THE FIDO STANDARDS AND WHY THEY MAKE SENSE IN THE SCOPE OF PSD2
ALAIN MARTIN, MEMBER OF THE BOARD AND CO-CHAIR OF FIDO EUROPE WORKING GROUP, FIDO ALLIANCE; VP STRATEGIC PARTNERSHIPS, GEMALTO
All Rights Reserved | FIDO Alliance | Copyright 2018

FIDO: FAST IDENTITY ONLINE
• The FIDO Alliance is an open industry association with a focused mission: AUTHENTICATION STANDARDS
• The world’s largest ecosystem for standards-based, interoperable authentication: 240 member organisations, 450+ FIDO Certified solutions
FIDO SCOPE
[Diagram] Modern authentication: Passwords ➔ Strong Authentication, Risk-Based Authentication. Shown around it: Single Sign-On, Federation, User Management, Identity proofing/KYC.
240 MEMBERS
• 36 board members, plus sponsor members, associate members and liaison members
FIDO MARKETS
• Banks
• e-Commerce
• Social media
• Enterprise security
• Government
• …
HOW OLD AUTHENTICATION WORKS
[Diagram: online connection between the user and the server]
Users authenticate themselves online by presenting a human-readable “shared secret”
• Inconvenient
• Phishable
• Hackable
This is true of One Time Passwords as well
HOW FIDO AUTHENTICATION WORKS
[Diagram] User environment: the authenticator holds the private key; a user gesture (touch, PIN entry, biometric entry) is required before the private key can be used. Relying party: holds the public key, sends a challenge and receives the signed response.
Local user verification step (inside the user environment) / On-line authentication step (challenge and signed response between user environment and relying party)
SIMPLER AUTHENTICATION
• Reduces reliance on complex passwords
• Single gesture to log on
• Works with commonly used devices
• Same authentication on multiple devices
• Fast and convenient
STRONGER AUTHENTICATION
• Based on public key cryptography
• No link-ability between services or accounts
• Keys generated and stored on device
• Biometrics, if used, never leave device
• No server-side shared secrets
• No 3rd party in the protocol
FIDO STANDARDS
• UAF (Universal Authentication Framework): multi-factor authentication (possession + knowledge/inherence)
• U2F (Universal 2nd Factor): login & password + possession factor
• FIDO2: a new standard for native support in (web) platforms
  WebAuthn: standard APIs allowing web pages to call upon a FIDO authenticator
  CTAP (Client to Authenticator Protocol): communication between platform and external authenticator
WEBAUTHN BRINGS FIDO TO THE WEB BROWSER
World Wide Web Consortium (W3C) developed Web Authentication (“WebAuthn”) with FIDO Alliance
• A new standard JavaScript API that works with all FIDO2 platforms & authenticators
• Contributions and participation from all the platform providers shown on the slide
• Candidate Recommendation
FIDO IS …
• Members & partners
• Certifications
• Deployments
• Specifications
FIDO EUROPE WORKING GROUP
• Facilitate communication and cooperation within the European market
• Promote deployment of FIDO solutions, improve FIDO awareness
• Collect regulatory requirements from European stakeholders
• Initial Scope:
FIDO & PSD2: PROVIDING FOR A SATISFACTORY USER EXPERIENCE
VOCABULARY
PSD2 term                              FIDO term
Element categorised as possession      Authenticator
ASPSP                                  Relying Party
PSU                                    User
(not mentioned)                        Challenge (for remote payment, includes transaction amount and payee)
Authentication Code                    Signed Response (for remote payment: authentication code with dynamic linking)
Personalized Security Credential       Private key
(no equivalent)                        Public key
FIDO MEETS THE PSD2/RTS REQUIREMENTS
• Based on multi-factor authentication ➔ Articles 4, 6, 7, 8 [RTS]
• Secure separated execution environments ranging from hardened software to TEE to Secure Elements ➔ Articles 9, 22, 23, 25 [RTS]
• Support for dynamic linking ➔ Article 5 [RTS]
FIDO PROTECTS USER AUTHENTICATION DATA
• No shared secrets
• Bank keys are generated in the authenticator
• Public key is uploaded to bank’s server ➔ the security credential never leaves the authenticator
• Local verification (of PIN, of biometric data)
➔ In line with GDPR’s “Privacy by Design”
➔ Facilitates deployment
FIDO SUPPORTS MULTI CHANNEL AUTHENTICATION
• Necessity to reach 100% of users ➔ multiple devices may be necessary
• A FIDO universal server supports any FIDO compliant authenticator
➔ FIDO standards reduce the cost of deploying multiple devices
[Diagram: several authenticator devices and a bank app connecting to one FIDO server]
FIDO COMES WITH A CERTIFICATION PROGRAM
• Functional, by the FIDO Alliance
• Security, by the FIDO Alliance and independent accredited labs
• New biometrics certification
➔ The RTS require security evaluation (Article 3 [RTS])
FIDO WORKS IN ANY OF THE AUTHENTICATION MODELS
• In the redirection model
[Diagram] Example on a PC/browser: the user is redirected from the AISP to the ASPSP, authenticates there (shown: a “Login / Pswd / Go” form and the FIDO authenticator) and is returned to the AISP
[Diagram] Example on a smartphone, app-to-app: AISP app ➔ ASPSP app with the FIDO authenticator ➔ back to the AISP app
FIDO WORKS IN ANY OF THE AUTHENTICATION MODELS
• In the decoupled model
[Diagram] Merchant ➔ PISP ➔ ASPSP; the ASPSP reaches the user’s FIDO authenticator on a separate device, then the flow returns to the merchant
FIDO WORKS IN ANY OF THE AUTHENTICATION MODELS
• In the embedded model
[Diagram] Example for account information: the AISP app prompts “Authenticate with your device” and uses the FIDO authenticator directly
[Diagram] Example for payment initiation: Merchant ➔ PISP, whose app prompts “Approve Transaction” with the FIDO authenticator
FIDO SIMPLIFIES THE CUSTOMER JOURNEY
[Diagram] With FIDO: Merchant ➔ PISP ➔ FIDO authenticator (“Authorise payment?”) ➔ ASPSP: 1-step authentication
[Diagram] With SMS OTP: Merchant ➔ PISP ➔ ASPSP login (“Login / Pswd ******”) ➔ “Enter OTP: ******” ➔ Merchant: 3-step authentication
KEY TAKE AWAYS
• FIDO standards: a user friendly solution to implement PSD2
  • Security and Privacy by design
  • Meet all the RTS requirements
  • Alignment with authorization frameworks
• FIDO standards maximize reach
  • They support a multiplicity of devices
• FIDO standards: versatile and future proof
  • Bank can support the redirection and decoupled models
  • Bank can propose the embedded model to TPPs that integrate FIDO authenticators in their solutions
Join the FIDO Ecosystem
• Build FIDO Certified solutions
• Deploy
• Join the Alliance
• Take part in FIDO events
www.fidoalliance.org