FIDO Overview: Status and Future
TRANSCRIPT
783 data breaches in 2014
>1 billion records stolen since 2012
$3.5 million average cost per breach
ONE-TIME PASSCODES
Improve security but aren’t easy enough
Still Phishable
Poor User Experience
Token Necklace
SMS Reliability
FIDO Registration
Registration Begins
User Approval
New Key Created
Key Registered using Public Key Cryptography
FIDO Login
Login
Login Challenge
Key Selected
Login Response using Public Key Cryptography
User Approval
Login Complete
Passwordless Experience (FIDO UAF Standards)
1. Transaction Detail ($10,000, Transfer Now)
2. User Authentication
3. Done (Success)
Second Factor Experience (FIDO U2F Standards)
1. Login & Password
2. Insert dongle, Press Button
3. Done (Success)
2014 Deployments
✓ PayPal continues FIDO enablement in improved mobile wallet app.
✓ Google has FIDO in Chrome and 2-Step Verification.
✓ Samsung adds FIDO enabled Touch authentication to Galaxy® S6
FIDO UNIVERSAL 2ND FACTOR
AUTHENTICATOR
USER VERIFICATION: Is a user present?
FIDO AUTHENTICATION: Same authenticator as registered before?
FIDO UNIVERSAL AUTHENTICATION FRAMEWORK (UAF)
AUTHENTICATOR
USER VERIFICATION: Same User as enrolled before?
FIDO AUTHENTICATION: Same Authenticator as registered before?
No 3rd Party in the Protocol
No Secrets on the Server side
Biometric data (if used) never leaves device
No link-ability between Services or Accounts
Physical-to-digital identity
User Management
Authentication
Federation
Single Sign-On
Passwords, Risk-Based, Strong
MODERN AUTHENTICATION
Board Members
✓ Online Services
✓ Chip Providers
✓ Device Providers
✓ Biometrics Vendors
✓ Enterprise Servers
✓ Platform Providers
FIDO TIMELINE
Milestones: FIDO 1.0 FINAL Specification; First UAF & U2F Deployments; Specification Review Draft; FIDO Ready Program; Alliance Announced
FEB 2013 (6 Members)
DEC 2013 (59 Members)
FEB 2014 (84 Members)
FEB-OCT 2014 (129 Members)
DEC 9 2014 (152 Members)
Implementing 1.0 Specifications (this is only a subset of active implementations)
Online Services
Chip Providers
Device Providers
Biometrics Technology Providers
Enterprise Servers
Open Source
Mobile Apps/Clients
WWW Browsers
FIDO in Windows 10
✓ Windows used by 1.5 billion users
✓ Windows 10 in 190 countries by Q3
✓ Free upgrade for consumer
FIDO in Snapdragon
✓ Market leader to ship FIDO client
✓ 85+ OEMs as of Q4
✓ >1 billion Android devices shipped
✓ Innovative sensor
FIDO in Healthcare
✓ First healthcare deployment
✓ Physician access to health records
✓ Up to 50 million Healthcare users
FIDO in Enterprise
✓ Google for Work announced Enterprise admin support for FIDO® U2F “Security Key” – April 21
✓ Google for Work is used by over 5 million businesses worldwide
✓ “The Security Keys are a great step forward, as they are very practical and more secure.” – Woolsworth IT
FIDO & Government
2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials.
-- NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12-Feb-2014
✓ Governments worldwide are looking at FIDO
✓ FIDO featured at White House Summit
✓ New collaboration framework…
InfineonNSP
NNL
New Government Membership Class
➢ Reflecting an increased focus on Government collaboration worldwide
➢ Details are now published in the new FIDO Alliance Membership Agreement