FIDO Authentication in the Shifting Regulatory Landscape

FIDO Alliance © 2019 - Austin FIDO seminar Jan 20191
FIDO AUTHENTICATION IN THE
SHIFTING EUROPEAN
REGULATORY LANDSCAPE
ALAIN MARTIN
CO-CHAIR FIDO EUROPE WG
VP STRATEGIC PARTNERSHIPS - GEMALTO

AGENDA
• How FIDO helps with the SCA requirements under PSD2
• Compliance
• The customer journey
• How FIDO helps with GDPR
• The need for strong authentication
• The privacy by design

FIDO, PSD2 AND THE
CUSTOMER JOURNEY

Open
APIs
PSD2 IN A FEW WORDS
• New Access to Account mandate  Open APIs
• New Strong Customer Authentication mandate
• New Third Party Provider (TPP) roles :
Open
APIs
Open
APIs
Payment
execution
Open
APIs
Open
APIs
Open
APIs
Gives
consent
Payment Initiation
Service Provider (PISP)
Account Information
Service Provider (AISP)

THE CUSTOMER JOURNEY
KEY SUCCESS FACTOR FOR THE ROLL OUT OF
PSD2 IN EUROPE
Authentication models have been created
and… much debated by the stakeholders

AUTHENTICATION MODELS
• Redirection
AISPAISP ASPSP
Authenticate
authentication
AISP AISPASPSP
Authenticate

AUTHENTICATION MODELS
• Decoupled
• An Out of Band model
PISP
Merchant Merchant
Authenti-
cate
ASPSP
authentication

POTENTIAL UX ISSUES IN THE REDIRECTION/DECOUPLED MODELS
• In account aggregation use cases
ASPSP C
Sign in with OTP
ASPSP C
Login Go
AISP
ASPSP A
App
AISP
ASPSP B
token
ASPSP C
OTP generator
ASPSP B
Login
Pswd Go

POTENTIAL UX ISSUES IN THE REDIRECTION MODEL
• In payment initiation use cases
PISP
ASPSP
Login
Merchant
Merchant
Merchant
PISP
Bank 1
Bank 2
Bank 3
Select Bank
Select
account
ASPSP
Approve
transaction
ASPSP
ASPSP
OTP:
123456
Enter OTP:
******
Pswd

FIDO SIMPLIFIES THE CUSTOMER JOURNEY
PISP
Merchant
ASPSP
Authorise
payment?
ASPSP
Login
Pswd
OTP:
******
ASPSP
Enter OTP:
******
FIDO
Authenticator
PISP
Merchant
Merchant
Merchant
1 step
authentication
3 step
authentication
With FIDO With OTP by SMS

WHAT THE REGULATOR AND STAKEHOLDERS SAY
• The European Commission
• Added article 32-3 in the RTS on “obstacles”  ASPSP may have to provide
alternatives to Redirection if not properly implemented
• EBA opinion paper (June 2018)
• Redirection not an obstacle per se
• Implementation is key, whichever the model, for a satisfactory user journey
• The Fintechs
• Some happy with redirection, some wanting no friction in the user
experience
• The Berlin Group
• Are working on 2 additional authentication models: Embedded and
Delegated

ALTERNATIVE AUTHENTICATION MODELS
• Embedded
• Delegated
AISP
authentication
AISPAISP AISP
Authenticate
AISPAISP AISP
Authenticate
authentication

EMBEDDED MODEL = AUTHENTICATION BY THE BANK
• Not in line with
customer education
• Difference with phishing
attacks
• Similar to Apple Pay
• Requires enrolment
• Requires trust in local
user verification
 the FIDO approach
TPPBank OTP
generator Enter Pswd: ******
Enter OTP: ******
Pswd, OTP
TPP
Authen-
ticate
Bank keys
generated in
device
Challenge/
Response

DELEGATED MODEL: FIDO/EMVCO COLLABORATION ON
3DSECURE
Merchant
Directory
Service
FIDO
Authentication
3D Secure message
Device
ACS 3
1
2 Authenticator metadata
Risk assessment
Step up
authentication
4

FIDO COMPLIANCE TO PSD2/RTS ON STRONG CUSTOMER
AUTHENTICATION
• Based on multi-factor authentication
 [RTS] Articles 4, 6, 7, 8
• Protection of the “security elements”
 [RTS] Articles 22, 23, 25
• Separation of execution environments
 [RTS] Article 9
• Support of dynamic linking
 [RTS] Article 5
… a detailed analysis of FIDO compliance is published on https://fidoalliance.org/

FIDO AND THE GDPR

GDPR – GENERAL DATA PROTECTION REGULATION
• Applies since 25 May 2018
• Very large fines for infringement: Up to €20,000,000 or 4% total
worldwide turnover
• Data protection
• Consent of data subject
• Data subject rights
• Adequacy, relevance, etc. of data collection
• …
The subject for FIDO

PROTECTION AGAINST UNAUTHORIZED ACCESS
• Level of security to be appropriate to the risk
FIDO recommendation:
implement strong
authentication to prevent
phishing and hacking
Data subject right
to access, modify,
etc.

RECENT HEALTHCARE DATA BREACHES
July 2018 – Singapore
“Hackers stole data of PM Lee and 1.5
million patients in 'major cyberattack'
on SingHealth”
October 2018 – USA
“US Center for Medicare & Medicaid Services
says 75,000 individuals' files accessed in
data breach”
July 2018 – USA
“1.4M records breached in UnityPoint Health
phishing attack”
July 2018 – USA
“Patient data exposed for months
after phishing attack on Sunspire”
August 2018 - USA
“3 phishing hacks breach 20,000
Catawba Valley patient records”

20
SPECIAL CATEGORIES OF DATA
• Processing of this data prohibited,
unless allowed in specific cases
• If allowed, requires
• Explicit consent
• Suitable safeguards to protect personal
data
• Data protection impact assessment
• Assessment of the measures, safeguards
and mechanisms envisaged for
mitigating risk and ensuring the
protection of personal data
Special
Categories
of data
Political opinions
Racial or ethnic
origin
Healthcare
Sexual life
Religious
beliefs
Biometric data

21
USER CONSENT
• Data subject must give consent to processing of his/her personal data
• For special categories: explicit consent
FIDO recommendation:
Strong authentication is a good practice to properly
identify the data subject providing consent

THE CONTROLLER SHOULD BE ABLE TO DEMONSTRATE
THIS CONSENT
• FIDO authenticators are capable of signing
transaction data
• Server message can include consent information
• Signed response is a non forgeable proof
• Can be used in case of dispute
Do you agree to
providing your
health data to
ABCHealth ?
Authenticate to
confirm

23
EXEMPTION
• GDPR does not apply to the processing of personal data by a natural
person in the course of a purely personal or household activity
• Biometrics on smartphone can be exempted
• e.g. French Data Protection Authority (CNIL) exemption IF ON DEVICE STORAGE
AND MATCHING
• If remote storage and matching, there must be an impact assessment

FIDO’S USE OF BIOMETRICS
• With FIDO, biometrics can only be stored and matched on a consumer’s
device
• FIDO prohibit biometrics from being stored or matched in servers
 No Data Protection Impact Assessment for the use of biometric data

25
DATA PROTECTION BY DESIGN PRINCIPLE
• Proactive
• Embedded from the start in design
• For authentication solutions, this would mean, by design:
Protection of user authentication credentials and biometric data
Protection against phishing or MITM attacks

FIDO EMBRACES PROTECTION/PRIVACY-BY-DESIGN
Based on
public key
cryptography
No server-side
shared secrets
Keys
generated
and stored
on device
Verification of
web origin
/channel id
Biometrics, if used,
never leave device
No link-ability
between services or
accounts

IN SUMMARY
In light of the heavy fines and ever increasing attacks from hackers
 Service providers should consider replacing passwords with
stronger means of authentication
Password
Data protection
measures

RESOURCES:
PSD2
HTTPS://FIDOALLIANCE.ORG/HOW_FIDO_MEETS_THE_RTS_REQUIREMENTS/
HTTPS://FIDOALLIANCE.ORG/.../FIDO-PSD2_CUSTOMER_JOURNEY_WHITE_PAPER.PDF
GDPR
HTTPS://FIDOALLIANCE.ORG/.../FIDO_AUTHENTICATION_AND_GDPR_WHITE_PAPER_
MAY2018-1.PDF
HTTPS://FIDOALLIANCE.ORG/EVENT/WEBINAR-FIDO-AUTHENTICATION-GDPR/

FIDO Authentication in the Shifting Regulatory Landscape

More Related Content

What's hot (20)

Similar to FIDO Authentication in the Shifting Regulatory Landscape (20)

More from FIDO Alliance (20)

Recently uploaded (20)

FIDO Authentication in the Shifting Regulatory Landscape