FIDO Standards
Providing a Foundation for Simpler, Stronger AAL2 Authentication in Health Care
Jeremy Grant, Venable LLP
©2019 LEAVITT PARTNERS 2
The Challenge: How to Deliver Authentication at AAL2?
All Rights Reserved | FIDO Alliance | Copyright 2019
1B+ Android Devices Have FIDO “Built In”
800M+ Windows Devices Have FIDO “Built In”
LEADING THE EFFORT
• CONSUMER ELECTRONICS
• SECURITY & BIOMETRICS
• HIGH-ASSURANCE SERVICES
FIDO Specifications
• FIDO UAF (@FIDO)
• FIDO U2F (@FIDO)
• FIDO2: CTAP (@FIDO) and WebAuthn (@W3C)
Experiences address an array of use cases
FIDO standards provide support for user-friendly, privacy-aware user experiences across platforms to meet varying requirements.
PASSWORDLESS EXPERIENCES (UAF & FIDO2)
• Biometric authn via mobile device
• Biometric authn via PC
• Biometric authn to PC via mobile device
SECOND FACTOR EXPERIENCES (U2F & FIDO2)
• External token to PC (USB, BLE)
• External token to mobile device (NFC/BLE)
• Embedded second factor on PC
NEW NIST guidance (SP 800-63-3)
NIST AUTHENTICATOR ASSURANCE LEVEL 1
NIST AUTHENTICATOR ASSURANCE LEVEL 3
NIST AUTHENTICATOR ASSURANCE LEVEL 2
• Easily compromised credentials
• Credentials stored in the cloud
• Example: passwords (“memorized secrets”)
• Public Key Cryptography – Credentials stored ON DEVICE
• Focus on Verifier Impersonation Resistance
“Authenticators that involve the manual entry of an authenticator output, such as out-of-band and OTP authenticators, SHALL NOT be considered verifier impersonation-resistant because the manual entry does not bind the authenticator output to the specific session being authenticated.”
• SMS OTPs now RESTRICTED
• Single and Multi-Factor Cryptographic Devices
One more item – IAL and new OMB memo
• Key question with Remote Identity Proofing at new account opening – how do you know if someone is who they claim to be?
• Government documents work in the in-person world – how to tackle online?
• KBA, other legacy tools have challenges
• New OMB Memo 19-17 – released May 21
• “Agencies that are authoritative sources for attributes (e.g., SSN) utilized in identity proofing events, as selected by OMB and permissible by law, shall establish privacy enhanced data validation APIs for public and private sector identity proofing services to consume, providing a mechanism to improve the assurance of digital identity verification transactions based on consumer consent. These selected agencies, in coordination with OMB, shall establish standard processes and terms of use for public and private sector identity proofing services that want to consume the APIs.”