FIDO for the Enterprise - Challenges & Rewards

Okay, thanks. Thanks very much guys for coming. That is really, really good that you're here to help us understand all of this. Let's quickly go over what do you see the main benefit or benefits of 5 0 2? Can we start with you Alan?

Yeah, So my background is high assurance customers and it's, it's fishing resistant. Most of our customers have deployed PKI on Smart CARSs and they're now being pushed to deploy that everywhere and down the supply chain and PKIs just too hard to do that. So it's primarily the security, it's fi ticking that fishing resistant box. Okay.

Andreas, where would you say is the main benefit or benefits for Fido Fishing resistance? Obviously this is why we actually want to do it, but it comes with another benefit. It's an open standard, it's nothing proprietary and we have some kind of guiding principle in our company. We want to own identities, the credentials and the authentication, which means we have to sell, host these, this stuff and this is possible with Fido. So beforehand we had like if you have an active directory, their passwords can be on-prem, but then the MFA is somewhere in the cloud.

And once you go to Passwordless Signin for instance with the authenticator, suddenly it's only the cloud. It's against our principles and with Fido we can take it back, we can hold it on-prem or at least self host it in a cloud native environment. And we can use it not only for one IDP but for all IDPs that we have in the company. And that makes it very neat because the registered credentials, the biometry or PIN can not only be used for, for one IDP but for everything that you have within your company. Okay. Neither of you have mentioned lower friction for users.

Is that, is that an important point? It is.

So for, so for some of our customers today using PKI and smart cards, that's already phishing resistant and it's already quite low friction once they've actually got the device deployed. So they put a card in, they put a pin in, they're in.

However, that's hard to roll out across all of the devices in the organization. So to pick an example, we have a telco who has back office with pki. They happen to deploy UB keys, they put them in their laptop, they're log in, the PKI simple, take that device out to the storefront and suddenly they're taking an iPad off the shelf and they're using that to log into cloud applications. You simply can't do that with a smart card. So that brings that frictionless experience. Cuz in that, in that world they can put the F credential onto the UBI key.

They can use the same one to log onto the corporate applications in the back office, in the store. They can simply use the CTAP functionality built into Fido to hold their UBI key onto their iPad and then they can log onto the application.

So yes, the frictionless is important when you need to extend it to a wide range of users and devices. Understood. How about Pasky technology?

Pasky, as we've talked, talked about is the ability to move our key pairs between devices. Alan, in a high assurance environment, would you allow that? It wouldn't be me not allowing it, it would be the CSO of the organization and the simple answer is no. There's a slightly longer answer with an extra word in front, but I won't go into that.

So if, if you think about past keys, where they came from, it's basically password turned into a pass key. I can share my password with other people, I can sync it in my key chain account between my iPhone and my iPad. And that's really convenient for me. And if you're coming from a world of passwords and you want to get better, then pass keys is more secure. It's shareable but it's fishing resistant. But if you're coming from the very high assurance world where you have to make sure you cannot share that credential with anybody else, which you can with the PAs key, then absolutely not.

So it's like most of these, it's a question of how secure do you want to be? Okay, what about enterprise requirements? Can Fido accommodate all of our enterprise requirements like beyond web or with our other authentications?

Okay, let's start Andrews. What, what do you think can, can, can all of our enterprise requirements be satisfied via Fido two? We believe, We believe it right now. Maybe I love what you just said and it's it's place in in hand probably. So we have the same approach.

We, we don't want past keys but we say it's at the beginning the most important part to have a fishing resistant environment and then we have to take care of this part where we say only security keys or something else has to be been used in a, in a second step. And yeah, this works for us and this also plays into this direction right now we believe that it opens up a door that allows us to do to any solution that we need to implement at the moment. If that works out, we don't know, but it's a very good way it keeps the door open with an open standard. Yeah. Okay.

Alan does it does, does it basically happen depend then upon your level of assurance requirement or let me ask a question. Can we satisfy all enterprise requirements via 5 0 2? All is a very big word. Most yes. So 5 0 2 is is an authentication technology.

Yes, it happens to come from the consumer world so as slightly different characteristics but just like a password or a one-time password, Fido or pki, they are all authentication technologies and you can fit them into your identity and access management infrastructure. Yes. Okay. Let's open up to the floor questions. I'd just like to continue on what you just discussed.

For me, fighter two is definitely an authentication solution because we had the, the well the issue a few weeks a few months ago that we had to implement multifactor authentication in a hell of a lot of applications within a very short period of time worldwide. We were sending like pika ICO smart cards through the whole world. We actually had a few students, they were working for us for two weeks.

I'm now big bit of marketing for Porsche they were working at for two weeks and they were put into a brand new TA drove all the way to Hamburg because we had to deliver those two smart cards within 12 hours. Otherwise our services were not being administered anymore. But fighter two for me is only an authentication solution. The PKI solution also brings the signature certificates and the encryption certificates. But if the use the most of the use cases are authentic, well all of the use cases have got authentication only some use cases have got encryption and limited have got signature.

So for me it's enterprise ready for authentication. My question is there anything in the future planned to make Fido two also possible for encryption or maybe even for signatures? So I don't think fighter two lends itself very well to signatures because of the fact there's nothing binding the public key to the identity. With pki you have the certificate, I could digitally sign something, I could send it to you. You could verify that anywhere the system that issued it could be unplugged, you could verify that.

But the fact that the, the issuing authority has to verify the public key and the fact that there's nothing that inherently binds it to the identity, I don't think it lends itself very well. You're talking about qualified certificates earlier. I think the most likely scenario is those are still going to be in a centralized protected environment, otherwise you're not gonna get the IDAs qualification standard there from the trust service provider.

But I can see fpla a good spot into actually authenticating you into that central environment cuz that's one of the weak points potentially there at the moment. Technologies will change. I personally agree with you. I think Fido is a very strong authentication protocol but I don't think it lends itself to other uses particularly. How about you Andre? Are you using Fido two keys for for anything beyond authentication? No we don't. So other questions?

Yeah, you mentioned that five two can be used for the project based application like web and all that. Currently we are using a smart card as an all in one card concept for physical access printing as well as for the logical access. How you see the five two can also play a role in something on on meeting those requirements as well that fiscal access as well as for printing. Okay. So there are initiatives to start looking at asymmetric case based key access to doors primarily P K I at the moment, not quite Fido yet, most of our customers are looking at hybrid authentication.

So I'm looking for a single device that can deal with physical access, logical access, PKI and Fido. So that's where most of our customers are looking at the moment as opposed to trying to fien enable everything physical access in particular they're looking at using the existing protocols. We can pros whatever that may be for that sort of access, but try and combine it onto a single device. Okay. Even for like if you've got an FFC enabled USB key, you could potentially use that for your physical access system but Generally not because the protocols aren't there to support it yet.

So most of those are prox based. There are a few P K I at the door enabled systems out there, but most of them are still using Prox technology, contactless technology, so not quite the same as NFC and not quite accessing the Fido key. They don't really understand the protocols And the most important part is we can use Fido for what it's meant for for authentication right now and you can roll it out. You don't have to do much. I mean you can use the devices that the user currently has like laptop or a phone.

You just need to change something in your backend and then you can make use of it and make yourself Fido fishing resistant with Fido, when you talk about doors for instance, it is installed. You have, I don't know how many sites, whatever production sites you would've to exchange everything to talk about this is something nice for the for the future but it's, it's existing already. So I don't think that this is a solution for the problem right now. It could be probably potentially in the future, but that's not the goal of what we want to achieve with it.

For us it's the digital identity that we want to protect and the physical world has good solutions and maybe it can be adapted to, but it's currently not the focus as at least for us in in our company To that currently frictions is not getting as much because already they had holding the smart card and then again they have to hold one security key. No, you can use a smart card that is fighter two enable it can have NFC and then you can use it, change it, you have to change it.

But as I said for the authentication part, you can use the laptop so they can continue to use their card for the sign in at the door and they can sign in into web applications with their laptop or smartphone without a key or anything else. It's the device and news that authenticates the sign in with biometrics that are stored on it that you registered beforehand.

So if you want to go look into the into the future and have a vision of using Fido for for doors for instance, then you can look into this direction and exchange over time the carts that you use for your doors or badges for your sites and enable it with 5 0 2. But I think this is a longer journey because it requires you to change physical stuff that the people carry with them. That's what I think. Yeah. Thank You. Super.

Okay, questions? Any other questions?

Okay, can we, should we let him have another question? Yeah. Okay. It's gonna be a quick one.

Oh, I forgot the question To do with physical access. Can I answer it? Totally forgot the question, sorry. That's Okay.

Okay, no worries. Yeah, so I think it's a good point that we are on a journey that there's capabilities right now that can be deployed right here and now and you get a lot of benefit from it when it becomes to other things like so for your your physical access requirement, you're gonna have to go to the vendor who made that boxes on the wall and say what do you do in terms of NSC from a USB device quick before you forget.

Now remember the nice thing about Fido two is you basically secure, you make it fishing resistant between me, the user and the system, there's no way of really fishing or in the middle, there's nothing possible. But that's gonna move the shifter of the attackers to actually hijacking the sessions because they now know they can't get in before the authentication. They have to now try and get in afterwards to capture the sessions.

And I think a new possibility for the attackers might be to get into the server side of the feeder authentication because all they now need to do is just switch to public use in the database and they've got authentication of that other person. Is that something that you looked at with your implementation as well? I honestly didn't get the attack vector or a use case that you just described.

So we, we use an appliance, it's an open source appliance, it's hardened and it's pen tested and you cannot fish the authentication session and whatever happens between the, the I D P and the application that is independent of the authentication part is something, it's a different topic, right? You've got your identity connected to it publicly that was registered. If I take my public key that was registered to my identity and I put my public key next to your identity, then I can use MyFi two key to In our server. Yeah. So you want to get in our server. Well good luck. You can try.

That's A tough question because I have seen an implementation that actually add, not just insert and delete but also replace, So you were talking about an attack to an an appliance and obviously there are always problems. You can say the same for, I don't know, active directory if you use it and and stuff like that. But we are now in a different topic.

You can, you can isolate it completely differently. The active direct directory for example is on-prem and in your network and it has to be reached by all your devices. In this case it's a server that is secured and it's an appliance and it has different security measures that you can make use of. And I agree there is a theoretical chance that this happens, but that's the case for every IT server or I don't know, PKI even that you're using. Yeah. If if anybody's at that point on your network, you are already in trouble. Yeah.

So the, the the, the main attacks has been said a few times around here, 80% due to weak credentials. This is what that's really all about. There's no such thing as a hundred percent secure. This makes you significantly more secure. I think it's as important too to mention that with attestation, we, the, the phyto can ensure that that, that that key air has been created on approved hardware that or or software. Cuz the phones are getting pretty good but it got all of the requirements we we need.

Then also hearing now post quantum, you know, that we're having the ability to stop the, the, the quantum attacks that might go with the trying to break key pairs and get into key pairs and things like that. So lots of capabilities I guess for the, for the good black hats maybe we do, we do have vulnerability. Other questions? Yes.

So just one wonder if you see some step up or multifactor authentication in the space of PAs, like if you are doing pasky between multiple device or you are doing it on the local device or if you are doing like hardware smart card or something like that, it's more secure than other solution of fighter. So that's like Is your question that we are using step-up authentication in general? Yes.

If so, like if there is like a point to to consider different type of fido more secure. Okay, so this is the part I think that you both talked about.

Fora, I guess it's about the attestation and if you ask him, he will say it has to be an attestation for some kind of PKI or security key or whatever. And this is for compliance reason, it's more secure for the company that we are working for. We said we want to have fishing resistance at the beginning and it doesn't really matter if it's a paske or even a virtual authenticator, which you could use theoretically, but it is still fishing resistant. But then comes the trouble that we were talking about earlier and this is something that we as a company have to, to address in the next step.

It's a journey. I don't think you will find anything on the market where you say this is something we apply and it, it's, it's perfect from the beginning. You have to get used to it. You have to use, get the users used to it and the, as we talked about it at the beginning, you have to start an onboarding process for the existing workforce and for new, for new users they have to adopt to what is out there. And once they have done this in whatever way, you can start limiting their options.

But if you start with a limited option at the beginning, at least in, in a company like we have it, then it will not be used. It's the part that you talked about at the beginning, how do you make users to switch? If it's a very secure environment and it is needed, like in your case they will have to do it. You have regulations that you know, push it into the environment. But if you have a company that wants to develop that says it's a science and technology company, they need freedom to, to get something done. You cannot start with, you cannot do anything anymore.

You have to use this one device and it is very limited and then they are like, no, we don't use it. So I think this is something that you have to think about. How do you want to introduce Fido as an authentication standard within your company and what kind of power can you apply in order to make a user register an authenticator?

Yeah, I agree. So Fider will certainly, if you're using passwords or otp, fider will certainly make you more secure. How secure you need to be and do you need to comply with any specific regulations is a slightly different question. Okays.