• No results found

Scalable Authentication

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Scalable Authentication"

Copied!
38
0
0

Loading.... (view fulltext now)

Download now ( 38 Page )

Full text

(1)

Rolf Lindemann

Nok Nok Labs, Inc.

(2)

IT Has Scaled

$$$

Technological capabilities: (1971

2013)

Clock speed x4700 #transistors x608k Structure size /450

Price: (1980 2013) HDD $/MB /12k NV RAM $/MB /1.3m

Ubiquity: More than 7bn mobile connected devices by end of 2013

Connectivity: (2013)

Relevance: (2012) $1 trillion eCommerce Social media: (2013)

(3)
(4)

Passwords

Too many to remember, difficult to type, and not secure

(5)

One Time Passcodes

Improve security, but not easy to use

SMS USABILITY

DEVICE USABILITY

USER EXPERIENCE STILL

PHISHABLE

(6)
(7)

Implementation is the Challenge

Vendor A

Vendor B

Silos by Vendor

Technology A

Technology B

Silos by Technology

X

X

Each new authentication solution requires new HW, SW, and Infrastructure.

(8)

FIDO Goals

►Support for a broad range of authentication methods,

leverage existing hardware capabilities.

►Support for a broad range of assurance levels, let relying party know the authentication method.

(9)

Abstract View

FIDO SERVER

FIDO Authenticators

(10)

FIDO Functionality

►Discover supported authenticators on the client

►Register authenticators to a relying party (and bind it to an existing identity)

►Authenticate (a session)

(11)

Registration

FIDO AUTHENTICATOR

FIDO SERVER FIDO CLIENT

Send Registration Request: - Policy

- Random Challenge

Start

registration Authenticate user

Generate key pair

Sign attestation object: • Public key

• AAID

• Random Challenge • Name of relying party Signed by attestation key

Verify signature

Check AAID against policy Store public key

AAID = Authenticator Attestation ID, i.e. model

(12)

Regarding AAIDs

FIDO Authenticator

FIDO Authenticator Using HW based crypto

Pure SW based implementation Based on FP Sensor X

Based on Face Recognition alg. Y

AAID 1

AAID 2 Attestation Key 1

(13)

Privacy & Attestation

Bob’s FIDO Authenticator Using HW based crypto

Based on FP Sensor X Model A

FIDO SERVER RP1

FIDO SERVER RP2 Model A

Model A Serial #

(14)

Authenticator Meta-Data

File available to FIDO Server with Authenticator descriptions

►AAID as an index

►Attestation trust anchor

►Implements Secure Display

►Key Protection

(15)

Binding Authenticator to User

Login with legacy credential

User A Cloud

Service

1

Perform FIDO Register function

Authenticator 1 ServiceCloud

2

User A

Authenticator 1

(16)

Binding Authenticator to User

Create new account

User B Cloud

Service

1

Perform FIDO Register function

Authenticator 2 ServiceCloud

2

User B

Authenticator 2

Case B: New User

Opt.: verify attrs. with 3rd party

(17)

Authentication

FIDO AUTHENTICATOR FIDO SERVER FIDO CLIENT Send Authentication Request: - Policy

- Random Challenge

Start

authentication Authenticate user

Sign authentication object: • Random Challenge • Name of relying party Signed by authentication key for this relying party

Verify signature

(18)

Transaction Confirmation

Like Authentication, but Authenticator displays Transaction Text

FIDO AUTHENTICATOR

FIDO SERVER FIDO CLIENT

Verify Transaction Text Hash Verify signature

check AAID against policy Authenticate user

Sign transaction object: • Random Challenge • Name of relying party • Transaction Text Hash Signed by authentication key for this relying party

Transfer $10000 to John Doe‘s account 1234567

(19)

FIDO Building Blocks

FIDO USER DEVICE

FIDO CLIENT RELYING PARTY FIDO SERVER FIDO Repository FIDO AUTHENTICATOR WEB SERVER BROWSER / APP

Cryptographic authentication key

reference DB

Authenticator attestation trust store + meta data Attestation key Authentication

keys

Update

UAF Protocol

(20)

The Authenticator Concept

FIDO Authenticator

User Verification / Presence

Secure Display

Attestation Key

Authentication Key(s)

User

Injected at manufacturing, doesn’t change

(21)

Scalability of Authentication

►Scalable for Users

►Scalable User Verification Methods

(22)

Scalable for Users

Overall complexity doesn’t grow with the number of relying parties:

►Choosing & remembering one password per RP is not

scalable

►Carrying one (dedicated) OTP token or smart card per RP

is not scalable

►In FIDO, the Authenticator maintains one key per RP. This

(23)

Scalable User Verification Methods

Various User Verification Methods can be implemented without updating server software

►Various cryptographic hardware, e.g. smart cards, USB

tokens, …

►All kinds of biometrics ► Fingerprints

► Face recognition

► Typing behavior

► Gait

► Cardiac rhythm recognition and more…

(24)

Client Side Biometrics

FIDO Authenticator

User Verification / Presence

Attestation Key

Authentication Key(s) Store

Various User Verification Methods can be implemented without updating server software

(25)

Scalable Security

Broad range of assurance levels

►Login to online account

►Change shipping address

►Transfer $10,000 to Account 1234

Low

(26)

Scalable Security (2)

Authenticator

User Verification Crypto Layer

Authenticator

User Verification Crypto Layer

Authenticator

User Verification Crypto Layer

Secure HW Normal HW

(27)

Scalable Security (3)

Source: NIST Interagency Report 7477

Scale the accuracy of the user verification algorithm, e.g. better finger print sensor/algorithm, longer PINs

(28)

Scalable Security (4)

Scale security by adding enhanced anti spoofing methods, e.g. enhanced

liveness detection for face recognition.

Or by requiring PIN entry. Source: Liveness Detection for

(29)

FIDO and IAM

Physical-to-digital identity User Management

Authentication Federation

Single Sign-On

Passwords Strong Risk-Based

(30)

Complementary

IMPLICIT AUTHENTICATION EXPLICIT

(31)

FIDO and Federation

FIDO PASSWORDS

SSO/FEDERATION

First Mile

Second Mile

SAML SAML

OpenID OpenID

(32)

FIDO and Federation

FIDO USER DEVICE

FIDO CLIENT

IdP

FIDO SERVER FIDO AUTHENTICATOR

FEDERATION SERVER

BROWSER / APP OSTP

Service Provider

Federation

Id DB

(33)

FIDO Today

Technical Working Groups active

o Public Spec Drafts early 2014

o Early Pilots late 2013

o Complement existing standards & efforts

 NSTIC/Federation: OpenID, SAML etc.

FIDO Alliance membership is growing

o Members set requirements and design the technology

o Internet Services

o Client Platform Owners

o Device & Component Vendors

(34)

FIDO Alliance Members

AFTER FEB. 2013 FOUNDERS

(35)

What‘s the benefit

For Users

Easy to use local auth options

No more worrying about passwords

Feel safer on the Internet

For Internet Services

Greatly improved security, Increased

user engagement

User brings own device

Build server once: leverage all auth

methods

For Vendors

Standardization ignites market

Solve fragmentation issues with

(36)
(37)

Summary

►Passwords don’t work

►Current alternatives don’t scale

►FIDO Alliance works on an open specification separating

user verification method from cryptographic authentication protocol

►With that protocol

► relying parties can define policy for risk appropriate authentication

► relying parties know the authenticator model and its characteristics through attestation

► adoption of new authentication methods will be significantly easier

(38)

Thank

 

you!

Rolf Lindemann Nok Nok Labs, Inc.

[email protected] www.noknok.com www.fidoalliance.org [email protected]

References

Download now ( PDF - 38 Page - 1.35 MB )

Related documents

Policy-Speci c Information and Informal Agenda Power

Rule Decision If the ‡oor’s choice of rule is not pivotal for the committee’s investment decision, the ‡oor unambiguously prefers an open rule, because it receives its own ideal

Considering Online Career Interventions

In my own practice, I have been involved in the development of e-learning software, the design of online career interventions, the delivery of e-career services to clients, and

A Guide to Medicaid Reimbursement for Online Speech Language Pathology Services in Schools

The time has come for states to ensure equity of access for speech-language pathology services delivered online by allowing Medicaid reimbursement for this mode of delivery

Virtual Payment Client Integration Reference. April 2009 Software version:

Mode 3b - 2-Party Style Pre-Authenticated Payment transaction - the merchant may use the 3-Party - Authentication only transaction through the Payment Server or an

COMODO RELYING PARTY WARRANTY

(b) The Warranty shall cover a monetary loss equal to the lesser of 1) the amount directly paid by the Covered Person in reliance on the Certificate as offset by any amount

The Cultural Life of Karlovac during the Croatian National Reviva

Za izbor teme ovog rada najvažnija je bila činjenica slabe istraženosti razdoblja kraja 18. stoljeća mojega rodnog grada Karlovca, posebno zbog njegove značajne uloge

Aerobic Biodegradation of Methyl tert-Butyl Ether by Aquifer Bacteria from Leaking Underground Storage Tank Sites

The potential for aerobic methyl tert-butyl ether (MTBE) degradation was investigated with microcosms containing aquifer sediment and groundwater from four MTBE-contaminated

How effective is central bank communication in emerging economies? An empirical analysis of the Chinese money markets responses to the People’s Bank of China’s policy communications

Compared with percentages of domestic economic outlook indexes in Figs.  3 , 4 shows that the Chinese central bank communications on world economic outlook are more con-