OpenID Foundation Financial API (FAPI) WG

This presentation explains the newly formed FAPI WG at OpenID Foundation.

Date: June 7, 2016
Place: Cloud Identity Summit 2016

  1. Nat Sakimura, Chairman of the Board, OpenID Foundation; Senior Researcher, Nomura Research Institute. Anoop Saxena, FAPI WG co-chair, OpenID Foundation; Architect, Intuit. Financial API WG, June 2016 (#cisnola). http://openid.net/wg/fapi/ OpenID® is a registered trademark of OpenID Foundation. Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
  2. © 2016 by Nomura Research Institute. All rights reserved. Copyright © 2016 Nat Sakimura. All Rights Reserved. Do you use Personal Finance Software? What are the current problems?
  3. When NRI started screen scraping in 2001, we thought it would be a temporary solution. "There was OFX, and SAML was coming. SOAP was gaining momentum. We should be able to get out of the scraping business in a few years' time!"
  4. WRONG!
  5. After 15 years, we are still screen scraping.
  6. The situation is changing though.
  7. Fintech is gaining a lot of interest lately. (Source) Google Trends
  8. API is known to be one of the three main components of FinTech. Use cases for an Identity Federation API in the financial sector: 1. Account Opening (incl. KYC) 2. Personal Asset Management 3. Payment, Sending Money 4. Loan Application 5. AI-assisted portfolio management. (Source) Nikkei BP: Fintech Revolution, p. 4; Nikkei BP: FinTech Yearbook
  9. Industry push. US: FS-ISAC Durable Data API (JSON, XML + OAuth 2.0). (Source) FS-ISAC FSDDA WG. OpenID Financial API.
  10. Regulatory push. EU Payment Service Directive 2 mandates API availability by the end of 2017. JSON, REST, OAuth, OpenID Connect. (Source) ODI OBWG: The Open Banking Standard (2016)
  11. Regulatory pressures: timelines. Release 1 – to be completed within 12 months: the launch of a tightly scoped Open Banking API, enabling select, read-access, open data use cases. Release 2 – to be completed by end of Q1 2017: third party read access to "midata"* personal customer data (read only). Release 3 – to be completed by end of Q1 2018: similar to R2 but with "midata" business customer data sets (read only). Release 4 – to be completed by end of Q1 2019: higher risk – full read & write access. * Minimum midata is a CSV file. Excerpt from the draft midata minimum standard: "... provided in a single column (indicating whether a transaction is a debit or credit using the symbols -/+). 2.4.5. Running Balance: provides an account balance after each transaction. 2.4.6. The columns will be titled: Date, Type, Merchant/Description, Debit/Credit, Balance. 2.4.7. Arranged overdraft limit at point of download. 3. Example of midata minimum standard:"
      Date        Type  Merchant/Description  Debit/Credit  Balance
      04/03/2014  VIS   Boots the Chemist     £5.00         £260.00
      04/03/2014  DD    Fitness First         -£50.00       £255.00
      03/03/2014  ATM   ATM withdrawal        -£100.00      £305.00
      03/03/2014  TRF   etc.                  -£20.00       £405.00
      02/03/2014  VIS   etc.                  -£75.00       £425.00
      01/03/2014  CSH   etc.                  -£50.00       £500.00
      Arranged overdraft limit 04/03/2014 £1000.00
      (Source) http://www.pcamidata.co.uk/445505-v2-PCA_midata_-_file_content_standard_-_March_2015-2.pdf
  12. Open Data in Finance Conference, 15 June, London. http://www.open-data-finance.com/agenda/
  13. Now is the time!
  14. But what API protection? And what API request/response?
  15. Solution time!
  16. OpenID Foundation Financial API WG (FAPI WG)
  17. Purpose. The goal of FAPI is to provide JSON data schemas, REST APIs, and security & privacy recommendations and protocols (JSON, REST, OAuth, OpenID Connect) to: (Source) ODI OBWG: The Open Banking Standard (2016)
  18. Enable applications to utilize the data stored in the financial account, applications to interact with the financial account, and users to control the security and privacy settings. Both commercial and investment banking accounts as well as insurance and credit card accounts are to be considered. (Source) OpenID Foundation Financial API WG draft charter
  19. So that we can finally get rid of password storing and screen scraping! See also the Enhanced Authentication Profile WG: http://openid.net/wg/eap/
  20. It will also help foster the FinTech companies.
  21. Possible approaches. JSON: based on FS-ISAC DDA; internationalize; convert to Swagger. REST: based on FS-ISAC DDA; internationalize; convert to Swagger and HAL.
  22. OAuth / OpenID Connect: a locked-down profile for interoperability; holder-of-key and out-of-band authorization for the higher-risk scenario (write); privacy considerations.
  23. Challenges of OAuth (RFC 6749) in a typical scenario. OAuth's primary security assumption is that there is only one authorization server per client; a personal financial client will necessarily have multiple authorization servers. Make sure to have adequate separation, e.g., a different redirect endpoint for each server. [Figure: the "1 Authz Server / client" model (C1O, C1R, UA, A1Z) vs. the "n Authz Server / client" model (C1O, C1R, C2O, C2R, UA, A1Z, A2Z).]
  24. Challenges of OAuth (RFC 6749) in a typical scenario. Communication through the UA is not authenticated and thus can be tainted, but it is often used without a taint check. Neither 'code' nor 'state' can be taken at face value, but we do... [Figure: C1O, C1R, UA, A1Z. TLS terminates at the UA, so the authorization request (response_type, client_id, redirect_uri, scope, state) and the authorization response (code, state) that pass through it are not authenticated.]
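The two slides above (one authorization server per client vs. many, and `code`/`state` arriving untrusted through the user agent) can be made concrete in client code. The following is an added example, not code from the slides or from the FAPI WG: a personal-finance client registered with two hypothetical banks, one redirect endpoint per authorization server as slide 23 recommends, and a `state` that is bound server-side to both the browser session and the server it was issued for. The callback handler refuses to touch `code` until the state checks out. All server names, URLs and the client id are made up.

```python
"""Added example (not from the slides): an OAuth 2.0 client that talks to
several authorization servers and taint-checks what comes back through the
user agent. Servers, URLs and the client id are hypothetical."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical configuration: one distinct, pre-registered redirect URI per
# authorization server. Which endpoint a response arrives at then tells the
# client which server the response is supposed to have come from.
AUTHZ_SERVERS = {
    "bank-a": {"authorize": "https://as.bank-a.example/authorize",
               "redirect_uri": "https://pfm.example/cb/bank-a"},
    "bank-b": {"authorize": "https://as.bank-b.example/authorize",
               "redirect_uri": "https://pfm.example/cb/bank-b"},
}
CLIENT_ID = "pfm-client"  # hypothetical


def _endpoint(url):
    """Scheme, host and path of a URL; query and fragment are ignored."""
    p = urlsplit(url)
    return (p.scheme, p.netloc, p.path)


class Session:
    """Server-side browser session. pending maps state -> AS it was issued for."""
    def __init__(self):
        self.pending = {}


def start_authorization(session, as_name, scope):
    """Build the authorization request for one AS and bind a fresh state to that AS."""
    cfg = AUTHZ_SERVERS[as_name]
    state = secrets.token_urlsafe(32)   # unguessable, one per request
    session.pending[state] = as_name    # remembered server-side, never taken from the UA
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": cfg["redirect_uri"], "scope": scope, "state": state}
    return cfg["authorize"] + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Check `code` and `state` before using them. Returns (as_name, code) or raises ValueError."""
    # 1. Which of our redirect endpoints was hit? That is the one fact about the
    #    response the client controls itself.
    hits = [n for n, c in AUTHZ_SERVERS.items()
            if _endpoint(c["redirect_uri"]) == _endpoint(callback_url)]
    if len(hits) != 1:
        raise ValueError("unknown redirect endpoint")
    arrived_at = hits[0]
    q = parse_qs(urlsplit(callback_url).query)
    if "error" in q:
        raise ValueError("authorization error: " + q["error"][0])
    state = q.get("state", [None])[0]
    code = q.get("code", [None])[0]
    if not state or not code:
        raise ValueError("missing code or state")
    # 2. state must be one this session issued and still pending: this rejects
    #    CSRF (a state from someone else's session) and replay (used twice).
    issued_for = session.pending.pop(state, None)
    if issued_for is None:
        raise ValueError("unknown or replayed state")
    # 3. The AS the state was issued for must match the endpoint the response
    #    arrived at; otherwise a code from one AS is being fed into a flow that
    #    was started with another one (mix-up).
    if issued_for != arrived_at:
        raise ValueError("state issued for %s but response arrived at %s endpoint"
                         % (issued_for, arrived_at))
    # Only now is `code` worth sending to issued_for's token endpoint.
    return arrived_at, code


def run_scenarios():
    """Constructed scenarios; returns a dict of outcomes for inspection."""
    out = {}
    s = Session()
    url = start_authorization(s, "bank-a", "accounts:read")
    state = parse_qs(urlsplit(url).query)["state"][0]
    good = "https://pfm.example/cb/bank-a?" + urlencode({"code": "c-from-bank-a", "state": state})
    out["good"] = handle_callback(s, good)
    try:                                   # the same response delivered twice
        handle_callback(s, good)
        out["replay"] = "accepted"
    except ValueError as e:
        out["replay"] = str(e)
    # mix-up: a state issued for bank-a comes back on bank-b's redirect endpoint
    url = start_authorization(s, "bank-a", "accounts:read")
    state = parse_qs(urlsplit(url).query)["state"][0]
    mixed = "https://pfm.example/cb/bank-b?" + urlencode({"code": "c-from-bank-b", "state": state})
    try:
        handle_callback(s, mixed)
        out["mixup"] = "accepted"
    except ValueError as e:
        out["mixup"] = str(e)
    try:                                   # a state this session never issued
        handle_callback(s, "https://pfm.example/cb/bank-a?code=x&state=guess")
        out["csrf"] = "accepted"
    except ValueError as e:
        out["csrf"] = str(e)
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(k, "->", v)
```

The endpoint-to-server binding is what the per-server redirect URI buys: with a single shared callback the client could not tell which server a response claims to come from, and a forged response could get a code from bank A exchanged at bank B. Later IETF work added an `iss` response parameter (RFC 9207) so a client can check the issuer directly instead of inferring it from the endpoint.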
  25. Should we recommend using a modified hybrid flow? Include 's_hash' as well? Feature sets, from highest security level to lowest:
      Feature set                        Remarks
      Request Object w/ Hybrid Flow      Authz Request protected
      Hybrid Flow (confidential client)  Authz Response protected
      Code Flow (confidential client)    Client authentication
      Implicit Flow                      No client authentication
      Plain OAuth                        Anonymous
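What "Authz Response protected" means in the hybrid flow row, and what adding `s_hash` to it would do, is easiest to see with both ends written out. This is an added example, not code from the slides or the FAPI WG: a stand-in authorization server answering `response_type=code id_token` puts `c_hash` (OpenID Connect Core 3.3.2.11) and `s_hash` (the same construction over `state`) into the ID token, and the client checks both before trusting `code` or `state`. HS256 with a shared key is used only to keep the block self-contained; a real server signs with an asymmetric key. All values are made up.

```python
"""Added example (not from the slides): hybrid-flow ID token carrying c_hash
and s_hash, issued and then verified. Shared-key HS256 is a simplification."""
import base64
import hashlib
import hmac
import json

KEY = b"shared-secret-for-example-only"   # hypothetical


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def left_half_hash(value):
    """base64url of the left-most 128 bits of SHA-256(value): the rule for
    c_hash/at_hash when the ID token alg uses SHA-256, applied to state for s_hash."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_jwt(claims, key):
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def issue_hybrid_response(key, iss, client_id, nonce, code, state, now):
    """AS side of response_type=code id_token: the ID token binds code and state."""
    claims = {"iss": iss, "sub": "user-123", "aud": client_id, "nonce": nonce,
              "iat": now, "exp": now + 300,
              "c_hash": left_half_hash(code), "s_hash": left_half_hash(state)}
    return {"code": code, "state": state, "id_token": sign_jwt(claims, key)}


def verify_hybrid_response(key, resp, expected_iss, client_id, expected_nonce, expected_state, now):
    """Client side: returns the verified claims, or raises ValueError naming the failed check."""
    try:
        h, p, s = resp["id_token"].split(".")
    except ValueError:
        raise ValueError("malformed id_token")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # the header's alg is never trusted blindly
    expected_sig = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not valid at this time")
    # The two checks the hybrid flow adds: state and code are covered by the signature.
    if resp.get("state") != expected_state or not hmac.compare_digest(
            claims.get("s_hash", ""), left_half_hash(resp["state"])):
        raise ValueError("state does not match s_hash")
    if not hmac.compare_digest(claims.get("c_hash", ""), left_half_hash(resp["code"])):
        raise ValueError("code does not match c_hash")
    return claims


def run_checks():
    """Constructed scenarios: a genuine response, then a swapped code and a swapped state."""
    now = 1465257600    # 2016-06-07T00:00:00Z, constructed
    iss, cid, nonce, state = "https://as.bank-a.example", "pfm-client", "n-0S6_WzA2Mj", "af0ifjsldkj"
    genuine = issue_hybrid_response(KEY, iss, cid, nonce, "SplxlOBeZQQYbYS6WxSbIA", state, now)
    out = {"genuine": verify_hybrid_response(KEY, genuine, iss, cid, nonce, state, now)["sub"]}
    for label, tampered in (("swapped_code", dict(genuine, code="code-from-somewhere-else")),
                            ("swapped_state", dict(genuine, state="other-state"))):
        try:
            verify_hybrid_response(KEY, tampered, iss, cid, nonce, state, now)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    return out


if __name__ == "__main__":
    print(run_checks())
```

Without the ID token, a code swapped in transit through the user agent is only caught (if at all) when the token endpoint rejects it; with `c_hash` the client rejects it locally and never sends it anywhere. `s_hash` does the same for `state`, which plain OAuth leaves entirely unprotected. The later FAPI read-and-write profile did adopt `s_hash`.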
  26. Is a bearer token adequate? For "read only" access, probably yes. For "write" access, maybe not. Token Binding? Mobile app security? RFC 7636 OAuth PKCE mandatory? MODRNA? AppAuth?
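Of the open questions on this slide, PKCE (RFC 7636) is the one with a concrete mechanism worth showing, since it is the mobile-app defence AppAuth builds in. The block below is an added example, not code from the slides or the FAPI WG: the client derives a `code_challenge` from a random `code_verifier`, the stand-in authorization server ties the challenge to the issued code, and the token endpoint only honours the code when the matching verifier is presented. The server, client id and redirect URI are hypothetical; the one real value is the RFC 7636 Appendix B test vector used in the usage check.

```python
"""Added example (not from the slides): RFC 7636 PKCE, client and server side.
The AuthorizationServer class is a stand-in with in-memory storage."""
import base64
import hashlib
import hmac
import secrets


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier():
    """43..128 chars from the unreserved set; 32 random bytes gives 43 chars."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))"""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS: remembers the challenge with each code it issues."""
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method):
        if code_challenge_method != "S256":
            raise ValueError("invalid_request: only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self.codes.pop(code, None)        # single use, even when the check fails
        if entry is None:
            raise ValueError("invalid_grant: unknown or used code")
        cid, ruri, challenge = entry
        if cid != client_id or ruri != redirect_uri:
            raise ValueError("invalid_grant: code was not issued to this client/redirect_uri")
        if not 43 <= len(code_verifier) <= 128:
            raise ValueError("invalid_grant: malformed code_verifier")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_scenarios():
    """Constructed scenarios; returns a dict of outcomes for inspection."""
    AS = AuthorizationServer()
    client_id, redirect_uri = "mobile-app", "com.example.app:/cb"   # hypothetical
    out = {}
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    code = AS.authorize(client_id, redirect_uri, challenge, "S256")
    out["legit"] = AS.token(client_id, redirect_uri, code, verifier)["token_type"]
    # An attacker who captures the code (e.g. another app registered for the same
    # custom URI scheme) does not hold the verifier and has to guess one.
    code = AS.authorize(client_id, redirect_uri, challenge, "S256")
    try:
        AS.token(client_id, redirect_uri, code, make_code_verifier())
        out["stolen_code"] = "accepted"
    except ValueError as e:
        out["stolen_code"] = str(e)
    try:   # the failed attempt consumed the code, so the legitimate app cannot retry either
        AS.token(client_id, redirect_uri, code, verifier)
        out["retry_after_failure"] = "accepted"
    except ValueError as e:
        out["retry_after_failure"] = str(e)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

PKCE answers the "mobile app security" question for the code leg only: it stops a code intercepted on the device from being redeemed by anyone but the app instance that started the flow. It does nothing about the bearer access token once issued, which is why the slide still asks about token binding and holder-of-key for write access. RFC 8252 (OAuth 2.0 for Native Apps) later made PKCE the recommended baseline for such clients.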
  27. Once complete, consider submitting it to ISO/TC 68. ISO 20022 Financial Services – universal financial industry message scheme. Part 1: Overall Methodology and Format Specifications for Inputs and Outputs to/from the ISO 20022 Repository. Part 2: Roles and responsibilities of the registration bodies. Part 3: (TS) XML design rules. Part 5: (TS) Reverse engineering. Part 6: Message Transport Characteristics.
  28. Join the group! https://openid.net/wg/fapi/