Global Regulatory Landscape for Strong Authentication
1. GLOBAL REGULATORY LANDSCAPE FOR STRONG AUTHENTICATION
DEVELOPMENTS IN POLICY, REGULATION AND GUIDANCE AROUND THE WORLD
All Rights Reserved | FIDO Alliance | Copyright 2018
2. AUTHENTICATION IS IMPORTANT TO GOVERNMENTS
1. Protects access to government assets
2. Enables more high-value citizen-facing services
3. Empowers the private sector to provide a wider range of high-value services to consumers
4. Secures critical assets and infrastructure
Governments seek identity solutions that deliver not just improved Security, but also Privacy, Interoperability, and better Customer Experiences.
The right policies and standards are needed to enable this.
3. FIDO IS IMPACTING HOW GOVERNMENTS THINK ABOUT AUTHENTICATION
UK National Cyber Security Strategy 2016. Priorities:
• Ensuring that future online products and services coming into use are “secure by default”
• Empowering consumers to “choose products and services that have built-in security as a default setting.”
“[We will] invest in technologies like Trusted Platform
Modules (TPM) and emerging industry standards such as
Fast IDentity Online (FIDO), which do not rely on
passwords for user authentication, but use the machine
and other devices in the user’s possession to authenticate.
The Government will test innovative authentication
mechanisms to demonstrate what they can offer, both in
terms of security and overall user experience.”
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf
4. FIDO IS IMPACTING HOW GOVERNMENTS THINK ABOUT AUTHENTICATION
U.S. Commission on Enhancing National Cybersecurity:
• Bipartisan commission established by the White House in April 2016, charged with crafting recommendations for the next President
• Major focus on authentication
5. US COMMISSION ON ENHANCING NATIONAL CYBERSECURITY
“Other important work that must be undertaken to overcome identity
authentication challenges includes the development of open-source
standards and specifications like those developed by the Fast IDentity
Online (FIDO) Alliance. FIDO specifications are focused largely on the
mobile smartphone platform to deliver multifactor authentication to
the masses, all based on industry standard public key cryptography.
Windows 10 has deployed FIDO specifications (known as Windows
Hello), and numerous financial institutions have adopted FIDO for
consumer banking. Today, organizations complying with FIDO
specifications are able to deliver secure authentication technology on
a wide range of devices, including mobile phones, USB keys, and near-
field communications (NFC) and Bluetooth low energy (BLE) devices
and wearables.
This work, other standards activities, and new tools that support
continuous authentication provide a strong foundation for opt-in
identity management for the digital infrastructure.”
https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf
6. US – TREASURY SECRETARY MNUCHIN HIGHLIGHTS IMPORTANCE OF FIDO
“Many of you have been working toward these goals for years now – the 2011
National Strategy for Trusted Identities in Cyberspace (NSTIC) charted a path
for government to work with the private sector, developing an identity
ecosystem that embraced these important principles – security, privacy, ease
of use, and interoperability.
“Out of NSTIC, we’ve seen great innovations through public-private
partnerships. These include the emergence of FIDO authentication, where
major firms in IT, software, device manufacturers, banking, health care and
security have partnered with government - the National Institute of Standards
and Technology in particular - to deliver on this vision. This has been done
by creating new standards like FIDO and OpenID Connect that are being used
today to enable more robust and secure authentication.
“With these commitments from industry, we’re at the point where it will be
hard for a consumer to buy a device or launch a browser that doesn’t
support strong authentication out of the box. It’s an innovation – driven by
industry and supported by government – that is improving security and
transforming digital commerce.”
7. IDEA: AUTHENTICATION AS REGTECH
8. WHAT IS REGTECH?
RegTech: Technology that helps businesses comply with regulations efficiently and inexpensively.
- Australian Securities and Investments Commission (ASIC)
-Or-
RegTech: technology that seeks to provide “nimble, configurable, easy to integrate, reliable, secure and cost-effective” compliance solutions
- Deloitte
10. OLD AUTHENTICATION - OTPS
Old strong authentication required a separate channel or device…
ONE-TIME PASSCODES: Improve security but aren’t easy enough to use
• Still phishable (a code the user types into a look-alike site can be relayed to the real site in real time)
• User confusion
• Token necklace
• SMS reliability¹
¹ NIST SP 800-63-3: “Out-of-band authentication using the [public switched telephone network] (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.”
11. OLD AUTHENTICATION – SMART CARDS
Old strong authentication required a separate channel or device…
SMART CARDS: Offer strong cryptographic security but are:
• Inconvenient
• Costly
• Poor BYOD support
12. THE AUTHN CHALLENGE
Nimble • Configurable • Easy to integrate • Cost effective • Secure • Reliable
We need authentication solutions that can meet the “RegTech” definition, allowing better business models and customer experiences to flourish without concerns about security, privacy and other compliance requirements.
13. AREAS OF INNOVATION + REGULATION
• eGov / Citizen Services: Digital Government; National IDs; eIDAS
• Privacy & Security: GDPR; stop the 81% of hacking-related breaches that leverage weak or stolen passwords
• Health Care: EHR; Patient Access; Doctor Access
• Financial Services: Payments + FinTech; PSD2; KYC
14. AREAS OF INNOVATION + REGULATION
Compliance is driving a need for better authentication
16. FIDO IMPACT ON POLICY
FIDO specifications offer governments newer, better options for
strong authentication – but governments may need to update
some policies to support the ways in which FIDO is different.
As technology evolves,
policy needs to evolve with it.
17. AS TECHNOLOGY EVOLVES, POLICY NEEDS TO EVOLVE WITH IT.
1) Recognize that two-factor authentication no longer brings higher burdens or costs
• While that was true of most “old” MFA technology, FIDO specifically addresses these cost and usability issues
• FIDO enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale
18. AS TECHNOLOGY EVOLVES, POLICY NEEDS TO EVOLVE WITH IT.
2) Recognize technology is now mature enough to enable two secure, distinct authn factors in a single device
• First recognized by the U.S. government (NIST) in 2014
• “OMB (White House) to update guidance on remote electronic authentication” to remove requirements that one factor be separate from the device accessing the resource
• The evolution of mobile devices, in particular hardware architectures that offer highly robust and isolated execution environments (such as TEE, SE and TPM), has allowed these devices to achieve high-grade security without the need for a physically distinct token
19. TECHNOLOGY IS NOW MATURE ENOUGH TO ENABLE TWO SECURE, DISTINCT AUTHENTICATION FACTORS IN A SINGLE DEVICE
Europe and Payment Services Directive 2 (PSD2)
• Original guidance (December 2015) from the European Banking Authority (EBA) was heavily weighted toward OTP and considered prohibiting two authentication factors delivered on the same device.
• The emergence of FIDO prompted the EBA to revise its guidance; the final version (November 2017) references FIDO’s architecture for protecting the independence of authentication factors on multi-purpose devices such as smart phones. Article 9 of the resulting RTS on strong customer authentication requires separated secure execution environments when the elements share a multi-purpose device.
http://ec.europa.eu/finance/docs/level-2-measures/psd2-rts-2017-7782_en.pdf
20. TECHNOLOGY IS NOW MATURE ENOUGH TO ENABLE TWO SECURE, DISTINCT AUTHENTICATION FACTORS IN A SINGLE DEVICE
FIDO recognized at the highest Authenticator Assurance Level (AAL3) by NIST
• NIST published a 2017 update to its digital identity guidelines (SP 800-63-3) that reflects the emergence of new standards like FIDO
• Both Universal 2nd Factor (U2F) and passwordless/UAF solutions were recognized as able to meet the highest level of assurance for authenticators.
• Caveat: AAL3 in SP 800-63B requires a hardware-based, verifier-impersonation-resistant authenticator built on a FIPS 140 validated cryptographic module, so a FIDO authenticator qualifies only when its hardware meets those requirements; software-only authenticators top out at AAL2.
https://pages.nist.gov/800-63-3/
21. AS TECHNOLOGY EVOLVES, POLICY NEEDS TO EVOLVE WITH IT.
3) As governments promote or require strong authentication, make sure it is the “right” authentication
• The market is in the midst of a burst of innovation around authentication technology, and some solutions are better than others. Don’t build rules focused on old authentication technology.
• Old authentication technologies impose significant costs and burdens on the user, which decreases adoption.
• Old authentication technologies have security issues (they are phishable) and privacy issues, putting both users and online service providers at risk.
22. AS TECHNOLOGY EVOLVES, POLICY NEEDS TO EVOLVE WITH IT
3) As governments promote or require strong authentication, make sure it is the “right” authentication
Example: Taiwan
• Taiwan’s Financial Supervisory Commission (FSC) in December 2016 changed its e-Banking Security Control regulations to make clear that client-side biometrics are appropriate to use for e-Banking applications
• The previous version pointed only to server-side biometric matching; the emergence of FIDO prompted the change
23. AS TECHNOLOGY EVOLVES, POLICY NEEDS TO EVOLVE WITH IT
3) As governments promote or require strong authentication, make sure it is the “right” authentication
Example: US
• US Department of Veterans Affairs (VA)
▸ First US government citizen-facing application (vets.gov) to support FIDO (September 2017)
• US Department of Defense (DoD)
▸ DoD CIO declares that U2F is allowed as an alternative to PKI where PKI integration is not feasible (April 2017)
• US Senate
▸ Requests that the US Social Security Administration protect citizen accounts with FIDO instead of SMS or OTP
25. QUESTIONS? THANK YOU!
Speaker notes
To sum up, FIDO delivers on all of these key priorities: security, usability, privacy and interoperability.
Some additional points on privacy:
There is no third party in the protocol, so there are no correlation handles and no third party watching where users authenticate. The exchange runs directly between the device and the application.
No shared secrets are stored on the server, only public keys, so a breach of that server yields nothing an attacker can replay.
If used, biometric data must never leave the device, which is privacy preserving. That is a requirement of FIDO certification.
One of the biggest benefits of the FIDO design is that there is no new linkability or identifier in a FIDO device: no new way to track a user or link their behavior across applications, because each relying party gets its own key pair (and attestation, where used, is shared across a large batch of devices rather than issued per device, for the same reason). There is not even a way to link a user across different accounts on the same system. Cookie methods still exist, but FIDO adds nothing new.
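The phishing resistance claimed on slide 10 and the privacy properties listed in the notes above (no shared secret on the server, a credential that cannot be relayed to a look-alike site, no identifier that links a user across relying parties or across accounts) all follow from the shape of the FIDO registration and authentication exchange. The Go program below is an added example written for this page, not code from the FIDO Alliance or from any FIDO implementation; it models one authenticator, two relying parties and the browser-side client between them. The RP IDs bank.example and health.example, the look-alike origin bank.example.evil, the user handles, and the flat “origin|challenge” client-data encoding are all constructed for the example; real WebAuthn signs a hash of a clientDataJSON document and also carries flags, a signature counter and optional attestation, none of which are modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a FIDO-style authenticator: one fresh key pair per (RP ID, account).
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // RP ID + "\x00" + user handle -> key; never leaves the device
}

// Register mints a P-256 key pair scoped to (rpID, user) and returns only the public half.
func (a *Authenticator) Register(rpID, user string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID+"\x00"+user] = priv
	return &priv.PublicKey, nil
}

// Assertion is the authenticator's answer to a challenge.
type Assertion struct {
	RPIDHash  [32]byte // SHA-256 of the RP ID the credential is scoped to
	Signature []byte   // ECDSA/SHA-256, ASN.1 DER, over signedBytes(...)
}

// signedBytes is what the signature covers: the RP ID hash plus a hash binding the challenge to
// the origin the browser saw. Real WebAuthn hashes clientDataJSON; this flat layout is an assumption.
func signedBytes(rpIDHash [32]byte, origin string, challenge []byte) []byte {
	cd := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return append(rpIDHash[:], cd[:]...)
}

// Authenticate signs a challenge. A browser derives the RP ID from the origin; both are
// separate parameters here so Demo can show what a phishing relay gets when it controls the origin.
func (a *Authenticator) Authenticate(rpID, user, origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID+"\x00"+user]
	if !ok {
		return nil, errors.New("authenticator: no credential for this RP ID")
	}
	h := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(signedBytes(h, origin, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return &Assertion{RPIDHash: h, Signature: sig}, err
}

// RelyingParty stores only public keys: a breach of this table yields nothing replayable anywhere.
type RelyingParty struct {
	ID, Origin string
	creds      map[string]*ecdsa.PublicKey
}

// Verify recomputes the signed bytes with the RP's own origin, so an assertion made at a
// look-alike origin fails even when the genuine challenge was relayed to it.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	pub, ok := rp.creds[user]
	if !ok || as == nil {
		return errors.New("rp: unknown user or missing assertion")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("rp: assertion scoped to a different RP ID")
	}
	digest := sha256.Sum256(signedBytes(as.RPIDHash, rp.Origin, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("rp: signature does not match this origin and challenge")
	}
	return nil
}

// Demo runs a legitimate login, a phishing relay from the constructed look-alike origin
// https://bank.example.evil, and a linkability check across RPs and accounts.
func Demo() (legit, phishBlocked, unlinkable bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{ID: "bank.example", Origin: "https://bank.example", creds: map[string]*ecdsa.PublicKey{}}
	health := &RelyingParty{ID: "health.example", Origin: "https://health.example", creds: map[string]*ecdsa.PublicKey{}}
	bank.creds["alice"], _ = auth.Register(bank.ID, "alice")           // Register errors ignored here:
	bank.creds["alice-work"], _ = auth.Register(bank.ID, "alice-work") // GenerateKey on rand.Reader
	health.creds["alice"], _ = auth.Register(health.ID, "alice")       // does not fail in practice
	ch := make([]byte, 32)
	rand.Read(ch) // the RP's one-time challenge
	as, _ := auth.Authenticate(bank.ID, "alice", bank.Origin, ch)
	legit = bank.Verify("alice", ch, as) == nil

	// Phishing relay: the browser derives RP ID "bank.example.evil", for which no key exists;
	// even a client coerced into using the real RP ID signs the attacker's origin into the data.
	_, noKey := auth.Authenticate("bank.example.evil", "alice", "https://bank.example.evil", ch)
	relayed, _ := auth.Authenticate(bank.ID, "alice", "https://bank.example.evil", ch)
	phishBlocked = noKey != nil && bank.Verify("alice", ch, relayed) != nil

	// Unlinkability: distinct public keys per RP and per account on the same RP.
	k1, k2, k3 := bank.creds["alice"], bank.creds["alice-work"], health.creds["alice"]
	unlinkable = !k1.Equal(k2) && !k1.Equal(k3) && !k2.Equal(k3)
	return
}

func main() {
	fmt.Println(Demo())
}
```

Demo reports three results: the genuine login verifies; the phishing relay fails twice over (the browser derives a different RP ID so no credential exists, and even an assertion forced onto the real RP ID carries the attacker's origin, which the bank's signature check rejects); and the three public keys on file are pairwise distinct, which is what makes a FIDO credential useless as a cross-site tracking handle. Contrast this with an OTP, where the secret the user types is the same string no matter which site asked for it, so a relay succeeds.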