FIDO Munich Seminar: FIDO Tech Principles.pptx

© FIDO Alliance 2024
1 © FIDO Alliance 2024
1
FIDO Technical
Principles
Rolf Lindemann
Nok Nok

2
Authentication Security

3
Attacks require physical action → not scalable
Things are never 100% secure, so focus on robust security.
Focus on the scalable attacks first.
Scalable Attacks
Authentication Security

4
FIDO Authentication
User gesture
Require user gesture before
private key can be used
Authenticator
FIDO
Authentication
Private key dedicated
to one app
Public key stored at
service provider
FIDO
MDS
Lookup
authenticator
characteristics

5
Security
Usability
Poor Easy
Weak
Strong
=
Single Gesture
Possession-based
Phishing-resistant
Authentication
Open standards for simpler,
stronger authentication using
public key cryptography
FIDO since 2013: Simpler and stronger

6
2
1
3
Provide great alternative to traditional smart card deployments in high-risk
environments
Offer phishing-resistant MFA via a single authenticator and single gesture
Increase the security + usability of consumer MFA
The very positives …

7
2
1
3
Inconvenience of physical security keys
Higher barrier to adoption for users who don’t (want to) use two-factor
authentication at all, and are stuck with passwords
Platform authenticators are lost with the device
But challenges for scale

8
Lifecycle
Traditional FIDO
Register 1st Authenticator
Use non-FIDO, then
register authenticator
Re-Authenticate Single gesture for MFA
Bootstrap new device
Authenticator
lost/stolen
Authenticator
available
Use non-FIDO or
security key (+ reg. new)
Use non-FIDO, then
register authenticator No need to think
about devices when
using passwords
Strong device binding
provides strong MFA

9
We haven’t solved the main problem
Because our primary factor is passwords…
of hacking-related breaches
are caused by weak or stolen
passwords
(Ping Identity)
81%
76%
gave up on a purchase because they
forgot their password
(FIDO Alliance)
43%
rise in direct financial loss from
successful phishing attacks from
2022-2023
(Proofpoint)
either use weak passwords or repeat
variations of passwords
(Keeper)
64%
Easily phished or socially engineered, difficult to use and maintain

10
Focus on fixing the foundation
What if we could replace the outdated legacy model of
“password + something else” and could replace it with a single
factor that was much more secure – and easier to use?”
If phishing is now the primary threat - a single phishing-resistant
authenticator is more valuable (in most cases) than two factors
which are both easily phished.

11
Enter: Synced passkeys
Passkey
/’pas, kē/
noun
A FIDO Authentication credential that provides passwordless sign-ins
to online services.
A passkey may be synced across a secure cloud so that it’s readily
available on all of a user’s devices, or it can be bound to a dedicated
device such as a FIDO security key, or a laptop.

12
A bit deeper on new(er) terminology
A passkey is any passwordless FIDO credential
Raises the bar for both security and UX
Is most commonly synchronized across a user’s devices – but doesn’t have to be
A passkey provider might be provided by platform/OS vendor, or 3rd-
party software such as a password manager.
Facilitates new device bootstrapping and simplifies account recovery
Security of synced passkeys is the responsibility of the passkey provider
Live passkey providers include Apple, Google, Dashlane, 1Password

13
Lifecycle
Register 1st Authenticator
Bootstrap new device
Authenticator
lost/stolen
Re-Authenticate
Authenticator
available
Use non-FIDO, then
Use security key or
FIDO-CDA (+ reg. new)
Use non-FIDO, then
Single gesture for MFA
Traditional FIDO Synced Passkeys
Use existing passkey
provider
Use non-FIDO, then
create passkey
Use existing passkey
Complex device management
and user gesture “outsourced”
to passkey provider – similar to
password managers

14
Same standards-based approach, new capabilities
User gesture
Require user gesture before
private key can be used
Authenticator
FIDO
Authentication
Private key dedicated
to one app
Some private keys can be securely
stored in cloud for
synchronization across devices
Public key stored at
service provider
FIDO
MDS
Lookup
authenticator
characteristics
+ passkey provider
name & icon

15
Synced passkeys Device-bound passkeys
D
Z
Device-bound key

16
Synced passkeys Device-bound passkeys
D
Z
Device-bound key
Current Initiative

17
Cross-device authentication (CDA)
Enables passkeys to be
used to sign-not to
services not only on
their device, but on
nearby devices, too.
Private key isn’t copied
to nearby device.
Image Credit: Google

18
Stronger, More Usable – Now More Scalable
Security
Weak
Strong
Usability

19
Stronger, More Usable – Now More Scalable
Security
Weak
Strong
Usability

20
Some commonly needed clarifications
Are passkeys a new specification or standard from FIDO Alliance?
The same FIDO and WebAuthn standards are leveraged to deploy FIDO with passkeys for sign-in. The
WebAuthn standard covers the browser API that manages passkeys.
Are passkeys vendor-specific?
Vendors support passkeys, but the passkey sign-ins are enabled by open standards.
Are all passkeys synced?
Device-bound passkeys can be provided by FIDO security keys and are available on selected platforms.
Can passkeys only be used to sign-in on phones?
Passkeys can sync to or be used via CDA on other device – phone to PC, to your TV, gaming console, etc.

21
Takeaways
Passkeys are…
Phishing-resistant passwordless FIDO credentials
Add features to reduce with account recovery the need for password
resets
A superior alternative to passwords and legacy MFA, and a path
towards passwordless
Supported by all major platforms (OSes and web browsers)
Already being used at scale!

23
Questions?

24
Thank You

FIDO Munich Seminar: FIDO Tech Principles.pptx

Related slideshows

More Related Content

Similar to FIDO Munich Seminar: FIDO Tech Principles.pptx

Similar to FIDO Munich Seminar: FIDO Tech Principles.pptx (20)

More from FIDO Alliance

More from FIDO Alliance (20)

Recently uploaded

Recently uploaded (20)

FIDO Munich Seminar: FIDO Tech Principles.pptx