New Trends in Mobile Authentication
7 likes•1,462 views
This document discusses new trends in mobile authentication. It suggests that smartphones and their built-in sensors can enable simpler and more secure authentication compared to passwords. Biometric authentication methods like fingerprint sensors, facial recognition, and voice recognition are discussed as easier and more secure alternatives to traditional passwords. The document also introduces the FIDO protocol as a way to standardize authentication across devices, applications, and services using public-key cryptography instead of reusable passwords.
New Trends in Mobile Authentication
- 1. 1 T FINGERPRINT SEC U FA BIOME TOKEN RBA ACTIVE FINGERPRINT SECURE ELEMENT NFC BIOMETRIC PIN RBA SILEFINGERPRINT ELEME NFFACE BIOMETRIC TOKENACTIVE SILE ELEMENT USB FACE PIN TOK RBA PASSIVE SILEN FINGERPRINT VOICEUSB BIOMETRIC TPM VOICE NFC FACE TPM FINGERPRINT NFC USB RBA ACTIV TP FINGERPRINT SECURE NFC FACE RBA PASSIVE SILENT TPM FINGERPRINT VOICE ELEMENT ACTIVE BIOMETRIC PIN PASSIVE SILENT TPM FINGERPRINT SECURE ELEMENT NFC PIN TOKEN PASSIVE FINGERPRINT VOICE SECURE E TOKEN R VOICE SECURE NFC TOKEN TPM PIN RBA FINGERPRINT SECURE NFC USB VOICE NFC PASSIVE USB TOKEN PASSIVE TPM SECURE ELE FACE BIOMETRIC ACTIVE SECURE USB ACTIVE TPM VOICE NFC USB FACE PIN RBA ACTIVE TPM SECURE ELEMENT PIN RBA SILENT USB PIN SILENT ELEMENT NFC FINGERPRINT USB TPM VOICE RBA PASSIVE ACTIVE TPM SECURE USB FACE ACTIVE VOICE PIN PASSIVE TPM FINGERPRINT RBA ACTIVE TPM ELEMENT ACTIVE SILENT TPM USB RBA SECURE BIOMETRIC PIN SILENT TPM VOICE USB PIN USB FACE BIOMETRIC NFC TOKEN RBA PIN RBA SILENT FACE RBA PASSIVE ACTIVE SILENT TPM FINGERPRINT RBA ACTIVE TPM TOKEN ACTIVE SILENT VOICE USB FACE PIN RBA ACTIVE SILENT RBA VOICE NFC USB ACTIVE TPM BIOMETRIC TOKENTPM FACE TOKEN PASSIVE PIN TPM TPM FACE TPM FACE PASSIVE SILENT BIOMETRIC SECURE PIN PASSIVE SILENT VOICE USB PIN TOKEN PASSIVE NFC BIOMETRIC RBA SILENT TPM SECURE VOICE USB USB FACE SILENT SECURE PIN SILENT ELEMENT USB FACE VOICE USB SECURE FACE PIN FINGERPRINT SILENT PIN BIOMETRIC TPM USB FACE ELEMENT TPM VOICE SILENT USB RBA SILENT TPM VOICE FACE PASSIVE PIN TOKEN ACTIVE USB PASSIVE USB FACE TPM PASSIVE SECURE USB TPM FACE PIN RBA NFC USB RBA ACTIVE NFC USB PIN NFC SILENT VOICE FACE PIN RBA PASSIVE NFC USB PIN TPM PASSIVE PIN USB TPM NFC USB FACE SILENT FINGERPRINT USB USB USB TPM FACE TPM USB PIN FACE USB FACE USB NFC FACE TPM PIN FACE FACE USB TPM NFC RBA USB PIN PIN TPM USB RBA RBA PIN USB USB USB USB NFC FACE PIN NFC VOICE USB USB USB TPM USB USB TPM FACE NFC RBA USB FACE PIN VOICE USB USB USB RBA TPM NFC USB TPM USB USB USB TPM FACE USB FACE USB TPM USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB USB New Trends in Mobile Authentication
- 2. INTRODUCTIONS 2 Sebastien Taveau Chief Technology Officer Validity Sensors, Inc @frogtwitt Jamie Cowper Senior Director, Business Development Nok Nok Labs, Inc @jcowper
- 3. THEPOWEROFAUTHENTICATION ① Bookonline ② Ridetorentalcenter ③ Waitinline ④ Handovercreditcard+Driver’s license ⑤ Sign forms ⑥ Driveaway ① Bookonline ② Walktonearbyparkinglot ③ Unlockcarwithmobileapp/ ZipCard ④ Driveaway 3 Total Time: 15-30 min Total Time: 2 min
- 5. LATESTNUMBERS 5 Source: IDC Worldwide Quarterly Smart Connected Device Tracker, September 11, 2013
- 7. A Shift in Authentication
- 8. New Paradigm
- 9. Opportunity for Better Authentication is Upon Us Are you ready? For Users For Organiza.ons Painful to Use • 25 Accounts • 8 Logins / Day • 6.5 Passwords Difficult to Secure • $5.5M / Data Breach • $15M / PWD Reset • $60+ / Token For the Ecosystem Impossible to Scale • Fragmented • Inflexible • Slow to Adopt
- 10. User Auth Online Do you want to login? Do you want to transfer $100 to Joe? Do you want to ship to a new address? Do you want to delete all of your emails? Do you want to share your dental record? Auth today: Ask user for a password (and perhaps a one time code)
- 12. Natural ID and User Options
- 13. Passwords Too many to remember, difficult to type, and not secure REUSED PHISHED KEYLOGGED
- 14. Password and PIN: harsh reality Source: XQCD
- 15. One Time Codes Improves security but not easy enough SMS USABILITY DEVICE USABILITY USER EXPERIENCE STILL PHISHABLE Coverage | Delay | Cost One per site | Fragile User confusion Known attacks today
- 16. Megatrend Simpler, Stronger Local Device Auth PERSONAL DEVICES LOCAL LOCKING NEW WAVE: CONVENIENT SECURITY Carry Personal Data Pins & Patterns today Simpler, Stronger local auth 2F
- 17. Strong Consent"
- 18. How does it work? "
- 19. How does it work? "
- 20. Enrollment and Matching" Reconstruct Image 01FE B93F 00F1 0A2B 001D 4752 648B 5563 5362 6A79 ... (292 bytes per scan line) Host Platform Raw Image Data Fingerprint Template Sensor Extract Minutiae M1={x1,y1,a1,z1) M2={x2,y2,a2,z2} ...
- 21. Where? "
- 22. NFC"
- 27. 27 EXPANSION (POST FEB) AuthenticatorsWeb Services Devices Implementers FOUNDERS
- 29. MORESECUREAUTHENTICATION 29 Unique Cryptographic Secrets Feature Security Benefit Unique key per user/device/site Segmentation of risk High-entropy asymmetric keys instead of passwords Protection against dictionary, brute force attacks Secrets not exposed to user Protection against phishing, key logging, shoulder surfing User Account Device Site
- 30. LEVERAGINGHARDWARESECURITY User Space Secure Hardware MFAC SDK UX Layer Input, Display Crypto Layer MFAC SDK UX Layer Input, Display Crypto Layer MFAC SDK Crypto Layer UX Layer Input, Display No Secure HW Secure Crypto + Storage Secure Execution Environment
- 31. DEVICESARERICHINAUTHENTICATION CAPABILITIES 31 Camera Fingerprint Sensor Microphone Secure Execution Secure Storage Location Motion, Heartbeat, etc. M7 Face Recognition Fingerprint Recognition Voice Recognition
- 32. COMPLEMENTARY DESIGNEDFORMODERNAUTHENTICATION 32 IMPLICIT AUTHENTICATION EXPLICIT AUTHENTICATION
- 34. MOBILE PAYMENTS TRANSACTIONCONFIRMATION 34 Setup Confirm Sent
- 35. 35 FIDO DOCUMENT TITLE
Editor's Notes
- #33: The protocol allows the authentication client to communicate with the server. It has 3 main functions: Discovery – Allows the servers to discovery what capabilities are present on the client device. Enables the use of existing device capabilities for authentication Provisioning -Allows users to self-register using authenticator(s) by the server. Keys are provisioned in this step. Authentication – Provides token-abstracted authentication using a challenge-response model based on OCRA (Oath Challenge-Response Algorithms)FIDO is designed to be extensible - Enables plugging-in of new authenticators, cryptographic, etcFollows a challenge response model based on OCRA It supports both symmetric and asymmetric key encryptionValidates authenticators present in client devices to verify their genuineness
- #35: MFAC’s design takes advantage of secure hardware when it is available on devicesDepending on device capabilities, more parts of MFAC can be “sunk into” secure hardware When no secure hardware is present, all software executes in userspaceSoftware techniques are used to protect cryptographic material and code Whitebox encryption Code obfuscation Signing of code When cyrptographic chips like TPMs and Secure Elements are present MFAC SDK and the UX Layer execute in userspaceCryptographic operations and key storage use secure hardware When full secure execute enviroments like Trustzone are availableMFAC SDK still executes in userspaceCryptographic operations and key storage use secure hardware UX Layer uses secure keyboards and secure display Fingerprint sensors and also securely hardwired This mode is provides the most security