
NEW FIDO SPECIFICATIONS OVERVIEW

- STRONG WEB AUTHENTICATION -


Anthony J Nadalin
Chief Security Architect, Microsoft
FIDO2.0 TWG Co-Chair
12/8/2016
All Rights Reserved. FIDO Alliance. Copyright 2016

FIDO for platforms in ubiquitous environments



What is missing in FIDO today...

• Universal distribution of the FIDO technology
• Ideally
  • Every major platform delivers the FIDO API and technology
  • Web platforms, OS Platforms



How will platform support help?

• Accelerate mass FIDO adoption
• For RPs
  • It’s available on all devices, so there is an incentive to adopt
  • A PC may have an embedded authenticator (TPM)
• For the authenticator vendors
  • RPs are adopting, so all devices want authenticators
• Think way back to TCP/IP
  • It took off when Win95/MacOS integrated it
  • Compatible browsers appeared on all platforms



So what is FIDO doing NOW?

• Crafting standards which in future will come built in on all platforms.
• The web platform is special, and the future API needs to be standardized in W3C, hence the FIDO liaison with W3C.
• The Web API is the first one we standardize, and we use it to drive the other platform (native) specific APIs.



Goals
Support for Major Platforms (Browsers, OSs)

[Diagram: Web Authentication Clients/Authenticators and Web Authentication Server]
Browsers: Chrome, IE/Edge, Firefox, Safari, etc.
OSs: Windows, Android, MacOS, iOS, etc.
Specifications

Web Platform API specs: abstract API calls (in/out) and messages
• Web API
• Key Attestation Format
• Signature Format
These are submitted to W3C, the international standards organization for the World Wide Web.

Client to Authenticator Protocol: communication between client and external authenticator
• CTAP (Client to Authenticator Protocol)

*API: Application Programming Interface


Overview

[Diagram: User Device and Server]
User Device: the RP App runs on the OS/Browser (FIDO Client) and uses the W3C Web API. The FIDO Client reaches an Authenticator through the OS Platform API, or an external Authenticator through the Client to Authenticator Protocol.
Server: RP Server with FIDO Server.
Formats: Signature, Key Attestation.
*RP: Relying Party
Web API for Accessing FIDO 2.0 Technology
Specifies an API that enables web pages to access FIDO 2.0 compliant strong cryptographic technology through JavaScript.

[Diagram: Browser, Server, Authenticator, User]
(1) Service request from the browser to the server
(2) Authentication request from the server
(3) JavaScript calls the credential API: request for a cryptographic operation to the authenticator
(4) User gesture allows the cryptographic operations
(5) Response with cryptographic proof to the server
The authenticator holds the Scoped Credential (private key): the information required for authentication, used instead of a password.
Use Case for Web API (1)
Registration of authenticator

[Diagram: Browser, Server, Authenticator (holds the private key), User]
(1) Service request from the browser to the server
(2) Registration request from the server
(3) JavaScript calls the credential API: request for Scoped Credential creation
(4) Scoped Credential creation on the authenticator
    User gesture: “Do you want to register this device (authenticator) with server?” - authorizes creating a key pair
(5) Response with Scoped Credential information (public key, attestation, client data (with signature), etc.)
Use Case for Web API (2)
Authentication using registered authenticator

[Diagram: Browser, Server (holds the public key), Authenticator (holds the private key), User]
(1) Service request from the browser to the server
(2) Authentication request from the server
(3) JavaScript calls the credential API: request for authentication
(4) Credential discovery on the authenticator
    User gesture: “Do you want to authenticate using this device (authenticator)?” - authorizes using an existing credential
(5) Response with assertion (signed challenge + other data)
Browser Responsibilities
• Compose messages for operations
• Provide origin and RP IDs
• Compute client data hashes
• Process extensions
• Provide UI for authenticators that lack the ability
• Error handling / housekeeping



Authenticator Responsibilities
• Perform operations
• Obtain user gesture if needed: consent button, password, PIN, a
biometric...
• Process extensions
• e.g. show and sign message for transaction auth
• Provide Attestation(s)



API Details
• makeCredential: key generation with attestation
• used to register new keypair with RP

• getAssertion: authentication
• mixes in state like facet id, token-binding id
• also: key discovery (for “typeless” authentication)



Key Attestation Format
• Defines generic data structures that cover the semantics of the various FIDO authenticator attestation formats.
• The authenticator asserts the trust of a private key that it maintains.
• Provides profiles such as TPM, Android, etc.


Signature Format
• Proves possession of a private key of a FIDO 2.0 credential and
asserts contextual information about the client and
authenticator that generated it.
• Client data allows other information to be bound to signature



High Level Operations

[Two diagram slides; the figures are not recoverable from the text.]


Web Authentication API Example

if (!window.webauthnAPI) { /* Verify platform is capable. Handle error if not. */ }
var userAccountInformation = {
  rpDisplayName: "Acme",
  displayName: "John P. Smith",
  name: "johnpsmith@example.com",
  id: "1098237235409872",
  imageURL: "https://pics.acme.com/00/p/aBjjjpqPb.png"
};
// Accept either an ES256 or an RS256 credential; ES256 is listed first and so preferred.
var cryptoParams = [
  { type: "ScopedCred", algorithm: "ES256" },
  { type: "ScopedCred", algorithm: "RS256" }
];
var challenge = "Y2xpbWIgYSBtb3VudGFpbg"; // challenge supplied by the RP server
var timeoutSeconds = 300;                 // 5 minutes
var blacklist = [];                       // No blacklist
var extensions = {};                      // No extensions
// Note: The following call will cause the authenticator to display UI.
window.webauthnAPI.makeCredential(userAccountInformation, cryptoParams, challenge,
                                  timeoutSeconds, blacklist, extensions)
  .then(function (newCredentialInfo) {
    // Send new credential info to server for verification and registration.
  }).catch(function (err) {
    // No acceptable authenticator or user refused consent. Handle appropriately.
  });


Browser Operations

[Diagram slide; the figure is not recoverable from the text.]

Authenticator Operations

[Two diagram slides; the figures are not recoverable from the text.]


CTAP (Client to Authenticator Protocol)
• Describes an application layer protocol for communication between an external authenticator and another client/platform.
• Can be run over a variety of transport protocols using different physical media.

[Diagram: User device (browser) and External Authenticator]
The browser on the user device makes JavaScript calls for a credential; (3) the request for a cryptographic operation goes over a transport binding for USB/BLE/NFC to an external authenticator, located outside of the user device, which holds the private key; (4) credential creation/discovery takes place on the external authenticator with the user.
Use Case for CTAP
Example) Authentication for an application on PC using a smartphone

[Diagram: PC (Client) performs FIDO Authentication with the Server, which holds the public key; the PC talks over BLE to a Smartphone (external authenticator), which holds the private key and is operated by the User.]
The user can choose an external authenticator that is used to authenticate himself for applications running on his multiple clients across devices.
Current Timeline
• W3C Web Authentication Specification
  • Candidate Recommendation 1Q2017
• FIDO Client to Authenticator Protocol
  • Implementation draft 1Q2017


Summary
• FIDO authentication
  • Authenticators are pluggable, using public key cryptography.
  • FIDO 1.X deployments have enabled the FIDO ecosystem in the market.
• FIDO 2.0: for platforms (Web Platform and OS Platforms) natively supporting FIDO
  • Web Platform APIs: submitted to W3C
  • CTAP enables client authentication using an external authenticator.

FIDO continues to expand its ecosystem to support authentication in ubiquitous computing with FIDO 2.0.


Specification References
• W3C Web Authentication Specification Latest Draft
  http://www.w3.org/TR/2016/WD-webauthn-20160902/
• FIDO Client to Authenticator Protocol
  https://fidoalliance.org/specs/fido-v2.0-rd-20161004/fido-client-to-authenticator-protocol-v2.0-rd-20161004.pdf


Thank you for your attention!



Acknowledgement
• Thanks to FIDO Alliance members, especially FIDO 2.0 Technology Working Group members.
• Thanks to W3C for the collaboration.
• Thanks to Dr. Gomi and his presentation for the FIDO Tokyo Seminar 2015.

