NTT DOCOMO Deployment Case Study

FIDO Alliance Seminar in Sydney
NTT DOCOMO Deployment Case Study:
“Your Security, More Simple.”
September 25, 2017
Koichi Moriyama
Senior Director of Product Innovation, Product Dept., NTT DOCOMO, INC.
(acting) A Board of Directors and Chair of FIDO Japan WG, FIDO Alliance
FIDO Seminar in Sydney 9/25/2017 © 2017 NTT DOCOMO, INC. All Rights Reserved.

Table of Contents
• Motivation: “Your Security, More Simple.”
• Overview: NTT DOCOMO’s Deployment
– NTT DOCOMO FIDO-enabled Devices for d ACCOUNT™ - 27 Models in Total
• Design Principles to Integrate the FIDO Standards
• Solution Architecture: Before & After the Deployment
• Security Architecture: Biometric Data and Secret Key stored in Secure Area
• Open Standards for Interoperability: Varieties of Authenticator Solutions
• Deployment at More Scale – Rolled Out the same to iOS Customers
• Mobile Devices as Your Key to Life – 2DA: “AuthN by Your Smartphone”
• NTT DOCOMO as a FIDO Alliance Board Member
• FIDO Japan WG Updates
FIDO Seminar in Sydney 9/25/2017 2© 2017 NTT DOCOMO, INC. All Rights Reserved.

Motivation: “Your Security, More Simple.”
• NTT DOCOMO provides our customers OpenID based “d ACCOUNT” in
addition to 4-digit passwords for online service access including DOCOMO
branded services, partner services, and carrier billing payments.
• NTT DOCOMO wanted to help our customers, who always needed to
remember their passwords, for their convenience in a secure way, and
DOCOMO recognized that the FIDO standards may help.
https://www.youtube.com/watch?v=UP0DyYk5IXc
Iris Fingerprints
Login Unlock
Carrier Billing
Payment
Passwords-less AuthN
using Biometrics

生体認証で注文・決済した初めてのピザ
72015年5月26日ドコモの生体認証について
Overview: NTT DOCOMO’s Deployment (1/2)
• NTT DOCOMO launched four FIDO® UAF Certified devices and FIDO UAF-
enabled server in May 2015. There were some world firsts, a.) as an MNO,
b.) with multiple FIDO Certified devices from multiple OEMs, c.) with the
world first Iris scanner equipped smartphone, and d.) for multiple services.
The former president Mr. Kato demonstrated to order a pizza by NTT DOCOMO service d delivery™ with the world first Iris
scanner equipped device Arrows NX at the NTT DOCOMO New Products and Services Announcement on 5/13/2015.
SC-05GF-04G SC-04GSH-03G
The ordered pizza was illustrated at the NTT DOCOMO Press
Announcement Event with FIDO Alliance on 5/26/2016

Overview: NTT DOCOMO’s Deployment (2/2)
• NTT DOCOMO’s FIDO-enabled “d ACCOUNT” online authentication allows
our customers to login and authenticate their account without passwords.
• In addition to DOCOMO-branded services at dmarket™, varies of partner
services are available with the FIDO authentication through two ways, a.)
Carrier Billing Payment, and b.) as a federated ID utilizing OpenID Connect.
Carrier Billing Payment
MARKET

FIDO-enabled d ACCOUNT Authentication
DOCOMO Smartphone & Tablet : 27 Models by 6 OEMs
• 4 models for 2015 Summer, 6 for 2015-16 Winter/Spring, 4 for 2016
Summer, 6 for 2016-17 Winter/Spring, and 7 for 2017 Summer, by 6 OEMs.
FIDO Seminar in Sydney 9/25/2017 © 2017 NTT DOCOMO, INC. All Rights Reserved. 6
SH-01H SO-03H SO-01H SO-02HF-02HSC-05G SH-04HF-04H SO-04HSC-02HF-04G SC-04G F-01HSH-03G
SO-02JF-01J SH-02J DM-01JSO-01J L-01J d-01JSC-03JSO-04J SC-02JSO-03J SH-03J SC-04J
2015 Summer 2015-16 Winter/Spring 2016 Summer
2016-17 Winter/Spring 2017 Sumer

Design Principles to Integrate the FIDO Standards
• Integrate the FIDO standards in a straightforward manner
– Create and maintain the FIDO eco-system, and align with it for sustainability
• Utilize the FIDO standards as much as possible
– Allow different type of authenticators e.g. fingerprint sensors and iris scanner
• Protect users and ecosystem partners in consideration of security
– Follow the FIDO privacy policy, “Biometric template and private keys never
leave devices,”
– Realize that genuineness of authenticator shall be securely proven to servers,
– Keep the same security level of various devices from multiple OEMs, and
– Avoid to generate wrong perception in the market.
• Minimize the integration efforts, time and cost
– Gather FIDO-enabled service apps to a single point of I/F – d ACCOUNT to ASM

Solution Architecture: d ACCOUNT and 4-digits
[before the FIDO integration]
• The d ACCOUNT app and system had already been introduced and
operated for authentication and single-sign-on experience.
…
DOCOMO Branded Devices
by OEM Partners
Client App Pre-installed
…
Web Browser
Pre-installedService Apps
System Server
…
DOCOMO Branded
Services
Carrier Billing
Partner Services
Billing
System Servers
Launched by Service
Apps or Web Browser
Authenticate user by
ID/Password or 4-digitsID/Password
• Single Sign-On

Solution Architecture: d ACCOUNT and 4-digits
[after the FIDO integration]
• The d ACCOUNT app and system had already been introduced and
operated for authentication and single-sign-on experience.
DOCOMO Branded Devices
by OEM Partners
…
Web Browser
Pre-installedService Apps
…
DOCOMO Branded
Services
Carrier Billing
Partner Services
Billing
System Servers
FIDO-enabled by
xxxx Client SDK
FIDO-enabled
by Server
FIDO-enabled w/
some additional
requirements to adopt
…
In addition to ID/Password
• Single Sign-On
• Biometric Authentication
without Passwords
Client App Pre-installed System Server

FIDO Enables Online Authentication by
Utilizing Biometric Data in a Secure Manner
– Biometric Data and Secret Key stored in Secure Area –
Biometric
Authentication Device
Secure Area (TEE)
User Verification through
Matching
Secure App
Secure Folder
FIDO Client
Verified
FIDO Authenticator
FIDO Server
Challenge
Authentication is completed
once the Signed Challenge is
verified by
Public Key
Sign the Challenge
by Secret Key
✓
✓
Signed Challenge
d ACCOUNT
Server
d ACCOUNT
App
Scope of FIDO UAF 1.0 Spec
✓
✓
Public Key CryptographySecure Protocol
Biometric Data
Device Server
FIDO-enabled services are
enhanced gradually…
Registered
Template
Secret Key

Implementations of the FIDO Authenticators
– Varieties of FIDO® Certified FIDO Authenticator Solutions –
• OEMs may choose a FIDO® Certified authenticators solution from a variety
of choices in order to meet their requirements.
FIDO-enabled by
xxxx Client SDK
FIDO® Certified
xxxxx Server
FIDO Standards
Client App Pre-installed System Server

How NTT DOCOMO Implements FIDO UAF on iOS
© 2017 NTT DOCOMO, INC. All Rights Reserved. 12
• NTT DOCOMO developed “d ACCOUNT app” for iOS, incorporating Nok
Nok Labs’ FIDO® Certified FIDO UAF Client SDK to work with the FIDO-
enabled d ACCOUNT server, and deployed commercially in March, 2016.
• NTT DOCOMO utilizes the Touch ID security feature of Secure Enclave that
enables to keep the FIDO Privacy Policy.
FIDO Seminar in Sydney 9/25/2017 https://support.apple.com/en-us/HT204587
• The recent APIs enabled after iOS 9 help
DOCOMO for friendly-fraud concerns.
d ACCOUNT App
FIDO Client
Touch ID
Secure Enclave

Screen Shot Example: d ACCOUNT Login with Touch ID
• “Login with Touch ID” button appears in addition to the legacy
ID/password button. Once select to login with Touch ID, easy to login.
d ACCOUNT login screen
supporting Touch ID
d ACCOUNT Touch ID app
encourages you to do Touch ID
If you haven’t installed d ACCOUNT Touch
ID app yet, you encouraged to install it
“Login with Touch ID”

Screen Shot Example: Shopping at d Shopping
© 2017 NTT DOCOMO, INC. All Rights Reserved. 14
• Shopping is the same. Once select to purchase with Touch ID, easy to go.
d ACCOUNT app to support Touch ID on iOS 9 or later works behind of it.
Select what you
purchase, and go next
Authenticate with
Touch ID
d ACCOUNT Touch ID app
encourages you to do Touch ID
That’s it!
FIDO Seminar in Sydney 9/25/2017

The Same Server Hosts Your Authentication!
© 2017 NTT DOCOMO, INC. All Rights Reserved. 15FIDO Seminar in Sydney 9/25/2017
…
DOCOMO Branded
Services
Carrier Billing
Partner Services
Billing
System ServersSystem ServerAndroid
iOS
SH-01H SO-03H SO-01H SO-02HF-02HSC-05G SH-04HF-04H SO-04HSC-02HF-04G SC-04G F-01HSH-03G
SO-02JF-01J SH-02J DM-01JSO-01J L-01J d-01JSC-03JSO-04J SC-02JSO-03J SH-03J SC-04J

Future Goal
Mobile Devices as Your Key to Life
16
NTT DOCOMO x FIDO Alliance Presentation on May 26th, 2015
FIDO Seminar in Sydney 9/25/2017

“AuthN by Your Smartphone” from PC, et el.
• Commercially available since February, 2017
docomo Smartphone
Android
Notification Authentication
Before Now
It’s clumsy, and very hard to
remember all passwords…
“AuthN by Your Smartphne”
enables you to login very easily!
XXXXXX
iOS devices

Architecture for “AuthN by Your Smartphone”
18
1st Device
(No-FIDO supported)
2nd Device
(existing FIDO UAF devices)
Always-On
ID/Password 2DA: 2nd Device Authentication
Authentication (FIDO UAF)
Authentication and Login Login
FIDO Seminar in Sydney 9/25/2017 © 2017 NTT DOCOMO, INC. All Rights Reserved.
Server
FIDO® Certified
xxxxx Server
Server
Implemented w/o any
modifications of FIDO UAF
1st Device
(No-FIDO supported)
It’s clumsy, and very hard to
remember all passwords…
“AuthN by Your Smartphone”
enables you to login very easily!

NTT DOCOMO Video Clip:
“Your Security, More Simple.” 2017
https://www.youtube.com/watch?v=3Uki8SlSJMk

NTT DOCOMO as a FIDO Alliance Board Member
• NTT DOCOMO joined FIDO Alliance as a Board of Directors, encouraged by
FIDO Alliance with the accomplishment of the FIDO UAF deployment, in
May 2015.
• DOCOMO has been contributing to FIDO Alliance through the DOCOMO’s
real FIDO deployment as well as activities based on our experiences of the
FIDO authentication operation.
– Chartered “Deployment at Scale (D@S)” WG in July 2015, and facilitating
together with Bank of America to address varies of FIDO deployment related
issues through gathering case studies and producing white papers.
– Chartered “FIDO Japan” WG in October 2016 as the third regional WG, and
taking the leadership to create the FIDO momentum for more FIDO adoptions
in Japan.

FIDO JAPAN WG: MISSION AND ACTIVITIES
All Rights Reserved | FIDO Alliance | Copyright 201721
Facilitation within Alliance
• Communication Style and
Language Barrier
• Different Time-Zone
• Understanding of FIDO Standards
Promotion to Japanese Market
• Messaging through News Letter and
Web-site
• Deployment Case-Studies
• Whitepapers, Translation-Table, etc.
Marketing & PR
SWG
Translation SWG
Technologies
SWG
Deployment-at-
Scale SWG
Chair, Vice-
Chairs, and PM
Mission
Execute the mission of FIDO Alliance in Japan efficiently through
facilitating communication within FIDO Alliance and promoting FIDO
Standards toward Japanese market.
‣Launched in October 2016, and announced on December 8th 2016

FIDO ALLIANCE MEMBERS FROM JAPAN
Board Level
Sponsor Level
Associate Level
21 member companies as of September 25th, 2017 – FIDO Japan WG
• Cybertrust Japan
• Internet of Thing, Inc.
• Passlogy Co., Ltd
• SECIOSS, Inc.
• sMedio, Inc.
• Technoglobal Inc.
• Ubiquitous Corporation

CONTRIBUTORS AT FIDO JAPAN WG
10 members at launched, 11 when announced, 21 members as of September 25th, 2017
Chair, Vice-Chair, Lead of SWG
Vice-Chair, Lead of SWG
Lead of SWG
Vice-Chair

24
Changing the World
Requires an Ecosystem
Principles
A new industry standard needed
Must support multiple types of authentication
Adoption at scale requires an interoperable ecosystem
WELCOME to THE
FIDO ALLIANCEFIDO Seminar in Sydney 9/25/2017

Creating a World without Passwords
“The new of today, the norm of tomorrow.”
• Through collaboration with the FIDO Alliance, NTT DOCOMO
will further deliver “Your Security, More Simple.”
https://www.youtube.com/watch?v=QzM4PpXEqP8

KOICHI.MORIYAMA.XR@NTTDOCOMO.COM | INFO@FIDOALLIANCE.ORG
26
KOICHI MORIYAMA
Senior Director of Product Innovation, Product Dept., NTT DOCOMO, INC.
A Board of Directors and Chair of FIDO Japan WG, FIDO Alliance
THANK YOU!

NTT DOCOMO Deployment Case Study

More Related Content

What's hot (20)

Viewers also liked (11)

Similar to NTT DOCOMO Deployment Case Study (20)

More from FIDO Alliance (20)

Recently uploaded (10)

NTT DOCOMO Deployment Case Study