Bernd Kowalksi of the Federal Office for Information Security discusses government objectives in strong ID and authentication, and derived identity and authenticity approach, while answering the questions, "Why did BSI join the FIDO Alliance?" and "What is the market perspective?"

1. Bernd Kowalski
Federal Office for Information Security
FIDO, Strong Authentication
and eID in Germany
Agenda
 Government Objectives in Strong ID & Authentication
 Why did BSI join the FIDO alliance?
 What is the market perspective?
 Derived Identity / Authenticity approach

2. 2Bernd Kowalski
Government Objectives in Strong ID & Authentication
About us: Federal Office for Information Security
 BSI: Bundesamt für Sicherheit in der Informationstechnik
 Germany's national IT Security Agency
 Founded in 1991
 Staff: ~ 662 employees
 Annual Budget: 89 millions Euro

3. 3Bernd Kowalski
Government Objectives in Strong ID & Authentication
BSI Mission
 Analysis and evaluation of IT security risks,
Information and awareness-building
 Technical standards, Test and Certification Services for the security of
IT components and systems
 Security solutions for government networks
and applications
 Support government regulations for
adopting adequate security standards
 International cooperation:
SOGIS-MRA / Common Criteria, ICAO,
ITU-T, CEN/CENELEC, ETSI, ISO,
NFC-Forum, IETF, Global Plattform, ...

4. 4Bernd Kowalski
 Smart Grid, Smart Metering (KRITIS)
 Smart Home, Smart Services
 Industry 4.0 / Remote Maintenance
 eMobility / car2car / car2x
 eHealth / eGovernment
 Cloud Computing
 ePassport and national IDs
 Online Banking, ePayment
Need for Secure ID & Trust Services
Government Objectives in Strong ID & Authentication
Digital Transformation in All Regulatory Sectors

5. 5Bernd Kowalski
Government Objectives in Strong ID & Authentication
General Requirements on Strong ID & Authentication
 Replacement of passwords by 2FA / MFA
(i.e. ownership + knowledge / ownership + inherence)
 Support of certified secure elements and hardware token
 Independancy of trust services and online services
 Open technical standards permitting multifunctional usage
 Security vs. Usability & Convenience
 some Use Cases require a High level of Security
 in other Use Cases Usability is the key factor
 Appropriate Migration of (Hardware) Token
(i.e. replacement / renewal / revocation) must satisfy user convenience

6. 6Bernd Kowalski
Why did BSI join the FIDO Alliance?
FIDO provides
 potential usage of strong ID & authentication for all webbrowsers and online
services
 simple integration and fast market penetration
 standardized authentication procedure independent of the application
 standardized user interface
 independency of Trust Services & personal IDs from business models of
market leaders
 usage of mobile plattforms
 synergy with NFC / ISO 14443
 usage of national IDs

7. 7Bernd Kowalski
1. Creating and Managing of
a Customer Account
+
2. Creating and secure
storage of a derived identity
+
3. Contactless purchasing
and paying of a ticket by
using a derived identity
+
+
4. Contactless ticketing by
using a smartphone
Secure and safe identification Comfortable use
Strong ID for Public Transport
What is the market perspective?
German National Project “NFC-Initiative”

8. 8Bernd Kowalski
 The NFC initiative is ...
 a joint activity of the BMI, BMWi and the BMVI in the context of the “Digital Agenda”
 with the participation of German industry, represented by the following companies:
 supported by the Federal Office for Information Security in Germany.
 Challenges for the NFC initiative:
 Harmonization of standardization in various committees focusing on NFC Forum
 Target: Functionality is important, therefore interoperability before strict conformity
 Field implementation as a "proof-of-concept" for technical specifications and acceptance of public transport
companies and their customers
comfortable and safe ticketing for the citizens!comfortable and safe ticketing for the citizens!
What is the market perspective?
German National Project “NFC-Initiative”
Project Partners

9. 9Bernd Kowalski
Standardized eGov Account Service
 eGov-Services can be offered nationwide
 interoperable Service Accounts can
be used in different eGov domains
Some German federal states already offer one
Service Account to multiple municipalities
 Impact:
More municipalities are able to offer eGov-services
 Current situation: Prototypical development of interoperable Service Accounts
in Bavaria and North Rhine-Westphalia
What is the market perspective?
Citizen Service Accounts

11. 11Bernd Kowalski
De-Mail – The secure and reliable German eDelivery solution
E-Mai
l
 Future usage of FIDO Token as 2nd factor for a high level authentication at
De-Mail, depending on achievable security level (according to eIDAS)
What is the market perspective?
De-Mail
User logs in
via FIDO Token

12. 12Bernd Kowalski
eIDAS-VO:
 Notification of member states identification systems
 FIDO does authentication not identification,
but: authentication is important part of identification systems
→ FIDO could be part of an identification system according to eIDAS
 Identification systems rated by "Level of Assurance"
→ mapping to FIDO security levels?
Trust-Services:
 Introduction of server signatures
 FIDO as possible signature activation
What is the market perspective?
eIDAS-VO

13. 13Bernd Kowalski
Reasons for the revision of EU Directive 2007/64/EG:
 Sufficient standardization and interoperability of various payment services for card
payments and e- and mPayments is not given.
The central point of the PSD II from the perspective of information security:
 "Strong Customer Authentication" for retrieving account information and performing
transactions is required.
 Strong customer authentication is defined as a procedure based on the use of two or
more of the following elements
Chance for information security:
 Designing a secure, privacy-friendly and applicable authentication solution by the
European Central Bank, the European Banking Authority and the SecurePay forum is still
pending.
 Refinement of the security requirements can still be affected!
What is the market perspective?
Payment Service Directive II (PSD II)
Ownership Knowledge Inherence

14. 14Bernd Kowalski
Authentication Systems
Authentication Devices
Yubikey VDV core appMobile
Connect
Secure
Elements
Primary Identity
Technologies for Derived Identities
1. Transfer
Datagroups
Authentic DataAuthentic Data Identifier
(secret)
Identifier
(secret)
+
2. Register
Authentication Device (build secret)
= Derived Identity
Derived Identity / Authenticity approach

15. 15Bernd Kowalski
 Growing risks through misuse of conventional IDs (passwords)
 Digital society requires strong IDs with Secure Elements and
2-Factor Authentication
 Regulatory Framework required for sufficient Technical ID-Standards in
critical areas
 European Market has a sufficient size to set appropriate technical
standards
 PSD2 is an opportunity for the acceptance of FIDO in Europe
 FIDO should support:
 NFC/ISO 14443 interoperabilty activities in the NFC-Forum
 usage of FIDO in regulatory projects
 adoption of certified embedded or external SE
Summary

16. 16Bernd Kowalski
Contact
Federal Office
for Information Security (BSI)
Bernd Kowalski
Godesberger Allee 185-189
53175 Bonn
Germany
Bernd.Kowalski@bsi.bund.de
www.bsi.bund.de
www.bsi-fuer-buerger.de