THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS

FIDO ALLIANCE WEBINAR, MARCH 28, 2017

All Rights Reserved | FIDO Alliance | Copyright 2017

INTRODUCTION TO THE FIDO ALLIANCE

ANDREW SHIKIAR, SENIOR DIRECTOR OF MARKETING

MARCH 28, 2017

THE FACTS ON FIDO

The FIDO Alliance is an open, global industry association of 250+ organizations with a focused mission: authentication standards based on public key cryptography to solve the password problem.

300+ FIDO Certified solutions

3 BILLION+ available to protect user accounts worldwide

Today, its members provide the world's largest ecosystem for standards-based, interoperable authentication.

DRIVEN BY 250 MEMBERS

Board of Directors comprised of leading global brands and technology providers, plus SPONSOR MEMBERS, ASSOCIATE MEMBERS and LIAISON MEMBERS

WHY FIDO? The World Has a Password Problem

Security

63% of data breaches in 2015 involved weak, default, or stolen passwords (Verizon 2016 Data Breach Report)

65% increase in phishing attacks over the number of attacks recorded in 2015 (Anti-Phishing Working Group)

There were 1093 data breaches in 2016, a 40% increase from 2015 (Identity Theft Resource Center, 2016)

Usability

For users, they're clumsy, hard to remember and they need to be changed all the time

[Chart: passwords plotted on a security (weak to strong) versus usability (poor to easy) grid]

WHY FIDO? OTPs improve security but aren't easy enough to use, and are still phishable

SMS reliability, token necklace, user confusion, still phishable

[Chart: OTPs plotted on the same security versus usability grid]

THE WORLD HAS A "SHARED SECRETS" PROBLEM

WE NEED A NEW MODEL

HOW ARE WE DOING IT?

ECOSYSTEM, STANDARDS, DEPLOYMENTS, USER EXPERIENCE

HOW OLD AUTHENTICATION WORKS

ONLINE CONNECTION: The user authenticates themselves online by presenting a human-readable "shared secret".

HOW FIDO AUTHENTICATION WORKS

LOCAL CONNECTION: The user authenticates "locally" to their device (by various means).

ONLINE CONNECTION: The device authenticates the user online using public key cryptography.

SIMPLER AUTHENTICATION

• Reduces reliance on complex passwords
• Single gesture to log on
• Same authentication on multiple devices
• Works with commonly used devices
• Fast and convenient

STRONGER AUTHENTICATION

• Based on public key cryptography
• No server-side shared secrets
• Keys stay on device
• No 3rd party in the protocol
• Biometrics, if used, never leave device
• No link-ability between services or accounts

[Chart: security (weak to strong) versus usability (poor to easy) grid]

FIDO — A NEW PARADIGM: STRONGER & SIMPLER AUTHENTICATION

FIDO-ENABLED APPS + SERVICES

3 BILLION AVAILABLE TO PROTECT ACCOUNTS WORLDWIDE

BUT WAIT…

THE WORLD HAS AN IOT SECURITY PROBLEM

WE NEED A NEW AUTHENTICATION MODEL FOR CONNECTED USERS & DEVICES

THANK YOU

ANDREW SHIKIAR, SR. DIRECTOR OF MARKETING, [email protected]

THE FUTURE OF AUTHENTICATION FOR THE INTERNET OF THINGS

ROLF LINDEMANN, NOK NOK LABS

[Cartoon] "Thanks to this app you can maneuver the new Forpel using your smartphone!" "Too bad it's not my car."

Context

Secure firmware protects one "healthy" part from infected parts. Strong authentication makes sure only legitimate entities get access. Underneath, a strong foundation is needed, e.g. a CPU supporting ARM TrustZone, Intel SGX, etc.

Focus of today's presentation: strong authentication.

Scope

Cloud Services: addressed by FIDO & W3C Web Authentication, not the core focus of this talk.

"Primary interaction" devices, i.e. devices a) which we typically have in our possession and b) that have a user interface.

Devices that are not primary interaction devices, e.g. smart light bulbs, WIFI routers, smart fridges, smart thermostats, connected cars, smart door locks, …

Primary Interaction Devices

• Primary interaction devices have the capability to verify the user through their user interface.

• They can connect to another device or to a cloud service.

• They can implement a FIDO Authenticator, allowing the user to strongly and conveniently authenticate to devices or cloud services. Trusted Execution Environments and/or Secure Elements add security.

Scope (focus of this talk)

User to standalone devices

User to cloud-connected devices (Cloud Services)

Device-to-Device Authentication and Device-to-Cloud Authentication between IoT Devices and Cloud Services

Background

[Diagram: many IoT Devices inside a perimeter connected to the Internet; one infected device launches attacks on the others]

Attack Scenarios

1. Exploit firmware vulnerabilities. TrustZone for ARMv8-M provides protection layers that help keep attacks local to one software module ("enclave"). Not in focus of this talk.

2. Enter at the front door: impersonate the user. Strong authentication is needed to protect against such attacks. Our focus.

[Diagram: IoT Devices; legitimate authentication versus the two attack paths]

User to Device Authentication


User to Device interaction

IoT Device without keyboard and display: how does the user interact with it?

1. The user needs some computing device with a user input interface and display. Security: that device could be infected, so users don't want to reveal bearer tokens (like passwords, etc.) to it.

2. The IoT Device only "sees" some other device, no user. How can the IoT Device know whether there is a user and whether the other device is trusted?

Convenience: devices want to support arbitrary user verification methods, e.g. PINs, fingerprint, face, … with limited computing power.

… did we see that before?

[Diagram: Device connected over TLS / DTLS or another secure channel]

See https://fidoalliance.org/events/fido-alliance-seminar-hongkong/

User to Device Authentication

FIDO Authentication: the IoT Device sends a challenge; the Authenticator, after user verification, returns a (signed) response. The private key is dedicated to one app, and a user gesture is required before it can be used; the IoT Device holds the public key.

First Authenticator Registration (Example)

1. Device in factory default settings state
2. Press "register button"
3. Start registration process (for first authenticator)

Standalone Devices

User to standalone devices, e.g. smart light bulbs, WIFI router

Devices with Cloud Dependency

User to cloud-connected devices, e.g. rental cars, door locks, parcel lockers, thermostats

Cloud dependency: we want the cloud service to be able to grant access to the device to a specific user. But: do not rely on a stable internet connection at time of access.

How does it work with central authorization infrastructure?

Parties: the Mobile App (with FIDO Stack and SDK), the Cloud Service and the Device.

0. (OOB) Inject trust anchor (into the Device)
1. Traditional FIDO Registration (one-time)
2. Traditional FIDO Authentication
3. Signed JWT w/ PoP (FIDO UAuth) Public Key (see RFC 7800)
4. FIDO Authentication to device with signed JWT w/ PoP (FIDO) Public Key as additional data

JOSE Header:

{"kid": "1e8gfc4", "alg": "ES256"}

JOSE Payload:

{"iss": "https://server.example.com",
 "aud": "https://client.example.org",
 "exp": 1361398824,
 "cnf": {"jwk": {"kty": "EC", "use": "sig", "crv": "P-256",
                 "x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM",
                 "y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA"}}}

JWS signature: computed by the Cloud Service.
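Steps 3 and 4 above, as an added Go example that is not code from the webinar, the FIDO Alliance or Nok Nok Labs: the cloud issues the JWT shown on the slide with the app's FIDO public key in cnf.jwk, and the device verifies that token under the trust anchor injected in step 0 before it will trust the key. The header and claim names follow the slide; the key pairs, the exp check against a caller-supplied clock, and the raw r||s ES256 signature layout are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE base64url without padding
// verifyP256 checks a raw r||s ES256 signature (the form JWS carries) over msg.
func verifyP256(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return len(sig) == 64 && ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// issuePoPJWT (cloud, step 3): bind the app's FIDO public key into cnf.jwk (RFC 7800) and sign with the cloud key.
func issuePoPJWT(cloud *ecdsa.PrivateKey, app *ecdsa.PublicKey, exp int64) string {
	claims := fmt.Sprintf(`{"iss":"https://server.example.com","aud":"https://client.example.org","exp":%d,`+
		`"cnf":{"jwk":{"kty":"EC","use":"sig","crv":"P-256","x":"%s","y":"%s"}}}`,
		exp, b64.EncodeToString(app.X.FillBytes(make([]byte, 32))), b64.EncodeToString(app.Y.FillBytes(make([]byte, 32))))
	si := b64.EncodeToString([]byte(`{"kid":"1e8gfc4","alg":"ES256"}`)) + "." + b64.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(si))
	r, s, _ := ecdsa.Sign(rand.Reader, cloud, h[:]) // JWS ES256 signature is raw r||s, 32 bytes each
	return si + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

// popKeyFromJWT (device): verify the JWS under the step-0 trust anchor and return cnf.jwk; in step 4 the device accepts a FIDO response only if it verifies under exactly that key.
func popKeyFromJWT(anchor *ecdsa.PublicKey, jwt string, now int64) (*ecdsa.PublicKey, error) {
	p := strings.Split(jwt, ".")
	sig, err := b64.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil || !verifyP256(anchor, []byte(p[0]+"."+p[1]), sig) {
		return nil, fmt.Errorf("JWS does not verify under the trust anchor")
	}
	var c struct{ Exp int64; Cnf struct{ Jwk struct{ Kty, Crv, X, Y string } } } // names match JSON case-insensitively
	pl, _ := b64.DecodeString(p[1])
	_ = json.Unmarshal(pl, &c) // a parse failure leaves c empty, which the checks below reject
	x, _ := b64.DecodeString(c.Cnf.Jwk.X)
	y, _ := b64.DecodeString(c.Cnf.Jwk.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if c.Exp < now || c.Cnf.Jwk.Kty != "EC" || c.Cnf.Jwk.Crv != "P-256" || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, fmt.Errorf("token expired or malformed, or cnf.jwk is not a usable P-256 key")
	}
	return pub, nil
}
```

The device never reads the alg header: it only ever verifies ES256 under the one anchor it holds, so a token claiming another algorithm simply fails.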

Gallagher Unlocks the Internet of Things with Nok Nok


Device to Device & Device to Cloud Authentication

Scope

Device to device authentication; user to device authentication

User to Device Authentication

FIDO Authentication: the IoT Device sends a challenge; the Authenticator, after user verification, returns a (signed) response. The private key is dedicated to one RP, and a user gesture is required before it can be used; the IoT Device holds the public key.

How an Authenticator verifies the user, and whether it verifies the user at all, depends on the Authenticator model and is represented in the Metadata Statement.

Device to Device Authentication

FIDO Authentication between an Authenticator and an IoT Device: challenge, (signed) response, public key held by the IoT Device. There are "Silent" Authenticators, never requiring any user interaction, and such an Authenticator might be embedded in a device.

Device to Cloud Authentication

The same FIDO Authentication (challenge, (signed) response, public key) runs against a Cloud Service. It makes no difference to the IoT device or to the FIDO Authenticator whether it authenticates to another device or to a cloud service, and the Authenticator can be embedded in smart fridges, smart thermostats and other IoT devices.

Conclusion

1. Authentication is the first experience of users with services and several device types.

2. Authentication needs to be convenient for the user and strong enough for the purpose.

3. We can do better than passwords + OTP. Look at the FIDO specifications for strong & convenient authentication, see www.fidoalliance.org.

4. FIDO supports "silent" Authenticators. These Authenticators can be implemented in IoT devices.

5. FIDO authentication responses can be verified in small devices, allowing FIDO authentication to those IoT devices.

6. FIDO can be combined with PoP Keys (RFC 7800) in order to support authentication to "cloud connected" IoT devices.

FIDO Authenticator Concept

A FIDO Authenticator consists of:

• User Verification / Presence
• Attestation Key: injected at manufacturing, doesn't change
• Authentication Key(s): generated at runtime (on Registration)
• Optional components: Transaction Confirmation Display

Silent Authenticators

1. Definition, see FIDO Glossary

2. User Verification Method, see FIDO Registry

3. Metadata Statement, see FIDO Metadata Statements


FIDO Registration

Relying Party (example.com) -> Platform: accountInfo (ai), challenge, [cOpts]
  (cOpts: crypto params, credential black list, extensions)

Platform: select Authenticator according to cOpts; determine rpId, get tlsData; clientData := {challenge, origin, rpId, hAlg, tlsData}

Platform -> Authenticator: rpId, ai, hash(clientData) (cdh), cryptoP, [exts]

Authenticator: verify user; generate key kpub / key kpriv and credential c

Authenticator -> Platform: c, kpub, clientData, ac, cdh, rpId, cntr, AAGUID [,exts], signature(tbs)
  (ac: attestation certificate chain; tbs: the to-be-signed data)

Platform -> Relying Party: c, kpub, clientData, ac, tbs, s

Relying Party: store key kpub, credential c

FIDO Authentication

Relying Party -> Platform: challenge, [aOpts]

Platform: select Authenticator according to policy; check rpId, get tlsData (i.e. channel id, etc.); lookup key handle h; clientData := {challenge, rpId, tlsData}

Platform -> Authenticator: rpId, [c,] hash(clientData) (cdh)

Authenticator: verify user; find key kpriv; cntr++; process exts

Authenticator -> Platform: clientData, cntr, [exts], signature(cdh, cntr, exts)

Platform -> Relying Party: clientData, cntr, exts, s

Relying Party: lookup kpub from DB; check exts + signature using key kpub