FIDO's place in the eID ecosystem
Maarten Wegdam, managing partner
PIMN Seminar on FIDO Alliance
23 January 2015
Identity, privacy & trust
Strategy realization
Business models
Digitalization in networks of organizations
Research-based advice & software
End-user perspective
Without FIDO
Separate authenticator for every website/identity
No choice between authenticators
Rarely use the embedded authenticators of your mobile (e.g., fingerprint sensor)
With FIDO
Select your own authenticator at registration time
Fewer passwords and/or more 2nd factors
Relying party perspective
Without FIDO
Costs and user friction for non-password/2nd-factor authentication
Vendor lock-in to authenticator
Often use one-time-password-like 2nd factors (SMS, TOTP app, etc.)
With FIDO
No biometric data on premise (biometric matching stays on the user's device; the relying party only holds a public key)
Flexibility & easy integration
Allow a wide range of authenticators
No (?) branding on authenticators
BYOId vs BYOAuthn
FIDO is about BYOAuthn, not BYOId
[Diagram: BYOId = (trusted?) attributes + authentication; authentication = verification/issuing process + authentication means; level of assurance per STORK, ISO 29115]
BYOId – e.g. OpenID, eID Framework NL, SAML federations, trust frameworks etc
FIDO vs social login
Social login is often associated with BYOId, but is more BYOAuthn in reality
FIDO may reduce usage of social logins
But not very popular in NL anyway …
FIDO vs eID Framework NL
FIDO can be used by Authentication providers
Potentially easier to adopt new authentication means
NO impact on service providers (websites): they simply use SAML
FIDO vs OATH
OATH - Initiative for Open Authentication
TOTP is often used, e.g., Google Authenticator
Aimed at one-time passwords
FIDO a hype?
Gartner (17 Nov 2014): “beyond Samsung Galaxy S5-PayPal no significant implementations yet”
Kuppinger Cole (10 Dec 2014): from more skeptical to “the initiative is gaining more traction”
A perspective on FIDO
What it does offer
• For relying parties: flexibility, ease of integration, less vendor lock-in
• For users: re-use of authentication means aka BYOAuthn
• Easier to move to non-password
• No ‘spillover’ of hacks between sites: a separate key pair per relying party, plus anti-phishing, MITM resistance and mutual authn
What it doesn’t offer
• No attributes, no identity: no BYOId
• No cross-device authentication (yet? USB + NFC), re-registration needed per device
• No passwords, no one-time-passwords
• No context-based or continuous authentication
What remains to be seen
• Will it confuse people? One authenticator for many identities?
• Adoption is key: chicken-egg, especially browser and smartphone vendors
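The mechanism behind the "no spillover" and anti-phishing bullets above, as an added example that is not part of the original slides and not FIDO Alliance code: a simplified model of the U2F-style flow in which the token keeps one key pair per relying party (selected by AppID) and signs the challenge together with the origin the browser was actually on. The origins bank.example, shop.example and bank-example.net, the clientData layout and the digest construction are assumptions for illustration, not the specification's exact encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Toy model of the U2F-style FIDO flow (not spec-conformant): one key pair per
// relying party, selected by AppID, and a signature over H(AppID) || counter ||
// H(clientData), where clientData carries the RP's challenge and the real origin.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // AppID -> private key, never exported
	counter uint32                       // signature counter shared by all keys
}

// Register mints a fresh P-256 key pair for appID; the RP gets only the public half.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

func clientDataFor(challenge, origin string) string {
	return fmt.Sprintf(`{"challenge":%q,"origin":%q}`, challenge, origin)
}

func signedDigest(appID string, counter uint32, clientData string) []byte {
	appHash := sha256.Sum256([]byte(appID))
	cdHash := sha256.Sum256([]byte(clientData))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h := sha256.New()
	h.Write(appHash[:])
	h.Write(ctr[:])
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Authenticate is called by the browser with the AppID derived from the page
// origin, so a phishing origin selects a different (or no) key.
func (a *Authenticator) Authenticate(appID, clientData string) (uint32, []byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return 0, nil, fmt.Errorf("no key registered for %s", appID)
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, a.counter, clientData))
	return a.counter, sig, err
}

type RelyingParty struct {
	Origin string
	pub    *ecdsa.PublicKey // from registration; useless at any other RP
}

// Verify checks that the signed clientData names our challenge and our origin,
// then checks the signature under the key stored at registration.
func (rp *RelyingParty) Verify(challenge, clientData string, counter uint32, sig []byte) bool {
	if clientData != clientDataFor(challenge, rp.Origin) {
		return false // wrong challenge, or signed for another origin
	}
	return ecdsa.VerifyASN1(rp.pub, signedDigest(rp.Origin, counter, clientData), sig)
}

// Scenarios runs one token through a genuine login, a phishing origin and a
// cross-RP relay, returning whether the bank accepted each assertion.
func Scenarios() (legit, phished, crossRP bool) {
	token := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{Origin: "https://bank.example"} // hypothetical origins
	shop := &RelyingParty{Origin: "https://shop.example"}
	bank.pub, _ = token.Register(bank.Origin)
	shop.pub, _ = token.Register(shop.Origin)
	cd := clientDataFor("n0nce-1", bank.Origin) // browser really on the bank
	ctr, sig, _ := token.Authenticate(bank.Origin, cd)
	legit = bank.Verify("n0nce-1", cd, ctr, sig)
	phish := "https://bank-example.net" // look-alike origin; victim even enrolled there
	token.Register(phish)
	cd2 := clientDataFor("n0nce-2", phish)
	ctr2, sig2, _ := token.Authenticate(phish, cd2)
	phished = bank.Verify("n0nce-2", cd2, ctr2, sig2) ||
		bank.Verify("n0nce-2", clientDataFor("n0nce-2", bank.Origin), ctr2, sig2)
	cd3 := clientDataFor("n0nce-3", shop.Origin) // valid shop assertion relayed to bank
	ctr3, sig3, _ := token.Authenticate(shop.Origin, cd3)
	crossRP = bank.Verify("n0nce-3", clientDataFor("n0nce-3", bank.Origin), ctr3, sig3)
	return
}

func main() {
	fmt.Println(Scenarios()) // true false false
}
```

Two properties of the bullets carry the result: the attacker's look-alike origin maps to its own AppID and therefore its own key, so whatever the token signs there cannot be relayed to the bank; and a breach of one relying party's database yields only public keys that verify nothing elsewhere.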
Take aways
FIDO is about BYOAuthn, not BYOId
FIDO enables non-password, non-OTP authentication factors
As always, adoption is key, especially by browser and smartphone vendors
[email protected] | +31 6 51993485 | @maartenwegdam | http://innovalor.nl |
http://www.linkedin.com/in/wegdam