1 FIDO – Modern Authentication
cv cryptovision GmbH | T: +49 (0) 209.167-24 50 | F: +49 (0) 209.167-24 61 | info(at)cryptovision.com

FIDO – Modern Authentication

Rolf Lindemann, Nok Nok Labs

2 FIDO – Modern Authentication

Authentication in Context

[Figure: the identity and access stack in which authentication sits: Physical-to-digital identity, User Management, Authentication, Federation, Single Sign-On. Authentication variants shown: Strong, Risk Based, Passwords. "Modern Authentication" is the slot this talk addresses.]

3 FIDO – Modern Authentication

Cloud Authentication

4 FIDO – Modern Authentication

Password Problem

Hacked from databases

Re-used across sites

Ill-suited for mobile devices

Phished

Key logged

Easily broken

5 FIDO – Modern Authentication

No Alternatives

SMS-OTP usability (coverage, delay, cost)

Device usability (one per site, fragile, cost)

User experience

Still phishable

6 FIDO – Modern Authentication

Current Authentication Architectures

[Figure: Applications (RP 1, …) on one side, Authentication Methods on the other, with a "?" between them: today each application is wired to its own authentication method, so every new method is a new silo.]

7 FIDO – Modern Authentication

FIDO Approach

[Figure: the user's device, which hosts the FIDO authenticator]

8 FIDO – Modern Authentication

FIDO Approach

[Figure: challenge–response. The private key stays on the device; the server holds only the matching public key. The server sends a challenge, the device returns a (signed) response, and the server verifies it with the public key.]

9 FIDO – Modern Authentication

FIDO Approach

[Figure: range of authenticator implementations, from software up to dedicated hardware (… SE)]

10 FIDO – Modern Authentication

FIDO Approach

The authenticator can recognize the user (i.e. user verification), but doesn't know identity attributes of the user. FIDO answers only two questions:

Same Authenticator as registered before?

Same User as enrolled before?

Identity binding is done outside FIDO: this is "John Doe with customer ID X".

12 FIDO – Modern Authentication

FIDO Approach

[Figure: range of authenticator implementations (… SE); the relying party needs to know which one it is talking to]

How is the key protected (TPM, SE, TEE, …)?

What user verification method is used?

13 FIDO – Modern Authentication

Attestation & Metadata

[Figure: the FIDO Authenticator sends a Signed Attestation Object to the FIDO Server; the FIDO Server separately obtains Metadata for the authenticator model.]

Verify the attestation object using the trust anchor included in the Metadata.

Understand the Authenticator's security characteristics by looking into the Metadata (from the Metadata Service or other sources).

14 FIDO – Modern Authentication

Binding Keys To Apps

[Figure: the authenticator holds a separate key per relying party and selects the key bound to the requesting app: "Use google.com key", "Use paypal.com key".]

15 FIDO – Modern Authentication

FIDO Authenticator Concept

[Figure: components of a FIDO Authenticator]

User Verification / Presence

Attestation Key: injected at manufacturing, doesn't change

Authentication Key(s): generated at runtime (on Registration)

Optional components: Transaction Confirmation Display
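The four slides above (challenge/response in slide 8, attestation and metadata in slide 13, per-app keys in slide 14 and the authenticator concept in slide 15) can be tied together in one runnable sketch. The Go program below is an added example, not code from the slides, from Nok Nok Labs or from cryptovision, and it simplifies freely: it uses Ed25519 signatures, treats the attestation public key itself as the trust anchor (real FIDO metadata carries a certificate chain and many more characteristics), frames the signed data with a plain concatenation instead of the UAF/CTAP message structures, and runs on constructed inputs: a hypothetical authenticator model "acme-tee-v1", the relying party paypal.com and a look-alike phishing domain paypa1.com.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Metadata for one authenticator model, as a metadata service publishes it (slide 13).
type Metadata struct {
	KeyProtection  string            // "TEE", "SE", "TPM" or "software" (slide 12)
	AttestationKey ed25519.PublicKey // trust anchor; assumed to be the raw key, not a certificate chain
}

// Authenticator (slide 15): one fixed attestation key injected at manufacturing, plus one
// authentication key per relying party (slide 14) generated on registration.
type Authenticator struct {
	attPriv ed25519.PrivateKey
	keys    map[string]ed25519.PrivateKey // rpID -> authentication key
}

// NewAuthenticator is "manufacturing"; it also returns the attestation public key for the metadata.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{attPriv: priv, keys: map[string]ed25519.PrivateKey{}}, pub
}

// Register makes a fresh key pair for rpID and returns the public key plus an attestation
// object: (rpID, public key, challenge) signed with the attestation key.
func (a *Authenticator) Register(rpID string, challenge []byte) (ed25519.PublicKey, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a.keys[rpID] = priv
	return pub, ed25519.Sign(a.attPriv, toBeSigned(rpID, pub, challenge))
}

// Authenticate signs the challenge with the key bound to rpID (slide 8). A phishing site
// presents a different rpID, so there is no key for it and nothing gets signed.
func (a *Authenticator) Authenticate(rpID string, challenge []byte) ([]byte, error) {
	if priv, ok := a.keys[rpID]; ok {
		return ed25519.Sign(priv, toBeSigned(rpID, nil, challenge)), nil
	}
	return nil, fmt.Errorf("no key registered for %q", rpID)
}

// toBeSigned binds the rpID into every signature so a response obtained under one origin
// cannot be relayed to another; pub is nil for authentication responses. The "|" framing is
// demo-only; real protocols use length-prefixed structures.
func toBeSigned(rpID string, pub ed25519.PublicKey, challenge []byte) []byte {
	h := sha256.Sum256(append(append([]byte(rpID+"|"), pub...), challenge...))
	return h[:]
}

// Server of one relying party: only public keys are stored (slide 19) and each challenge is accepted once.
type Server struct {
	RPID       string
	metadata   map[string]Metadata          // model -> metadata (from a metadata service)
	users      map[string]ed25519.PublicKey // username -> registered public key
	challenges map[string]bool              // outstanding challenges, deleted on use
}

func NewServer(rpID string, md map[string]Metadata) *Server {
	return &Server{rpID, md, map[string]ed25519.PublicKey{}, map[string]bool{}}
}

func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read is documented never to fail (Go 1.24)
	s.challenges[string(c)] = true
	return c
}

// checkResponse consumes the challenge (each one is accepted exactly once) and verifies sig over msg.
func (s *Server) checkResponse(key ed25519.PublicKey, msg, sig, challenge []byte) error {
	if !s.challenges[string(challenge)] {
		return errors.New("unknown or replayed challenge")
	}
	delete(s.challenges, string(challenge))
	if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, msg, sig) {
		return errors.New("unknown key or invalid signature")
	}
	return nil
}

// FinishRegistration verifies the attestation with the trust anchor from the metadata and
// applies policy to the model's characteristics before storing the public key.
func (s *Server) FinishRegistration(user, model string, pub ed25519.PublicKey, att, challenge []byte) error {
	md := s.metadata[model] // zero value (nil trust anchor) for an unknown model
	if err := s.checkResponse(md.AttestationKey, toBeSigned(s.RPID, pub, challenge), att, challenge); err != nil {
		return fmt.Errorf("attestation for model %q: %w", model, err)
	}
	if md.KeyProtection == "software" { // example policy: hardware-protected keys only
		return errors.New("policy: software key protection not accepted")
	}
	s.users[user] = pub
	return nil
}

func (s *Server) FinishAuthentication(user string, sig, challenge []byte) error {
	return s.checkResponse(s.users[user], toBeSigned(s.RPID, nil, challenge), sig, challenge)
}

func main() {
	auth, anchor := NewAuthenticator()
	srv := NewServer("paypal.com", map[string]Metadata{"acme-tee-v1": {"TEE", anchor}}) // hypothetical model
	c := srv.NewChallenge()
	pub, att := auth.Register("paypal.com", c)
	fmt.Println("register:", srv.FinishRegistration("alice", "acme-tee-v1", pub, att, c))
	c = srv.NewChallenge()
	sig, _ := auth.Authenticate("paypal.com", c)
	fmt.Println("login:", srv.FinishAuthentication("alice", sig, c), "replay:", srv.FinishAuthentication("alice", sig, c))
	_, err := auth.Authenticate("paypa1.com", c) // look-alike phishing origin holds no key
	fmt.Println("phishing:", err)
}
```

What the run shows: the server never sees a private key; a captured response cannot be replayed because its challenge is deleted on first use; the authenticator picks the key by relying-party identifier, so a phishing origin gets no signature at all, and an attestation produced under the phishing origin fails at the real server because the rpID is part of the signed data; and registration is refused when the attested model is unknown to the metadata or its key protection does not meet the relying party's policy. The `KeyProtection == "software"` test is a placeholder for whatever the relying party decides is risk-appropriate.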

16 FIDO – Modern Authentication

Security & Convenience

[Chart, built up over slides 16–19: axes Convenience and Security; points plotted: Password, Password + OTP, FIDO.]

In FIDO: the same user verification method can be used for all servers; arbitrary user verification methods are supported (and they are interoperable).

In FIDO: only public keys are held on the server; not phishable; scalable security depending on the Authenticator implementation.

20 FIDO – Modern Authentication

Classifying Threats

1. Remotely attacking central servers to steal data for impersonation

2. Remotely attacking lots of user devices to steal data for impersonation

3. Remotely attacking lots of user devices to misuse them for impersonation

4. Remotely attacking lots of user devices to misuse authenticated sessions

5. Physically attacking user devices to steal data for impersonation

6. Physically attacking user devices to misuse them for impersonation

Threats 1–4 are scalable attacks. Threats 5–6 are physical attacks, possible on lost or stolen devices (3% in the US in 2013).

21 FIDO – Modern Authentication

FIDO & Federation

[Figure: two legs. First mile: the FIDO user device (Browser / App, FIDO Client, FIDO Authenticator) speaks the UAF Protocol to the FIDO Server at the IdP. Second mile: the IdP's Federation Server, backed by its Id DB, federates to the Service Provider.]

The FIDO Server knows details about the authentication strength. The IdP, with its Id DB, knows details about the identity and its verification strength.

22 FIDO – Modern Authentication

Enterprise IT

Example: FIDO Enterprise Integration

[Figure: the IdP runs a FIDO Server and a Federation Server; these could be operated externally as well. "Internal" and "External" users authenticate with FIDO at the IdP and reach Enterprise Appl. 1, 2, … N and Cloud-hosted Appl. 1, 2, … N through federated login, e.g. OpenID Connect.]

23 FIDO – Modern Authentication

Deployed Today

[Figure: screenshots of a deployment console, labelled Customers and Devices]

24 FIDO – Modern Authentication

FIDO in Snapdragon

Market leader to ship FIDO Authenticators

85+ OEMs as of Q4

>1 billion Android devices shipped

Innovative sensor

25 FIDO – Modern Authentication

FIDO in Healthcare

First healthcare deployment

Physician access to health records

up to 50 million Healthcare users

26 FIDO – Modern Authentication

FIDO and Google for Work

Google for Work announced Enterprise admin support for FIDO® U2F “Security Key” – April 21

Google for Work is used by over 5 million businesses worldwide

“The Security Keys are a great step forward, as they are very practical and more secure.” – Woolsworth IT

27 FIDO – Modern Authentication

FIDO in Japan

Devices: Arrows NX F-04 G, Aquos SH-03, Galaxy S6, Galaxy S6 Edge

4 devices with native FIDO support

First iris based authenticator in Arrows

Services with biometric authentication to be expanded sequentially

Docomo has more than 60m customers in Japan

FIDO login to Docomo ID & carrier billing payments

28 FIDO – Modern Authentication

FIDO & Government

The 2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials.

NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12-Feb-2014

Governments worldwide are looking at FIDO

FIDO featured at White House Summit

New collaboration framework: Updated Membership Agreement

29 FIDO – Modern Authentication

Reduced Cost & Complexity

Single Infrastructure

Any Device

Risk Appropriate

Lower Cost & Complexity

30 FIDO – Modern Authentication

Conclusion

● Different authentication use-cases lead to different authentication requirements

● Today, we have authentication silos

● FIDO separates user verification from the authentication protocol and hence supports all user verification methods

● FIDO significantly improves authentication security

● FIDO supports scalable security and convenience

● User verification data is known to FIDO Authenticators only

● FIDO complements federation

Consider piloting a FIDO-based authentication solution

31 FIDO – Modern Authentication