1 / 20

Not Built On Sand

Not Built On Sand. IT Has Scaled. Technological capabilities: (1971  2013) Clock speed x4700 #transistors x608k Structure size /450. $$$. Social media: (2013) >10% of all people ww active. Price: (1980  2013) HDD $/MB /12k NV RAM $/MB /1.3m. Authentication hasn‘t.

gafna
Download Presentation

Not Built On Sand

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Not Built On Sand

  2. IT Has Scaled Technological capabilities: (1971  2013) Clock speed x4700 #transistors x608k Structure size /450 $$$ Social media: (2013) >10% of all people ww active Price: (1980  2013) HDD $/MB /12k NV RAM $/MB /1.3m Authentication hasn‘t Relevance: (2012) $1 trillion eCommerce Ubiquity: More than 7bn mobile connected devices by end of 2013 Networked: (2013) 34% of all people ww have internet access

  3. Passwords Don’t Work • Most people use words from a small set of simple passwords • People reuse passwords • Passwords are hard to use • Passwords get phished • Websites don’t protect passwords properly

  4. There are alternatives…

  5. Implementation is the challenge • Each new authentication solution requires: • New Software • New Hardware • New Infrastructure • Consumer education • We’re building ‘Silos’ of authentication

  6. FIDO Goals • Support for a broad range of authentication methods, leverage existing hardware capabilities. • Support for a broad range of assurance levels, let relying party know the authentication method. • Built-in privacy.

  7. How does FIDO work? FIDO Authenticators FIDO SERVER Authenticator

  8. FIDO Functionality • Discover supported authenticators on the client • Register authenticators to a relying party • Authenticate (a session) • Transaction confirmation

  9. Registration Overview • Send Registration Request: • Policy • Random Challenge FIDO CLIENT FIDO SERVER Verify signature Check AAID against policy Store public key Start registration FIDO AUTHENTICATOR • Authenticate user • Generate key pair • Sign attestation object: • Public key • AAID • Random Challenge • Name of relying party • Signed by attestation key AAID = Authenticator Attestation ID, i.e. model ID

  10. Authentication Overview • Send Authentication Request: • Policy • Random Challenge FIDO CLIENT FIDO SERVER Verify signature check AAID against policy Start authentication FIDO AUTHENTICATOR • Authenticate user • Sign authentication object: • Random Challenge • Name of relying party • Signed by authentication key for this relying party

  11. FIDO Building Blocks TLS Server Key RELYING PARTY FIDO USER DEVICE BROWSER / APP WEB Application OSTP FIDO CLIENT Cryptographic authentication key reference DB FIDO SERVER FIDO AUTHENTICATOR Authentication keys Attestation key Update FIDO Repository Authenticator attestation trust store

  12. FIDO and IAM Modern Authentication Single Sign-On Passwords Risk-Based Strong Federation Authentication User Management Physical-to-digital identity

  13. Modern Authentication EXPLICIT AUTHENTICATION IMPLICIT AUTHENTICATION

  14. FIDO and Federation SAML Passwords SSO/Federation FIDO OpenID First Mile Second Mile

  15. FIDO and Federation IdP FIDO USER DEVICE Service Provider BROWSER / APP FEDERATION SERVER Federation OSTP FIDO CLIENT Id DB FIDO AUTHENTICATOR FIDO SERVER Knows details about the Identity verification strength. Knows details about the Authentication strength (based on attestation)

  16. Thank You

  17. FIDO Alliance Members Board of Directors • CrucialTec • Google • NokNok Labs • PayPal • Lenovo • NXP Semiconductor • Validity Sensors • Yubico • BlackBerry Sponsor Members • Entersekt • EyeLock • FingerPrint Cards • Infineon • Ping Identity • SecureKey • WWTT Associate Members • AktivSoft • Agnitio • AllWeb Technologies • Authentify • Certus • Check2Protect • Cloud Security Corp • Crocus Technology • Diamond Fortress • Discretix • Insyndia • ItsMe! Security • PassBan • SurePassID • Toopher Founding members underlined

  18. The Authenticator Concept Injected at manufacturing, doesn’t change FIDO Authenticator User Authentication / Presence Attestation Key Secure Display Authentication Key(s) User Generated at runtime (on Registration)

  19. Regarding AAIDs FIDO Authenticator AAID 1 Using HW based crypto Based on FP Sensor X FIDO Authenticator AAID 2 Pure SW based implementation Based on Face Recognition alg. Y

  20. Registration Overview (2) Relying Party foo.com WEB Application “Know Your Customer” rules Physical Identity { userid=1234, jane@mail.com, known since 03/05/04, payment history=xx, … } Legacy Authentication FIDO SERVER FIDO AUTHENTICATOR Registration Virtual Identity AAID y key for foo.com: 0xfa4731 { userid=1234, pubkey=0x43246, AAID=x+pubkey=0xfa4731, AAID=y} Link new Authenticator to existing userid

More Related