International Telecommunication Union
FINANCIAL INCLUSION GLOBAL INITIATIVE (FIGI)
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
11/2019
Security, Infrastructure and Trust Working Group

Implementation of Secure Authentication Technologies for Digital Financial Services
Report of the Security Workstream

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

A new global program to advance research in digital finance and accelerate digital financial inclusion in developing countries, the Financial Inclusion Global Initiative (FIGI), was launched by the World Bank Group, the International Telecommunication Union (ITU) and the Committee on Payments and Market Infrastructures (CPMI), with support from the Bill & Melinda Gates Foundation.

The Security, Infrastructure and Trust Working Group is one of the three working groups which has been established under FIGI and is led by the ITU. The other two working groups are the Digital Identity and Electronic Payments Acceptance Working Groups and are led by the World Bank Group.

ITU 2019

This work is licensed to the public through a Creative Commons Attribution-Non-Commercial-Share Alike 4.0 International license (CC BY-NC-SA 4.0). For more information visit https://creativecommons.org/licenses/by-nc-sa/4.0/

About this Report

This report was written by Andrew Hughes, Abbie Barbir. The authors would like to thank the following contributors and reviewers: Arnold Kibuuka, Vijay Mauree, Harm Arendshorst, Tiakala Lynda Yaden, Mr. Mayank, Vinod Kotwal, Jeremy Grant, Brett McDowell, Adam Power, Sylvan Tran, Ramesh Kesanupalli, Chunpei Feng, Hongwei (Kevin) Luo, David Pollington, Matthew Davie, Wycliffe Ngwabe, Salton Massally and Mathan Babu Kasilingam.

If you would like to provide any additional information, please contact Vijay Mauree at [email protected]

Contents

1 Executive Summary 1
2 Acronyms 3
3 Background 5
4 Introduction 6
  4.1 Implementations examples section 7
5 The requirement for strong authentication – standards and regulations 7
  5.1 ITU-T Recommendation X.1254 7
  5.2 NIST Special Publication 800-63-3 8
  5.3 eIDAS Regulation 9
  5.4 Payment Services Directive 9
  5.5 The ID2020 Alliance 9
  5.6 Standardization Objectives 10
6 Strong Authentication Technologies and Specifications 10
  6.1 Characteristics of Advanced Authentication Systems 10
  6.2 FIDO Alliance Specifications 12
    6.2.1 Universal Authentication Framework (UAF) 12
    6.2.2 Universal Second Factor (U2F) 13
    6.2.3 Client to Authenticator Protocol (CTAP) 13
    6.2.4 Web Authentication (WebAuthn) 14
    6.2.5 FIDO Registration Flow 14
    6.2.6 FIDO Authentication Flow 15
  6.3 Mobile Connect Specifications 16
    6.3.1 Mobile Connect for eIDAS 17
    6.3.2 Mobile Connect for PSD2 20
  6.4 IFAA Specifications 21
    6.4.1 IFAA Biometric Authentication – Local Model 22
    6.4.2 IFAA Biometric Authentication – Remote Model 25
  6.5 Aadhaar Authentication 25
    6.5.1 APB Process Steps 27
    6.5.2 Types and modes of authentication for Aadhaar 28
    6.5.3 Aadhaar authentication security concerns 28
    6.5.4 Security measures introduced recently to address those threats 29
  6.6 Cognitive Continuous Authentication 30
  6.7 Decentralized Identity and Distributed Ledgers 31
    6.7.1 Decentralized Identity Definition of Terms 31
    6.7.2 Decentralized Identity System Infrastructure Layers 32
    6.7.3 Verifiable Credential and Decentralized Identifier Draft Standards 33
    6.7.4 Verifiable Credentials 33
    6.7.5 Decentralized Identifiers 34
    6.7.6 DID Authentication 36
    6.7.7 DID Resolution 36
    6.7.8 Decentralized Identity Wallets 36
7 Implementation examples of Strong Authentication Systems 37
  7.1 Use case: Enrolment and Account opening 38
    7.1.1 Example: Aadhaar eKYC 38
    7.1.2 Example: Sierra Leone National Digital Identity and Credit Platform – Kiva 39
    7.1.3 Example: K-FIDO Enrolment example 41
    7.1.4 Example: Zug eID – Ethereum Blockchain-based Digital ID 44
    7.1.5 Example: FIDO Enrolment example 44
    7.1.6 Example: Healthcare provider user enrolment 46
  7.2 Use case: Authentication to access a digital financial service 47
    7.2.1 Example: IFAA use case – Alipay fingerprint/face payment 47
    7.2.2 Example: Aadhaar authentication