THE FIDO STANDARDS AND WHY THEY MAKE SENSE IN THE SCOPE OF PSD2
Alain Martin, Member of the Board and Co-Chair of the FIDO Europe Working Group, FIDO Alliance; VP Strategic Partnerships, Gemalto
All Rights Reserved | FIDO Alliance | Copyright 2018

FIDO: FAST IDENTITY ONLINE
• The FIDO Alliance is an open industry association with a focused mission: authentication standards
• The world's largest ecosystem for standards-based, interoperable authentication: 240 member organisations, 450+ FIDO Certified solutions

FIDO SCOPE
(Diagram of modern authentication, showing the elements Single Sign-On, Federation, Passwords, Strong Authentication, Risk-Based Authentication, User Management and Identity proofing/KYC, and where FIDO sits among them)

240 MEMBERS
• 36 board members, plus sponsor members, associate members and liaison members

FIDO MARKETS
• Banks
• e-Commerce
• Social media
• Enterprise security
• Government
• …

HOW OLD AUTHENTICATION WORKS
(Diagram: online connection between user and service)
Users authenticate themselves online by presenting a human-readable "shared secret":
• Inconvenient
• Phishable
• Hackable
This is true of One Time Passwords as well.

HOW FIDO AUTHENTICATION WORKS
(Diagram: in the user environment, the user, the authenticator and the private key; on the other side, the relying party holding the public key)
• Local user verification step: a user gesture (touch, PIN entry, biometric entry) is required before the private key can be used
• On-line authentication step: the relying party sends a challenge, the authenticator returns a signed response

SIMPLER AUTHENTICATION
• Reduces reliance on complex passwords
• Single gesture to log on
• Works with commonly used devices
• Same authentication on multiple devices
• Fast and convenient

STRONGER AUTHENTICATION
• Based on public key cryptography
• No link-ability between services or accounts
• Keys generated and stored on device
• Biometrics, if used, never leave the device
• No server-side shared secrets
• No 3rd party in the protocol

FIDO STANDARDS
• UAF (Universal Authentication Framework): multi-factor authentication (possession + knowledge/inherence)
• U2F (Universal 2nd Factor): login & password + possession factor
• FIDO2: a new standard for native support in (web) platforms
  • WebAuthn: standard APIs allowing web pages to call upon a FIDO authenticator
  • CTAP (Client to Authenticator Protocol): communication between platform and external authenticator

WEBAUTHN BRINGS FIDO TO THE WEB BROWSER
• The World Wide Web Consortium (W3C) developed Web Authentication ("WebAuthn") with the FIDO Alliance
• A new standard JavaScript API that works with all FIDO2 platforms & authenticators
• Contributions from all these platform providers (logos on the slide)
• Participation: W3C Candidate Recommendation

FIDO IS …
• Members & partners
• Certifications
• Deployments
• Specifications

FIDO EUROPE WORKING GROUP
• Facilitate communication and cooperation within the European market
• Promote deployment of FIDO solutions, improve FIDO awareness
• Collect regulatory requirements from European stakeholders
• Initial Scope:

FIDO & PSD2: PROVIDING FOR A SATISFACTORY USER EXPERIENCE

VOCABULARY
PSD2: Element categorised as possession / FIDO: Authenticator
PSD2: ASPSP / FIDO: Relying Party
PSD2: PSU / FIDO: User
PSD2: (not mentioned) / FIDO: Challenge
(Diagram: the user action on the authenticator sits between the challenge and the signed response)
PSD2: Authentication Code / FIDO: Signed Response. For remote payment, the Authentication Code includes the transaction amount and payee (Authentication Code with dynamic linking).
PSD2: Personalized Security Credential / FIDO: Private key
PSD2: (no equivalent) / FIDO: Public key

FIDO MEETS THE PSD2/RTS REQUIREMENTS
• Based on multi-factor authentication ➔ Articles 4, 6, 7, 8 [RTS]
• Secure separated execution environments ranging from hardened software to TEE to Secure Elements ➔ Articles 9, 22, 23, 25 [RTS]
• Support for dynamic linking ➔ Article 5 [RTS]

FIDO PROTECTS USER AUTHENTICATION DATA
• No shared secrets
• Bank keys are generated in the authenticator
• The public key is uploaded to the bank's server ➔ the security credential never leaves the authenticator
• Local verification (of PIN, of biometric data) ➔ in line with GDPR's "Privacy by Design" ➔ facilitates deployment

FIDO SUPPORTS MULTI CHANNEL AUTHENTICATION
(Diagram: bank app and FIDO server)
• Necessity to reach 100% of users ➔ multiple devices may be necessary
• A FIDO universal server supports any FIDO compliant authenticator ➔ FIDO standards reduce the cost of deploying multiple devices

FIDO COMES WITH A CERTIFICATION PROGRAM
• Functional, by the FIDO Alliance
• Security, by the FIDO Alliance and independent accredited labs
• New biometrics certification
➔ The RTS require security evaluation (Article 3 [RTS])

FIDO WORKS IN ANY OF THE AUTHENTICATION MODELS
• In the redirection model (diagrams: AISP ➔ ASPSP ➔ AISP, with the FIDO authenticator used at the ASPSP)
  • Example on a PC/browser (ASPSP login page with Login, Pswd, Go)
  • Example on a smart phone, app-to-app
• In the decoupled model (diagram: Merchant ➔ PISP ➔ ASPSP, with the FIDO authenticator on the user's separate device)
• In the embedded model (diagrams: AISP with "Authenticate with your device"; Merchant ➔ PISP with "Approve Transaction")
  • Example for account information
  • Example for payment initiation

FIDO SIMPLIFIES THE CUSTOMER JOURNEY
• With FIDO: Merchant ➔ PISP ➔ FIDO authenticator (ASPSP: "Authorise payment?") ➔ Merchant: 1-step authentication
• With SMS OTP: Merchant ➔ PISP ➔ ASPSP (Login, Pswd ******) ➔ OTP: ****** ➔ Enter OTP: ****** ➔ Merchant: 3-step authentication

KEY TAKE AWAYS
• FIDO standards: a user friendly solution to implement PSD2
  • Security and privacy by design
  • Meet all the RTS requirements
  • Alignment with authorization frameworks
• FIDO standards maximize reach
  • They support a multiplicity of devices
• FIDO standards: versatile and future proof
  • Banks can support the redirection and decoupled models
  • Banks can propose the embedded model to TPPs that integrate FIDO authenticators in their solutions

JOIN THE FIDO ECOSYSTEM
• Build FIDO Certified solutions
• Deploy
• Join the Alliance
• Take part in FIDO events
www.fidoalliance.org
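The challenge/response flow from the "How FIDO authentication works" slide, the "no server-side shared secrets" point, and the PSD2 dynamic-linking mapping from the vocabulary slide, shown end to end as an added example. This is not code from the deck, from the FIDO Alliance or from any FIDO specification: it models the relying party (ASPSP) and the authenticator as two Go structs and uses Ed25519 from Go's standard library in place of the attestation, algorithm negotiation and CBOR/JSON encodings that real FIDO2/WebAuthn performs. The message layout, the single-use challenge store and the sample values (bank.example, alice, Merchant Ltd, EUR 120.00) are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is the data PSD2 dynamic linking binds into the authentication code (empty for a plain login).
type Transaction struct{ Amount, Payee string }

// signedMessage is what the authenticator signs: rpID, challenge and transaction fields, each length-prefixed.
func signedMessage(rpID string, challenge []byte, tx Transaction) []byte {
	var msg []byte
	for _, part := range [][]byte{[]byte(rpID), challenge, []byte(tx.Amount), []byte(tx.Payee)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		msg = append(append(msg, n[:]...), part...)
	}
	return msg
}

type Authenticator struct{ keys map[string]ed25519.PrivateKey } // one private key per relying party, never exported

// Register generates a key pair for rpID and hands out only the public key.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failure is not recoverable here
	}
	a.keys[rpID] = priv
	return pub
}

// Sign returns the signed response; userVerified models the local touch/PIN/biometric gesture that must pass first.
func (a *Authenticator) Sign(rpID string, challenge []byte, tx Transaction, userVerified bool) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !userVerified || !ok {
		return nil, errors.New("user not verified or no credential for this relying party")
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge, tx)), nil
}

// RelyingParty models the bank (ASPSP): public keys only, no shared secret, single-use challenges.
type RelyingParty struct {
	ID      string
	pubKeys map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding challenge
}

// NewChallenge issues 32 fresh random bytes that the next response must sign.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify checks the response against the stored public key, the outstanding challenge and the
// transaction the bank is about to execute, then retires the challenge so it cannot be reused.
func (rp *RelyingParty) Verify(user string, tx Transaction, sig []byte) error {
	pub, haveKey := rp.pubKeys[user]
	challenge, haveCh := rp.pending[user]
	delete(rp.pending, user)
	if !haveKey || !haveCh {
		return errors.New("unknown user or no outstanding challenge")
	}
	if !ed25519.Verify(pub, signedMessage(rp.ID, challenge, tx), sig) {
		return errors.New("signature does not match challenge and transaction data")
	}
	return nil
}

type Outcome struct{ PaymentOK, TamperedRejected, ReplayRejected, NoGestureBlocked bool } // all four should be true

// RunScenario registers a credential, authorises one remote payment and tries three things that must fail.
func RunScenario() Outcome {
	var out Outcome
	bank := &RelyingParty{ID: "bank.example", pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	bank.pubKeys["alice"] = auth.Register(bank.ID) // registration: only the public key reaches the bank
	tx := Transaction{Amount: "EUR 120.00", Payee: "Merchant Ltd"} // constructed sample payment
	sig, err := auth.Sign(bank.ID, bank.NewChallenge("alice"), tx, true)
	out.PaymentOK = err == nil && bank.Verify("alice", tx, sig) == nil
	// Amount altered after the user approved it: dynamic linking breaks the signature.
	sig2, _ := auth.Sign(bank.ID, bank.NewChallenge("alice"), tx, true)
	out.TamperedRejected = bank.Verify("alice", Transaction{"EUR 1200.00", tx.Payee}, sig2) != nil
	// Earlier response presented against a new challenge: the challenge no longer matches.
	bank.NewChallenge("alice")
	out.ReplayRejected = bank.Verify("alice", tx, sig) != nil
	// No local user gesture: the authenticator refuses to use the key at all.
	_, err = auth.Sign(bank.ID, bank.NewChallenge("alice"), tx, false)
	out.NoGestureBlocked = err != nil
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it with `go run` prints the four outcome flags, all true. The point to take from the model is which party holds what: the bank's database contains only public keys, so a breach of it yields nothing a phisher can replay, and the amount and payee are inside the signed bytes, so the approval the user gave cannot be re-attached to a different payment. In WebAuthn proper the equivalent of signedMessage is the authenticator data concatenated with the SHA-256 hash of the client data JSON that carries the challenge; that layout is the specification's, not the one assumed here.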