Fido U2F PROTOCOL
1. The FIDO (Fast IDentity Online) Alliance is a non-profit organization nominally formed in July 2012 to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords.
2. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services.
3. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.
Agenda
1. Introduction
2. Threats
3. Today's Solutions
4. U2F Solution
5. FIDO Ready Device
6. Demo
7. Behind the Scenes
8. How to implement
SMS USABILITY: Coverage Issues - Delay - User Cost
DEVICE USABILITY: One Per Site - Expensive - Fragile
USER EXPERIENCE: Users find it hard
Today's solution: One time codes: SMS or Device
● One device, many services
● Easy: Insert and press button
● Safe: Un-phishable Security
The U2F solution: How it works
Core idea: Standard public key cryptography:
● User's device mints a new key pair, gives the public key to the server
● Server asks the user's device to sign data to verify the user
● One device, many services, "bring your own device" enabled
Lots of refinement for this to be consumer facing:
Privacy: Site Specific Keys, No unique ID per device
Security: No phishing, no man-in-the-middle
Trust: Verify who made the device (Attestation Certificate)
Pragmatics: Affordable today, ride hardware cost curve down
Speed for user: Fast crypto in device (Elliptic Curve)
Think "Smartcard re-designed for modern consumer web"
U2F PROTOCOL
FIDO READY SECURITY KEY
http://www.amazon.in/gp/offer-listing/B00NLKA0D8/ref=sr_1_1_olp?ie=UTF8&qid=1434738887&sr=8-1&keywords=fido+key&condition=new
“I promise a user is here”, “the server challenge was: 337423”, “the origin was: accounts.google.com”, “the TLS connection state was: 342384”
Signed proofThatUserIsThere
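The signed statement above, checked from the server's side, as an added example that is not part of the original slides or of any FIDO library. It is a simplified model: the real U2F message also carries a signature counter and the TLS channel ID, and the type and function names (ClientData, ServerVerify, Login), the https:// prefix and the phish.example host are assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// ClientData is the browser's statement about the request (simplified, field names assumed).
type ClientData struct{ Challenge, Origin string }
// digest hashes what the key signs: SHA-256(appID) || user-presence byte || SHA-256(clientData).
func digest(appID string, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	sum := sha256.Sum256(append(append(app[:], 0x01), cd[:]...)) // 0x01 = "a user is here"
	return sum[:]
}

// ServerVerify is the server-side check: challenge, origin and signature must all match.
func ServerVerify(pub *ecdsa.PublicKey, appID, challenge string, clientData, sig []byte) error {
	var cd ClientData
	if json.Unmarshal(clientData, &cd) != nil || cd.Challenge != challenge || cd.Origin != appID {
		return errors.New("challenge or origin mismatch")
	}
	if !ecdsa.VerifyASN1(pub, digest(appID, clientData), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// Login: the key signs for browserOrigin (what the browser sees); the server is sent reportedOrigin.
func Login(browserOrigin, reportedOrigin string) error {
	const rp, challenge = "https://accounts.google.com", "337423" // host and challenge from the slide
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // site-specific key from registration
	if err != nil {
		return err
	}
	signed, _ := json.Marshal(ClientData{challenge, browserOrigin})
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(browserOrigin, signed))
	if err != nil {
		return err
	}
	sent, _ := json.Marshal(ClientData{challenge, reportedOrigin})
	return ServerVerify(&key.PublicKey, rp, challenge, sent, sig)
}

func main() { println(Login("https://accounts.google.com", "https://accounts.google.com") == nil) }
```

A sign-in relayed through another origin fails either way: honest client data is rejected on the origin check, and client data rewritten after signing no longer matches the signature.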
https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-u2f-overview-ps-20141009.html#goal-strong-authentication-and-privacy-for-the-web
If you want to cover the topics below in detail, follow the link above:
1. How it works
2. How the handle is generated
3. How it is secured against MITM, phishing, malware, etc.
4. Device is genuine
5. Etc.
Thanks!
E-mail: [email protected]