authentication work stream - itu · 2019-02-05 · • use cases (web/mobile) • national...
![Page 1: Authentication Work stream - ITU · 2019-02-05 · • Use cases (web/Mobile) • National solutions (e.g Aadhaar in India. AliPay) • Means of evaluating authentication assurance](https://reader033.vdocuments.us/reader033/viewer/2022050206/5f592ab702ad5d54b31a2302/html5/thumbnails/1.jpg)
Authentication Work stream
FIGI Security Infrastructure
and Trust Working Group
Abbie Barbir, Chair
Security, Infrastructure, Trust Working Group
• To enhance confidence in using Digital Financial Services (DFS)
• To address DFS security issues and mass digital fraud in developing countries
• To assess new technology impact on security & consumer protection
Authentication Workstream
• To provide use cases, requirements, definitions and examples of strong authentication solutions
• To offer guidance for regulators, authentication providers and Digital Financial Services (DFS) providers
Scope and Focus
• Strong interoperable authentication to support DFS
• Use cases (web/mobile)
• National solutions (e.g. Aadhaar in India, AliPay)
• Means of evaluating authentication assurance (ITU-T X.1254)
• Digital lab setup
• APIs for interoperable authentication supporting FIDO standards (ITU-T X.1277 / ITU-T X.1278), including APIs for:
– End point validation, subscription and registration
– Device registration: enables the service provider to register an authenticator with a user account and policy
– Device authentication
– Transaction confirmation: support for the user to confirm a specific transaction
– Deregistration: the relying party can trigger deletion of the account-related authentication key material
Trouble With Passwords
• Most people use fewer than 5 passwords for all accounts; 50% of those haven't changed their password in the last 5 years
• Reuse makes them easy to compromise; 39% of adults use the same password for many of their online accounts
• They are very difficult to remember; 25% of adults admit to using less secure passwords because they are easier to remember
• There are lots of places to steal them from; 49% of adults write their passwords down on paper
Sources: Pew Research; TeleSign research
Over 3 billion user IDs and passwords were stolen in 2016
Aetna Next Generation Authentication
Aetna solution:
• FIDO
• Standards based
• Passwordless
• Behavioral
• Continuous risk-based
Standards = Interoperability
• Speak a common language
• Know what to expect
• Know how to respond
• No need to reinvent
Standards:
• ITU-T X.1252 (revision)
• ITU-T X.1254 (revision)
• ITU-T X.509
• ITU-T X.1276
• ITU-T X.1277, ITU-T X.1278
• ISO/IEC 29115 (revision)
• ISE FICAM
• NIST SP 800-63-3
• FIDO2 / W3C WebAuthn
• OAuth 2.0
• OIDC
Discussion Paper:
Secure Authentication Use Cases
for DFS and Guidelines for
Regulators and DFS Providers
Andrew Hughes, Editor
The Discussion Paper
The Sources
• Contributions from working group members over the last 12 months
• Additional contributions from industry consortia and standards development bodies
The Contents
• Describes standards and regulations for strong authentication
• Implementation examples for use cases
• Guidance for regulators, authentication providers and DFS providers
• Standardization objectives
‘Authentication’
Authentication Systems
• Used in two ways:
– Establish that the person is who they claim to be when enrolling for an account (identity proofing)
– Verify that a returning customer is the same one that previously opened an account (authentication proper)
• The two are graded separately: NIST SP 800-63-3 assigns an Identity Assurance Level (IAL) to proofing and an Authenticator Assurance Level (AAL) to authentication, so a weak enrolment undermines a strong authenticator and vice versa
For Account Creation
• Ask for and verify identification information
– For DFS: 'Know Your Customer' (KYC) procedures
– "e-KYC" examples are given in this report
– Obtain from previously-established accounts, based on regulatory obligations
For Returning Customers
• For returning customers, ask for evidence that they are the same person as seen before
– Ask for a secret known only to them
– Have them demonstrate possession and control of a credential or device previously issued
– Compare a biometric sample to one 'on file'
Multi-factor Authentication Approach
• Combine multiple authentication factors to strengthen the overall authentication mechanism
– Knowledge-based factor (something the user knows, e.g. a PIN)
– Possession-based factor (something the user has, e.g. a registered device or security key)
– Factor based on a physical or inherent characteristic (something the user is, e.g. a fingerprint)
• The factors only add strength if they are independent: a one-time code delivered to the same handset that runs the banking app means one compromised handset yields both factors
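As an added example, not code from the FIGI paper, the FIDO Alliance or any product named on these slides, the Go program below models the relying-party (RP) side of the API items listed under Scope and Focus (device registration, device authentication, transaction confirmation, deregistration) and the possession factor of the multi-factor approach above. The type names, the clientData layout and the sample transaction text are assumptions for illustration; the signed structure (authenticatorData = rpIdHash || flags || signature counter, signed together with SHA-256 of the client data) follows WebAuthn, and the RP checks are the ones a verifier has to make: single-use challenge, expected origin and transaction text, rpIdHash, user-presence flag, strictly increasing counter, and the signature itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

type (
	RelyingParty struct {
		RPID, Origin string
		keys         map[string]*ecdsa.PublicKey // credential ID -> public key registered for it
		counters     map[string]uint32           // credential ID -> last signature counter accepted
		challenges   map[string]bool             // outstanding single-use nonces
	}
	Authenticator struct {
		priv    *ecdsa.PrivateKey // never leaves the authenticator
		CredID  []byte
		counter uint32
	}
	Assertion struct{ CredID, AuthData, ClientData, Sig []byte } // AuthData = sha256(rpID) || flags || counter
)

func NewRP(rpID, origin string) *RelyingParty {
	return &RelyingParty{RPID: rpID, Origin: origin, keys: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}, challenges: map[string]bool{}}
}
func nonce(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // n bytes from crypto/rand

func (rp *RelyingParty) Register() *Authenticator { // the authenticator mints a key pair; only the public key reaches the RP
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	id := nonce(16)
	rp.keys[string(id)] = &priv.PublicKey
	return &Authenticator{priv: priv, CredID: id}
}

func (rp *RelyingParty) Deregister(credID []byte) { delete(rp.keys, string(credID)) } // RP drops the account's key material

func (rp *RelyingParty) Challenge() []byte { // fresh 32-byte nonce, consumable exactly once
	c := nonce(32)
	rp.challenges[string(c)] = true
	return c
}

// ClientData binds challenge, origin and the approved transaction text (assumed layout; real WebAuthn uses JSON).
func ClientData(challenge []byte, origin, txn string) []byte {
	return []byte(fmt.Sprintf("challenge=%x;origin=%s;txn=%s", challenge, origin, txn))
}

func signedMessage(authData, clientData []byte) []byte { // both sides hash authData || sha256(clientData), as in WebAuthn
	cdh := sha256.Sum256(clientData)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}

func (a *Authenticator) Sign(rpID string, cd []byte) Assertion { // authenticator: assert user presence (flag 0x01), bump counter, sign
	a.counter++
	h := sha256.Sum256([]byte(rpID))
	auth := append(h[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(auth[33:], a.counter)
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(auth, cd))
	return Assertion{CredID: a.CredID, AuthData: auth, ClientData: cd, Sig: sig}
}

// Verify runs the RP's checks; challenge is the nonce this session issued.
func (rp *RelyingParty) Verify(as Assertion, challenge []byte, expectedTxn string) error {
	if !rp.challenges[string(challenge)] {
		return fmt.Errorf("challenge not outstanding (replayed or never issued)")
	}
	delete(rp.challenges, string(challenge)) // single use, even if later checks fail
	id := string(as.CredID)
	if rp.keys[id] == nil {
		return fmt.Errorf("unknown credential")
	}
	if string(as.ClientData) != string(ClientData(challenge, rp.Origin, expectedTxn)) {
		return fmt.Errorf("clientData does not match challenge, origin or transaction")
	}
	if h := sha256.Sum256([]byte(rp.RPID)); len(as.AuthData) != 37 || string(as.AuthData[:32]) != string(h[:]) || as.AuthData[32]&0x01 == 0 {
		return fmt.Errorf("authData: wrong rpIdHash or user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:])
	if counter <= rp.counters[id] {
		return fmt.Errorf("signature counter did not increase (replay or cloned authenticator)")
	}
	if !ecdsa.VerifyASN1(rp.keys[id], signedMessage(as.AuthData, as.ClientData), as.Sig) {
		return fmt.Errorf("bad signature")
	}
	rp.counters[id] = counter
	return nil
}

func main() { // constructed demo: one good assertion, then the same one replayed
	rp, txn := NewRP("dfs.example", "https://dfs.example"), "pay 500 to merchant 42"
	auth, c := rp.Register(), rp.Challenge()
	as := auth.Sign(rp.RPID, ClientData(c, rp.Origin, txn))
	fmt.Println("first use:", rp.Verify(as, c, txn), "| replay:", rp.Verify(as, c, txn))
}
```

Run it with `go run`. Because the challenge is consumed on first use and the counter must strictly increase, a captured assertion cannot be replayed, an assertion minted for a phishing origin or a different amount fails the clientData comparison, and a cloned authenticator whose counter lags behind the genuine one is refused. Two caveats for a real deployment: some certified authenticators always report a counter of 0, in which case the RP must skip the counter check for that credential rather than lock the user out, and the JSON clientData and CBOR attestation of real WebAuthn are omitted here.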
Advanced Authentication Techniques
• Convenient and easy to use
• Eliminate or reduce reliance on passwords
• Examine real-time behaviour to detect anomalies
• Dynamic risk scoring of authentication confidence
• Background authentication throughout the transaction
• Broadly similar to anti-fraud techniques
The Standards and Specifications
Standards and Regulations
• These contain 'levels' and requirements
• ITU-T Recommendation X.1254
• NIST SP 800-63-3
• eIDAS Regulation
• Payment Services Directive 2 (PSD2)
Technical Specifications
• FIDO Alliance specifications – ITU-T Recommendations X.1277 (UAF) and X.1278 (CTAP/U2F)
• OpenID Connect + Mobile Connect
• IFAA Authentication
• Aadhaar Authentication
• W3C Verifiable Credentials and Decentralized Identifiers
The Use Case Examples
The Use Cases
• Enrolment and account opening
• Authentication to access a DFS
Account Opening
• Aadhaar eKYC – from national ID
• K-FIDO Enrolment – from national ID
• City of Zug eID – from citizen register
• FIDO account enrolment
• Healthcare provider – member enrolment
Access A Service
• IFAA – mobile payment – fingerprint or face
• Aadhaar Authentication & Unified Payments Interface (UPI) – several modalities, including non-smartphone
• K-FIDO Authentication
• Healthcare provider customer authentication
• SK Telecom – Mobile Connect
• FIDO Alliance – hardware security key
The Guidance
Guidance for Regulators
• Require strong authentication
• Recognize limitations of shared secrets
• Make authentication easy to use
• New technologies remove barriers
• Mobile must be supported
• Privacy is important
• Biometrics must be used appropriately
• Focus on standards and outcomes, not technology
Biometric Authentication
• Design considerations
– Accuracy, universality, stability/permanence, collectability, resistance to circumvention, acceptability, usability, cost
Standardization
• More work is needed for
– Behavioral biometrics
– Relative strengths of authentication
– Mobile security capabilities and authenticator strengths
– User experience
Closing Remarks
• Keep watching this space for innovation – the rate of invention is very high and technologies and approaches are maturing
• Please review and provide feedback
• Don't be the next weak link in the chain!
To Provide Feedback
• Download the report: https://www.itu.int/en/ITU-T/extcoop/figisymposium/Documents/Secure%20Authentication%20Use%20Cases.pdf