Fees

• Non-Member Resource Access Fee: $3,000 (annual)
  • Offset test tool costs, management, interop, etc.!

• Certification:
  • Member: $5,000
  • Non-Member: $6,500
  • Per certification

• Derivatives:
  • Member: $500
  • Non-Member: $750
  • Per Derivative

• Vendor ID: $3,000 (one-time)
  • Credited towards first certification

• Interop: Free!

• Test Tools: Free!

CERTIFICATION FEES OTHER FEES

Certification Mark Usage

• Authenticators / Clients
  • Execute Trademark Licensing Agreement (TMLA)

• Relying parties
  • “Clickless” license for logo usage (based on node.js / OpenID)
  • Enables millions of logo users without the logistical overhead

• One logo, two badges:

What to do with your FIDO logos

• Put FIDO logos on your website

• Write a press release

• Put FIDO in your apps

• Put FIDO on your product briefs

• Put FIDO in your tradeshow booth

CERTIFICATION STATISTICS

By The Numbers: Number of Companies

[Chart: number of companies, FIDO Ready and FIDO Certified; data labels 11 and 20]

By The Numbers: Number of Implementations

[Chart: number of implementations, FIDO Ready and FIDO Certified; data labels 5, 10, 10 and 23]

By The Numbers: Implementation Types

[Chart: implementation types (Client, Authenticator, Server)]

Call To Action

• Get certified now!

• Get started with specifications at: https://fidoalliance.org/specifications/download/

• Register for Test Tool access: http://fidoalliance.org/test-tool-access-request/

• Next interops:
  • UAF, July 14-16th, Silicon Valley (venue TBD)
  • U2F, July 29th, Silicon Valley (venue TBD)
  • Registration open now: https://fidoalliance.org/interop-registration/

• Contact us for help and answers: [email protected]

FAQ

• Do I need a Vendor ID?
  • Only if you are a UAF Authenticator
  • U2F implementers and UAF Servers / Clients do not require a Vendor ID

• Where do I find the form for…?
  • https://fidoalliance.org/certification/

• What is the cost for…?
  • Test Tools: free (non-member access: $3,000)
  • Interop Events: free
  • Certification: $5,000 member, $6,500 non-member
  • Derivative Certification: $500 member, $750 non-member
  • Trademark License Agreement: free

• Where do I start?
  • Register for test tool access here: https://fidoalliance.org/test-tool-access-request/

Questions?