Natural id Markus Jakobsson Sebastien Taveau The Case for Replacing Passwords with Biometrics...


Markus Jakobsson

Sebastien Taveau

The Case for Replacing Passwords with Biometrics

validity

Why? The Use Cases

PERSONAL CLOUD

WHERE IS THE WALLET? TWO SCHOOLS OF THOUGHT

• Remote Payment
• Digital Wallet
• Card Not Present
• Alternative Payment Networks

• Proximity Payment
• Mobile Wallet
• Card Present
• Classic Payment Networks

PERSONAL CLOUD

Megatrend No. 1: Consumerization — You Ain’t Seen Nothing Yet

Megatrend No. 2: Virtualization — Changing How the Game Is Played

Megatrend No. 3: “App-ification” — From Applications to Apps

Megatrend No. 4: The Ever-Available Self-Service Cloud

Megatrend No. 5: The Mobility Shift — Wherever and Whenever You Want

Gartner: http://www.wired.com/cloudline/2012/03/personal-cloud-2014/

BYOD: Bring Your Own Device

BEYOND INDIVIDUALS, CORPORATE IT MUST ADAPT


THE PROBLEM: FRAUD AND UNAUTHORIZED ACCESS

• Malware: Access to secure area is limited
• Phishing: Without password to steal, phishing is eliminated
• Friendly Fraud: My kids know my iPad PIN but can’t swipe my finger


How? The tech options

• Natural Authentication
• Computed Authentication

Two Methods: Who You Are & What You Know

Natural Authentication

Computed Authentication

Value proposition to mobile ecosystem

• Device Authentication
• User Authentication

TEE SCENARIO 1

[Diagram. Labels: Normal World, Secure World, Secure OS, Monitor, FPS, Application Profile, Vault Trustlet, Trust Credential Engine, + Security]

TEE SCENARIO 2

[Diagram. Labels: Normal World, Secure World, Secure OS, Monitor, FPS, Application Trustlet, Secure Storage, Application Profile, Vault Trustlet]

TEE SCENARIO 3

[Diagram. Labels: Normal World, Secure World, Secure OS, Monitor, FPS, Application Trustlet, Encrypted Vault Security, Application Profile Trustlet]

SECURITY IN A NUTSHELL

• Malware
• Phishing
• Friendly Fraud

Secure area has processor and storage. Biometrics and credentials encrypted outside secure area. Restricted API to secure area.

Nothing to steal!

No typed credentials, except special cases – this limits exposure.

“You cannot give out what you do not know.”

My kids know my iPad PIN but can’t swipe my finger. Easy to create and remove guest accounts.

Executive summary: a secure password manager with secure access.

New device / failed authentication / coerced authentication – see paper.

THE NEW SECURITY AROUND PAYMENTS

WHO YOU ARE

WHERE YOU ARE