
Date post: 24-Dec-2015
Page 1: Steve Kirsch Founder & CTO stk@oneid.com Meet your new digital identity.


Page 2: Security today

• Endpoints: unrealistic
• Users care about convenience
• Data: straightforward
• AuthN/Z: hard and important

Page 3: Identity remains badly broken; nobody has solved it

• Inconvenient: 100’s of usernames/passwords
• Insecure: Today’s security paradigms are fundamentally flawed, leading to never-ending breaches and forced password changes
• Will get worse as EMV rolls out
• Unsustainable

[Chart: # of pwd, # of breaches]

[Image: My 300+ usernames and passwords]

Page 4: Two largest causes of never-ending security breaches

1. Use of shared secrets (for >50 years):
• Passwords
• Credit card numbers, CVV
• OTP including RSA SecurID
• Voltage Identity Based Encryption (IBE)
• KBA
• Misc: “Safety images”/Passmark, biometrics

2. Centralized storage of shared secrets creates centralized risk

Page 5: Number of consumer websites allowing login w/o a shared secret

0

We are still nowhere 30 years after the invention of public key crypto!

Page 6: User authentication: Today

Shared secrets

[Diagram labels: Steve; Enterprise Apps; External Websites; Desktop, Mobile Apps; Offline (QR or NFC ID)]

I have >300 different usernames and passwords! This is unsustainable.

Page 7: Digital identity done right: no shared secrets

[Diagram labels: Steve; URU; Websites; Enterprise Apps; Desktop, Mobile Apps; Offline (QR or NFC ID)]

• Convince your device
• Your device digitally asserts your ID to everyone else using PK (with your express approval)

Page 8: DEMO

Page 9: OneID Login Signature Flow

[Diagram: numbered steps 1 to 6, with Signature A, Signature B and Signature C]

• Website verifies signatures
• After verification, user is logged in

Page 10: Pairing technology

End-to-end secure transfer of crypto secrets between devices

Page 11: End-to-end secure credit card transactions w/o PCI risk

[Diagram labels: User; OneID payment gateway; Issuer (OneID compatible)]

“INVOICE: Pay JC Penney $32.42”

“INVOICE: Pay JC Penney $32.42” Using “Steve’s Personal VISA card” --a438ef3103439afe20…

Send signed invoice to participating Issuer as credit or debit; else verify signature, look up card and send “old fashioned way” as credit card

Verifies signature against public keys of user
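
The signed-invoice flow on this slide, sketched as an added example (not OneID's code): the user's device signs the invoice together with the chosen card label, and the gateway verifies against the public key on file before routing. Ed25519, the field names, the `keysOnFile` registry, the issuer names, the routing strings and the nonce-based replay check are assumptions; the slide specifies no algorithm or message format.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: a throwaway key pair stands in for the user's device key.
const device = crypto.generateKeyPairSync('ed25519');
// The gateway holds only public keys (hypothetical registry keyed by user id).
const keysOnFile = new Map([['steve', device.publicKey]]);
// Hypothetical set of issuers that accept signed invoices directly.
const participatingIssuers = new Set(['issuer-a']);

// A fixed field order gives signer and verifier exactly the same bytes.
function canonical(inv) {
  return Buffer.from(JSON.stringify(
    [inv.user, inv.payee, inv.amount, inv.currency, inv.card, inv.nonce]));
}

// User side: runs on the device after the user approves the invoice.
function signInvoice(invoice, privateKey) {
  const sig = crypto.sign(null, canonical(invoice), privateKey);
  return { invoice, sig: sig.toString('base64') };
}

// Gateway side: verify first, then route as the slide describes.
function routeInvoice(signed, issuer, seenNonces) {
  const pub = keysOnFile.get(signed.invoice.user);
  if (!pub) return 'rejected: unknown user';
  const sig = Buffer.from(signed.sig, 'base64');
  if (!crypto.verify(null, canonical(signed.invoice), pub, sig)) {
    return 'rejected: bad signature';
  }
  // Assumption: a per-invoice nonce stops a captured signed invoice being replayed.
  if (seenNonces.has(signed.invoice.nonce)) return 'rejected: replay';
  seenNonces.add(signed.invoice.nonce);
  return participatingIssuers.has(issuer)
    ? 'forward signed invoice to issuer'
    : 'look up card, send as ordinary card transaction';
}

function demo() {
  const seen = new Set();
  const base = { user: 'steve', payee: 'JC Penney', amount: '32.42',
    currency: 'USD', card: "Steve's Personal VISA card" };
  const signed = signInvoice({ ...base, nonce: crypto.randomUUID() }, device.privateKey);
  const second = signInvoice({ ...base, nonce: crypto.randomUUID() }, device.privateKey);
  const tampered = { invoice: { ...signed.invoice, amount: '3242.00' }, sig: signed.sig };
  return {
    participating: routeInvoice(signed, 'issuer-a', seen),
    replayed: routeInvoice(signed, 'issuer-a', seen),
    tampered: routeInvoice(tampered, 'issuer-a', new Set()),
    legacy: routeInvoice(second, 'issuer-b', seen),
  };
}
console.log(demo());
```

The gateway never holds a card number or any other secret that would let it mint a valid invoice; an altered amount fails verification because the signature covers every field.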

Page 12: Benefits

Consumers

• Reduce user frustration
  • Eliminate need for uname/password
  • No more lost pwd
  • Eliminate manual form fill, CAPTCHA
• Increase security
  • Can even use public terminals w/o risk
  • Attacks (phish, malware, MITM, …) and identity theft difficult
  • Credit card number isn’t given out
• Increase privacy
  • RP can’t see repo and vice-versa
  • No PII on user device
• Put user in control
  • Identity can’t be asserted w/o user participation

Merchants

• Higher sales
  • Since easy to login and register w/o typing
• Better security
  • Public keys on file aren’t a security risk
  • AuthN/Z no longer relies on shared secrets
• Lower costs
  • Reduce lost password support costs
• Reduced PCI liability
  • No need to handle credit cards
• Reduced charge backs
  • Burden is on the consumer

Page 13: Integrated touch points

OneID allows a unified customer experience across multiple touch points:

• On-line
• In-store
• Mobile
• Over the phone

Page 14: Mobile app authN/Z

Log into OneID app => all other apps logged in

Page 15: OneID in-store

• Tap to Identify
• Confirm on Phone

[Phone screen: Pay Starbucks $9.45?]

Page 16: Over the phone authN/Z

1. Punch in 3 digit number on phone
2. Confirm on mobile

[Screen text: “Confirm your identity”; “OR”]

Page 17: In-person AuthN

• Tap static NFC tag at hotel check-in desk
• Confirm on mobile

[Phone screens: “OK to release contact info?”; “Confirm your identity”]

Page 18: Mobile pay

• “Identify” to merchant, e.g., tap phone to static NFC tag at register
• Confirm on phone

[Phone screen: OK to pay? $15.24]

Page 19: OneID capabilities

• Authentication
• Filling out forms
• Secure credit card transactions
• Authorization
• Information sharing including updates
• Proving digital claims (age>x, student, …)
• Repository of non-forgeable “digital proof” (software RTU, music licenses, physical good receipts, proof of purchase)

[Diagram labels: On-line; In-person; Over the phone]

Page 20: Key features

• Easy to use
• Convenient
• Secure against most all attacks: physical, phishing, malware
• Private
• User-centric/User in control
• No shared secrets with cloud repository
• Portable
• “Have it your way” security vs. convenience: Device, Site, Transaction (+type). Max {user,RP}

Page 21: Two-Factor Auth: More secure & convenient than SecurID

Insecure
• In-band (vulnerable to MITM)
• Vulnerable shared secret
• Can’t see what you are approving

Inconvenient
• Another device to carry
• Hard to use
• Wastes time
• Everyone hates them
• Terrible GUI/UX

vs

OneID mobile phone app

[Phone screen: Outgoing Wire Transfer; Recipient: Sasha Orloff; Amount: $5,000 USD; Bank: CitiBank]

“Blank check”

Page 22: OneID is unique

• Username: OPTIONAL
• Password: OPTIONAL

Even if I do not define a password, you cannot break into my account.

It has to be that way since we know passwords are too easily divulged through social engineering, phishing, key logging, and guessing.

Page 23: Very difficult to attack

[Table columns: AD, CD, Dev1, Dev2, Pwd, PIN, Total. Rows below give the x marks and the Total for each attack.]

• Phish: x x, Total 2
• Malware: x x x, Total 3
• Physical (one device): x x, Total 2
• Physical (all devices): x x x x, Total 4

Need 6 secrets to win

Page 24: $1M if you can log in as me!

I’ll even give you my username, password, and PIN to make it easier

Page 25: About OneID

• Founded: May 2011
• 18 employees
• CEO: Alex Doll, former COO PGP
• San Jose, CA and Austin, TX
• $7M in funding

Page 26:

“I believe OneID will be one of the most significant platforms to be built in the next 10 years”

Jonathan Heiliger, former VP Operations, Facebook

Page 27: Simple & Secure Digital Identity

