Introduction to FIDO Alliance

INTRODUCTION TO FIDO ALLIANCE Brett McDowell, Executive Director [email protected] All Rights Reserved. FIDO Alliance. Copyright 2016.


The Problem | The Solution | The Alliance | The Market

Data Breaches
781 data breaches in 2015
170 million records in 2015 (up 50%)
$3.8 million cost/breach (up 23% from 2013)

Source of 781 breaches in 2015 = Identity Theft Resource Center Breach Report
Source of 170m records exposed in 2015 = Identity Theft Resource Center Breach Report (note >66% of these in healthcare)
Source of $3.8m / breach in 2015 = Ponemon Institute Cost of Data Breach Study

95% of these incidents involve harvesting credentials stolen from customer devices, then logging into web applications with them.

2015 Data Breach Investigations Report

Source: 2015 Data Breach Investigations Report published by Verizon with contributions from 70 organizations around the world.

A look through the details of these incidents shows a common sequence of phish customer → get credentials → abuse web application → empty bank/bitcoin account.

2015 Data Breach Investigations Report

The world has a PASSWORD PROBLEM

But what specifically makes passwords such a problem? (lead into next slide)

ONE-TIME PASSCODES
Improve security but aren't easy enough to use
Still Phishable
User Confusion
Token Necklace
SMS Reliability

The only thing worse than a password is two passwords.

SMS is not always available / dedicated hardware is often service-specific / it's a cumbersome process users generally don't like / and it is still vulnerable to phishing (it is still a symmetric shared secret, just short-lived, but malware tools have adjusted to this)

The world has a SHARED SECRETS PROBLEM


WE NEED A NEW MODEL

THE NEW MODEL
Fast IDentity Online
online authentication using public key cryptography

User convenience is so important that we put it in the very name of the technology itself: the "F" in FIDO stands for "Fast".

Historically, "Fast" has always meant "Weak", but it's important to understand that FIDO was designed from the ground up to provide privacy protections in addition to providing strong authentication. Fundamentally, the solution that we developed replaces passwords, which are over 50 years old, with modern public key cryptography.

THE OLD PARADIGM

[Figure: USABILITY axis against SECURITY axis]

THE FIDO PARADIGM

[Figure: USABILITY axis (Poor to Easy) against SECURITY axis (Weak to Strong)]

HOW Shared Secrets WORK

ONLINE

The user authenticates themselves online by presenting a human-readable shared secret

HOW FIDO WORKS

AUTHENTICATOR

LOCAL

The user authenticates locally to their device (by various means)

ONLINE

The device authenticates the user online using public key cryptography

FIDO Registration

User is in a Session Or New Account Flow

1. Invitation Sent
2. User Approval
3. New Keys Created
4. Public Key Registered With Online Server

Registration Complete

FIDO Authentication

User needs to login or authorize a transaction

1. FIDO Challenge
2. User Approval
3. Key Selected & Signs
4. Signed Response verified using Public Key Cryptography

Login Complete
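The registration and authentication steps above, modelled end to end as an added example (not part of the original deck, and not the UAF/U2F message format). The class names, the `appId` string and the `bank.example` hosts are assumptions made for illustration; binding the signature to the service identifier is how this sketch models one key pair per service.

```javascript
// Simplified model of FIDO registration and authentication (illustrative names).
const crypto = require('node:crypto');

class Authenticator {                       // runs on the user's device
  constructor() { this.keys = new Map(); }  // one key pair per service
  register(appId) {                         // registration: new keys created
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(appId, privateKey);       // private key never leaves the device
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(appId, challenge) {                  // called after local user approval
    const key = this.keys.get(appId);       // key selected for this service
    if (!key) return null;                  // unknown service: nothing to sign with
    return crypto.sign('sha256', Buffer.from(appId + '|' + challenge), key);
  }
}

class Server {
  constructor(appId) {
    this.appId = appId;
    this.users = new Map();                 // user -> public key only, no secrets
    this.pending = new Map();               // user -> outstanding challenge
  }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  challenge(user) {
    const c = crypto.randomBytes(32).toString('hex');
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user);              // single use, so a replay fails
    const pem = this.users.get(user);
    if (!c || !pem || !signature) return false;
    return crypto.verify('sha256', Buffer.from(this.appId + '|' + c), pem, signature);
  }
}

function demo() {                           // constructed scenario
  const device = new Authenticator();
  const bank = new Server('https://bank.example');
  bank.enroll('alice', device.register(bank.appId));
  const sig = device.sign(bank.appId, bank.challenge('alice'));
  const login = bank.verify('alice', sig);
  const replay = bank.verify('alice', sig); // same response presented again
  const c2 = bank.challenge('alice');       // challenge shown by a look-alike site
  const relayed = bank.verify('alice', device.sign('https://bank-login.example', c2));
  const publicOnly = /BEGIN PUBLIC KEY/.test(bank.users.get('alice'));
  return { login, replay, relayed, publicOnly };
}
```

A database dump of this server yields only public keys, which is the contrast with the shared-secret model on the earlier slides.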

OPEN STANDARDS R.O.I.

FIDO-ENABLE ONCE
GAIN EVERY DEVICE YOU TRUST
NO MORE ONE-OFF INTEGRATIONS

USABILITY, SECURITY, R.O.I. and PRIVACY

No 3rd Party in the Protocol
No Secrets on the Server Side
Biometric Data (if used) Never Leaves Device
No Link-ability Between Services
No Link-ability Between Accounts

FIDO Delivers on Key Priorities

Better security for online services
Reduced cost for the enterprise
Simpler and safer for consumers

The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards

FIDO SCOPE

[Diagram labels: Physical-to-digital identity; User Management; Authentication; Federation; Single Sign-On; Passwords; Risk-Based; Strong; MODERN AUTHENTICATION]

FIDO Alliance Mission

1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization

Board Members


AMEX, VASCO and INFINEON announced today

Sponsor Members

Associate Members

Government & Research

One more prominent EU government agency is about to be announced.

Liaison Program

FIDO DEVELOPMENT TIMELINE

FEB 2013: Alliance Announced
DEC 2013: FIDO Ready Program
FEB 2014: Specification Review Draft
FEB-OCT 2014: First Deployments
DEC 2014: FIDO 1.0 FINAL
MAY 2015: Certification Program
JUNE 2015: New U2F Transports
NOV 2015: Submission of FIDO Web API into W3C

Example: PayPal & Samsung (FIDO Deployment #1)

Value Proposition Video

PayPal

More FIDO Adoption/Announcements

Deployments are enabled by over 200 FIDO Certified products available today

Certification Growth

[Chart; series label: TOTAL]

Leading OEMs Shipping FIDO Certified Devices

S5, Mini; Alpha; Note 4, 5; Note Edge; Tab S, Tab S2; S6, S6 Edge; S7, S7 Edge
Vernee Thor; Aquos Zeta; Xperia Z5; Xperia Z5 Compact; Xperia Z5 Premium
Mate 8; V10; G5; Phab2 Pro; Phab2 Plus; Z2, Z2 Pro
Arrows NX; Arrows Fit; Arrows Tab

We support a growing number of fingerprint enabled Android devices that have in-built UAF capabilities. Most of the new Samsung high devices with FPSs support UAF. Newer devices from Fujitsu, Sharp and Sony increasingly include UAF support out of the box. Fujitsu Arrows NX supports UAF-enabled iris authentication. We will see other types of authenticators also appear in coming devices. We support the Android M fingerprint API. Apart from these devices with native FIDO UAF support, we also support virtually any non-FPS Android device running Kit Kat or newer using an embedded UAF PIN authenticator.

FIDO Applications Now Run on iOS

Supported iOS Fingerprint Devices

iPhone 5s; iPhone 6, 6+; iPad Air 2, Mini 3; iPhone 6s, 6s+; iPad Mini 4; iPad Pro

We support all Touch ID enabled iOS devices. These devices don't have native FIDO UAF support. We have built a UAF authenticator using the Touch ID API and the secure enclave. We also support non-Touch ID devices (e.g. iPhone 4s and 5) running iOS 8 or higher using device passcode (PIN) authenticator.

JOIN THE FIDO ECOSYSTEM

JOIN THE FIDO ALLIANCE

Thank You!

Questions?

[email protected] | [email protected]