Strong Authentication Trends in Government
All Rights Reserved. FIDO Alliance. Copyright 2017.
STRONG AUTHENTICATION
TRENDS IN GOVERNMENT
Featuring
Brett McDowell, Executive Director, FIDO Alliance
Jeremy Grant, Managing Director, The Chertoff Group
Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service
Elaine Newton, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)
• FIDO Alliance Overview, Brett McDowell
• Strong Authentication Trends in Government, Jeremy Grant
• Safer, Faster, Simpler: A UK Perspective, Adam Cooper
• Developments in Biometric Guidance, Elaine Newton
• Q & A
Formed in 2012 to Solve the Password Problem
• 63% of data breaches in 2015 involved weak, default, or stolen passwords (Verizon Data Breach Report)
• 1,093 data breaches in the US in 2016, up ~40% from 2015 (Identity Theft Resource Center)
• Each data breach costs $3.8 million on average, up 23% from 2013 (Ponemon Institute)
The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards
FIDO Alliance Mission
1. Develop Specifications
2. Operate Adoption Programs
3. Pursue Formal Standardization
define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to authenticate users of online services
Board Members
HOW “Shared Secrets” WORK
ONLINE: The user authenticates themselves online by presenting a human-readable “shared secret”
HOW FIDO WORKS
AUTHENTICATOR
LOCAL: The user authenticates “locally” to their device (by various means)
ONLINE: The device authenticates the user online using public key cryptography
OPEN STANDARDS R.O.I.
FIDO-ENABLE ONCE
GAIN EVERY DEVICE YOU TRUST
NO MORE ONE-OFF INTEGRATIONS
USABILITY, SECURITY, R.O.I. and PRIVACY
No 3rd Party in the Protocol
No Secrets on the Server Side
Biometric Data (if used) Never Leaves Device
No (*new*) Link-ability Between Services
No (*new*) Link-ability Between Accounts
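A minimal model of the flow on the “How FIDO Works” slide and of the properties listed above, added here as an illustration; it is not FIDO Alliance code and not the FIDO wire protocol. The class names, the example origins and the boolean `userVerified` (standing in for the local PIN or biometric match) are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Bytes covered by the signature: hash of the service origin plus the challenge.
function signedBytes(origin, challenge) {
  const originHash = nodeCrypto.createHash('sha256').update(origin).digest();
  return Buffer.concat([originHash, challenge]);
}

// Device side: private keys are created and kept here, one per service.
class Authenticator {
  constructor() {
    this.keys = new Map(); // service origin -> { keyId, privateKey }
  }
  // userVerified models the LOCAL step; its result never leaves the device.
  register(origin, userVerified) {
    if (!userVerified) throw new Error('local user verification failed');
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', {
      namedCurve: 'prime256v1',
    });
    const keyId = nodeCrypto.randomBytes(16).toString('hex');
    this.keys.set(origin, { keyId, privateKey });
    return { keyId, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
  }
  sign(origin, challenge, userVerified) {
    if (!userVerified) throw new Error('local user verification failed');
    const entry = this.keys.get(origin);
    if (!entry) throw new Error('no key registered for ' + origin);
    const signature = nodeCrypto.sign('sha256', signedBytes(origin, challenge), entry.privateKey);
    return { keyId: entry.keyId, signature };
  }
}

// Server side: stores a public key per account, nothing that can be replayed.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.credentials = new Map(); // account -> { keyId, publicKeyPem }
    this.pending = new Set();     // outstanding challenges, hex encoded
  }
  enroll(account, registration) { this.credentials.set(account, registration); }
  newChallenge() {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.add(challenge.toString('hex'));
    return challenge;
  }
  verify(account, challenge, assertion) {
    // Each challenge is single use, so a captured assertion cannot be replayed.
    if (!this.pending.delete(challenge.toString('hex'))) return false;
    const cred = this.credentials.get(account);
    if (!cred || cred.keyId !== assertion.keyId) return false;
    return nodeCrypto.verify('sha256', signedBytes(this.origin, challenge),
      cred.publicKeyPem, assertion.signature);
  }
}

function demo() {
  const device = new Authenticator();
  const bank = new RelyingParty('https://bank.example'); // constructed origins
  const tax = new RelyingParty('https://tax.example');
  bank.enroll('alice', device.register(bank.origin, true));
  tax.enroll('alice', device.register(tax.origin, true));

  const c1 = bank.newChallenge();
  const a1 = device.sign(bank.origin, c1, true);
  const login = bank.verify('alice', c1, a1);
  const replay = bank.verify('alice', c1, a1); // same challenge a second time

  // A signature made with the bank key, presented to the other service.
  const c2 = tax.newChallenge();
  const crossService = tax.verify('alice', c2, {
    keyId: tax.credentials.get('alice').keyId,
    signature: device.sign(bank.origin, c2, true).signature,
  });

  const bankPem = bank.credentials.get('alice').publicKeyPem;
  const unlinkable = bankPem !== tax.credentials.get('alice').publicKeyPem;
  const serverHoldsPublicKeyOnly = bankPem.startsWith('-----BEGIN PUBLIC KEY-----');

  let localGate = false;
  try { device.sign(bank.origin, bank.newChallenge(), false); } catch { localGate = true; }
  return { login, replay, crossService, unlinkable, serverHoldsPublicKeyOnly, localGate };
}

console.log(demo());
```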
FIDO Authentication:
Adoption & Ecosystem
Global Leaders Deploy FIDO Standards
Certification Growth
• An open competitive market
• Ensures interoperability
• Sign of mature FIDO ecosystem
250+ FIDO® Certified products available today
[Chart: FIDO Certified products by date, Apr-15 through Jan-17; 304 total]
FIDO Certified – Jan`17
The Road Ahead
• W3C Web Authentication Specification
• Standards Effort with EMVCo
• Client-to-Authenticator Protocol (CTAP)
• FIDO Universal Server + New Certification Programs
STRONG AUTHENTICATION TRENDS IN GOVERNMENT
Jeremy Grant
Managing Director, The Chertoff Group
Authentication is Important to Government
1. Protects access to government assets
2. Enables more high-value citizen-facing services
3. Empowers private sector to provide a wider range of high value services to consumers
4. Secures critical assets and infrastructure
5. Promotes good security practices in the private sector
Governments seek identity solutions that can deliver not just improved Security – but also Privacy, Interoperability, and better Customer Experiences
FIDO Is Impacting How Governments Think About Authentication
• Enables support for “BYOC” (Bring Your Own Credential)
• Take advantage of the growing ecosystem of FIDO solutions and standards
• No requirement to issue a separate token or app for MFA
• No need to create passwords for digital government services
• Better Security, Privacy + Interoperability
• Better Customer Experiences – simpler and safer
• Reduced Cost for the Government Enterprise
FIDO Is Impacting How Governments Think About Authentication
U.S. Commission on Enhancing National Cybersecurity
• Bipartisan commission established by the White House in April – charged with crafting recommendations for the next President
• Major focus on Authentication
U.S. Commission on Enhancing National Cybersecurity
Focus on non-PIV solutions for USG Authentication
“The next Administration should provide agencies with updated policies and guidance that continue to focus on increased adoption of strong authentication solutions, including but, importantly, not limited to personal identity verification (PIV) credentials.
“To ensure adoption of strong, secure authentication by federal agencies, the requirements should be made performance based (i.e., strong) so they include other (i.e., non-PIV) forms of authentication, and should mandate 100 percent adoption within a year.”
U.S. Commission on Enhancing National Cybersecurity
“Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance. FIDO specifications are focused largely on the mobile smartphone platform to deliver multifactor authentication to the masses, all based on industry standard public key cryptography. Windows 10 has deployed FIDO specifications (known as Windows Hello), and numerous financial institutions have adopted FIDO for consumer banking. Today, organizations complying with FIDO specifications are able to deliver secure authentication technology on a wide range of devices, including mobile phones, USB keys, and near-field communications (NFC) and Bluetooth low energy (BLE) devices and wearables. This work, other standards activities, and new tools that support continuous authentication provide a strong foundation for opt-in identity management for the digital infrastructure.”
FIDO Is Impacting How Governments Think About Authentication
Priorities:
• Ensuring that future online products and services coming into use are “secure by default”
• Empowering consumers to “choose products and services that have built-in security as a default setting.”
“[We will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.”
A Note on Policy
FIDO specifications offer governments newer, better options for strong authentication – but governments may need to update some policies to support the ways in which FIDO is different.
As technology evolves, policy needs to evolve with it.
1. Multi-factor authentication no longer brings higher burdens or costs
• While this statement was true of most “old” MFA technology, FIDO specifically addresses these cost and usability issues.
• FIDO enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale.
European Banking Authority (EBA) Draft Regulatory Technical Standards on PSD2 Strong Authentication
2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device
2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device
• Recognized by the US government (NIST) in 2014…
• “OMB (White House) to update guidance on remote electronic authentication” to remove requirements that one factor be separate from the device accessing the resource
• The evolution of mobile devices – in particular, hardware architectures that offer highly robust and isolated execution environments (such as TEE, SE and TPM) – has allowed these devices to achieve high-grade security without the need for a physically distinct token
2. Technology is now mature enough to enable two secure, distinct AuthN factors in a single device
• Reflected in new NIST Draft Digital Identity Guidelines (SP 800-63B)
3. Local-match biometrics has matured and is an important authentication factor
• New guidance from Taiwan’s Financial Supervisory Commission (FSC)
• Previous guidance forbade local biometric match as an authentication factor; new guidance allows it, as part of a FIDO solution
FIDO Delivers on Key Government Priorities
Security
• Authentication using strong asymmetric Public Key cryptography
• Superior to old “shared secrets” model – there is nothing to steal on the server
• Biometrics as second factor
Privacy
• Privacy architected in up front; No linkability or tracking
• Designed to support Privacy Principles of the European Data Protection Directive
• Biometric data never leaves device
• Consumer control and consent
Interoperability
• Open standards: FIDO 2.0 specs are in W3C standardization process
• FIDO compliance/conformance testing to ensure interoperability of “FIDO certified” products
Usability
• Designed with the user experience (UX) first – with a goal of making authentication as easy as possible.
• Security built to support the user’s needs, not the other way around
SAFER, FASTER, SIMPLER: A UK PERSPECTIVE
Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service
GDS GOV.UK Verify
GOV.UK Verify is the new way to prove who you are online.
A certified company verifies you on behalf of government
There are a range of high quality companies certified to verify identity for GOV.UK Verify
Adopting outcome based standards has led to innovation, choice and opportunity.
We publish them on GOV.UK…
https://www.gov.uk/government/collections/identity-assurance-enabling-trusted-transactions
eIDAS Regulation – promoting the use of national eID internationally
Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (aka eIDAS).
Mutual acceptance of eID cross-border
Interoperability standards
Encourages cooperation between Member States
Huge potential: e.g. PSD2, AML4D
Building a more secure internet
“Objective 5.2.3. The majority of online products and services coming into use become ‘secure by default’ by 2021.”
- National Cyber Security Strategy 2016-2021
To achieve this goal the Government will…
• Lead by example
• Explore options for collaboration with industry
• Adopt challenging new cyber security technologies in government
“invest in… emerging industry standards such as Fast Identity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate.”
For more information visit the blog at identityassurance.blog.gov.uk or go to gov.uk/verify
DEVELOPMENTS IN BIOMETRIC GUIDANCE
Elaine Newton, PhD, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)
The SOFA Project
• NIST is exploring a framework around Strength of Function for Authenticators - Biometrics (SOFA-B) for measuring and evaluating the strength of a biometric authentication on mobile devices to:
• Determine how effectively they mitigate different levels of transactional risk
• Understand how such biometric factors can be combined with, or substituted for, other authentication factors
System and Attack Analysis
[Diagram: biometric system components (Data Capture, Signal Processing, Comparison, Decision, Data Storage) with 11 numbered attack points: Presentation Attack; Override Capture Device; Extract/Modify Biometric Sample; Override Signal Processor; Modify Probe; Override Comparator; Modify Score; Override Decision Engine; Modify Decision; Override Database; Modify Biometric Reference]
Many attacks can be mitigated by core security controls: e.g., encryption, mutual authentication, limiting of unsuccessful attempts
Some areas require specific focus in biometrics: e.g., template protection
Recommendation: Analyze and quantify factors specific to biometric systems.
[Diagram: the same biometric system components and 11 numbered attack points as on the System and Attack Analysis slide]
PAD Error Rate: Shorthand for Probability of a successful presentation attack*
FMR: Probability of a false match occurring
Matching Performance
Two aspects stood out as unique to biometric authN: Presentation Attacks and the Matching Performance; each carries potential metrics to contribute to strength.
Zero-Information and Targeted Attacks
• “Zero-information” and “targeted” attacks should be considered, as both scenarios may affect Effort, as well as PADER and FMR.
Zero Info.
• Password/PIN: Length and complexity
• Biometrics: Sample size and complexity; Access to sensor/device; Computational complexity of matching
Targeted
• Password/PIN: Shoulder surf; Notepads
• Biometrics: Retrieve biometric; Create artefact
Recommendation: Quantify SOFA for Zero Information Attacks
• Goal is to move towards developing metrics that can be compared and combined to better understand authentication systems
• Ultimately, we would be able to determine the same type of measure for most authentication systems
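$$\mathrm{SOFA}_{\text{Zero Info}}(\text{Biometrics}) \propto \frac{\text{Effort}}{\text{FMR} \times \text{PADER}}$$

$$\mathrm{SOFA}_{\text{Zero Info}}(\text{PIN/PW}) \propto \text{Effort} \times N^{L}$$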
Overview of Draft NIST SP 800-63-3 Biometric Requirements
• FMR less than or equal to 1 in 1000 or better.
• False non-match rate is left to applications to determine their needs.
• To deal with presentation attacks (aka spoofs or fakes at the sensor):
  • Strict rate limiting is required OR
  • Rate limiting plus PAD (demonstrating at least 90% resistance to presentation attacks for each relevant attack type (aka species)).
• Must authenticate something you have (always 2 factor).
• Protected channel required prior to capturing biometric sample.
• Additional requirements for server/central matching.
• Memory wipe requirement.
Revocability
Something you are, Distinctiveness
Something you are, Liveness
Other Security & Privacy Measures
Questions for our Experts?
Brett McDowell, Executive Director, FIDO Alliance
Jeremy Grant, Managing Director, The Chertoff Group
Adam Cooper, Technical Architect, Identity Assurance, UK Government Digital Service
Elaine Newton, Standards Lead for Applied Cybersecurity, National Institute of Standards and Technology (NIST)
THANK YOU
fidoalliance.org
@fidoalliance