
FIDO's Role in the Global Regulatory Landscape for Strong Authentication


A global look at how governments around the world are engaging with strong authentication, and FIDO Authentication in particular.

Published in: Government & Nonprofit

  1. FIDO AND GOVERNMENT: FIDO’S ROLE IN THE GLOBAL REGULATORY LANDSCAPE FOR STRONG AUTHENTICATION
     Jeremy Grant, Managing Director, Venable LLP
     All Rights Reserved | FIDO Alliance | Copyright 2018
  2. AUTHENTICATION IS IMPORTANT TO GOVERNMENTS
     1. Protects access to government assets
     2. Enables more high-value citizen-facing services
     3. Empowers the private sector to provide a wider range of high-value services to consumers
     4. Secures critical assets and infrastructure
     Governments seek identity solutions that can deliver not just improved Security, but also Privacy, Interoperability, and better Customer Experiences.
  3. FIDO IS IMPACTING HOW GOVERNMENTS THINK ABOUT AUTHENTICATION
     UK National Cyber Security Strategy 2016. Priorities:
     • Ensuring that future online products and services coming into use are “secure by default”
     • Empowering consumers to “choose products and services that have built-in security as a default setting.”
     “[We will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.”
     https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf
  4. FIDO IS IMPACTING HOW GOVERNMENTS THINK ABOUT AUTHENTICATION
     U.S. Commission on Enhancing National Cybersecurity:
     • Bipartisan commission established by the White House in April 2016, charged with crafting recommendations for the next President
     • Major focus on Authentication
  5. US COMMISSION ON ENHANCING NATIONAL CYBERSECURITY
     “Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance. FIDO specifications are focused largely on the mobile smartphone platform to deliver multifactor authentication to the masses, all based on industry standard public key cryptography. Windows 10 has deployed FIDO specifications (known as Windows Hello), and numerous financial institutions have adopted FIDO for consumer banking. Today, organizations complying with FIDO specifications are able to deliver secure authentication technology on a wide range of devices, including mobile phones, USB keys, and near-field communications (NFC) and Bluetooth low energy (BLE) devices and wearables. This work, other standards activities, and new tools that support continuous authentication provide a strong foundation for opt-in identity management for the digital infrastructure.”
     https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf
  6. US CONGRESS – GAO REPORT
  7. HONG KONG eGOVERNMENT
     • New proposal from the Hong Kong CIO’s Office on “Digital Transformation for Agile Delivery of eGovernment Services”
     • Calls out FIDO as a core component of their standards-based approach to digital ID
  8. IDEA: AUTHENTICATION AS REGTECH
  9. WHAT IS REGTECH?
     RegTech: Technology that helps businesses comply with regulations efficiently and inexpensively. - Australian Securities and Investments Commission (ASIC)
     - or -
     RegTech: Technology that seeks to provide “nimble, configurable, easy to integrate, reliable, secure and cost-effective” compliance solutions. - Deloitte
  10. AUTHENTICATION IS REGTECH…RIGHT?
     Nimble? Reliable? Easy to integrate? Cost effective? Configurable? Secure?
  11. OLD AUTHENTICATION – OTPs
     Old strong authentication required a separate channel or device…
     ONE-TIME PASSCODES improve security but aren’t easy enough to use:
     • Still phishable (the code can be typed into a look-alike site and relayed to the real one)
     • User confusion
     • Token necklace
     • SMS reliability [1]
     [1] NIST SP 800-63-3: “Out-of-band authentication using the [public switched telephone network] (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.” (That wording is from the 2016 public draft of SP 800-63B; the final SP 800-63B of June 2017 did not remove PSTN out-of-band authentication but designated it RESTRICTED.)
  12. OLD AUTHENTICATION – SMART CARDS
     Old strong authentication required a separate channel or device…
     SMART CARDS offer strong cryptographic security but are:
     • Inconvenient
     • Costly
     • Poor BYOD support
  13. THE AUTHN CHALLENGE
     We need authentication solutions that can meet the “RegTech” definition, allowing better business models and customer experiences to flourish without concerns about security, privacy and other compliance requirements:
     Nimble, Reliable, Easy to integrate, Cost effective, Configurable, Secure
  14. AREAS OF INNOVATION + REGULATION
     • eGov / Citizen Services: Digital Government, National IDs, eIDAS
     • Privacy & Security: GDPR, Stop 81% of breaches
     • Health Care: EHR, Patient Access, Doctor Access
     • Financial Services: Payments + FinTech, Open Banking, KYC
  15. AREAS OF INNOVATION + REGULATION (same four areas as the previous slide)
     Compliance is driving a need for better authentication
  16. FIDO AS REGTECH
     FIDO delivers on key priorities: Security, Privacy, Interoperability, Usability
  17. FIDO IMPACT ON POLICY
     FIDO specifications offer governments newer, better options for strong authentication, but governments may need to update some policies to support the ways in which FIDO is different. As technology evolves, policy needs to evolve with it.
  18. As technology evolves, policy needs to evolve with it.
     1. Recognize that two-factor authentication no longer brings higher burdens or costs
     • While the old assumption (that a second factor means higher cost and more user burden) was true of most “old” MFA technology, FIDO specifically addresses these cost and usability issues
     • FIDO enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale
  19. As technology evolves, policy needs to evolve with it.
     2. Recognize technology is now mature enough to enable two secure, distinct authn factors in a single device
     • First recognized by the U.S. government (NIST) in 2014
     • “OMB (White House) to update guidance on remote electronic authentication” to remove requirements that one factor be separate from the device accessing the resource
     • The evolution of mobile devices, in particular hardware architectures that offer highly robust and isolated execution environments (such as TEE, SE and TPM), has allowed these devices to achieve high-grade security without the need for a physically distinct token
  20. Technology is now mature enough to enable two secure, distinct authentication factors in a single device
     Europe and Payment Services Directive 2 (PSD2)
     • Original guidance (December 2015) from the European Banking Authority (EBA) was heavily weighted toward OTP and considered prohibiting two authentication factors delivered on the same device.
     • The emergence of FIDO prompted the EBA to revise its guidance. The final Regulatory Technical Standards (November 2017) accommodate FIDO’s architecture: instead of requiring a separate device, Article 9 requires mitigating measures, such as separated secure execution environments, that protect the independence of the authentication elements on multi-purpose devices such as smartphones.
     http://ec.europa.eu/finance/docs/level-2-measures/psd2-rts-2017-7782_en.pdf
  21. Technology is now mature enough to enable two secure, distinct authentication factors in a single device
     FIDO recognized at the highest Authenticator Assurance Level (AAL3) by NIST
     • NIST published a 2017 update to its digital identity guidelines (SP 800-63-3) that reflects the emergence of new standards like FIDO
     • Both Universal 2nd Factor (U2F) and passwordless/UAF solutions can satisfy the requirements of the highest authenticator assurance level
     • Caveat: SP 800-63B does not name FIDO. AAL3 requires a hardware-based, verifier-impersonation-resistant authenticator validated under FIPS 140 (Level 2 overall, Level 3 physical security), so a given FIDO authenticator reaches AAL3 only if it is built and validated that way; a software-only FIDO authenticator is an AAL2 authenticator.
     https://pages.nist.gov/800-63-3/
  22. As technology evolves, policy needs to evolve with it.
     3. As governments promote or require strong authentication, make sure it is the “right” authentication
     • The market is in the midst of a burst of innovation around authentication technology; some solutions are better than others. Don’t build rules focused on old authentication technology.
     • Old authentication technologies impose significant costs and burdens on the user, which decreases adoption.
     • Old authentication technologies have security issues (passwords and OTPs can be relayed through a phishing site, whereas a FIDO response is bound to the origin that requested it and fails verification if relayed) and privacy issues, putting both users and online service providers at risk.
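The phishing point on slides 11 and 22 in working form, as an added example that is not part of the deck: an RFC 4226 HOTP code survives a phishing relay because it carries no information about where it was typed, whereas a FIDO-style assertion is signed over client data that names the browser’s origin, so the real relying party rejects one produced on a look-alike site. The model is mine, not FIDO Alliance code: the relying party, the authenticator, the credential and the origins (bank.example and a constructed attacker origin) are hypothetical, and the authenticator’s private-key signature is stood in for by an HMAC with a per-credential key so the block runs on the Python standard library alone. The origin check is the one a WebAuthn relying party performs on clientDataJSON.origin.

```python
"""Added example (not from the deck): an OTP survives a phishing relay, an
origin-bound FIDO-style assertion does not. Names, origins and keys are
constructed for illustration; HMAC stands in for the authenticator's
private-key signature so this runs on the standard library alone."""
import hashlib
import hmac
import json
import os
import struct

# ---- Legacy factor: HOTP (RFC 4226) ---------------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_login_via_phishing_relay(shared_secret: bytes, counter: int) -> bool:
    """The user types the code into an attacker's look-alike page; the attacker
    forwards it to the real server within the same counter window. The code
    says nothing about where it was typed, so the server accepts it."""
    typed_on_fake_site = hotp(shared_secret, counter)          # from the user's token
    relayed = typed_on_fake_site                               # attacker forwards as-is
    return hmac.compare_digest(relayed, hotp(shared_secret, counter))  # server check


# ---- FIDO-style factor: origin-bound challenge/response -------------------

RP_ID, RP_ORIGIN = "bank.example", "https://bank.example"     # constructed names


class Authenticator:
    """One credential key per RP ID; signs only over data that names the origin
    the browser reported (real FIDO: private key + clientDataJSON)."""

    def __init__(self) -> None:
        self._keys = {}

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[rp_id] = key
        return key   # a real RP would receive the public half only

    def sign(self, rp_id: str, challenge: bytes, origin: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()         # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()   # what FIDO signs
        sig = hmac.new(self._keys[rp_id], to_sign, hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    def __init__(self, rp_id: str, origin: str, credential_key: bytes) -> None:
        self.rp_id, self.origin, self.key = rp_id, origin, credential_key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = os.urandom(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> bool:
        cd = json.loads(assertion["client_data"])
        challenge = bytes.fromhex(cd["challenge"])
        if challenge not in self._pending:                     # unknown or replayed
            return False
        if cd["origin"] != self.origin:                        # the anti-phishing check
            return False
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.key, to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self._pending.discard(challenge)                       # challenges are one-shot
        return True


def fido_login(browser_origin: str) -> bool:
    """browser_origin is the page the user is actually on when prompted: the real
    site, or an attacker's look-alike that relays challenge and assertion
    unchanged in both directions."""
    authn = Authenticator()
    key = authn.register(RP_ID)
    rp = RelyingParty(RP_ID, RP_ORIGIN, key)
    challenge = rp.new_challenge()                 # relayed to the user unchanged
    assertion = authn.sign(RP_ID, challenge, browser_origin)
    return rp.verify(assertion)                    # relayed back unchanged


if __name__ == "__main__":
    print("OTP relayed through phishing page accepted:",
          otp_login_via_phishing_relay(b"12345678901234567890", 3))
    print("FIDO assertion from real origin accepted:", fido_login(RP_ORIGIN))
    print("FIDO assertion from phishing origin accepted:",
          fido_login("https://bank-login.example"))
```

In a real browser the attack fails even earlier: a page at the attacker’s origin cannot request a credential scoped to bank.example, because WebAuthn requires the RP ID to be a registrable suffix of the page origin. The relying-party check shown here is the defence that remains when the client cannot be trusted to enforce that.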
  23. As technology evolves, policy needs to evolve with it.
     3. As governments promote or require strong authentication, make sure it is the “right” authentication
     Example: Taiwan
     • Taiwan’s Financial Supervisory Commission (FSC) in December 2016 changed its e-Banking Security Control regulations to make clear that client-side biometrics are appropriate for e-Banking applications
     • The previous version pointed only to server-side biometric matching; the emergence of FIDO prompted the change
  24. As technology evolves, policy needs to evolve with it.
     3. As governments promote or require strong authentication, make sure it is the “right” authentication
     Example: US
     • US Department of Veterans Affairs (VA): first US government citizen-facing application (vets.gov) to support FIDO (September 2017)
     • US Department of Defense (DoD): DoD CIO declares that FIDO is allowed as an alternative to PKI where PKI integration is not feasible (April 2017)
     • US Senate: requests that the US Social Security Administration protect citizen accounts with FIDO instead of SMS or OTP
  25. FIDO delivers on key policy priorities: Security, Privacy, Interoperability, Usability
  26. QUESTIONS? THANK YOU! jeremy.grant@venable.com