THE FIDO STANDARDS AND WHY THEY MAKE SENSE IN THE SCOPE OF PSD2

ALAIN MARTIN MEMBER OF THE BOARD AND CO-CHAIR OF FIDO EUROPE WORKING GROUP, FIDO ALLIANCE VP STRATEGIC PARTNERSHIPS,

All Rights Reserved | FIDO Alliance | Copyright 2018

FIDO: FAST IDENTITY ONLINE

• The FIDO Alliance is an open industry association with a focused mission: STANDARDS

• The world’s largest ecosystem for standards-based, interoperable authentication

• 240 Member organisations

• 450+ FIDO Certified solutions

FIDO SCOPE

[Diagram labels: MODERN AUTHENTICATION; Single Sign-On; Federation; Passwords; Strong; Risk-Based; Authentication; User Management; Identity proofing/KYC]

240 MEMBERS

• 36 board members:

+ SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS

FIDO MARKETS

• Banks

• e-Commerce

• Social media

• Enterprise security

• Government

• …

HOW OLD AUTHENTICATION WORKS

ONLINE CONNECTION

Users authenticate themselves online by presenting a human-readable “shared secret”

• Inconvenient

• Phishable

• Hackable

This is true of One Time as well

HOW FIDO AUTHENTICATION WORKS

User Environment: User, Authenticator (Private key)

Relying Party: Public key

• Local user verification step: User gesture before private key can be used (Touch, PIN entry, Biometric entry)

• On-line authentication step: Challenge from the Relying Party, Signed Response from the Authenticator

SIMPLER AUTHENTICATION

• Reduces reliance on complex passwords

• Single gesture to log on

• Works with commonly used devices

• Same authentication on multiple devices

• Fast and convenient

STRONGER AUTHENTICATION

• Based on public key cryptography

• No link-ability between services or accounts

• Keys generated and stored on device

• , if used, never leave device

• No server-side shared secrets

• No 3rd party in the protocol

FIDO STANDARDS

• UAF: Universal Authentication Framework. Multi Factor authentication (possession + knowledge/inherence)

• U2F: Login & + possession factor

• FIDO 2: a new standard for native support in (web) platforms

• WebAuthn: standard APIs allowing web pages to call upon a FIDO

• CTAP (Client to Authenticator Protocol): Communication between platform and external authenticator

WEBAUTHN BRINGS FIDO TO THE WEB BROWSER

World Wide Web Consortium (W3C) developed Web Authentication (“WebAuthn”) with FIDO Alliance

• A new standard JavaScript API that works with all FIDO2 platforms

• Contributions & Participation from all these platform providers

• Candidate Recommendation

FIDO IS …

MEMBERS & PARTNERS

CERTIFICATIONS

DEPLOYMENTS

SPECIFICATIONS

FIDO EUROPE WORKING GROUP

• Facilitate communication and cooperation within the European market

• Promote deployment of FIDO solutions, improve FIDO awareness

• Collect regulatory requirements from European stakeholders

• Initial Scope:

FIDO & PSD2: PROVIDING FOR A SATISFACTORY USER EXPERIENCE

VOCABULARY

• PSD2: PSU / FIDO: User

• PSD2: ASPSP / FIDO: Relying Party

• PSD2: Element categorised as possession / FIDO: Authenticator

• PSD2: (not mentioned) / FIDO: Challenge. For remote payment, includes: Transaction amount and Payee

• PSD2: Authentication Code / FIDO: Signed Response. For remote payment: Authentication Code with dynamic linking

• PSD2: Personalized Security Credential / FIDO: Private key

• PSD2: (no equivalent) / FIDO: Public key

[Diagram labels: Authenticator; User action]

FIDO MEETS THE PSD2/RTS REQUIREMENTS

• Based on Multi factor authentication ➔ Articles 4, 6, 7, 8 [RTS]

• Secure separated execution environments ranging from hardened Software to TEE to Secure Elements ➔ Articles 9, 22, 23, 25 [RTS]

• Support for dynamic linking ➔ Article 5 [RTS]
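
The challenge and signed-response flow from HOW FIDO AUTHENTICATION WORKS, with the transaction amount and payee bound into the signed data as in the dynamic linking bullet above, shown as an added example (not FIDO Alliance code). It is a simplified model rather than the WebAuthn or UAF wire format; the function names, the JSON encoding of the transaction and the sample values are assumptions.

```javascript
// Added example: simplified challenge / signed-response model, not a FIDO wire format.
const crypto = require('crypto');

// Signed bytes = server challenge + hash of (amount, payee): the dynamic link.
function signedData(challenge, { amount, payee }) {
  const tx = crypto.createHash('sha256').update(JSON.stringify([amount, payee])).digest();
  return Buffer.concat([challenge, tx]);
}

// Authenticator (hypothetical helper): key pair is generated here, only the
// public key is exported, and signing requires the local user gesture.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    sign(challenge, transaction, userVerified) {
      if (!userVerified) throw new Error('user gesture required');
      return crypto.sign('sha256', signedData(challenge, transaction), privateKey);
    },
  };
}

// Relying party (ASPSP): stores only the public key, issues one-time challenges.
function createRelyingParty(publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const c = crypto.randomBytes(32);
      pending.add(c.toString('hex'));
      return c;
    },
    verify(challenge, transaction, signature) {
      // Unknown or already consumed challenge: reject (replay).
      if (!pending.delete(challenge.toString('hex'))) return false;
      return crypto.verify('sha256', signedData(challenge, transaction), publicKey, signature);
    },
  };
}

// Constructed sample run: genuine response, replayed response, altered payee.
function demo() {
  const auth = createAuthenticator();
  const rp = createRelyingParty(auth.publicKey);
  const tx = { amount: '25.00 EUR', payee: 'Example Merchant' };
  const [c1, c2] = [rp.newChallenge(), rp.newChallenge()];
  const [s1, s2] = [c1, c2].map((c) => auth.sign(c, tx, true));
  return {
    genuine: rp.verify(c1, tx, s1),
    replayed: rp.verify(c1, tx, s1),
    tampered: rp.verify(c2, { ...tx, payee: 'Other Payee' }, s2),
  };
}
```

Only the first verification succeeds: the replay fails because the challenge is single use, and the altered payee fails because the signature covers the transaction hash.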

FIDO PROTECTS USER AUTHENTICATION DATA

• No shared secrets

• Bank keys are generated in the authenticator

• Public Key is uploaded to bank’s server ➔ the security credential never leaves the authenticator

• Local verification (of PIN, of biometric data)

➔ In line with GDPR’s “Privacy by Design”

➔ Facilitates deployment

FIDO SUPPORTS MULTI CHANNEL AUTHENTICATION

• Necessity to reach 100% users ➔ multiple devices may be necessary

Bank App

• A FIDO universal server supports any FIDO compliant authenticator

➔ FIDO Standards reduce the cost of deploying multiple devices

FIDO server

FIDO COMES WITH A CERTIFICATION PROGRAM

• Functional, by the FIDO Alliance

• Security, by the FIDO Alliance and independent accredited labs

• New biometrics certification

➔ The RTS require security evaluation (Article 3 [RTS])

FIDO WORKS IN ANY OF THE AUTHENTICATION MODELS

• In the redirection model

[Diagram, example on a PC/browser. Labels: FIDO authenticator; AISP, ASPSP, AISP; Login, Pswd, Go]

[Diagram, example on a smart phone, app-to-app. Labels: FIDO authenticator; AISP, ASPSP, AISP]

FIDO WORKS IN ANY OF THE AUTHENTICATION MODELS

• In the decoupled model

[Diagram labels: FIDO authenticator; ASPSP; Merchant, Merchant, PISP]

FIDO WORKS IN ANY OF THE AUTHENTICATION MODELS

• In the embedded model

[Diagram, example for account information. Labels: FIDO authenticator; AISP, AISP, AISP; Authenticate with your device]

[Diagram, example for payment initiation. Labels: FIDO authenticator; Merchant, Merchant, PISP, PISP; Approve Transaction]

FIDO SIMPLIFIES THE CUSTOMER JOURNEY

• With FIDO: 1 step authentication

• With SMS OTP: 3 step authentication

[Diagram labels: Merchant, PISP, FIDO authenticator, Authorise payment?; ASPSP Login, Pswd ******, ASPSP OTP, Enter OTP: ******, Merchant]

KEY TAKE AWAYS

• FIDO standards: a user friendly solution to implement PSD2
  • Security and Privacy by design
  • Meet all the RTS requirements
  • Alignment with authorization frameworks

• FIDO standards maximize reach
  • They support a multiplicity of devices

• FIDO standards: versatile and future proof
  • Bank can support the redirection and decoupled models
  • Bank can propose the embedded model to TPPs that integrate FIDO authenticators in their solutions

Join the FIDO Ecosystem

Build FIDO Certified Solutions Deploy

Join the Alliance Take Part in FIDO Events

www.fidoalliance.org
