DOCSLIB.ORG

Report on Implementation of Secure Authentication Technologies

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Report on Implementation of Secure Authentication Technologies International Telecommunication Union FINANCIAL INCLUSION GLOBAL INITIATIVE (FIGI) TELECOMMUNICATION STANDARDIZATION SECTOR 11/2019 OF ITU Security, Infrastructure and Trust Working Group Implementation of Secure Authentication Technologies for Digital Financial Services Report of the Security Workstream FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. A new global program to advance research in digital finance and accelerate digital financial inclusion in developing countries, the Financial Inclusion Global Initiative (FIGI), was launched by the World Bank Group, the International Telecommunication Union (ITU) and the Committee on Payments and Market Infrastructures (CPMI), with support from the Bill & Melinda Gates Foundation. The Security, Infrastructure and Trust Working Group is one of the three working groups which has been established under FIGI and is led by the ITU. The other two working groups are the Digital Identity and Electronic Payments Acceptance Working Groups and are led by the World Bank Group. ITU 2019 This work is licensed to the public through a Creative Commons Attribution-Non-Commercial- Share Alike 4.0 International license (CC BY-NC-SA 4.0). For more information visit https://creativecommons.org/licenses/by-nc-sa/4.0/ i Implementation of Secure Authentication Technologies for Digital Financial Services Security Workstream ii About this Report This report was written by Andrew Hughes, Abbie Barbir. The authors would like to thank the following contributors and reviewers: Arnold Kibuuka, Vijay Mauree, Harm Arendshorst, Tiakala Lynda Yaden, Mr. Mayank, Vinod Kotwal, Jeremy Grant, Brett McDowell, Adam Power, Sylvan Tran, Ramesh Kesanupalli, Chunpei Feng, Hongwei (Kevin) Luo, David Pollington, Matthew Davie, Wycliffe Ngwabe, Salton Massally and Mathan Babu Kasilingam. If you would like to provide any additional information, please contact Vijay Mauree at [email protected] iii 1 Executive Summary ........................................................................................................................................... 1 2 Acronyms .......................................................................................................................................................... 3 3 Background ....................................................................................................................................................... 5 4 Introduction ...................................................................................................................................................... 6 4.1 Implementations examples section ......................................................................................................... 7 5 The requirement for strong authentication – standards and regulations ........................................................... 7 5.1 ITU-T Recommendation X.1254 ............................................................................................................... 7 5.2 NIST Special Publication 800-63-3 ........................................................................................................... 8 5.3 eIDAS Regulation ..................................................................................................................................... 9 5.4 Payment Services Directive ...................................................................................................................... 9 5.5 The ID2020 Alliance ................................................................................................................................. 9 5.6 Standardization Objectives .................................................................................................................... 10 6 Strong Authentication Technologies and Specifications ...................................................................................10 6.1 Characteristics of Advanced Authentication Systems ............................................................................ 10 6.2 FIDO Alliance Specifications ................................................................................................................... 12 6.2.1 Universal Authentication Framework (UAF) .......................................................................... 12 6.2.2 Universal Second Factor (U2F) ............................................................................................... 13 6.2.3 Client to Authenticator Protocol (CTAP) ................................................................................ 13 6.2.4 Web Authentication (WebAuthn) .......................................................................................... 14 6.2.5 FIDO Registration Flow .......................................................................................................... 14 6.2.6 FIDO Authentication Flow ...................................................................................................... 15 6.3 Mobile Connect Specifications ............................................................................................................... 16 6.3.1 Mobile Connect for eIDAS ...................................................................................................... 17 6.3.2 Mobile Connect for PSD2 ....................................................................................................... 20 6.4 IFAA Specifications ................................................................................................................................. 21 6.4.1 IFAA Biometric Authentication – Local Model ....................................................................... 22 6.4.2 IFAA Biometric Authentication - Remote Model ................................................................... 25 6.5 Aadhaar Authentication ........................................................................................................................ 25 6.5.1 APB Process Steps .................................................................................................................. 27 6.5.2 Types and modes of authentication for Aadhaar .................................................................. 28 6.5.3 Aadhaar authentication security concerns ............................................................................ 28 6.5.4 Security measures introduced recently to address those threats ......................................... 29 6.6 Cognitive Continuous Authentication .................................................................................................... 30 6.7 Decentralized Identity and Distributed Ledgers ..................................................................................... 31 6.7.1 Decentralized Identity Definition of Terms ............................................................................ 31 6.7.2 Decentralized Identity System Infrastructure Layers ............................................................. 32 6.7.3 Verifiable Credential and Decentralized Identifier Draft Standards ...................................... 33 6.7.4 Verifiable Credentials ............................................................................................................. 33 6.7.5 Decentralized Identifiers ........................................................................................................ 34 iv 6.7.6 DID Authentication ................................................................................................................ 36 6.7.7 DID Resolution ....................................................................................................................... 36 6.7.8 Decentralized Identity Wallets ............................................................................................... 36 7 Implementation examples of Strong Authentication Systems ..........................................................................37 7.1 Use case: Enrolment and Account opening............................................................................................ 38 7.1.1 Example: Aadhaar eKYC ......................................................................................................... 38 7.1.2 Example: Sierra Leone National Digital Identity and Credit Platform – Kiva ......................... 39 7.1.3 Example: K-FIDO Enrolment example .................................................................................... 41 7.1.4 Example: Zug eID – Ethereum Blockchain-based Digital ID ................................................... 44 7.1.5 Example: FIDO Enrolment example ....................................................................................... 44 7.1.6 Example: Healthcare provider user enrolment ...................................................................... 46 7.2 Use case: Authentication to access a digital financial service ............................................................... 47 7.2.1 Example: IFAA use case – Alipay fingerprint/face payment .................................................. 47 7.2.2 Example: Aadhaar authentication ........................................................................................
Load more

Recommended publications
  • FIDO Technical Glossary
    Client to Authenticator Protocol (CTAP) Implementation Draft, February 27, 2018 This version: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id- 20180227.html Previous Versions: https://fidoalliance.org/specs/fido-v2.0-ps-20170927/ Issue Tracking: GitHub Editors: Christiaan Brand (Google) Alexei Czeskis (Google) Jakob Ehrensvärd (Yubico) Michael B. Jones (Microsoft) Akshay Kumar (Microsoft) Rolf Lindemann (Nok Nok Labs) Adam Powers (FIDO Alliance) Johan Verrept (VASCO Data Security) Former Editors: Matthieu Antoine (Gemalto) Vijay Bharadwaj (Microsoft) Mirko J. Ploch (SurePassID) Contributors: Jeff Hodges (PayPal) Copyright © 2018 FIDO Alliance. All Rights Reserved. Abstract This specification describes an application layer protocol for communication between a roaming authenticator and another client/platform, as well as bindings of this application protocol to a variety of transport protocols using different physical media. The application layer protocol defines requirements for such transport protocols. Each transport binding defines the details of how such transport layer connections should be set up, in a manner that meets the requirements of the application layer protocol. Table of Contents 1 Introduction 1.1 Relationship to Other Specifications 2 Conformance 3 Protocol Structure 4 Protocol Overview 5 Authenticator API 5.1 authenticatorMakeCredential (0x01) 5.2 authenticatorGetAssertion (0x02) 5.3 authenticatorGetNextAssertion (0x08) 5.3.1 Client Logic 5.4 authenticatorGetInfo (0x04)
    [Show full text]
  • Report On​ Next Generation Authentication Technologies
    International Telecommunication Union FINANCIAL INCLUSION GLOBAL INITIATIVE (FIGI) TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (12/2018) Security, Infrastructure and Trust Working Group Discussion Paper: Secure Authentication Use Cases for DFS and Guidelines for Regulators and DFS Providers Report of the Authentication Workstream Security, Infrastructure and Trust Working Group: Secure Authentication Use Cases for DFS and Guidelines for Regulators and DFS Providers FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. A new global program to advance research in digital finance and accelerate digital financial inclusion in developing countries, the Financial Inclusion Global Initiative (FIGI), was launched by the World Bank Group, the International Telecommunication Union (ITU) and the Committee on Payments and Market Infrastructures (CPMI), with support from the Bill & Melinda Gates Foundation. The Security, Infrastructure and Trust Working Group is one of the three working groups which has been established under FIGI and is led by the ITU. The other two working groups are the Digital Identity and Electronic Payments Acceptance Working Groups
    [Show full text]
  • Security Evaluation of Multi-Factor Authentication in Comparison with the Web Authentication API
    Hochschule Wismar University of Applied Sciences Technology, Business and Design Faculty of Engineering, Department EE & CS Course of Studies: IT-Security and Forensics Master’s Thesis for the Attainment of the Academic Degree Master of Engineering (M. Eng.) Security Evaluation of Multi-Factor Authentication in Comparison with the Web Authentication API Submitted by: September 30, 2019 From: Tim Brust born xx/xx/xxxx in Hamburg, Germany Matriculation number: 246565 First supervisor: Prof. Dr.-Ing. habil. Andreas Ahrens Second supervisor: Prof. Dr. rer. nat. Nils Gruschka Purpose of This Thesis The purpose of this master’s thesis is an introduction to multi-factor authentication, as well as to the conventional methods of authentication (knowledge, possession, biometrics). This introduction includes technical functionality, web usability, and potential security threats and vulnerabilities. Further, this thesis will investigate whether the Web Authentication API is suit- able as an alternative or possible supplement to existing multi-factor authentication methods. The question has to be answered to what extent the Web Authentication API can increase security and user comfort. An evaluation of the security of the Web Authentication API in comparison with other multi-factor authentication solutions plays a crucial role in this thesis. Abstract Internet users are at constant risk, given that data breaches happen nearly daily. When a breached password is re-used, it renders their whole digital identity in dan- ger. To counter these threats, the user can deploy additional security measures, e.g., multi-factor authentication. This master’s thesis introduces and compares the multi- factor authentication solutions, one-time passwords, smart cards, security keys, and the Universal Second Factor protocol with a focus on their security.
    [Show full text]
  • Authentication Module Based on the Protocol of Zero- Knowledge Proof*
    365 Authentication Module Based on the Protocol of Zero- Knowledge Proof* Alexander M. Kadan1[0000-0003-3701-8100], Egor R. Kirichonok2[0000-0002-5904-6391] 1 Yanka Kupala State University of Grodno, Grodno, Belarus, [email protected] 2 Yanka Kupala State University of Grodno, Grodno, Belarus, [email protected] Abstract. This article discusses passwordless authentication methods. These methods are now becoming commonplace and eliminate the problems associated with the difficulty of remembering secrets. Passwordless authentication has clear security and privacy advantages over traditional authentication methods. The us- ability of passwordless authentication depends on the type of authenticator used. The paper proposes an implementation of an authentication module based on the Zero Knowledge Proof (ZKP) protocol. The issues of its application for pass- wordless user authentication to web application resources are discussed within the framework of the Web Authentication (WebAuthn) passwordless web au- thentication standard developed by the FIDO Alliance. The module is based on the use of the FIDO2 authenticator. It also allows the use of various authentica- tors, including hardware keys connected to the device via USB, Bluetooth Low Energy or NFC, software keys, the implementation of which can be very differ- ent. Currently, the cost of implementing passwordless authentication can be sig- nificant. This is a major obstacle to the widespread adoption of this advanced technology. Keywords: Zero-Knowledge Proof, ZKP, Cryptographic Protocols, Authentica- tion, Web Authentication, WebAuthn, FIDO Alliance. 1 Introduction In cryptography, Zero-Knowledge Proof (ZKP) is considered as an interactive protocol that allows one of the parties (the Verifier) to verify the validity of a statement (usually mathematical) without receiving any other information from the second party (the Prover), neither the content of the statement nor the source from which the Prover learned about its truth.
    [Show full text]
  • Client to Authenticator Protocol (CTAP) Proposed Standard, January 30, 2019
    Client to Authenticator Protocol (CTAP) Proposed Standard, January 30, 2019 This version: https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html Previous Versions: https://fidoalliance.org/specs/fido-v2.0-id-20180227/ Issue Tracking: GitHub Editors: Christiaan Brand (Google ) Alexei Czeskis (Google ) Jakob Ehrensvärd (Yubico) Michael B. Jones (Microsoft) Akshay Kumar (Microsoft) Rolf Lindemann (Nok Nok Labs ) Adam Powers (FIDO Alliance ) Johan Verrept (OneSpan ) Former Editors: Matthieu Antoine (Gemalto ) Arnar Birgisson (Google ) Vijay Bharadwaj (Microsoft) Mirko J. Ploch (SurePassID ) Contributors: Jeff Hodges (PayPal) Copyright © 2019 FIDO Alliance. All Rights Reserved. Abstract This specification describes an application layer protocol for communication between a roaming authenticator and another client/platform, as well as bindings of this application protocol to a variety of transport protocols using different physical media. The application layer protocol defines requirements for such transport protocols. Each transport binding defines the details of how such transport layer connections should be set up, in a manner that meets the requirements of the application ↑ layer protocol. → Status of This Document This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current FIDO Alliance publications and the latest revision of this technical report can be found in the FIDO Alliance specifications index at https://www.fidoalliance.org/specifications/. This document was published by the FIDO Alliance as a Proposed Standard. If you wish to make comments regarding this document, please Contact Us . All comments are welcome. Implementation of certain elements of this Specification may require licenses under third party intellectual property rights, including without limitation, patent rights.
    [Show full text]
  • FIDO Client to Authenticator Protocol (CTAP)
    Client to Authenticator Protocol (CTAP) Implementation Draft, February 27, 2018 This version: https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id- 20180227.html Previous Versions: https://fidoalliance.org/specs/fido-v2.0-ps-20170927/ Issue Tracking: GitHub Editors: Christiaan Brand (Google) Alexei Czeskis (Google) Jakob Ehrensvärd (Yubico) Michael B. Jones (Microsoft) Akshay Kumar (Microsoft) Rolf Lindemann (Nok Nok Labs) Adam Powers (FIDO Alliance) Johan Verrept (VASCO Data Security) Former Editors: Matthieu Antoine (Gemalto) Vijay Bharadwaj (Microsoft) Mirko J. Ploch (SurePassID) Contributors: Jeff Hodges (PayPal) Copyright © 2018 FIDO Alliance. All Rights Reserved. Abstract This specification describes an application layer protocol for communication between a roaming authenticator and another client/platform, as well as bindings of this application protocol to a variety of transport protocols using different physical media. The application layer protocol defines requirements for such transport protocols. Each transport binding defines the details of how such transport layer connections should be set up, in a manner that meets the requirements of the application layer protocol. Table of Contents 1 Introduction 1.1 Relationship to Other Specifications 2 Conformance 3 Protocol Structure 4 Protocol Overview 5 Authenticator API 5.1 authenticatorMakeCredential (0x01) 5.2 authenticatorGetAssertion (0x02) 5.3 authenticatorGetNextAssertion (0x08) 5.3.1 Client Logic 5.4 authenticatorGetInfo (0x04)
    [Show full text]
  • Mitigating Users' Misconceptions About FIDO2 Biometric Webauthn
    “It’s Stored, Hopefully, on an Encrypted Server”: Mitigating Users’ Misconceptions About FIDO2 Biometric WebAuthn Leona Lassak, Annika Hildebrandt†, Maximilian Golla?, Blase Ur† Ruhr University Bochum, † University of Chicago, ? Max Planck Institute for Security and Privacy Abstract While prior attempts at passwordless authentication on the web have required specialized hardware, FIDO2’s WebAuthn protocol lets users sign into websites with their smartphone. Users authenticate locally via the phone’s unlock mechanism. Their phone then uses public-key cryptography to authenti- cate to the website. Using biometrics (e.g., fingerprint, face) for this local authentication can be convenient, yet may en- gender misconceptions that discourage adoption. Through three complementary studies, we characterized and sought to mitigate misconceptions about biometric WebAuthn. We (a) WebAuthn notification used (b) WebAuthn instructions on also compared it to non-biometric WebAuthn and traditional by eBay (June 2021, edited). a Google Pixel 3a (Android 11). passwords. First, 42 crowdworkers used biometric WebAuthn Figure 1: Examples of a site-specific notification used by to sign into a website and then completed surveys. Critically, eBay and OS-specific instructions for authenticating. 67% of participants incorrectly thought their biometrics were sent to the website, creating security concerns. In remote focus groups, 27 crowdworkers then co-designed short no- A user can also adopt a password manager to facilitate unique tifications to mitigate biometric WebAuthn misconceptions. passwords [45]. Sadly, adoption rates for these mechanisms Through a 345-participant online study, we found that some remain low [37, 45] and industry has thus continued to search notifications improved perceptions of biometric WebAuthn for an alternative to passwords for signing into websites [26].
    [Show full text]
  • “You Still Use the Password After All” – Exploring FIDO2 Security Keys in a Small Company Florian M
    “You still use the password after all” – Exploring FIDO2 Security Keys in a Small Company Florian M. Farke, Ruhr University Bochum; Lennart Lorenz, tracekey solutions GmbH; Theodor Schnitzler, Philipp Markert, and Markus Dürmuth, Ruhr University Bochum https://www.usenix.org/conference/soups2020/presentation/farke This paper is included in the Proceedings of the Sixteenth Symposium on Usable Privacy and Security. August 10–11, 2020 978-1-939133-16-8 Open access to the Proceedings of the Sixteenth Symposium on Usable Privacy and Security is sponsored by USENIX. “You still use the password after all” – Exploring FIDO2 Security Keys in a Small Company Florian M. Farke Lennart Lorenz Theodor Schnitzler Ruhr University Bochum tracekey solutions GmbH Ruhr University Bochum Philipp Markert Markus Dürmuth Ruhr University Bochum Ruhr University Bochum Abstract Phishing attacks become more and more sophisticated, lead- The goal of the FIDO2 project is to provide secure and usable ing to often transparent and nearly indistinguishable imita- alternatives to password-based authentication on the Web. It tions of valid authentication requests [3, 27]. relies on public-key credentials, which a user can provide via Many alternatives have been proposed, but their usage is security tokens, biometrics, knowledge-based factors, or com- minimal [5]. Biometric schemes such as fingerprint or face binations. In this work, we report the results of a qualitative recognition are regularly used to unlock phones, but they study accompanying the deployment of FIDO2-enabled secu- are not used for remote authentication. Authentication with rity tokens for primary authentication in a web application of hardware tokens, typically in the form of two-factor authenti- a small software company operating in the life sciences indus- cation (2FA) combined with a knowledge-based scheme like try.
    [Show full text]
  • Server Requirements and Transport Binding Profile Review Draft, July 02, 2018
    Server Requirements and Transport Binding Profile Review Draft, July 02, 2018 This version: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html Previous Versions: https://fidoalliance.org/specs/fido-v2.0-id-20180227/ Issue Tracking: Github Editors: Adam Powers (FIDO Alliance) Yuriy Ackermann (FIDO Alliance) Copyright © 2018 FIDO Alliance. All Rights Reserved. Abstract FIDO2 provides secure authentication through the use of authenticators that implement the Client-to- Authenticator Protocol (CTAP) and platforms or browsers that implement the W3C WebAuthn specifications. These authenticators are expected to communicate to servers that will validate registration and authentication requests. Many of the requirements for FIDO2 servers, such as assertion formats, attestation formats, optional extensions, and so forth, are contained in the W3C WebAuthn specification. This Server Requirements and Guidance specification attempts to pull together all the requirements for servers in a single document that will be an aid to implementing a FIDO2 server, while leaving behind the details of authenticators and web browsers that do not pertain to servers. Table of Contents 1 Introduction 2 Registration and Attestations 2.1 Validating Attestation 2.2 Attestation Types 2.3 Attestation Formats 2.3.1 Packed Attestation 2.3.2 TPM Attestation 2.3.3 Android SafetyNet Attestation Example 2.3.4 Android SafetyNet Attestation Example 2.3.5 U2F Attestation 3 Authentication and Assertions 4 Communication Channel Requirements 5 Extensions
    [Show full text]
  • Brno University of Technology Excalibur System
    BRNO UNIVERSITY OF TECHNOLOGY VYSOKÉ UČENÍ TECHNICKÉ V BRNĚ FACULTY OF INFORMATION TECHNOLOGY FAKULTA INFORMAČNÍCH TECHNOLOGIÍ DEPARTMENT OF INTELLIGENT SYSTEMS ÚSTAV INTELIGENTNÍCH SYSTÉMŮ EXCALIBUR SYSTEM - SSO IMPLEMENTATION SYSTÉM EXCALIBUR - IMPLEMENTACE SSO MASTER’S THESIS DIPLOMOVÁ PRÁCE AUTHOR Bc. JURAJ CHRIPKO AUTOR PRÁCE SUPERVISOR Mgr. KAMIL MALINKA, Ph.D. VEDOUCÍ PRÁCE BRNO 2021 Brno University of Technology Faculty of Information Technology Department of Intelligent Systems (DITS) Academic year 2020/2021 Master's Thesis Specification Student: Chripko Juraj, Bc. Programme: Information Technology Field of study: Information Technology Security Title: Excalibur System - SSO Implementation Category: Security Assignment: 1. Get familiar with Single Sign On (SSO) technologies, focus on Security Assertion Markup Language (SAML) and Fast Identity Online 2 (FIDO2). 2. Get familiar with Excalibur (commercial distributed infrastructure access control system) and other existing access control solutions and used concepts. 3. Design a solution for integrating SAML or FIDO2 into Excalibur system to enable SSO. 4. Implement proposed design for integrating SAML or FIDO2 protocols into Excalibur system. 5. Test correct functionality of implemented solution such as correct behavior from a user point of view, soundness of access control mechanism, and access revocation. Recommended literature: FIDO Alliance (available online https://fidoalliance.org/fido2/) Security Assertion Markup Language (SAML) V2.0 Technical Overview (available online http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html) "Excalibur - No More Passwords!" (available online https://getexcalibur.com/docs/Excalibur_pitch_2_4_2018.pdf) Requirements for the semestral defence: Items 1 to 3. Detailed formal requirements can be found at https://www.fit.vut.cz/study/theses/ Supervisor: Malinka Kamil, Mgr., Ph.D.
    [Show full text]
  • A Relying Party Implementation As a Webauthn Authenticator Debugging Tool
    Facultade de Informática TRABALLO FIN DE GRAO GRAO EN ENXEÑARÍA INFORMÁTICA MENCIÓN EN TECNOLOXÍAS DA INFORMACIÓN DebAuthn: a Relying Party Implementation as a WebAuthn Authenticator Debugging Tool Estudante: Martiño Rivera Dourado Dirección: José M. Vázquez Naya Dirección: Marcos Gestal Pose A Coruña, setembro de 2020. A meu pai e a miña nai Acknowledgements Firstly, I would like to show gratitude to my tutors José and Marcos for their time in mentoring and guiding this project. I also want to acknowledge the RNASA-IMEDIR group and the CITIC Research for supporting the project with their resources. More personally, I would like to show my gratitude to my close friends for their help and care during my studies and primarily during these last months. Many thanks also to my classmates who were always willing to give me a hand. Finally, I could not finish these acknowledgements without expressing my gratitude to my parents and my sister for the great support through all these years. Abstract Passwords as an authentication method have become vulnerable to numerous attacks. During the last few years, the FIDO Alliance and the W3C have been working on a new authentication method based on public key cryptography and hardware authenticators, which avoids attacks like phishing or password stealing. This degree thesis focuses on the development ofaweb application as a flexible testing and debugging environment for developers and researchers of the protocol, still under development. Moreover, the developed tool is used for testing the most relevant hardware authenticators, showcasing their main characteristics. Resumo Os contrasinais como método de autentificación volvéronse vulnerables a numerosos ata- ques.
    [Show full text]
  • Implementation of Secure Authentication Technologies for Digital Financial Services Security, Infrastructure and Trust Working G
    SECURITY, INFRASTRUCTURE AND TRUST WORKING GROUP Implementation of secure authentication technologies for digital financial services REPORT OF SECURITY WORKSTREAM a • Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions b • Technical report on SS7 vulnerabilities and mitigation measures for digital fi nancial services transactions Security, Infrastructure and Trust Working Group Implementation of Secure Authentication Technologies for Digital Financial Services DISCLAIMER The Financial Inclusion Global Initiative (FIGI) is a three-year program implemented in partnership by the World Bank Group (WBG), the Committee on Payments and Market Infrastructures (CPMI), and the International Telecommunication Union (ITU) funded by the Bill & Melinda Gates Foundation (BMGF) to support and accelerate the implementa- tion of country-led reform actions to meet national financial inclusion targets, and ulti- mately the global 'Universal Financial Access 2020' goal. FIGI funds national implemen- tations in three countries-China, Egypt and Mexico; supports working groups to tackle three sets of outstanding challenges for reaching universal financial access: (1) the Elec- tronic Payment Acceptance Working Group (led by the WBG), (2) The Digital ID for Financial Services Working Group (led by the WBG), and (3) The Security, Infrastructure and Trust Working Group (led by the ITU); and hosts three annual symposia to gather national authorities, the private sector, and the engaged public on relevant topics
    [Show full text]