Bernd Kowalski of the Federal Office for Information Security discusses government objectives in strong ID and authentication and the derived identity / authenticity approach, while answering the questions "Why did BSI join the FIDO Alliance?" and "What is the market perspective?"
1. Bernd Kowalski
Federal Office for Information Security
FIDO, Strong Authentication and eID in Germany
Agenda
Government Objectives in Strong ID & Authentication
Why did BSI join the FIDO alliance?
What is the market perspective?
Derived Identity / Authenticity approach
2. Government Objectives in Strong ID & Authentication
About us: Federal Office for Information Security
BSI: Bundesamt für Sicherheit in der Informationstechnik
Germany's national IT Security Agency
Founded in 1991
Staff: ~662 employees
Annual budget: 89 million Euro
3. Government Objectives in Strong ID & Authentication
BSI Mission
Analysis and evaluation of IT security risks
Information and awareness-building
Technical standards, test and certification services for the security of IT components and systems
Security solutions for government networks and applications
Support of government regulations for adopting adequate security standards
International cooperation: SOGIS-MRA / Common Criteria, ICAO, ITU-T, CEN/CENELEC, ETSI, ISO, NFC Forum, IETF, GlobalPlatform, ...
4. Government Objectives in Strong ID & Authentication
Digital Transformation in All Regulatory Sectors
Smart Grid, Smart Metering (KRITIS)
Smart Home, Smart Services
Industry 4.0 / Remote Maintenance
eMobility / car2car / car2x
eHealth / eGovernment
Cloud Computing
ePassport and national IDs
Online Banking, ePayment
Need for Secure ID & Trust Services
5. Government Objectives in Strong ID & Authentication
General Requirements on Strong ID & Authentication
Replacement of passwords by 2FA / MFA (i.e. ownership + knowledge / ownership + inherence)
Support of certified secure elements and hardware tokens
Independence of trust services from online services
Open technical standards permitting multifunctional usage
Security vs. usability & convenience: some use cases require a high level of security; in other use cases usability is the key factor
Appropriate migration of (hardware) tokens (i.e. replacement / renewal / revocation) must satisfy user convenience
6. Why did BSI join the FIDO Alliance?
FIDO provides
potential usage of strong ID & authentication for all web browsers and online services
simple integration and fast market penetration
standardized authentication procedure independent of the application
standardized user interface
independence of trust services & personal IDs from the business models of market leaders
usage of mobile platforms
synergy with NFC / ISO 14443
usage of national IDs
7. What is the market perspective?
German National Project "NFC-Initiative"
Strong ID for Public Transport
1. Creating and managing a customer account
+ 2. Creating and securely storing a derived identity
+ 3. Contactless purchasing and paying of a ticket by using a derived identity
+ 4. Contactless ticketing by using a smartphone
Secure and safe identification + comfortable use
8. What is the market perspective?
German National Project "NFC-Initiative"
Project Partners
The NFC initiative is ...
a joint activity of the BMI, BMWi and the BMVI in the context of the "Digital Agenda"
with the participation of German industry, represented by the following companies:
supported by the Federal Office for Information Security in Germany.
Challenges for the NFC initiative:
Harmonization of standardization in various committees focusing on the NFC Forum
Target: functionality is important, therefore interoperability before strict conformity
Field implementation as a "proof-of-concept" for technical specifications and acceptance by public transport companies and their customers
Comfortable and safe ticketing for the citizens!
9. What is the market perspective?
Citizen Service Accounts
Standardized eGov Account Service
eGov services can be offered nationwide
Interoperable Service Accounts can be used in different eGov domains
Some German federal states already offer one Service Account to multiple municipalities
Impact: more municipalities are able to offer eGov services
Current situation: prototypical development of interoperable Service Accounts in Bavaria and North Rhine-Westphalia
11. What is the market perspective?
De-Mail
De-Mail – The secure and reliable German eDelivery solution
[Diagram: E-Mail; user logs in via FIDO Token]
Future usage of FIDO Token as 2nd factor for a high-level authentication at De-Mail, depending on the achievable security level (according to eIDAS)
12. What is the market perspective?
eIDAS-VO
eIDAS-VO: notification of member states' identification systems
FIDO does authentication, not identification, but authentication is an important part of identification systems
→ FIDO could be part of an identification system according to eIDAS
Identification systems are rated by "Level of Assurance"
→ mapping to FIDO security levels?
Trust services: introduction of server signatures
FIDO as possible signature activation
13. What is the market perspective?
Payment Service Directive II (PSD II)
Reasons for the revision of EU Directive 2007/64/EG:
Sufficient standardization and interoperability of various payment services for card payments and e- and mPayments is not given.
The central point of the PSD II from the perspective of information security:
"Strong Customer Authentication" for retrieving account information and performing transactions is required.
Strong customer authentication is defined as a procedure based on the use of two or more of the following elements: Ownership, Knowledge, Inherence
Chance for information security:
Designing a secure, privacy-friendly and applicable authentication solution by the European Central Bank, the European Banking Authority and the SecurePay forum is still pending.
Refinement of the security requirements can still be influenced!
14. Derived Identity / Authenticity approach
Technologies for Derived Identities
[Diagram] Primary Identity → 1. Transfer Datagroups (Authentic Data + Identifier (secret)) → 2. Register Authentication Device (build secret) = Derived Identity
Authentication Systems / Authentication Devices: Yubikey, VDV core app, Mobile Connect, Secure Elements
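The two-step flow on this slide (transfer authentic data groups bound to a secret identifier, then register an authentication device that builds its own secret), as an added illustrative model; this is not BSI's or any project's code. It assumes a symmetric scheme in which the verifier knows the identifier secret from registration, and all identity data is constructed sample input.

```python
import hashlib
import hmac
import json

# Constructed sample primary identity (e.g. data groups read from an eID); illustrative only.
PRIMARY_IDENTITY = {"DG1_name": "Erika Mustermann", "DG2_dob": "1964-08-12", "DG3_address": "Bonn"}


def transfer_datagroups(primary, wanted, identifier_secret):
    """Step 1 (Transfer): copy selected data groups out of the primary identity and bind
    them to the secret identifier with a MAC, so later tampering with the copy is detectable."""
    groups = {name: primary[name] for name in wanted}
    payload = json.dumps(groups, sort_keys=True).encode()
    tag = hmac.new(identifier_secret, payload, hashlib.sha256).hexdigest()
    return {"datagroups": groups, "tag": tag}


def datagroups_authentic(transferred, identifier_secret):
    """Re-compute the MAC over the transferred data groups; False means they were altered."""
    payload = json.dumps(transferred["datagroups"], sort_keys=True).encode()
    expected = hmac.new(identifier_secret, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, transferred["tag"])


def register_device(transferred, identifier_secret, device_id):
    """Step 2 (Register): build a device-bound secret from the identifier secret and the
    device id (hypothetical construction). Data groups plus this secret form the derived
    identity held on the authentication device."""
    if not datagroups_authentic(transferred, identifier_secret):
        raise ValueError("transferred data groups failed the authenticity check")
    device_secret = hmac.new(identifier_secret, device_id.encode(), hashlib.sha256).digest()
    return {"datagroups": transferred["datagroups"], "device_id": device_id,
            "device_secret": device_secret}


def authenticate(derived, challenge):
    """The device answers a verifier's challenge with a MAC under its device secret."""
    return hmac.new(derived["device_secret"], challenge, hashlib.sha256).hexdigest()


def verify(identifier_secret, device_id, challenge, response):
    """The verifier re-derives the device secret for the registered device id and checks
    the response; a response from a different device id does not verify."""
    expected_secret = hmac.new(identifier_secret, device_id.encode(), hashlib.sha256).digest()
    expected = hmac.new(expected_secret, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)
```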
15. Summary
Growing risks through misuse of conventional IDs (passwords)
Digital society requires strong IDs with Secure Elements and 2-factor authentication
Regulatory framework required for sufficient technical ID standards in critical areas
European market has a sufficient size to set appropriate technical standards
PSD2 is an opportunity for the acceptance of FIDO in Europe
FIDO should support:
NFC/ISO 14443 interoperability activities in the NFC Forum
usage of FIDO in regulatory projects
adoption of certified embedded or external SE
16. Contact
Federal Office
for Information Security (BSI)
Bernd Kowalski
Godesberger Allee 185-189
53175 Bonn
Germany
Bernd.Kowalski@bsi.bund.de
www.bsi.bund.de
www.bsi-fuer-buerger.de