2. SAFRAN IDENTITY AND SECURITY RESTRICTED
SAFRAN IDENTITY AND SECURITY
Safran Identity and Security / 15-07-2016 / Direction
• R&D: investment equal to nearly 7% of revenue
• Workforce: 8,700+ employees in 57 countries
• €1.9 billion of revenue
• #1 worldwide in biometric identity solutions (fingerprint, iris and face)
• Systems deployed in more than 100 countries
• A global leader in identity and security
Intro
Safran Identity & Security / 23 March 2017
1. FIDO in brief
2. FIDO use cases: UAF, U2F, 2.0
1. FIDO IN BRIEF
The FIDO Alliance is an open industry association of over 250 organizations with a focused mission: authentication standards.
All Rights Reserved | FIDO Alliance | Copyright 2017.
FIDO Alliance Mission
1. Develop specifications
2. Operate adoption programs
3. Pursue formal standardization
Define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to authenticate users of online services.
Board Members
HOW “SHARED SECRETS” WORK ONLINE
The user authenticates themselves online by presenting a human-readable “shared secret”.
HOW FIDO WORKS
Local: the user authenticates “locally” to their authenticator device (by various means).
Online: the device authenticates the user online using public key cryptography.
• No 3rd party in the protocol
• No secrets on the server side
• Biometric data (if used) never leaves the device
• No (*new*) link-ability between services
• No (*new*) link-ability between accounts
Certification Growth
• An open competitive market
• Ensures interoperability
• Sign of a mature FIDO ecosystem
250+ FIDO® Certified products available today
Chart: total FIDO Certified products by date
Apr-15: 32 | Jul-15: 62 | Sep-15: 74 | Dec-15: 108 | Mar-16: 162 | May-16: 216 | Aug-16: 253 | Jan-17: 304
2. USE CASES: FIDO UAF, FIDO U2F, FIDO 2.0
FIDO Specifications
UAF (Universal Authentication Framework)
• Specifications
  • V1.0: Final
  • V1.1: implementation draft
U2F (Universal Second Factor)
• Specifications
  • V1.0: Final
  • V1.1: implementation draft
FIDO 2.0 (ex UFS)
• Technical improvements
  • CTAP: interfaces with the authenticator
  • WebAuthn: browser API defined by the W3C
• Specifications
  • Draft
NOTE: FIDO = AUTHENTICATION (not identity)
Diagram: user jdoe and site.com; Phase 1: registration; Phase 2: authentication; the values exchanged are shown as opaque bit strings (01001…, 10110…).
FIDO Server
A FIDO Server is the backend service that cryptographically authenticates an application user through a FIDO authenticator.
Main features
• Compliance with the FIDO protocols (U2F/UAF/FIDO 2.0)
• Authenticator policy management
• API with the user agent (registration)
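Added example, not code from Safran or the FIDO Alliance, tying together the “how FIDO works” slide, the two phases of the registration/authentication slide and the FIDO Server's verification role: a simplified U2F/WebAuthn-style key registration and challenge-response in Go. The signed message layout, the origin strings and the challenge bytes are constructed for illustration and are not the specification's exact formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// The device keeps the private key; the server stores only the public key and the last counter (no secret).
type Authenticator struct{ priv *ecdsa.PrivateKey; counter uint32 }
type Credential struct{ Pub *ecdsa.PublicKey; Counter uint32 }

// Register (Phase 1): a fresh P-256 key pair is created on the device; only the public half is sent.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Credential{Pub: &priv.PublicKey}, nil
}

// Simplified U2F/WebAuthn message, SHA-256(origin || counter || challenge); the signed origin is what defeats phishing.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	sum := sha256.Sum256(append(append([]byte(origin), ctr...), challenge...))
	return sum[:]
}

// Sign (Phase 2, device side): advance the counter and sign locally; no secret is sent online.
func (a *Authenticator) Sign(origin string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, a.counter, challenge))
	return a.counter, sig, err
}

// Verify (Phase 2, server side): signature over its own origin and fresh challenge; counter must advance (replay/clone check).
func Verify(c *Credential, origin string, challenge []byte, counter uint32, sig []byte) error {
	if counter <= c.Counter {
		return errors.New("counter did not advance: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(c.Pub, signedData(origin, counter, challenge), sig) {
		return errors.New("bad signature: wrong key, origin or challenge")
	}
	c.Counter = counter
	return nil
}
```

An assertion signed while the browser is on a different origin fails at the server even though it comes from the genuine device, and re-sending an old assertion fails on the counter check.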
FIDO Standard: Compatibility Aspects
Diagram labels: FIDO “Gold” Server; U2F, UAF and FIDO2 paths; roaming authenticator through CTAP; bound authenticator; client APIs U2F JS API, UAF JS API, WebAuthn/U2F and WebAuthn/CTAP; interoperability still to finalize.
Fido 2.0 (WebAuthn + CTAP)
Diagram labels: IDP; User Device (Browser, OS, Mobile Apps, bound authenticators); roaming authenticators with transport channels (BLE, USB, NFC) and CTAP payload; Relying Party (WebApplication, FIDO Server) reached over HTTPS for registration, authentication and transaction confirmation; FIDO Alliance Metadata Service.
Status update
• Technical:
  • UAF: decreasing to almost stalled activity; trying to bring the keystore in as level 2 authenticators and bridging to WebAuthn
  • U2F: most of the work is bridging to WebAuthn
  • CTAP: stalled, waiting for a final status on WebAuthn
  • Related: very active WebAuthn development effort on Chrome, Edge and Mozilla
• Working Groups
  • SRWG: move the initial levels 1=>4 to 2=>5, with an initial level for compliance and a high-level security overview (including software and TouchID authenticators)
  • CWG: continue the biometric certification without PAD; rely upon TEE certification levels for levels 2+
  • P3WG: influence US NIST and the EU on identity and banking standards