Authentication Security
Things are never 100% secure, so focus on robust security. Focus on the scalable attacks first.
- Scalable attacks: the priority.
- Attacks that require physical action are not scalable.
FIDO Authentication
1. The service provider sends a challenge.
2. The authenticator requires a user gesture before the private key can be used.
3. The authenticator returns a (signed) response.
- The private key is dedicated to one app.
- The public key is stored at the service provider.
- FIDO MDS (Metadata Service): the service provider looks up the authenticator's characteristics.
FIDO since 2013: Simpler and stronger
Open standards for simpler, stronger authentication using public key cryptography.
Single gesture = possession-based, phishing-resistant authentication.
[Chart: security (weak to strong) against usability (poor to easy)]
The very positives
- Increase the security and usability of consumer MFA
- Offer phishing-resistant MFA via a single authenticator and a single gesture
- Provide a great alternative to traditional smart card deployments in high-risk environments
But challenges for scale
- Inconvenience of physical security keys
- Higher barrier to adoption for users who don't (want to) use two-factor authentication at all, and are stuck with passwords
- Platform authenticators are lost with the device
Lifecycle: Traditional FIDO

| Lifecycle stage | Traditional FIDO |
| --- | --- |
| Register 1st authenticator | Use non-FIDO, then register authenticator |
| Re-authenticate | Single gesture for MFA |
| Bootstrap new device (authenticator available) | Use non-FIDO or security key (+ register new) |
| Bootstrap new device (authenticator lost/stolen) | Use non-FIDO, then register authenticator |

No need to think about devices when using passwords. Strong device binding provides strong MFA.
We haven't solved the main problem, because our primary factor is passwords
- 81% of hacking-related breaches are caused by weak or stolen passwords (Ping Identity)
- 76% gave up on a purchase because they forgot their password (FIDO Alliance)
- 43% rise in direct financial loss from successful phishing attacks from 2022 to 2023 (Proofpoint)
- 64% either use weak passwords or repeat variations of passwords (Keeper)
Passwords are easily phished or socially engineered, and difficult to use and maintain.
Focus on fixing the foundation
What if we could replace the outdated legacy model of “password + something else” with a single factor that was much more secure – and easier to use?
If phishing is now the primary threat, a single phishing-resistant authenticator is more valuable (in most cases) than two factors which are both easily phished.
Enter: Synced passkeys
Passkey /ˈpasˌkē/, noun: A FIDO authentication credential that provides passwordless sign-ins to online services. A passkey may be synced across a secure cloud so that it's readily available on all of a user's devices, or it can be bound to a dedicated device such as a FIDO security key or a laptop.
A bit deeper on new(er) terminology
- A passkey is any passwordless FIDO credential.
- Raises the bar for both security and UX.
- Is most commonly synchronized across a user's devices – but doesn't have to be.
- A passkey provider might be the platform/OS vendor, or 3rd-party software such as a password manager.
- Facilitates new-device bootstrapping and simplifies account recovery.
- Security of synced passkeys is the responsibility of the passkey provider.
- Live passkey providers include Apple, Google, Dashlane and 1Password.
Lifecycle: Traditional FIDO vs. Synced Passkeys

| Lifecycle stage | Traditional FIDO | Synced passkeys |
| --- | --- | --- |
| Register 1st authenticator | Use non-FIDO, then register authenticator | Use non-FIDO, then create passkey |
| Re-authenticate | Single gesture for MFA | Use existing passkey |
| Bootstrap new device (authenticator available) | Use security key or FIDO-CDA (+ register new) | Use existing passkey provider |
| Bootstrap new device (authenticator lost/stolen) | Use non-FIDO, then register authenticator | Use existing passkey provider |

Complex device management and the user gesture are “outsourced” to the passkey provider – similar to password managers.
Same standards-based approach, new capabilities
1. The service provider sends a challenge.
2. The authenticator requires a user gesture before the private key can be used.
3. The authenticator returns a (signed) response.
- The private key is dedicated to one app.
- Some private keys can be securely stored in the cloud for synchronization across devices.
- The public key is stored at the service provider.
- FIDO MDS: look up authenticator characteristics, plus the passkey provider's name and icon.
[Figure: synced passkeys vs. device-bound passkeys, showing the device-bound key; a second copy of the slide carries the annotation "Current Initiative"]
Cross-device authentication (CDA)
Enables passkeys to be used to sign in to services not only on their own device, but on nearby devices, too. The private key isn't copied to the nearby device.
Image credit: Google
Stronger, More Usable – Now More Scalable
[Chart: security (weak to strong) against usability]
Some commonly needed clarifications
Q: Are passkeys a new specification or standard from the FIDO Alliance?
A: The same FIDO and WebAuthn standards are leveraged to deploy FIDO with passkeys for sign-in. The WebAuthn standard covers the browser API that manages passkeys.
Q: Are passkeys vendor-specific?
A: Vendors support passkeys, but passkey sign-ins are enabled by open standards.
Q: Are all passkeys synced?
A: Device-bound passkeys can be provided by FIDO security keys and are available on selected platforms.
Q: Can passkeys only be used to sign in on phones?
A: Passkeys can sync to, or be used via CDA on, other devices – phone to PC, to your TV, gaming console, etc.
Takeaways
Passkeys are…
- Phishing-resistant passwordless FIDO credentials
- Adding features that help with account recovery and reduce the need for password resets
- A superior alternative to passwords and legacy MFA, and a path towards passwordless
- Supported by all major platforms (OSes and web browsers)
- Already being used at scale!
Passkeys, FIDO Credentials and Keys

| Scope | Main credential vs. extension | Discoverability | Name | Example |
| --- | --- | --- | --- | --- |
| Freely exportable | Main credential | Discoverable | Passkey | 1Password/Dashlane etc. |
| Freely exportable | Main credential | Not discoverable | FIDO credential | Not seen (yet?) |
| Freely exportable | In SPK extension | Inherited from main credential | Not specified | n/a |
| Group scoped (provider or group of providers) | Main credential | Discoverable | Passkey | iCloud Keychain |
| Group scoped (provider or group of providers) | Main credential | Not discoverable | FIDO credential | Not seen (yet) |
| Group scoped (provider or group of providers) | In SPK extension | Inherited from main credential | Provider-scoped SPK | Not seen yet, but part of WebAuthn Level 3 |
| Device-bound | Main credential | Discoverable | Passkey | Windows Hello, security key |
| Device-bound | Main credential | Not discoverable | FIDO credential | Android, security key |
| Device-bound | In SPK extension | Inherited from main credential | Device-bound SPK | Not seen yet, but part of WebAuthn Level 3 |

SPK: supplemental public key, a WebAuthn Level 3 extension.