FIDO2: The Train is Leaving the Station

We're gonna talk about the main components at a very high level. The the, we're then gonna talk about the dislocation, that authentication that's happening to authentication as a result of 5 0 2, cuz it's important for us in our enterprise to write, realize that, whoops. And also then look at what sort of enterprise strategy can we put together. Okay? So for the bits that we, that are missing, come and buttonhole me afterwards, we're gonna talk about components. Then one thing that is quite obvious when it becomes to 5 0 2, might I suggest, is it you ignore it at your peril? Okay? 5 0 2 has a backing of virtually every major technology pop company. So 5 0 2 is going to be appearing in virtually all of their products and it gives us unprecedented opportunity in the authentication space. So that's all the way from the hardware software, and those that do both.
The main components are two things. The c a P protocol. So those of you, those of you who up on UTC and uaf, okay? C A two is now, has now incorporated the U two F protocols in it. And it's the sort of main authentication protocol for generic devices. Then there's web, web or web or is for web applications in order for you with your web applications to move to a, what should we say, express ORU authentication of users to your applications. So if your applications are mainly web-based, take a good look at web or, and what that can do for you because your users are going to find that low friction, okay? We all aware of in an enterprise, the friction associated with enrolling people in our authentication infrastructure. 5 0 2 can help us immensely at that point in time. And of course we've got access to the, the, like at the bottom there, we've got our usb, A lot of, a lot of fighter users use USB tokens. I shouldn't call them tokens. They're not USB storage devices, okay? And we're gonna come to Pasky a little in a minute near Nearfield communications. So in, in a lot of cases, we are now working between a, could be USB key, could be smart card even, and it, if it's got NFC to our PC or to our phone if we're using that, there's a lot we lot we can do there. Bluetooth, low energy, smart card, and of course windows. Hello for business.
Okay? What sort of, what, what I mean when I, I talk about authentication dislocation, well, basically the 5 0 2 s come from the consumer area, okay? It is optimized to make it easy for people to get rid of passwords. So as an enterprise, our questionnaires is that important for us. Do we want to provide low friction for our users to access our protected resources? Okay, so we're moving from a situation like for the consumer environment, called it self registration. I'll explain that a bit more in a minute. And it's reply relying party centric. So the relying party is actually going to make decisions about how they're going to register users via 5 0 2. Okay? The that c that means that we've gotta take our workforce mechanisms and fit them into that. We are used to having an I D P and we register people and we stick their information into a, in a, into a directory, and then we issue them some entitlements.
That all breaks down in 5 0 2. Caveat doesn't have to listen to Alan's stories. Well, we'll talk about that in the pa in the panel discussion. Okay, Alan. So you need to decide now how, if we're gonna take what Martin Kuppinger calls a shift left approach, where we start to build into our authentication capabilities within our enterprise. Those processes that allow us to move to a 5 0 2 approach, it gives us the opportunity. Don't have to, it gives us the opportunity to work to a bus, go to a business unit control. We can take, tell the business unit that application. You've got, you are gonna decide the policy on accessing users, accessing that policy, how they're gonna register to that. Okay? It's, it, it allows us to, yeah, what should we say? Distribute that authentication component. Now, some companies don't want that. They want their entitlement siloed to, to manage that.
You've gotta decide where you fit on that and there's options as to how much you want to, to actually embrace in terms of a strategy. There's three things. I this is time to wake up. There's three things to think that you need to think about. One is pasky. Pasky is the word that has being used now to refer to the key pair that is being used to AC within 5 0 2. So as you take an authenticator, it could be a USB device, it could be your smartphone. You've gotta decide, are you going to use PAs key? Allow PAs key technology. PAs key technology is being promoted by Apple. You can use your, your photo two keys on your, on your iPhone, on your Mac. So you had as an enterprise needed to decide you want that. Do you want to be able to share your keys between devices like that?
Next one is attestation. So one of the big issues that we, we have in using fighter within an enterprises, we lose some ability to manage the key pairs. You know, if we've got a smart card, we can register that to our user, put it in our idp. We know what the private key pop, well, we'll HSM for the private keys, we've got public keys that we can distribute the, within Fido, we lose that capability. So you need to look at how are you gonna manage that and credentialing systems can, can assist in that space to a degree. Sorry, we're gonna move so fast, but they only gave me 15 minutes. The, the next issue is your smartphone. I don't think that anybody would argue with the fact that our smartphones are becoming a ubiquitous device. Okay? Everything's now happening on our smartphone. Everybody has them.
The question you have as an enterprise is how are you going to use them? Are you going to use users? Let users decide that. Are you gonna say, well, it's okay, this is a low assurance requirement. We'll let anybody use their smartphone as as an authenticator and they'll put their keys and their keys will be generated on the smartphone. Or are you gonna say no, we're gonna have some, have some control on that. So they'll have to adhere to the B Y O D, bring your own device strategy within the organization, which will be, Hey, we're gonna register this within our MDM and we're going to make sure we have a, a containers that we we manage, we have control over. Or are we gonna say, no, this is high assurance. We're going to only use the, the devices that are actually given by the corporation.
Obviously you've then got a lot, lot more control on what you're actually going to require for those devices. Okay, so the, those are the three things. Let's just go back over them. Pasky technology, are you going to allow that to be used within your organization? Attestation technology? Are you going to require that? Okay, so the, the attestation allows us to explicitly say for this USB device, it has all of the requirements. I need to protect the key pair, the fighter key pair that I'm generating on it, right? We've got our, our, those, the specifications that I put in place as a company as to how I want to generate that. Does it have to be a protected hardware device? Well, you can have that u sb key actually give that information back to you. You can verify that in a policy before you create the, the keys on it. And, and lastly, are you going to use smartphones? So you're gonna have to get the intelligent people within a, in a room around a whiteboard and figure that out, please, as part of your move to 5 0 2. Don't just let it happen. I think I got there. Okay. It's, it's time now to make that decision. Are we gonna be moving in that direction or not? I've got a a time for a couple of questions. Okay. What, as a presenter, you know, questions are very useful. They allow you to know have you've connected or not, right? So what questions do we have?
We might even have some online. Let me just have a look. Ah, 5 0 2 is taking over authentication, but how do we use digital signing with Fido Solutions? Thank you. Okay, good question. So basically what we're, what we're enabling with 5 0 2 is both encryption and digital signing. We can handle both of those. So what'll happen is if we are using digital signing, we will use the Fido FI 5 0 2 private key to sign the document. Then the person, the recipient then will be able to use up publicly to verify that that's been signed. Okay. Any other questions? That's it for the minute. Okay. We have one here.
So extending on what you just said about assigning within e IDAs and all that, there's this concept of qualified signatures. And I, I see here, if you use, you know, device keys, then you're much less vulnerable to your mass attacks at least. And your keys can't be compromised still. It seems that all the regulation and the Etsy standards are very tuned into FIPs level, blah, blah, blah. And really you have to buy expensive boxes sitting in a mountain somewhere. Is that true or do you think that we can actually leverage what you just described to do qualified signatures?
Oh, great, good. Thanks. The answer, the quick answer is yes, of course you can. The more difficult answer is you've gotta decide where, what your requirements are. If you are a regulated, in a regulated industry that needs FIPs compliance, you're gonna have to make sure that you provide that within the, your Fido two. So this brings up a good point. We, you've got the capability within, within Fido to select a wide variety of authenticator devices. So Yuki's probably the biggest supplier. So go to u yuki's website and look at all of the ones you can provide. They, they can provide you the, it's everything from a basic one that'll do for lower low assurance requirements all the way through to FIPs level requirement. You've gotta decide what that is, what you, what you want. And if it's FIPs level requirement, then you're gonna have to use a testation to verify that the the USB device they've plugged in to get the key payers generated fits your requirements. Okay. And again, I'll say that's where a credential management system can possibly help. Okay. Other questions? Yes? Sorry.
You just said you can use the feeder 12 keys to sign specific documents, but the key that you generate, it's not basically a Porsche key from Porsche, but we have got like a peak eye infrastructure rate. The keys we use to sign documents are issued down the iki. So we can invalidate with intermediates that that one is signed by someone with a valid Porsche certificate, but we can't control the actual certificate on the field tri key. So how do you check the authenticity of that person? It could be a, it's like a self-signed certificate's generating.
Yeah, you're quite right. And this is why if you are using a credential management system, those can assist in actually making sure that that registration of that, sorry, when that user is generates their key pair that, you know, that's happened. You lose the granularity you have in the PKI environment in terms of having a certificate there. And I can go to the, the, the CRL and, and revoke it and you lose some of that management capabilities. But what you get with 5 0 2 is the ease of use and the, the, the lower friction that people will find. I mean, we've all, a lot of them I've experienced the difficulty of getting a smart card issued within a corporate environment. Okay. And Fido removes that because you can do it on most PCs. Yeah.
Yeah.
So can all Fido tokens be used for digital signing and how does what you see is what you sign fit into that? Because obviously with the UBI key, you can't see what you sign on the device.
Okay. I, the, the quick answer is no, you can't generally use it, but you can use FIPs to environment for, for digital signing. Okay. So, and you might be in a situation where you'll have different key pairs for different things and on a single authenticator as you can with a SmartGuard, you can have multiple key pairs on that. Okay. So you would have, that would, would be specific to the particular requirements and I guess we'd need to look at that. But happy to have a chat afterwards.