DOCSLIB.ORG

FIDO White Paper SCA Delegation to Merchants Or Wallet

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
FIDO White Paper SCA Delegation to Merchants Or Wallet FIDO Alliance White Paper: FIDO for SCA Delegation to Merchants or Wallet Providers March 2021 Editors: Jonathan Grossar, Mastercard Alain Martin, Thales Melanie Maier, Entersekt Bernard Joly, OneSpan Felix Magedanz, Hanko Arshad Noor, StrongKey © 2021 FIDO Alliance. All rights reserved. FIDO for SCA Delegation to Merchants or Wallet Providers Abstract The authentication of consumers during remote transactions has undeniable benefits in terms of security and approval rates but raises concerns of transactions being abandoned by consumers, as those consumers are not always able to authenticate properly to their banks. Merchants and wallet providers have an existing relationship with consumers, and there is an opportunity to leverage authentication mechanisms established during that relationship to authenticate to remote transactions as a delegation of the bank’s authentication. This white paper reviews the different authentication mechanisms that can be used by merchants or wallet providers in the context of Strong Customer Authentication (SCA) Delegation and explains why FIDO is best positioned to meet the requirements from regulatory authorities, banks, merchants, or wallet providers. FIDO is an industry standard designed to authenticate consumers with a high level of security and privacy but with minimal friction, and the implementation of FIDO standards is scalable across multiple consumer devices and platforms, making FIDO the recommended solution for SCA Delegation. Audience This paper is intended for: • Merchants, Payment Service Providers, and wallet providers interested in implementing a FIDO solution to authenticate consumers as a delegation of a bank’s authentication. • Banks interested in understanding the benefits of FIDO in SCA Delegation, including how the implementation of FIDO meets their requirements. • Authentication solution providers interested in providing FIDO solutions to merchants or wallet providers. © 2021 FIDO Alliance. All rights reserved. Page 2 FIDO for SCA Delegation to Merchants or Wallet Providers Contents 1. Introduction .................................................................................................................................................................................5 Why SCA Delegation? ............................................................................................................................................................................... 5 Scope ............................................................................................................................................................................................................... 6 2. Assumptions ................................................................................................................................................................................6 Types of Transactions Considered ..................................................................................................................................................... 6 Participants .................................................................................................................................................................................................. 6 3. Prerequisites for SCA Delegation .........................................................................................................................................7 Regulatory Requirements (PSD2 Markets) .................................................................................................................................... 7 3.1.1 Contractual Agreement...................................................................................................................................................................... 8 3.1.2 Security Level ........................................................................................................................................................................................ 8 3.1.3 Documentation and Testing ............................................................................................................................................................ 8 3.1.4 Dynamic Linking ................................................................................................................................................................................... 8 What is important for banks ................................................................................................................................................................. 8 3.2.1 Trust Models .......................................................................................................................................................................................... 9 3.2.2 Evidence provided to banks ............................................................................................................................................................ 9 3.2.3 Protocols to share evidence ............................................................................................................................................................. 9 What is important for merchants or wallet providers ............................................................................................................. 10 4. SCA Delegation Solutions ..................................................................................................................................................... 10 FIDO Solutions (two-factor) ................................................................................................................................................................ 10 Non-FIDO Authentication Solutions ................................................................................................................................................ 12 4.2.1 Non-FIDO Device Biometrics Solutions (one- or two-factor) .......................................................................................... 12 4.2.2 SMS OTP (one-factor) ....................................................................................................................................................................... 12 4.2.3 Passwords (one-factor) ................................................................................................................................................................... 13 4.2.4 Behavioral Biometrics (one-factor) ............................................................................................................................................ 13 5. Why FIDO for SCA Delegation? ........................................................................................................................................... 14 Enhanced User Experience .................................................................................................................................................................. 14 Compliance with PSD2 .......................................................................................................................................................................... 14 Full Interoperability with a Standard-based Solution ............................................................................................................. 14 Security ........................................................................................................................................................................................................ 15 © 2021 FIDO Alliance. All rights reserved. Page 3 FIDO for SCA Delegation to Merchants or Wallet Providers Designed with Privacy in Mind .......................................................................................................................................................... 15 Deployment/scalability ........................................................................................................................................................................ 15 6. How to Implement FIDO in a Compliant Way ............................................................................................................... 16 Integration of FIDO Components ...................................................................................................................................................... 16 Initial Registration Process ................................................................................................................................................................. 16 6.2.1 Identification and Verification (ID&V) ...................................................................................................................................... 17 6.2.2 FIDO Authenticator Registration ................................................................................................................................................. 17 6.2.3 FIDO Authenticator Binding .......................................................................................................................................................... 17 Checkout Process ..................................................................................................................................................................................... 17 6.3.1 FIDO Credential Identification ...................................................................................................................................................... 17 6.3.2 Consumer Authentication
Load more

Recommended publications
  • Court of Appeal
    Sibiga c. Fido Solutions inc. 2016 QCCA 1299 COURT OF APPEAL CANADA PROVINCE OF QUEBEC REGISTRY OF MONTREAL No: 500-09-024648-149 (500-06-000636-130) DATE: AUGUST 10, 2016 2016 QCCA 1299 (CanLII) CORAM: THE HONOURABLE FRANCE THIBAULT, J.A. NICHOLAS KASIRER, J.A. GUY GAGNON, J.A. INGA SIBIGA APPELLANT – petitioner v. FIDO SOLUTIONS INC. ROGERS COMMUNICATIONS PARTNERSHIP BELL MOBILITY INC. TELUS COMMUNICATIONS COMPANY RESPONDENTS – respondents JUDGMENT [1] On appeal from a judgment of the Superior Court, District of Montreal (the Honourable Mr Justice Michel Yergeau), dated July 2, 2014, that dismissed the appellant's motion for authorization to institute class action proceedings. [2] For the reasons of Kasirer, J.A., with which Thibault and Gagnon, JJ.A. agree, THE COURT: [3] ALLOWS the appeal and SETS ASIDE the judgment of the Superior Court; 500-09-024648-149 PAGE: 2 [4] GRANTS the appellant's motion seeking authorization to institute the class action; [5] ASCRIBES to Inga Sibiga the status of representative for the purpose of exercising the class action on behalf of the following class: All consumers residing in Quebec who were charged international mobile data roaming fees by the respondents at a rate higher than $5.00 per megabyte after January 8, 2010. Tous les consommateurs qui résident au Québec et à qui les intimés ont chargé 2016 QCCA 1299 (CanLII) des frais d'itinérance pour les données à un taux excédant 5,00 $ par mégaoctet après le 8 janvier 2010. [6] IDENTIFIES the following as the principal questions of fact and of law
    [Show full text]
  • 2005 Annual Retail Chain Survey - Partial List of Retail Chain Stores
    2005 Annual Retail Chain Survey - Partial List of Retail Chain Stores 010 New Car Dealers 441110 New Car Dealers LEGAL NAME COMPLEXE DE L'AUTO PARK AVENUE INC. DON VALLEY NORTH AUTOMATIVE INC. HICKMAN MOTORS LIMITED JIM PATTISON INDUSTRIES LTD JOHN SCOTTI AUTOMOTIVE LIMITEE LOUNSBURY COMPANY LIMITED MERCEDES-BENZ CANADA INC OPENROAD AUTO GROUP LIMITED THE DICK IRWIN GROUP LTD THE ROYAL GARAGE LIMITED 020 Used and Recreational Motor Vehicle and Parts Dealers 441120 Used Car Dealers LEGAL NAME GARAGE DUROCHER ET FILS INC 441210 Recreational Vehicle Dealers LEGAL NAME WOODY PAYLOR ENTERPRISES LTD 441220 Motorcycle, Boat and Other Motor Vehicle Dealers LEGAL NAME ARBUTUS R V & MARINE SALES LTD ATLANTIC ELECTRONICS LIMITED 441310 Automotive Parts and Accessories Stores LEGAL NAME 3600106 MANITOBA INC 944746 ONTARIO INC ACTION FIBERGLASS & MANUFACTURING LTD ACTION VAN & TRUCK WORLD LTD AUTOTEMP INC CANUSA AUTOMOTIVE WAREHOUSING INC CARQUEST CANADA LTD KEYSTONE INDUSTRIE DE L'AUTOMOBILE QC INC PERFORMANCE IMPROVEMENTS SPEED SHOPS LIMITED THE TRUCK OUTFITTERS INC TRI-WEST AUTO PARTS (2003) LTD UAP INC UNIVERSAL AUTO & INDUSTRIAL SUPPLY INC Page 1 441320 Tire Dealers LEGAL NAME ANDY'S TIRE SHOP LIMITED BRIDGESTONE/FIRESTONE CANADA INC CENTRE DE L'AUTO PRESIDENT INC. CITY TIRE & AUTO CENTRE LTD COAST TIRE & AUTO SERVICE (2002) LTD DENRAY TIRE LTD ED'S TIRE SERVICE (1993) LTD FOUNTAIN TIRE LTD. FRISBY TIRE CO (1974) LIMITED K K PENNER & SONS LTD KAL TIRE PARTNERSHIP THE TIRE PEOPLE INC TIRECRAFT COMMERCIAL (ONT.) INC. WAYNE'S TIRE WAREHOUSE LTD 030 Furniture stores 442110 Furniture Stores LEGAL NAME 1342205 ONTARIO LIMITED 355381 ALBERTA LTD 390996 ONTARIO LIMITED 813975 ONTARIO INC ADDMORE OFFICE FURNITURE INC ARROW FURNITURE LTD AU MONDE DU MATELAS INC.
    [Show full text]
  • ROGERS COMMUNICATIONS INC. ANNUAL INFORMATION FORM (For
    ROGERS COMMUNICATIONS INC. ANNUAL INFORMATION FORM (for the fiscal year ended December 31, 2007) March 4, 2008 ROGERS COMMUNICATIONS INC. ANNUAL INFORMATION FORM INDEX The following is an index of the Annual Information Form of Rogers Communications Inc. (“RCI”) referencing the requirements of Form 51-102F2 of the Canadian Securities Administrators. Certain parts of this Annual Information Form are contained in RCI’s Management’s Discussion and Analysis for the fiscal year ended December 31, 2007, and RCI’s 2007 Annual Audited Consolidated Financial Statements, each of which is filed on SEDAR at www.sedar.com and incorporated herein by reference as noted below. Page reference / incorporated by reference from Annual Information 2007 Form MD&A Item 1 — Cover Page p. 1 Item 2 — Index p. 2 Item 3 — Corporate Structure 3.1 — Name and Incorporation p. 3 3.2 — Intercorporate Relationships pgs. 3-5 Item 4 — General Development of the Business 4.1 — Three Year History pgs. 6-10 4.2 — Significant Acquisitions p. 10 Item 5 — Narrative Description of the Business 5.1 — General — Business Overview p. 11 p. 2 — Rogers Wireless pgs. 10-12 — Rogers Cable pgs. 16-19 — Rogers Media pgs. 25-26 — Employees p. 9 — Properties, Trademarks, Environmental and Other Matters pgs. 10-11 5.2 — Risk Factors p. 11 Item 6 — Dividends 6.1 — Dividends p. 12 Item 7 — Description of Capital Structure 7.1 — General Description of Capital Structure p. 12 7.2 — Constraints pgs. 12-13 7.3 — Ratings pgs. 13-14 Item 8 — Market for Securities 8.1 — Trading Price and Volume p.
    [Show full text]
  • Résidant Au Personne Morale Légalement Constituée, Ayant Sa
    CANADA COUR SUPÉRIEURE (Chambre des actions collectives) PROVINCE DE QUÉBEC DISTRICT DE MONTRÉAL CHRISTOPHER ZAKEM, domicilié et résidant au No. : 500-06- Demandeur C. ROGERS COMMUNICATIONS CANADA INC., personne morale légalement constituée, ayant sa principale place d'affaires au Québec, au 800 rue De La Gauchetière ouest, bureau 4000, Montréal (Québec) H5A 1K3; Défenderesse DEMANDE POUR AUTORISATION D'EXERCER UNE ACTION COLLECTIVE ET POUR ÊTRE REPRÉSENTANT À L'UN DES HONORABLES JUGES DE LA COUR SUPÉRIEURE, SIÉGEANT EN CHAMBRE DES ACTIONS COLLECTIVES, DANS ET POUR LE DISTRICT JUDICIAIRE DE MONTRÉAL, LE DEMANDEUR EXPOSE RESPECTUEUSEMENT CE QUI SUIT : 1. INTRODUCTION 1. Le demandeur Christopher Zakem (le « Demandeur ») s'adresse à la Cour dans le but d'obtenir l'autorisation d'exercer une action collective pour et au nom des membres du Groupe ci-après défini contre la défenderesse Rogers Communications Canada Inc. relativement à l'application d'un taux d'intérêt annuel de 42,58% sur les soldes acquittés après la date d'échéance de facturation à ses clients; 2. La défenderesse Rogers Communications Canada Inc. fait, entre autres, affaires sous les noms Câble Rogers, Rogers Cable, Câble TV Rogers, Rogers Cable TV, Chatr Saris-fil®, Chatr Wireless®, Chatr®, -2- Communications Câble Rogers, Rogers Cable Communications, Communications Futureway, Futureway Communications, Fido Sans-fil, Fido Wireless, Fido®, Groupe de compagnies Rogers, Rogers Group of companies, Internet Fido, Fido Internet, Internet Rogers, Rogers Internet, lnterréseautage
    [Show full text]
  • Unpleasant Secure & Easy Just Bad Just Easy
    Overview of the FIDO Alliance Overview of the FIDO Alliance: For the overwhelming majority of organizations, user-ID and password authentication has proven to be the path of least resistance in terms of initial deployment. Countless experiences over the last decade have taught organizations that login credentials are not particularly secure. For consumers, it’s not easy either, considering that it’s virtually impossible for each of us to remember the numerous passwords we’re now required to use in our daily lives. According to Microsoft, the average internet user with 25 accounts, performs 8 logins using 6.5 passwords daily. Organizations cannot adequately secure password and PIN authentication and their risk and costs are mounting at $5.5M per data breach, $15M yearly in password resets, and $60 per token replacement. Information Security professionals tend to believe that authentication is a continuum – it could be described as easy to use, if insecure at one end, and hard to use, but secure at the other. You simply pick your level of security and then dial up the corresponding level of pain that you will inflict on your users. The FIDO Alliance believes that authentication can best be represented by a quadrant chart with ease of use on one axis and security on the other. The top right quadrant represents solutions that are simultaneously more secure and easier to use. Authentication is not a Continuum High Unpleasant Secure & Easy Security Just Bad Just Easy Low Low High Usability Today, it’s estimated that there are more than 100 proprietary authentication vendors, a number that historically has increased at a rate of about a dozen a year for the last several years.
    [Show full text]
  • Functional Certification Program Policy January 2019
    Functional Certification Program Policy January 2019 Version 1.3.7 FIDO Functional Certification Program Policy Table of Contents 1 Introduction0B 10 1.1 Audience11B 10 2 Overall1B Functional Certification Policies 11 2.1 FIDO12B First Implementer 11 2.2 Universal Server 12 2.3 Specification13B Version Retirement (Sunset Dates for Specifications) 12 2.4 PolicyB Version Retirement (Sunset Dates for Policy) 13 2.4.1 Functional39B Certification Policy Sunset Dates 13 3 Functional2B Certification Process Overview 15 4 Conformance3B Self-Validation 17 4.1 FIDO15B Test Tools 17 4.1.1 Test40B Tool Maintenance 18 4.2 Reference16B Implementations 18 4.2.1 FIDO2 Reference Implementations 19 5 Interoperability4B Testing 20 5.1 Informal17B (Non-Certification) Testing 21 5.2 Interoperability18B Testing Events 21 5.2.1 Remote41B Interoperability Testing 22 5.2.2 Event42B Logistics 22 5.2.3 Event43B Registration 22 5.2.3.1 Confidential Certification 23 5.2.4 Pre44B -Interop Event Testing 23 5.2.5 Re45B -Testing 23 5.2.6 Interoperability46B Testing Event Criteria 24 5.3 On19B Demand Testing 25 5.3.1 New47B Technology 26 5.3.2 Reference48B Implementation Library 26 5.3.2.1 Donating Implementations 26 5.3.2.2 Reference Implementation Library Management 27 5.3.3 49B On Demand Testing Options 27 ©2018 | FIDO Alliance – All Rights Reserved. Page | 2 FIDO Functional Certification Program Policy 5.3.3.1 Virtual 28 5.3.3.2 Shipped 28 5.3.3.3 In-Person 29 5.3.4 50B Registration 30 5.3.4.1 Book a Testing Slot 30 5.3.5 51B Pre-Testing 31 5.3.6 52B Test Facilitation
    [Show full text]
  • À La Vitesse
    À la vitesse Rogers Communications Inc. de la vie Rapport annuel 2016 WorldReginfo - e606921d-614b-466e-9b4f-d37bd858f95e La vitesse à laquelle la vie se déroule n’a jamais été aussi rapide, autant à la maison qu’à l’échelle du pays et dans le monde entier. WorldReginfo - e606921d-614b-466e-9b4f-d37bd858f95e À propos de Rogers Rogers est une société canadienne diversifiée qui est un chef de file dans l’industrie des communications et des médias, et dont l’objectif consiste à offrir une excellente expérience à ses clients jour après jour. Nous sommes le plus important fournisseur de services de communications sans fil au Canada, et l’un des plus importants fournisseurs canadiens de services de télévision par câble, d’Internet haute vitesse, de technologies de l’information et de téléphonie destinés au grand public et aux entreprises. Par l’intermédiaire de Rogers Media, nous exerçons des activités dans les secteurs de la radiodiffusion, de la télédiffusion, des sports, du magasinage télévisé et en ligne, des magazines et des médias numériques. Nos actions sont inscrites à la Bourse de Toronto (TSX) sous les symboles RCI.A et RCI.B, et à la bourse de New York (NYSE) sous le symbole RCI. Page 3 Page 4 Page 5 Pages 7–15 Être à la hauteur Résultats financiers Survol des Lettre du chef de notre stratégie et opérationnels secteurs de la direction en 2016 de 2016 Page 15 Pages 16–17 Page 18 Page 19 L’avenir Gouvernance Hauts Administrateurs d’entreprise dirigeants Pages 20–21 Page 22 Page 23 Page 170 Responsabilité Notre vision Rapport Renseignements sociale d’entreprise et nos valeurs financier 2016 à l’intention des actionnaires RAPPORT ANNUEL 2016 ROGERS COMMUNICATIONS INC.
    [Show full text]
  • Moneygram | Canada Post
    Pay for utilities, phone services, cable bills and more at your local post office with MoneyGram! Please consult the list below for all available billers. Payez vos factures de services publics, de services téléphoniques, de câblodistribution et autres factures à votre bureau de poste local avec MoneyGram! Consultez la liste ci-dessous pour tous les émetteurs de factures participants. A B C D E F G H I J K L M N O P Q R S T U V W X Y Z BILLER NAME/ PROVINCE AVAILABLE SERVICE/ NOM DE L’ÉMETTEUR DE FACTURE SERVICE DISPONIBLE 310-LOAN BC NEXT DAY/JOUR SUIVANT 407 ETR ON NEXT DAY/JOUR SUIVANT A.R.C. ACCOUNTS RECOVERY CORPORATION BC NEXT DAY/JOUR SUIVANT AAA DEBT MANAGERS BC NEXT DAY/JOUR SUIVANT ABERDEEN UTILITY SK NEXT DAY/JOUR SUIVANT ABERNETHY UTILITY SK NEXT DAY/JOUR SUIVANT ACCORD BUSINESS CREDIT ON NEXT DAY/JOUR SUIVANT ACTION COLLECTIONS & RECEIVABLES MANAGEMENT ON NEXT DAY/JOUR SUIVANT AFFINITY CREDIT SOLUTIONS AB NEXT DAY/JOUR SUIVANT AJAX, TOWN OF - TAXES ON NEXT DAY/JOUR SUIVANT ALBERTA BLUE CROSS AB NEXT DAY/JOUR SUIVANT ALBERTA MAINTENANCE ENFORCEMENT PROGRAM AB NEXT DAY/JOUR SUIVANT ALBERTA MOTOR ASSOCIATION - INSURANCE COMPANY AB NEXT DAY/JOUR SUIVANT ALGOMA POWER ON NEXT DAY/JOUR SUIVANT ALIANT ACTIMEDIA NL NEXT DAY/JOUR SUIVANT ALIANT MOBILITY - NS/NB NS NEXT DAY/JOUR SUIVANT ALIANT MOBILITY / NL NS NEXT DAY/JOUR SUIVANT ALIANT MOBILITY/PEI PE NEXT DAY/JOUR SUIVANT ALLIANCEONE ON NEXT DAY/JOUR SUIVANT ALLSTATE INSURANCE ON NEXT DAY/JOUR SUIVANT ALLY CREDIT CANADA ON NEXT DAY/JOUR SUIVANT ALLY CREDIT CANADA LIMITED (AUTO)
    [Show full text]
  • Updates & Overview
    FIDO ALLIANCE: UPDATES & OVERVIEW BRETT MCDOWELL EXECUTIVE DIRECTOR 1 All Rights Reserved | FIDO Alliance | Copyright 2017 250+ MEMBER & PARTNER ORGANIZATIONS GLOBALLY FIDO board members include leading global brands and technology providers + SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS 2 All Rights Reserved | FIDO Alliance | Copyright 2017 THE WORLD HAS A PASSWORD PROBLEM 81% Data breaches in 65% 2016 that involved Increase in 1,093 weak, default, or phishing attacks Breaches in 2016, 1 stolen passwords over the number of a 40% increase attacks recorded over 20153 in 20152 CLUMSY | HARD TO REMEMBER | NEED TO BE CHANGED ALL THE TIME 1Verizon 2017 Data Breach Report |2Anti-Phishing Working Group | 3Identity Theft Resource Center 2016 3 All Rights Reserved | FIDO Alliance | Copyright 2017 HOW OLD AUTHENTICATION WORKS ONLINE CONNECTION The user authenticates themselves online by presenting a human-readable “shared secret” 4 All Rights Reserved | FIDO Alliance | Copyright 2017 THE NEW MODEL Fast IDentity Online open standards for simpler, stronger authentication using public key cryptography 5 All Rights Reserved | FIDO Alliance | Copyright 2017 HOW FIDO AUTHENTICATION WORKS LOCAL CONNECTION The user authenticates “locally” to their device (by various means) The device authenticates the user online using public key cryptography ONLINE CONNECTION 6 All Rights Reserved | FIDO Alliance | Copyright 2017 SIMPLER AUTHENTICATION Reduces reliance on Single gesture Works with commonly Same authentication Fast and convenient complex passwords
    [Show full text]
  • FIDO Certification Program Policy Authenticator Certification
    FIDO Certification Program Policy Authenticator Certification Version 1.3 September 2020 ©2020 | FIDO Alliance - All Rights Reserved 2 Revision History Date Version Description Sunset Date 2017-04-20 1.0.0 Approved by CWG. 2017-08-10 Update to Confidentiality section to clarify that anonymized N/A information must be approved by the Vendor prior to being 2017-08-10 1.0.1 shared outside of the Security Secretariat. Approved by CWG. First draft of 1.1.0 to add L4 and L5 to the Policy. 2017-11-02 1.1.0r01 Shared with CWG. Updated to reflect the approved level naming scheme and 2018-04-23 1.1.1 FIDO2 Certification. Updated to reflect the FIAR process for Derivative, Delta and 2019-10-10 1.2 Recertification. Updates related mainly to the introduction of the new L3 TBD 1.3 companion program ©2020 | FIDO Alliance - All Rights Reserved 3 Contents 1 Introduction ................................................................................................................................................... 8 1.1 FIDO Certification Program .................................................................................................................. 8 1.2 FIDO Authenticator Certification ......................................................................................................... 8 1.3 FIDO Functional Certification Prerequisite ......................................................................................... 8 1.4 Audience ...............................................................................................................................................
    [Show full text]
  • FIDO UAF Webauthentication Assertion Format
    FIDO UAF WebAuthentication Assertion Format FIDO Alliance Proposed Standard 20 October 2020 This version: https://fidoalliance.org/specs/fido-uaf-v1.2-ps-20201020/fido-uaf-webauthn-v1.2-ps-20201020.html Editor: Dr. Rolf Lindemann, Nok Nok Labs, Inc. The English version of this specification is the only normative version. Non-normative translations may also be available. Copyright © 2013-2020 FIDO Alliance All Rights Reserved. Abstract This document defines the assertion format "WAV1CBOR" in order to use Web Authentication assertions through the FIDO UAF protocol. Status of This Document This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current FIDO Alliance publications and the latest revision of this technical report can be found in the FIDO Alliance specifications index at https://fidoalliance.org/specifications/. This document was published by the FIDO Alliance as a Proposed Standard. If you wish to make comments regarding this document, please Contact Us. All comments are welcome. Implementation of certain elements of this Specification may require licenses under third party intellectual property rights, including without limitation, patent rights. The FIDO Alliance, Inc. and its Members and any other contributors to the Specification are not, and shall not be held, responsible in any manner for identifying or failing to identify any or all such third party intellectual property rights. THIS FIDO ALLIANCE SPECIFICATION IS PROVIDED “AS IS” AND WITHOUT ANY WARRANTY OF ANY KIND, INCLUDING, WITHOUT LIMITATION, ANY EXPRESS OR IMPLIED WARRANTY OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
    [Show full text]
  • U2F & UAF Tutorial
    U2F & UAF Tutorial How Secure is Authentication? 2014 1.2bn? 2013 397m Dec. 2013 145m Oct. 2013 130m May 2013 22m April 2013 50m March 2013 50m Cloud Authentication Password Issues 1 2 Password might be Password could be stolen entered into untrusted from the server App / Web-site (“phishing”) 4 Inconvenient to type password on phone 3 Too many passwords to remember à re-use / cart abandonment OTP Issues 1 OTP vulnerable to real- time MITM and MITB attacks 4 Inconvenient to type OTP on phone 3 OTP HW tokens are expensive and people 2 don’t want another device SMS security questionable, especially when Device is the phone Implementation Challenge A Plumbing Problem User Verification Methods Applications Organizations Silo 1 Silo 2 App 1 Silo 3 App 2 Silo N ? ? New App Authentication Needs Do you want to login? Do you want to transfer $100 to Frank? Do you want to ship to a new address? Do you want to delete all of your emails? Do you want to share your dental record? Authentication today: Ask user for a password (and perhaps a one time code) Authentication & Risk Engines Purpose Geolocation … (from IP addr.) Explicit Authentication Authentication Risk Engine Server Summary 1. Passwords are insecure and inconvenient especially on mobile devices 2. Alternative authentication methods are silos and hence don‘t scale to large scale user populations 3. The required security level of the authentication depends on the use 4. Risk engines need information about the explicit authentication security for good decision How does FIDO work? Device FIDO
    [Show full text]