8. Local authentication
• The capabilities of phones also make practical a model in which the verification check is performed locally, i.e. on the device
• The result of local verification on the device is communicated to the server (typically via demonstration of knowledge of a previously established secret)
• An evolution of ‘device unlock’ mechanisms, e.g. PIN or pattern
• Particularly for biometrics, there are advantages to keeping sensitive secrets off the server
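The pattern on this slide, as an added example (not code from the slide deck): the user-facing check (a PIN here; a biometric match would sit at the same point) is verified only on the device, and what reaches the server is proof of knowledge of a per-device secret established at registration. The server never sees the PIN, and each challenge is single-use so a captured response cannot be replayed. All class and function names (Device, Server, register_device, login, demo) and the sample PIN are this example's own constructions.

```python
"""Local authentication with server-side challenge-response (added example).

The device holds the unlock verifier and the registered device secret;
the server holds only the device secret and an outstanding challenge.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PIN_ITERATIONS = 100_000  # PBKDF2 work factor for the local PIN verifier


class Device:
    """Phone side: local unlock credential plus the per-device server secret."""

    def __init__(self, pin: str) -> None:
        # Local unlock verifier: salted PBKDF2 hash of the PIN, stored only on the device.
        self._pin_salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin, self._pin_salt)
        # Secret established with the server at registration; None until registered.
        self._device_secret: Optional[bytes] = None
        self.device_id: Optional[str] = None

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ITERATIONS)

    def unlock(self, pin: str) -> bool:
        """Local verification: the PIN never leaves the device."""
        candidate = self._hash_pin(pin, self._pin_salt)
        return hmac.compare_digest(candidate, self._pin_hash)

    def register(self, server: "Server") -> None:
        self.device_id, self._device_secret = server.register_device()

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        """Release proof of the device secret only after the local unlock passes."""
        if self._device_secret is None or not self.unlock(pin):
            return None
        return hmac.new(self._device_secret, challenge, hashlib.sha256).digest()


class Server:
    """Relying-party side: knows device secrets, never PINs or biometrics."""

    def __init__(self) -> None:
        self._devices: Dict[str, bytes] = {}   # device_id -> registered secret
        self._pending: Dict[str, bytes] = {}   # device_id -> outstanding challenge

    def register_device(self) -> Tuple[str, bytes]:
        device_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._devices[device_id] = secret
        return device_id, secret

    def issue_challenge(self, device_id: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[device_id] = challenge
        return challenge

    def verify(self, device_id: str, response: Optional[bytes]) -> bool:
        """Check the response against the single outstanding challenge."""
        challenge = self._pending.pop(device_id, None)  # one-time use defeats replay
        secret = self._devices.get(device_id)
        if challenge is None or secret is None or response is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(device: Device, server: Server, pin: str) -> bool:
    """Full flow: server challenge -> local unlock -> device proof -> server check."""
    challenge = server.issue_challenge(device.device_id)
    return server.verify(device.device_id, device.respond(pin, challenge))


def demo() -> Dict[str, bool]:
    """Run the flow with constructed values and return each outcome."""
    server = Server()
    device = Device(pin="4821")  # constructed sample PIN
    device.register(server)
    results = {"correct_pin": login(device, server, "4821")}
    results["wrong_pin"] = login(device, server, "0000")
    # Replay check: a valid response presented a second time must fail.
    challenge = server.issue_challenge(device.device_id)
    response = device.respond("4821", challenge)
    results["first_use"] = server.verify(device.device_id, response)
    results["replay"] = server.verify(device.device_id, response)
    return results


if __name__ == "__main__":
    print(demo())
```

The server-side state is the point to inspect: `Server` stores nothing derived from the PIN, so a server breach yields device secrets that can be revoked per device rather than reusable user credentials, which is the "keeping sensitive secrets off the server" advantage the slide claims for biometrics.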
10. Authenticating device & user
[Flow diagram: states ‘Device Registration’, ‘User logs in from untrusted device’, ‘User logs in from trusted device’, ‘User logs out’; decisions ‘Is device authenticated?’ (yes/no) and ‘User authenticated?’ (yes/no); outcomes ‘Enjoy partial application access’, ‘Enjoy limited application access’, ‘Enjoy full application access’]
17. Complementary
FIDO
• Insulates authentication server from specific authenticators
• Focused solely on primary authentication
• Does not support attribute sharing
• Can communicate details of authentication from device to server
Federation
• Insulates application from specific identity providers
• Does not address primary authentication
• Does enable secondary authentication & attribute sharing
• Can communicate details of authentication from IdP to SP
Being able to authenticate both device & user is a powerful model
Some use this term only for login assessments, some use it as a general term for both login and post-login assessments. Some use this term for the traditional online fraud detection (OFD) tools, some also use it for enterprise remote access for partners and the workforce.