Fast IDentity Online – a new industry alliance formed to develop technical standards that enable Internet Services to use Simpler Stronger Auth solutions.

Presentation transcript:

Fast IDentity Online – a new industry alliance formed to develop technical standards that enable Internet Services to use Simpler Stronger Auth solutions © 2014 FIDO Alliance

Who… What… Why… Repeat that we are growing the Alliance now, if you represent any of these constituencies please join!

Slide deck includes members from all parts of the value chain: authenticator vendors, device OEMs, OS vendors, authentication players and relying parties. Strong motivation for multiple players to support FIDO; for example, Microsoft’s customers are increasingly having to deal with non-Windows devices.

142+ & growing…


To Change Authentication Online by: (a) Developing unencumbered Specifications that define interoperable mechanisms that supplant reliance on passwords; (b) Operating programs to help ensure industry adoption; (c) Submitting mature Specifications for formal standardization. Emphasize this is the User eXperience; acknowledge that most of us do much more on the backend with risk-based techniques, but the UX is password/OTP.

FIDO Alliance’s Role… “Paper” Specifications; Interoperability and Conformance testing; Trademark licensing against criteria; Thought leadership, nurture ecosystem. The Alliance does not ship products! Implementations left to commercial vendors.

Identity & Authentication Building Blocks: E-Gov, Payments, Security, Personalization; Single Sign-On, Modern Authentication, Federation, Passwords, Risk-Based Authentication, User Management, Physical-to-digital identity. Strong Identity services will be a key control point in the modern computing ecosystem. Whether it’s Over-the-Top players like Google, Facebook and PayPal, or Device-OEMs like Apple, Samsung, and Lenovo, or communication providers like Telefonica, Vodafone, Verizon and other MNOs who are in this room, everyone is beginning to understand that Identity & Authentication are the “Ignition Keys” for their business. We’re going to zoom into a pivotal part of the identity problem: Authentication. ©NOK NOK LABS – Used by Permission

Why Authentication is Cybersecurity Priority #1: “Poor authentication mechanisms are a commonly exploited vector of attack by adversaries; the 2013 Data Breach Investigations Report (conducted by Verizon in concert with the U.S. Department of Homeland Security) noted that 76% of 2012 network intrusions exploited weak or stolen credentials.” -- NIST Roadmap for Improving Critical Infrastructure Cybersecurity, 12-Feb-2014. The Internet Services need Simpler, Stronger authentication online; the devices are coming with Simpler, Stronger local auth innovations; why not put them together (which will require open, interoperable wire protocols that can be implemented by any device and any online service)? That’s what FIDO is!

Today’s Passwords: REUSED, PHISHED, KEYLOGGED. We all know the inherent problems with passwords…

Today’s Password Alternatives: One Time Codes with SMS or Device. SMS USABILITY: Coverage | Delay | Cost. DEVICE USABILITY: One per site | $$ | Fragile. USER EXPERIENCE: Users find it hard. STILL PHISHABLE: Known attacks today. In spite of the recent trend to bolt-on optional OTP solutions (aka “2-step verification”) from Google, Twitter, etc., this is a temporary fix that only makes the UX worse: it improves security but is not easy enough.

Major Industry Trend: PERSONAL DEVICES (carry personal data), LOCAL LOCKING (PINs & patterns today), NEW WAVE: CONVENIENT SECURITY (Simpler, Stronger local authentication). With so many people carrying mobile devices full of personal information, they are locking their devices, now with PIN & Gesture, but even more convenient and stronger solutions are on the horizon: finger scan, keychain devices, voice, facial recognition, etc., with an underpinning of silicon-based security.

Putting It Together. The problem: Simpler, Stronger online auth. The trend: Simpler, Stronger local device auth. Why not: Use local device auth for online auth? This is the core idea behind FIDO standards!

FIDO Experiences. PASSWORDLESS EXPERIENCE (UAF standards): Online auth request → Local device auth → Success; Transaction detail, show a biometric, done. SECOND FACTOR EXPERIENCE (U2F standards): Login & password, insert dongle, press button, done.

We are enabling two fundamental use cases/user experiences: Passwordless with UAF (requires native device support), and PW+token with U2F (FIDO-enable any device with an innovative “driverless PKI” keychain-type device). FIDO provides two user experiences to address a wide range of use cases and deployment scenarios. FIDO protocols are based on public key cryptography and are strongly resistant to phishing.

Passwordless UX: The passwordless FIDO experience is supported by the Universal Authentication Framework (UAF) protocol. In this experience, the user registers their device to the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc. The UAF protocol allows the service to select which mechanisms are presented to the user. Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. UAF also allows experiences that combine multiple authentication mechanisms, such as fingerprint + PIN.

Second Factor UX: The second factor FIDO experience is supported by the Universal Second Factor (U2F) protocol. This experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login. The user logs in with a username and password as before. The service can also prompt the user to present a second factor device at any time it chooses. The strong second factor allows the service to simplify its passwords (e.g. a 4-digit PIN) without compromising security. During registration and authentication, the user presents the second factor by simply pressing a button on a USB device or tapping over NFC. The user can use their FIDO U2F device across all online services that support the protocol, leveraging built-in support in web browsers.

State of Market Adoption Repeat that we are growing the Alliance now, if you represent any of these constituencies please join!

Version 1.0 is in Public Review

13+ products have participated in and satisfied the requirements of our testing program and are conferred the right to use the FIDO Ready™ mark.

OEMs SHIPPING FIDO-READY™ PRODUCTS: New and existing devices are supported. OEM Enabled: Lenovo ThinkPads with Fingerprint Sensors. OEM Enabled: Samsung Galaxy S5. On the authenticator side, we are working with dozens of authenticator manufacturers; here are three that we have publicly demonstrated. Clients available for these operating systems: Software Authenticator Examples: Voice/Face recognition, PIN, QR Code, etc. Aftermarket Hardware Authenticator Examples: USB fingerprint scanner, MicroSD Secure Element.

First FIDO Deployment already live… Customers can use their finger to pay with PayPal from their new Samsung Galaxy S5 because the FIDO Ready™ software on the device securely communicates between the fingerprint sensor on their device and PayPal’s service in the cloud. The only information the device shares with PayPal is a unique cryptographic “public key” that allows PayPal to verify the identity of the customer without having to store any biometric information on PayPal’s servers.

From July 2014… Alipay – formerly a part of Alibaba Group in China Processed $519 Billion in transactions in 2013 Launched FIDO-based payments using Galaxy S5

How it works Repeat that we are growing the Alliance now, if you represent any of these constituencies please join!

FIDO Registration (using public key cryptography): 1. REGISTRATION BEGINS → 2. USER APPROVAL → 3. NEW KEY CREATED → 4. KEY REGISTERED → REGISTRATION COMPLETE.

FIDO Login (using public key cryptography): 1. LOGIN CHALLENGE → 2. USER APPROVAL → 3. KEY SELECTED → 4. LOGIN RESPONSE → LOGIN COMPLETE.

Decouple User Verification Method from Authentication Protocol. PLUGGABLE LOCAL AUTH: USER APPROVAL (step 2). ONLINE SECURITY PROTOCOL: LOGIN CHALLENGE (1), KEY SELECTED (3), LOGIN RESPONSE (4), LOGIN COMPLETE. Leverage public key cryptography.

No 3rd Party in the Protocol

No secrets on Server side

Key Benefit for Service Providers

FIDO’s Focus on User Privacy: Biometric data (if used) never leaves the device; no link-ability between Services; no link-ability between Accounts.
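As an added example (not FIDO Alliance code, and a simplification of the UAF/U2F wire formats), the registration and login steps from the slides above, with the three properties the deck relies on: a fresh key pair per service, only public keys held by the relying party, and the challenge signed together with the origin the client is talking to. The names Authenticator, RelyingParty and the origin-binding format are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator keeps one key pair per relying-party origin (no link-ability between services).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// RelyingParty stores only public keys, so a leaked database holds nothing replayable.
type RelyingParty struct{ Origin string; pubs map[string]*ecdsa.PublicKey }

func NewAuthenticator() *Authenticator { return &Authenticator{map[string]*ecdsa.PrivateKey{}} }
func NewRP(origin string) *RelyingParty { return &RelyingParty{origin, map[string]*ecdsa.PublicKey{}} }

// Register runs the four registration steps once the user has approved locally.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	a.keys[rp.Origin] = k        // new key created; the private half never leaves the device
	rp.pubs[user] = &k.PublicKey // key registered: only the public half goes to the service
}

// toBeSigned binds the challenge to the origin the client is talking to, so a
// challenge relayed through a look-alike site is signed for the wrong origin.
func toBeSigned(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Challenge is login step 1: a fresh random nonce from the service.
func (rp *RelyingParty) Challenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Sign is login steps 2-3: after user approval, select this origin's key and sign.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	k, ok := a.keys[origin]
	if !ok { return nil } // no key for this origin: nothing to sign
	sig, err := ecdsa.SignASN1(rand.Reader, k, toBeSigned(origin, challenge))
	if err != nil { panic(err) }
	return sig
}

// Verify is login step 4: check the response against the registered public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ecdsa.VerifyASN1(pub, toBeSigned(rp.Origin, challenge), sig)
}
```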

Call to Action: FIDO is ready for use. Get involved: launch a Proof-of-Concept & Pilot. Get involved: Adapt your strategy & roadmap to include FIDO. Join the Alliance – we are non-profit & volunteer. Contact Brett McDowell – brett@fidoalliance.org. Come to the plenary, meet and mingle, speak with the pioneers, select your partners.

THANK YOU Repeat that we are growing the Alliance now, if you represent any of these constituencies please join!