Michael Barrett, president of the FIDO Alliance. Cloud Identity Summit, July 2014. www.fidoalliance.org. Copyright 2014, The FIDO Alliance. All Rights Reserved.

CIS14: Filling the “authentication goes here” Hole in Identity

Jan 15, 2015


Technology

CloudIDSummit

Michael Barrett, FIDO Alliance
A report on the headway the FIDO Alliance is making in establishing standards that enable easily interoperable authentication, covering the high-level technical architecture of these new authentication protocols and giving an update on progress.
Transcript
Page 1: CIS14: Filling the “authentication goes here” Hole in Identity

Michael Barrett, president of the FIDO Alliance

Cloud Identity Summit, July 2014

www.fidoalliance.org Copyright 2014, The FIDO Alliance. All Rights Reserved.

Page 2: CIS14: Filling the “authentication goes here” Hole in Identity

Problems, problems, problems

Page 3: CIS14: Filling the “authentication goes here” Hole in Identity

Rampant online attacks

•  Major hacks have been targeted at password databases within Online Gaming, Financial Services and Social Media organizations.

•  Password re-use is a significant problem – technical analysis of data breaches has shown that 76% of passwords are used across multiple sites.

Page 4: CIS14: Filling the “authentication goes here” Hole in Identity

Opportunity for Better Authentication is Upon Us

For Users: Painful to Use
•  25 Accounts
•  8 Logins / Day
•  6.5 Passwords

For Organizations: Difficult to Secure
•  $5.5M / Data Breach
•  $15M / PWD Reset
•  $60+ / Token

For the Ecosystem: Impossible to Scale
•  Fragmented
•  Inflexible
•  Slow to Adopt

Page 5: CIS14: Filling the “authentication goes here” Hole in Identity

Authentication is not a Continuum…

Chart: Security (Low to High) plotted against Usability (Low to High), with four quadrants labelled JUST EASY, “BETTER AUTHENTICATION”, JUST BAD and UNPLEASANT.

Page 6: CIS14: Filling the “authentication goes here” Hole in Identity

What is FIDO?

Page 7: CIS14: Filling the “authentication goes here” Hole in Identity

Common authentication plumbing

Diagram: Users, Devices, Cloud/Enterprise and Federation connected through common authentication plumbing.

WHAT IS NEEDED
•  Open Standard Plug-In Approach
•  Interoperable Ecosystem
•  Usable Authentication

Page 8: CIS14: Filling the “authentication goes here” Hole in Identity

FIDO – Unique Approach: Any Device. Any Application. Any Authenticator.

Standardized Protocols
•  Local authentication unlocks app specific key
•  Key used to authenticate to server

Page 9: CIS14: Filling the “authentication goes here” Hole in Identity

Improved security

Unique cryptographic secret created per user account + device + site

•  Protection against brute force attacks
•  Segmentation of risk
•  Protection against unintentional disclosure
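The mechanism described on slides 8 and 9 (local authentication releases a key that is unique to account + device + site, and that key signs the server's challenge), as an added Go example that is not part of the talk or of any FIDO Alliance code: the Authenticator, RelyingParty, Register, Authenticate and Verify names are assumptions, and a boolean stands in for the local user verification step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the device side: one private key per account+device+site. Keys never leave
// the device and are released only after local user verification, modelled by the userVerified flag.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// RelyingParty is the server side. It stores only public keys, so a breach of its
// database yields nothing that can be replayed here or reused at another site.
type RelyingParty struct{ Origin string; pubs map[string]*ecdsa.PublicKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(origin string) *RelyingParty { return &RelyingParty{Origin: origin, pubs: map[string]*ecdsa.PublicKey{}} }

// digest binds the server's random challenge to the origin it was issued for.
func digest(origin string, c []byte) []byte { d := sha256.Sum256(append([]byte(origin+"|"), c...)); return d[:] }

// Register mints a fresh P-256 key pair for this account at this site; the relying party gets only the public half.
func (a *Authenticator) Register(rp *RelyingParty, account string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[account+"@"+rp.Origin] = priv
	rp.pubs[account] = &priv.PublicKey
	return nil
}

// Authenticate signs the challenge with the key registered for account+origin, only after local user verification.
func (a *Authenticator) Authenticate(account, origin string, challenge []byte, userVerified bool) ([]byte, error) {
	priv, ok := a.keys[account+"@"+origin]
	if !ok || !userVerified {
		return nil, errors.New("no key for this account/site, or local authentication failed")
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(origin, challenge))
}

// Verify checks an assertion against the public key stored for the account.
func (rp *RelyingParty) Verify(account string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[account]
	return ok && ecdsa.VerifyASN1(pub, digest(rp.Origin, challenge), sig)
}
```

Registering the same account at two sites yields two unrelated keys, so an assertion minted for one site verifies nowhere else and a replayed assertion fails against a fresh challenge.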

Page 10: CIS14: Filling the “authentication goes here” Hole in Identity

FIDO’s Explosive growth

Timeline:
•  Feb 2013 – Public Launch – 6 Companies
•  May 2014 – Public Review Spec – 118 Companies
•  Next – Industry Standard

Page 11: CIS14: Filling the “authentication goes here” Hole in Identity

TODAY

Page 12: CIS14: Filling the “authentication goes here” Hole in Identity

Marrying FIDO to Identity

With thanks to Paul Madsen (whose slides I stole…)

Page 13: CIS14: Filling the “authentication goes here” Hole in Identity

Generic federation flow diagram

Copyright © 2014 Ping Identity Corp. All rights reserved.

Page 14: CIS14: Filling the “authentication goes here” Hole in Identity

Complementary

FIDO
•  Insulates authentication server from specific authenticators
•  Focused solely on primary authentication
•  Does not support attribute sharing
•  Can communicate details of authentication from device to server

Federation
•  Insulates application from specific identity providers
•  Does not address primary authentication
•  Does enable secondary authentication & attribute sharing
•  Can communicate details of authentication from IdP to SP

Page 15: CIS14: Filling the “authentication goes here” Hole in Identity

Chart: Assurance (Low to High) plotted against Frequency of login (Low to High), showing the status quo.

Page 16: CIS14: Filling the “authentication goes here” Hole in Identity

Chart: Assurance (Low to High) plotted against Frequency of login (Low to High), showing the status quo and federation.

SSO slide

No more ‘Password123’ bump

Page 17: CIS14: Filling the “authentication goes here” Hole in Identity

Chart: Assurance (Low to High) plotted against Frequency of login (Low to High), showing the status quo, federation and FIDO.

Continuum

Page 18: CIS14: Filling the “authentication goes here” Hole in Identity

FIDO implications

•  FIDO supports a range of assurance – determined by the specifics of the local authentication

•  Recall – “Unique cryptographic secret created per user account + device + site”

•  Implication is multiple registrations & authentications – which may be sub-optimal from the user’s PoV

Page 19: CIS14: Filling the “authentication goes here” Hole in Identity

Chart: Assurance (Low to High) plotted against Frequency of login (Low to High), showing the status quo, federation, FIDO, and FIDO + federation.

Page 20: CIS14: Filling the “authentication goes here” Hole in Identity

CALL TO ACTION

•  AUTHENTICATION IS A FUNDAMENTAL PROBLEM AND IT IS AN INDUSTRY PROBLEM

•  NO ONE COMPANY CAN FIX THIS PROBLEM

•  JOIN FIDO ALLIANCE – HELP FIX

•  OPPORTUNITY TO CREATE NEW SERVICES, NEW MARKETS, NEW INNOVATIONS, NEW BUSINESSES AND NEW REVENUE MODELS

•  TAKE THE LEADERSHIP, INCLUDE FIDO SUPPORT AT THE SOURCE ON YOUR DEVICES

•  FIDO READY COMMERCIAL PRODUCTS ARE AVAILABLE IN THE MARKET

•  MAKE THE CONNECTED WORLD SECURE, PRIVATE, FRAUD FREE, EASY TO USE AND STAY CONNECTED