A presentation on the FIDO authentication specification, as presented at a PIMN event on 23 January 2015 in The Hague (NL). Please note that there is no introduction to FIDO; this was given by speakers earlier in the program.
3. End-user perspective
Without FIDO
• Separate authenticators for every website/identity
• No choice between authenticators
• Rarely use the embedded authenticators of your mobile (e.g., fingerprint sensor)
With FIDO
• Select own authenticator at registration time
• Fewer passwords and/or more 2nd factors
4. Relying party perspective
Without FIDO
• Costs and user friction for non-password/2nd-factor authentication
• Vendor lock-in to authenticator
• Often use one-time-password-like 2nd factors (SMS, TOTP app, etc.)
With FIDO
• No biometric data on premise
• Flexibility & easy integration
• Allow wide range of authenticators
• No (?) branding on authenticators
5. BYOId vs BYOAuthn
FIDO is about BYOAuthn, not BYOId
[Diagram: BYOId spans (trusted ?) attributes, the verification/issuing process, authentication (the authentication means) and a level of assurance [STORK, ISO29115]]
BYOId – e.g. OpenID, eID Framework NL, SAML federations, trust frameworks etc.
6. FIDO vs social login
Social login is often associated with BYOId, but is more BYOAuthn in reality
FIDO may reduce usage of social logins
But not very popular in NL anyway …
7. FIDO vs eID Framework NL
FIDO can be used by authentication providers
Potentially easier to adopt new authentication means
NO impact on service providers (websites): they simply use SAML
8. FIDO vs OATH
OATH - Initiative for Open Authentication
TOTP is often used, e.g., Google Authenticator
Aimed at one-time passwords
9. FIDO a hype?
Gartner (17 Nov 2014): “beyond Samsung Galaxy S5-PayPal no significant implementations yet”
Kuppinger Cole (10 Dec 2014): from more skeptical to “the initiative is gaining more traction”
10. A perspective on FIDO
What it does offer
• For relying parties: flexibility, ease of integration, less vendor lock-in
• For users: re-use of authentication means aka BYOAuthn
• Easier to move to non-password
• No ‘spillover’ of hacks (anti-phishing, MITM, mutual authn)
What it doesn’t offer
• No attributes, no identity: no BYOId
• No cross device authentication (yet ? USB + NFC), re-registration needed
• No passwords, no one-time-passwords
• No context-based or continuous authentication
What remains to be seen
• Will it confuse people? One authenticator for many identities?
• Adoption is key: chicken-egg, especially browser and smartphone vendors
11. Takeaways
FIDO is about BYOAuthn, not BYOId
FIDO enables non-password, non-OTP authentication factors
As always, adoption is key, especially by browser and smartphone vendors
maarten.wegdam@innovalor.nl | +31 6 51993485 | @maartenwegdam | http://innovalor.nl | http://www.linkedin.com/in/wegdam