FIDO Authentication in Europe the Momentum and Opportunities

Slide 1: FIDO AUTHENTICATION IN EUROPE: THE MOMENTUM AND OPPORTUNITIES
08 December 2017, Alain Martin (Gemalto), FIDO Europe WG Co-chair

Slide 2: AGENDA
  • What is happening in Europe
  • Focus on PSD2
  • The FIDO standards can help

Slide 3: WHAT IS HAPPENING IN EUROPE

Slide 4: EUROPEAN REGULATION
  • PSD2 (Revised Payment Services Directive): entered into force on 12 January 2016, applies from 13 January 2018; the RTS are expected to apply from end August 2019
  • GDPR (General Data Protection Regulation): entered into force on 24 May 2016, applies from 25 May 2018
  • eIDAS (Electronic Identification and Trust Services): entered into force on 17 September 2014, applies from 1 July 2016; mandatory cross-border recognition of eIDs from September 2018

Slide 5: PSD2 IN A FEW WORDS
  • New Access to Account mandate, implemented through open APIs
  • New Strong Customer Authentication mandate
  • New Third Party Provider (TPP) roles: Payment Initiation Service Provider (PISP) and Account Information Service Provider (AISP)
(Diagram: the user gives consent to the TPP, the TPP reaches the bank through the open APIs, and the bank executes the payment.)

Slide 6: GDPR: PROTECTION OF PERSONAL DATA
  • Access to personal data: protection of access to data must be proportional to data sensitivity (Article 32)
  • Explicit user consent is mandatory to collect personal data
  • May require strong authentication for sensitive data
  • Privacy by design
  • FIDO authenticators are well suited (no shared keys, local user verification)
Compliance with GDPR may require strong authentication. Fines for infringement are very large: up to €20,000,000 or 4% of total worldwide turnover.

Slide 7: eIDAS: DIGITISING ID AND SIGNATURES
  • Open up access to public services and ensure secure online transactions
  • Enable cross-border trust
  • Improve security and convenience when doing business online
  • Encourage digital transaction growth and dematerialisation
(Diagram: the eIDAS Regulation covers eID and trust services: eSignatures, eSeals, time stamps, electronic delivery and website authentication. The user's keys are to be held on "Qualified Signature Creation Devices".)

Slide 8: THE REVISED PAYMENT SERVICES DIRECTIVE (PSD2)

Slide 9: PSD2 REGULATORY BODIES
(Diagram: PSD2, covering competition and consumer protection, and the Regulatory Technical Standards issued under it.)

Slide 10: THE RTS (REGULATORY TECHNICAL STANDARDS)
  • Requirement for Strong Customer Authentication, which must be based on 2FA
  • The bank authenticates the user
  • Customer consent is materialised by an authentication code
  • Transaction signature over the transaction amount and the transaction payee
  • Applies to card-based payments and to credit transfers

Slide 11: PSD2 TIMELINE
  • PSD2 entry into force: 12 January 2016
  • Transposition into national law: 13 January 2018
  • Final RTS: 27 November 2017; official publication expected end February 2018
  • RTS application: September 2019 (at most 18 months after adoption of the RTS by the Commission)
Between transposition and RTS application there is a "fuzzy period" in which the directive applies but the RTS do not yet.
  • The open APIs have been defined (STET, Berlin Group, OBIE)
  • They impact the way user authentication happens
  • Banks are deciding now on their authentication methods

Slide 12: THIS COULD HAPPEN
(Diagram: an account aggregator web site acting as AISP must authenticate the user to each bank separately: Bank A with its app, Bank B with a token, Bank C with an OTP generator.)

Slide 13: IMPROVED USER EXPERIENCE
  • A standard will facilitate implementation of this model
  • FIDO standards may be attractive to implement this model
(Diagram: the user is asked to "Authenticate with your device", whether through the AISP app or the AISP web site.)

Slide 14: STANDARDISATION IS NECESSARY
  • Cost reduction
  • Multi-channel, multiple form factors
  • Ease of deployment
  • User experience

Slide 15: THE FIDO STANDARDS CAN HELP

Slide 16: FIDO STANDARDS ARE RELEVANT
  • Based on multi-factor authentication, in line with the regulations
  • Secure execution environments ranging from hardened software to TEE to Secure Elements
  • Strong focus on biometrics
  • Can be combined with authorisation frameworks such as OAuth 2

Slide 17: FIDO PROTECTS USER IDENTIFICATION DATA
  • No shared secrets
  • On-device key generation
  • Local verification (of PIN, of biometric data)
In line with GDPR; facilitates deployment.
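The three properties on the slide above (no shared secrets, on-device key generation, local verification), together with the RTS requirement from slide 10 that the authentication code be bound to the transaction amount and payee, are easiest to see in a minimal challenge-response exchange with both sides written out. The Go program below is an added illustration, not code from the presentation or from the FIDO Alliance. It assumes P-256 ECDSA, a byte layout for the signed data of its own choosing (a real FIDO/WebAuthn assertion signs the authenticator data and a client-data hash instead), and a UserVerified flag that stands in for the PIN or biometric check; the RP ID "bank.example", the IBAN-style payee and the amounts are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction carries the data the PSD2 RTS want bound to the
// authentication code: the payee and the amount (here in cents).
type Transaction struct {
	Payee  string
	Amount uint64
}

// Authenticator models the user's device. The private key is generated here
// and never leaves the struct; UserVerified stands in for the local PIN or
// biometric check (an assumption of this example, not a real FIDO API).
type Authenticator struct {
	priv         *ecdsa.PrivateKey
	UserVerified bool
}

// RelyingParty models the bank. It stores only public keys, keyed by
// credential ID, so a leak of this table gives an attacker nothing to sign with.
type RelyingParty struct {
	ID    string
	creds map[string][]byte // credential ID -> DER-encoded public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: make(map[string][]byte)}
}

// Register generates a fresh P-256 key pair on the device and hands the
// relying party only the public half, under a random credential ID.
func (a *Authenticator) Register(rp *RelyingParty) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	idBytes := make([]byte, 16)
	if _, err := rand.Read(idBytes); err != nil {
		return "", err
	}
	credID := hex.EncodeToString(idBytes)
	a.priv = priv
	rp.creds[credID] = pubDER
	return credID, nil
}

// NewChallenge issues a fresh nonce so a signature is tied to one attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData is what both sides hash. Length prefixes keep the fields
// unambiguous; the payee and amount give the "dynamic linking" of the RTS,
// and the RP ID stops a phishing site relaying the signature to the real bank.
func signedData(rpID string, challenge []byte, tx Transaction) []byte {
	var buf []byte
	for _, f := range [][]byte{[]byte(rpID), challenge, []byte(tx.Payee)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf = append(append(buf, n[:]...), f...)
	}
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], tx.Amount)
	return append(buf, amt[:]...)
}

// Sign is the authenticator's response: it refuses without local user
// verification, then signs challenge and transaction with the device key.
func (a *Authenticator) Sign(rpID string, challenge []byte, tx Transaction) ([]byte, error) {
	if !a.UserVerified {
		return nil, errors.New("local user verification (PIN/biometric) failed")
	}
	if a.priv == nil {
		return nil, errors.New("no credential registered on this device")
	}
	h := sha256.Sum256(signedData(rpID, challenge, tx))
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Verify checks the signature against the stored public key and against the
// exact transaction the bank is about to execute.
func (rp *RelyingParty) Verify(credID string, challenge []byte, tx Transaction, sig []byte) bool {
	der, ok := rp.creds[credID]
	if !ok {
		return false
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return false
	}
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(signedData(rp.ID, challenge, tx))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	bank := NewRelyingParty("bank.example") // constructed sample RP
	device := &Authenticator{UserVerified: true}
	credID, _ := device.Register(bank)
	tx := Transaction{Payee: "FR7630006000011234567890189", Amount: 12050} // constructed
	challenge, _ := bank.NewChallenge()
	sig, _ := device.Sign(bank.ID, challenge, tx)
	fmt.Println("genuine transaction verifies:", bank.Verify(credID, challenge, tx, sig))
	tampered := Transaction{Payee: tx.Payee, Amount: 9912050}
	fmt.Println("amount changed in transit verifies:", bank.Verify(credID, challenge, tampered, sig))
}
```

The bank's table holds nothing secret, which is the GDPR-relevant point of the slide: a breach of the credential store leaks public keys only. Changing the amount or payee after the user approved it, reusing a signature with a later challenge, or signing for a look-alike RP ID all fail verification, so the authentication code is tied to the one transaction the user saw.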
Slide 18: FIDO COMES WITH A CERTIFICATION PROGRAM
  • Functional certification, by the FIDO Alliance
  • Security certification, by the FIDO Alliance with independent accredited labs
  • The regulations require security evaluation: Article 3 of the February 2017 revision of the PSD2 RTS; eIDAS Article 30

Slide 19: THANK YOU
