Confidential. All Rights Reserved. FIDO Alliance. Copyright 2016.
FIDO & STRONG AUTH TECHNOLOGY LANDSCAPE
Paul Madsen, Senior Technical Architect, Ping ID
Copyright © 2014 Ping Identity Corp. All rights reserved.
FIDO in context
[Diagram labels: Federation, Authentication Trends, FIDO]
FIDO & Authentication TRENDS
Authentication Trends
1. Mobile phone as authentication factor
2. Local authentication to device
3. Device identity
4. Continuous authentication
Copyright © 2013 Ping Identity Corp. All
rights reserved.
Phones make great *have* factors
• Connected
• Computation
• Storage
• UI
In a package a user won’t leave at home
Mobile MFA
[Diagram labels: Authn server, MFA server]
Local authentication
• Capabilities of phones also make practical a model in which the verification check is performed locally, i.e. on the device
• Result of local verification on device is communicated to server (typically via demonstration of knowledge of a previously established secret)
• Evolution of ‘device unlock’ mechanisms, e.g. PIN or pattern
• Particularly for biometrics, there are advantages to keeping sensitive secrets off the server
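The local-verification model above, as an added example that is not part of the original slides: the device checks the PIN itself and then proves knowledge of a previously established secret by answering a fresh server challenge. The `Device` and `Server` classes, the lockout threshold and the HMAC-based shared secret are assumptions chosen to keep the sketch within the Python standard library; FIDO authenticators use a key pair, so the server holds only a public key.

```python
import hashlib
import hmac
import secrets

MAX_PIN_ATTEMPTS = 3  # assumed local lockout threshold


class Device:
    """Authenticator side: the PIN verifier never leaves this object."""

    def __init__(self, device_id, pin):
        self.device_id = device_id
        self._salt = secrets.token_bytes(16)
        self._pin_verifier = self._stretch(pin)
        self._failures = 0
        self._secret = None  # established with the server at registration

    def _stretch(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def enroll(self):
        """Create the secret that is shared with the server once, at registration."""
        self._secret = secrets.token_bytes(32)
        return self._secret

    def respond(self, challenge, pin):
        """Verify the user locally; only on success answer the challenge."""
        if self._secret is None or self._failures >= MAX_PIN_ATTEMPTS:
            return None  # not enrolled, or locked after repeated failures
        if not hmac.compare_digest(self._stretch(pin), self._pin_verifier):
            self._failures += 1
            return None
        self._failures = 0
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    """Relying side: stores the shared secret, never the PIN or a biometric."""

    def __init__(self):
        self._secrets = {}
        self._pending = {}

    def register(self, device_id, secret):
        self._secrets[device_id] = secret

    def new_challenge(self, device_id):
        challenge = secrets.token_bytes(32)
        self._pending[device_id] = challenge  # replaces any older challenge
        return challenge

    def verify(self, device_id, response):
        challenge = self._pending.pop(device_id, None)  # each challenge is single use
        secret = self._secrets.get(device_id)
        if challenge is None or secret is None or response is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_demo():
    """Constructed walk-through: success, replay, wrong PIN, local lockout."""
    server = Server()
    phone = Device("phone-1", pin="4821")
    server.register(phone.device_id, phone.enroll())
    results = {}

    good = phone.respond(server.new_challenge("phone-1"), "4821")
    results["correct_pin"] = server.verify("phone-1", good)

    # A captured response is useless against the next challenge.
    server.new_challenge("phone-1")
    results["replayed_response"] = server.verify("phone-1", good)

    challenge = server.new_challenge("phone-1")
    results["wrong_pin"] = server.verify("phone-1", phone.respond(challenge, "0000"))

    # Further wrong guesses lock the device, so even the right PIN is refused.
    for _ in range(MAX_PIN_ATTEMPTS):
        phone.respond(challenge, "0000")
    results["locked_out"] = phone.respond(server.new_challenge("phone-1"), "4821") is None
    return results


if __name__ == "__main__":
    print(run_demo())
```
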
Apple ‘Selfie for authn’ patent
Authenticating device & user
[Flowchart. Decision nodes: “Is device authenticated?” and “User authenticated?” (yes/no branches). States: Device Registration; User logs in from untrusted device; User logs in from trusted device; User logs out. Outcomes: full, partial and limited application access]
Explicit giving way to implicit
[Diagram labels: Explicit factors, Implicit factors, Trend]
Contextual authentication
• Replaces single ‘does user know password?’ query with multiple ‘Is this signal consistent with what I expected?’ checks
• Any anomalies cause system to adapt accordingly
• Collection of different X signals passive & invisible to user so few UX implications
• Assumption is that attacker unlikely to be able to simulate all signals in order to impersonate valid user
Adaptive Authentication
• Systems that can, based on an assessment of risk (determined by multiple criteria), choose between available overt login mechanisms and contextual factors
• Adaptive Authentication == Contextual Verification + Logins
• If we have a user “John”, answers the question:
  • Is the user trying to access the system still “John”?
[Diagram labels: Contextual checks; Overt login (only when necessary)]
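The contextual and adaptive model on the two slides above, as an added example that is not part of the original deck: each request's signals are compared with what is expected for “John”, anomalies raise a risk score, and an overt login is requested only when the score crosses a threshold for the resource's sensitivity. The signal names, weights, thresholds and action names are constructed assumptions, and a missing signal is treated as an anomaly.

```python
from dataclasses import dataclass

# Assumed weights: risk added when a signal is missing or not what was expected.
WEIGHTS = {"device_id": 40, "country": 30, "network": 15, "hour_band": 10}

# Assumed policy per resource sensitivity: (minimum risk, overt mechanism), highest first.
POLICY = {
    "low": [(70, "full_login"), (40, "local_device_auth")],
    "high": [(40, "full_login"), (10, "local_device_auth")],
}

# Constructed profile of values previously seen for the user "John".
JOHN_EXPECTED = {
    "device_id": {"phone-1", "laptop-7"},
    "country": {"CA"},
    "network": {"home", "office"},
    "hour_band": {"day", "evening"},
}


@dataclass(frozen=True)
class Decision:
    action: str        # "none", "local_device_auth" or "full_login"
    risk: int
    anomalies: tuple


def find_anomalies(expected, observed):
    """Answer 'is this signal consistent with what I expected?' for every signal."""
    found = []
    for name in WEIGHTS:
        value = observed.get(name)
        # Fail closed: a signal that was stripped or never collected counts as anomalous.
        if value is None or value not in expected.get(name, ()):
            found.append(name)
    return tuple(found)


def decide(expected, observed, sensitivity):
    """Pick contextual checks alone, or the mildest overt login the risk calls for."""
    anomalies = find_anomalies(expected, observed)
    risk = sum(WEIGHTS[name] for name in anomalies)
    for threshold, action in POLICY[sensitivity]:
        if risk >= threshold:
            return Decision(action, risk, anomalies)
    return Decision("none", risk, anomalies)


def evaluate_session(expected, requests):
    """Continuous check: re-evaluate on every request, not only at login."""
    return [decide(expected, r["signals"], r["sensitivity"]).action for r in requests]


# Constructed session for "John": usual context, then drift, then clear anomalies.
USUAL = {"device_id": "phone-1", "country": "CA", "network": "home", "hour_band": "day"}
SAMPLE_SESSION = [
    {"sensitivity": "low", "signals": USUAL},
    {"sensitivity": "high", "signals": {**USUAL, "network": "cafe-wifi"}},
    {"sensitivity": "low", "signals": {**USUAL, "device_id": "tablet-x", "country": "BR"}},
    {"sensitivity": "low", "signals": {k: v for k, v in USUAL.items() if k != "device_id"}},
]

if __name__ == "__main__":
    for request in SAMPLE_SESSION:
        print(decide(JOHN_EXPECTED, request["signals"], request["sensitivity"]))
```
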
Sweet spot
[Diagram labels: Continuous Authentication, Local Authentication, Mobile device as factor, FIDO]
FIDO & Federation
Federation
• A model of identity management where the different components of a given transaction are distributed across actors
• One actor relies on the identity data that another actor provides
• Manifests in issuance, storage, presentation, and validation of ‘security tokens’
• Archetypical manifestation is Web SSO
• May cross policy boundaries, e.g. business partners, enterprise/SaaS, education institutions, social providers
• Federation standards define
  • Semantics of token (authn, authz, attributes)
  • Token format (XML -> JSON)
  • Protocols for moving tokens over network (SOAP -> REST)
Complementary
FIDO
• Insulates authentication server from specific authenticators
• Focused solely on primary authentication
• Does not support attribute sharing
• Can communicate details of authentication from device to server
Federation
• Insulates application from specific identity providers
• Does not address primary authentication
• Does enable secondary authentication & attribute sharing
• Can communicate details of authentication from IdP to SP
[Chart built up over six slides. Axes: Frequency of login and Assurance, each running between High and Low. Plotted in order of appearance: Status quo, Mobile 2FA, Federation, FIDO, FIDO + Federation. Other labels: SSO slide, continuum]
Making it real
• FIDO Enterprise Adoption WG drafting guideline doc defining how to compose FIDO & Federation
• How to express in a federation flow that the authentication was FIDO-based
  • SAML AuthenticationContext
  • OpenID Connect ‘acr’
• OpenID Foundation Enhanced Authentication Profile WG doing the same with focus on OpenID Connect
Mobile Connect
• Mobile Connect is GSMA effort designed to leverage phones for authentication & identity into applications
• Technically, manifests as a profile of OpenID Connect
  • Operators act as ASs
  • Web sites act as Clients
• Defines how to use a FIDO based authentication as an alternative to SIM, followed by Connect-based SSO
FIDO in context
[Diagram labels: Federation, Authentication Trends, FIDO]
THANK YOU

Editor's notes

  1. Being able to authenticate both device & user is a powerful model
  2. Some use this term only for login assessments, some use this as a general term both for login and post-login assessments. Some use this term for the traditional online fraud detection (OFD) tools, some also use it for enterprise remote access for partners and the workforce.