
FIDO UAF Adoption in Hong Kong


A look at the rapidly growing ecosystem and deployments of FIDO Authentication in Hong Kong.



  1. FIDO UAF Adoption In Hong Kong (Oct 2018) – Commercial Confidence
  2. Agenda
     – 2FA in Hong Kong
     – How FIDO UAF fits into the picture
     – Adoption of FIDO UAF in HK
     – Lessons learnt
     – Next steps
  3. 2FA In Hong Kong
     HK is very serious and cautious about cyber security
     – Enactment of the Electronic Transactions Ordinance (Cap. 553)
       • Legal status of digital signature (created by Government recognized digital certificate)
     – Guidelines from financial regulators
       • Mandate adoption of 2FA for high risk transactions
       • Technology neutral, but mentioned the following
         » SMS OTP*
         » OTP Hard Token
         » Digital certificate
         » Soft token/ Biometric
  4. Privacy in Hong Kong
     Personal Data (Privacy) Ordinance*
     – “Organizations have to consider whether it is feasible to collect less sensitive biometric data or use other less privacy intrusive means to achieve the same organizational purpose.”
     – Biometric data collection should be “necessary and not excessive”
     – Preference on Match on Device
       • Remove the risk of biometric data storage, hence leakage, at central server
       • Service provider should conduct Privacy Impact Assessment (“PIA”) otherwise
     * https://www.pcpd.org.hk/english/resources_centre/publications/files/GN_biometric_e.pdf
  5. On Device Biometric Authentication
     HK Population (Mid 2018) ~ 7.45 million; Mobile Subscribers in HK (Mar 2018) ~ 18.39M
     On Device Biometric Authentication
     – Face ID/ Touch ID/ Fingerprint API (Android) / Iris / Face recognition
       • “Who you are”
     – HK Monetary Authority: “a mere registration of the customer’s device may not be stringent enough to be regarded as “something a customer has” for 2FA purpose”
     – 1FA, hence can only be used for low risk transactions
       • Eg. Account login/ general account inquiry
  6. FIDO UAF
     Almost a perfect fit to the 2FA requirements for Hong Kong
     – User authentication
       • On device matching => Preserve privacy
     – FIDO UAF key pair
       • Public key cryptography – Same as digital certificate
         » => Strong device binding => “What you have”
  7. FIDO UAF Adoptions In HK
     December 2016
     – First FIDO UAF adoption by a bank to replace SMS OTP for mobile stock trading
     Currently
     – 6 banks
     – 5 stock brokers
     – 1 insurance company
     – 1 financial regulator
     – HK largest community benefactor
     – In excess of 2.5 million user accounts collectively
  8. Authentication As A Service (A3S)
     Service provider may have difficulties in implementing proper 2FA in house
     – Cost
     – Knowhow
     Flow diagram (parties: User, Service Provider, Trusted Third Party): 1. Request service, 2. Request Authentication, 3. Request Authentication, 4. Authentication, 5. Result, 6. Service
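Slides 6 and 8 describe the property that makes UAF fit the HKMA "what you have" requirement: a key pair generated on the handset, a private key released only after the on-device match, and a server that holds nothing but public keys and can therefore be the relying party itself or a trusted third party in the A3S arrangement. The following Go program is an added example written for this page, not code from the deck or from any FIDO implementation; it models only the challenge-response core (random server nonce, signature bound to nonce plus transaction text, single-use challenge) and leaves out the real UAF message formats, facet IDs, attestation and metadata handling. The user IDs, transaction strings and the `userPresent` flag standing in for the biometric match are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the authenticator side. In a real UAF deployment the private
// key lives in the TEE / Secure Enclave / hardware-backed keystore and is only
// usable after the on-device biometric match succeeds; the template never
// leaves the handset.
type Device struct {
	priv        *ecdsa.PrivateKey
	userPresent bool // constructed stand-in for the local biometric match result
}

// Server models the relying party, or the trusted third party in the A3S
// flow. It stores public keys and outstanding challenges only; no biometric
// data is ever sent to it.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte // one outstanding challenge per user, consumed on use
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register creates the device key pair and hands the server only the public half.
func Register(s *Server, user string, userPresent bool) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[user] = &priv.PublicKey
	return &Device{priv: priv, userPresent: userPresent}, nil
}

// Challenge issues a fresh random nonce; a new one replaces any unused old one.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// signedPayload binds the nonce to the transaction text the user confirmed,
// so a signature cannot be re-used for a different transaction.
func signedPayload(challenge []byte, txn string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(txn))
	return h.Sum(nil)
}

// Sign releases a signature only if the local match succeeded.
func (d *Device) Sign(challenge []byte, txn string) ([]byte, error) {
	if !d.userPresent {
		return nil, errors.New("local biometric match failed: key not released")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, signedPayload(challenge, txn))
}

// Verify checks the signature against the registered public key and consumes
// the challenge, so replaying the same response fails.
func (s *Server) Verify(user, txn string, sig []byte) bool {
	challenge, ok := s.challenges[user]
	pub, hasKey := s.keys[user]
	if !ok || !hasKey {
		return false
	}
	delete(s.challenges, user)
	return ecdsa.VerifyASN1(pub, signedPayload(challenge, txn), sig)
}

// RunTransaction performs one complete challenge, sign, verify round.
func RunTransaction(s *Server, d *Device, user, txn string) (bool, error) {
	c, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(c, txn)
	if err != nil {
		return false, err
	}
	return s.Verify(user, txn, sig), nil
}

func main() {
	s := NewServer()
	d, err := Register(s, "user-001", true) // constructed user ID
	if err != nil {
		panic(err)
	}
	ok, err := RunTransaction(s, d, "user-001", "Buy 1000 shares")
	fmt.Println("genuine transaction verified:", ok, err)
	c, _ := s.Challenge("user-001")
	sig, _ := d.Sign(c, "Transfer HKD 500")
	fmt.Println("first use:", s.Verify("user-001", "Transfer HKD 500", sig))
	fmt.Println("replay:", s.Verify("user-001", "Transfer HKD 500", sig))
}
```

Two design points carry over to a production relying party: the challenge table must be single use (a response seen twice is rejected even though the signature is valid), and the signed payload must include what the user actually confirmed, otherwise a signature obtained for one transaction verifies for another.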
  9. Lessons Learnt
     – Handset support
     – Offline Transactions
     – Scalability
     – Can FIDO UAF Do More?
  10. Handset Support
  11. FIDO UAF Framework
  12. Observations
     TEE FIDO Authenticator is highly secure, however
     – Handset with native TEE FIDO Authenticator is still very limited in market
     – Some phone manufacturers have blocked access to the native FIDO authenticators on their devices
     – Not all TEE based FIDO Authenticators behave the same way
       • E.g. Language support…
     – FIDO Metadata service…
     TEE-only solution limited the adoption of FIDO UAF
  13. Work Around
     – Software based Authenticator can be stepped up to mitigate the risks and achieve a level of security similar to TEE based Authenticator
       • Properly leverage and employ the on device Secure Enclave/ Hardware backed keystore
       • Device health check can be performed before the installation of Software Authenticator
         – Only those non-rooted Android M and above devices that passed the Google Compatibility Test Suite (CTS) check can be used
         – Effectively eliminate any devices with Modified or Unofficial Firmware/ ROM
       • Root detection
       • Realtime App Self Protection (RASP)
  14. Offline Transactions
  15. Offline Transactions
     FIDO = Fast Identity Online
     Not all transactions are “online” in reality
     – E.g. user traveling overseas without roaming or wifi connection
     Most soft token (OTP) solutions in market can be used both online and offline
     – Less secure than FIDO due to the weak OTP seed protection, and because the system clock can be easily adjusted on a mobile device
     – Key sales pitch against FIDO
     Can FIDO UAF be enhanced to address this?
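The offline capability of a soft token comes from its construction: both ends hold the same seed and derive the code from the clock alone, so the token needs no connectivity, but the seed is a full clone of the credential and the server has to accept codes from clocks that drift. To make that concrete, the Go program below is an added example for this page (not code from the deck or from any vendor) implementing a standard RFC 4226/6238 HMAC-SHA1 one-time password and a typical server-side validation window. The seed is the published RFC 6238 Appendix B test value, and the server time, skew and step size are constructed inputs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const (
	totpStep   = 30 // seconds per time step, the RFC 6238 default
	totpDigits = 8
)

// HOTP computes the RFC 4226 HMAC-SHA1 one-time password for a counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := uint32(sum[offset]&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter derived from the clock. The shared seed is the
// whole credential: whoever holds a copy of it produces identical codes, and
// the only per-attempt input is the time value.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/totpStep), digits)
}

// Validate mirrors a typical server check: the code is accepted if it matches
// the current step or any step within +/-skew steps, the tolerance servers
// grant for clock drift between token and server. hmac.Equal keeps the
// comparison constant-time.
func Validate(secret []byte, code string, serverTime int64, skew int) bool {
	for i := -skew; i <= skew; i++ {
		expected := TOTP(secret, serverTime+int64(i*totpStep), totpDigits)
		if hmac.Equal([]byte(code), []byte(expected)) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test seed (ASCII "12345678901234567890").
	seed := []byte("12345678901234567890")
	fmt.Println("T=59:", TOTP(seed, 59, totpDigits)) // RFC vector: 94287082
	// Constructed scenario: device clock one step behind the server.
	serverNow := int64(1111111111)
	deviceCode := TOTP(seed, serverNow-totpStep, totpDigits)
	fmt.Println("1 step behind, skew 1:", Validate(seed, deviceCode, serverNow, 1))
	fmt.Println("1 step behind, skew 0:", Validate(seed, deviceCode, serverNow, 0))
}
```

Read against the UAF example: here the server and the handset are interchangeable holders of one secret, so protecting the seed at rest on the handset is the entire security story, and widening `skew` to absorb clock drift widens the set of codes the server accepts. With a UAF key pair the server holds only a public key and the handset's clock plays no part, which is the trade the slide is pointing at.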
  16. Scalability
  17. Scalability
     Key Strength of FIDO = Security
     – Leverages device computation power and connectivity
     – Use of public key cryptography
     Comes with a cost
     – Bandwidth, message protocol, backend computation, database storage
       • Eg. User base = 1,000,000. Number of concurrent access = 2,000/ second
  18. Can FIDO UAF Do More?
     Can FIDO UAF be enhanced to support these?
     – Two way authentication
       • Server authentication
     – Data encryption
       • End to end
     – Digital signatures
  19. Next Steps
  20. Next Steps
     HK Electronic Identity (eID)
     – HK SAR Government initiative
       • Issued to all HK citizens for free (life time)
       • Cloud based (Operated by the Government)
       • eID linked to user’s registered mobile device(s)
       • FIDO Authentication & Electronic Transactions Ordinance bound digital signature – Online & Offline
       • Supports both Government and commercial services
       • Go live by 2020…
  21. Hong Kong eID
     [Architecture diagram; labels: User; Immigration Department; FIDO UAF authentication (fingerprint, face, Passcode); e-Service; Recognized CA; Government / Commercial Services; Hong Kong eID]
  22. Thank you
