International Telecommunication Union
FINANCIAL INCLUSION GLOBAL INITIATIVE (FIGI)
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(12/2018)

Security, Infrastructure and Trust Working Group
Discussion Paper: Secure Authentication Use Cases for DFS and Guidelines for Regulators and DFS Providers
Report of the Authentication Workstream

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

A new global program to advance research in digital finance and accelerate digital financial inclusion in developing countries, the Financial Inclusion Global Initiative (FIGI), was launched by the World Bank Group, the International Telecommunication Union (ITU) and the Committee on Payments and Market Infrastructures (CPMI), with support from the Bill & Melinda Gates Foundation.

The Security, Infrastructure and Trust Working Group is one of the three working groups established under FIGI and is led by the ITU. The other two working groups, the Digital Identity and the Electronic Payments Acceptance Working Groups, are led by the World Bank Group.

ITU 2018

This work is licensed to the public through a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license (CC BY-NC-SA 4.0). For more information visit https://creativecommons.org/licenses/by-nc-sa/4.0/

About this Report

This report was written by the following authors, contributors and reviewers: Andrew Hughes, Abbie Barbir, Arnold Kibuuka, Vijay Mauree, Harm Arendshorst, Tiakala Lynda Yaden, Mr. Mayank, Vinod Kotwal, Jeremy Grant, Brett McDowell, Adam Power, Sylvan Tran, Ramesh Kesanupalli, Chunpei Feng, Hongwei (Kevin) Luo, David Pollington.

Section 5 of this report includes content adapted from an original work by The World Bank. Views and opinions expressed in the adaptation are the sole responsibility of the author or authors of the adaptation and are not endorsed by The World Bank.

If you would like to provide any additional information, please contact Vijay Mauree at [email protected]

Table of contents

EXECUTIVE SUMMARY ... 7
1 ACRONYMS ... 9
2 INTRODUCTION ... 11
2.1 OVERVIEW OF ITU FG DFS ... 11
2.2 OVERVIEW OF THE DFS ECOSYSTEM ... 12
3 STRONG AUTHENTICATION TECHNIQUES AND STANDARDS ... 12
3.1 CHARACTERISTICS OF ADVANCED AUTHENTICATION SYSTEMS ... 13
3.2 OVERVIEW OF STANDARDS AND SPECIFICATIONS FOR STRONG AUTHENTICATION ... 14
3.2.1 ITU-T RECOMMENDATION X.1254 ... 15
3.2.2 NIST SPECIAL PUBLICATION 800-63-3 ... 15
3.2.3 EIDAS REGULATION ... 16
3.2.4 PAYMENT SERVICES DIRECTIVE ... 16
3.2.5 FIDO ALLIANCE SPECIFICATIONS ... 16
3.2.6 MOBILE CONNECT SPECIFICATIONS ... 21
3.2.7 IFAA SPECIFICATIONS ... 26
3.2.8 AADHAAR AUTHENTICATION SPECIFICATIONS ... 30
3.2.9 THE ID2020 ALLIANCE ... 32
3.2.10 VERIFIABLE CREDENTIAL AND DECENTRALIZED IDENTIFIER DRAFT STANDARDS ... 32
4 IMPLEMENTATION EXAMPLES OF STRONG AUTHENTICATION SYSTEMS ... 34
4.1 USE CASE: ENROLMENT AND ACCOUNT OPENING ... 35
4.1.1 EXAMPLE 1: AADHAAR EKYC ... 35
4.1.2 EXAMPLE 2: K-FIDO ENROLMENT EXAMPLE ... 36
4.1.3 EXAMPLE 3: ZUG EID – ETHEREUM BLOCKCHAIN-BASED DIGITAL ID ... 38
4.1.4 EXAMPLE 4: FIDO ENROLMENT EXAMPLE ... 38
4.1.5 EXAMPLE 5: HEALTHCARE PROVIDER USER ENROLMENT ... 40
4.2 USE CASE: AUTHENTICATION TO ACCESS A DIGITAL FINANCIAL SERVICE ... 41
4.2.1 EXAMPLE 1: IFAA USE CASE – ALIPAY FINGERPRINT/FACE PAYMENT ... 41
4.2.2 EXAMPLE 2: AADHAAR AUTHENTICATION ... 43
4.2.3 EXAMPLE 3: AADHAAR UNIFIED PAYMENTS INTERFACE ... 45
4.2.4 EXAMPLE 4: K-FIDO AUTHENTICATION ... 45
4.2.5 EXAMPLE 5: HEALTHCARE PROVIDER CUSTOMER AUTHENTICATION ... 46
4.2.6 EXAMPLE 6: SK TELECOM – MOBILE CONNECT ... 47
5 DESIGN CONSIDERATIONS FOR USE OF BIOMETRICS IN AUTHENTICATION ... 49
6 GUIDANCE FOR REGULATORS ... 50
7 STANDARDIZATION OBJECTIVES ... 51
ANNEX A – BIBLIOGRAPHY ... 53
ANNEX B – GUIDANCE FOR DFS PROVIDERS ... 56
ANNEX C – GUIDANCE FOR AUTHENTICATION SYSTEM PROVIDERS ... 57

List of Figures

FIGURE 1: THE DIGITAL FINANCIAL SERVICES ECOSYSTEM ... 12
FIGURE 2: X.1254 ENTITY AUTHENTICATION ASSURANCE FRAMEWORK ELEMENTS ... 15
FIGURE 3: UNIVERSAL AUTHENTICATION FRAMEWORK ARCHITECTURE ... 18
FIGURE 4: FIDO REGISTRATION OF NEW KEYS ... 19
FIGURE 5: FIDO AUTHENTICATION ... 20
FIGURE 6: MOBILE CONNECT PORTFOLIO OF SERVICES ... 21
FIGURE 7: EIDAS LEVEL OF ASSURANCE MAPPING WITH MOBILE CONNECT ... 23
FIGURE 8: MOBILE CONNECT AND EIDAS REFERENCE ARCHITECTURE ...