European Regulation And The Need For Strong Customer Authentication

FIDO Alliance © 2019 - GSMA/FIDO seminar Jan 20195
EUROPEAN REGULATION & THE
NEED FOR STRONG CUSTOMER
AUTHENTICATION
ALAIN MARTIN
CO-CHAIR FIDO EUROPE WG
VP STRATEGIC PARTNERSHIPS - GEMALTO

AGENDA
• The SCA mandate under PSD2 and the customer journey impacts
• GDPR and why you may need strong authentication

PSD2

STRONG CUSTOMER AUTHENTICATION
Authentication
BEFORE WITH PSD2
TPP
Interaction Authentication
Interactions
Device Device

THE CUSTOMER JOURNEY
KEY SUCCESS FACTOR FOR THE ROLL OUT OF
PSD2 IN EUROPE
Authentication models have been created
and… much debated by the stakeholders

AUTHENTICATION MODELS
• Redirection
AISPAISP ASPSP
Authenticate
authentication
AISP AISPASPSP
Authenticate
The possession
factor
The possession
factor

AUTHENTICATION MODELS
• Decoupled
• An Out of Band model
PISP
Merchant Merchant
Authenti-
cate
ASPSP
authentication
The possession
factor

POTENTIAL UX ISSUES IN THE REDIRECTION/
DECOUPLED MODELS
• In account aggregation use cases
ASPSP C
Sign in with OTP
ASPSP C
Login Go
AISP
ASPSP A
App
AISP
ASPSP B
token
ASPSP C
OTP generator
ASPSP B
Login
Pswd Go

POTENTIAL UX ISSUES IN THE REDIRECTION MODEL
• In payment initiation use cases
PISP
ASPSP
Login
Merchant
Merchant
Merchant
PISP
Bank 1
Bank 2
Bank 3
Select Bank
Select
account
ASPSP
Approve
transaction
ASPSP
ASPSP
OTP:
123456
Enter OTP:
******
Pswd

WHAT THE REGULATOR AND STAKEHOLDERS SAY
• The European Commission
• Added article 32-3 in the RTS on “obstacles”  ASPSP may have to provide
alternatives to Redirectionif not properly implemented
• EBA opinion paper (June 2018)
• Redirectionnot an obstacle per se
• Implementationis key, whichever the model, for a satisfactory user journey
• The Fintechs
• Some happy with redirection, some wanting no friction in the user
experience
• The Berlin Group
• Are working on 2 additional authentication models: Embeddedand
Delegated

ALTERNATIVE AUTHENTICATION MODELS
• Embedded
• Delegated
AISP
authentification
AISPAISP AISP
Authenticate
AISPAISP AISP
Authenticate
authentification

EMBEDDED MODEL = AUTHENTICATION BY THE BANK
• Not in line with
customer education
• Difference with phishing
attacks ?
• Similar to Apple Pay
• Requires enrolment
• Requires trust in user
verification method
 the FIDO approach
TPPBank OTP
generator Enter Pswd: ******
Enter OTP: ******
Pswd, OTP
TPP
Authen-
ticate
Bank keys
generated in
device
Challenge/
Response

DELEGATED MODEL: FIDO/EMVCO COLLABORATION ON
3DSECURE
Merchant
Directory
Service
FIDO
Authentication
3D Secure message
Device
ACS 3
1
2 Authenticator metadata
Risk assessment
Step up
authentication
4

FIDO SIMPLIFIES THE CUSTOMER JOURNEY
PISP
Merchant
ASPSP
Authorise
payment?
ASPSP
Login
Pswd
OTP:
******
ASPSP
Enter OTP:
******
FIDO
Authenticator
PISP
Merchant
Merchant
Merchant
1 step
authentication
3 step
authentication
With FIDO With OTP by SMS

FIDO COMPLIANCE TO THE RTS ON SCA
• Based on multi-factor authentication
 Articles 4, 6, 7, 8
• Protection of the “security elements”
 Articles 22, 23, 25
• Separation of execution environments
 Article 9
• Support of dynamic linking
 Article 5
… a detailed analysis of FIDO compliance is published on https://fidoalliance.org/

GDPR

GDPR – GENERAL DATA PROTECTION REGULATION
• Applies since 25 May 2018
• Very large fines for infringement: Up to €20,000,000 or 4% total
worldwide turnover
• Data protection
• Consent of data subject
• Data subject rights
• Adequacy, relevance, etc. of data collection
• …
The subject of today

PROTECTION AGAINST UNAUTHORIZED ACCESS
• Level of security to be appropriate to the risk
Strong authentication may
be needed to prevent
phishing and hacking
Data subject right
to access or rectify

RECENT HEALTHCARE DATA BREACHES
July 2018 – Singapore
“Hackers stole data of PM Lee and 1.5
million patients in 'major cyberattack'
on SingHealth”
October 2018 – USA
“US Center for Medicare & MedicaidServices
says 75,000 individuals' files accessedin
data breach”
July 2018 – USA
“1.4M records breached in UnityPoint Health
phishing attack”
July 2018 – USA
“Patient data exposed for months
after phishing attack on Sunspire”
August 2018 - USA
“3 phishing hacks breach 20,000
Catawba Valley patient records”

24
SPECIAL CATEGORIES OF DATA
• Processing of this data prohibited,
unless allowed in specific cases
• If allowed, requires
• Explicit consent
• Suitable safeguards to protect personal
data
• Data protection impact assessment
• Assessment of the measures, safeguards
and mechanisms envisagedfor
mitigating risk and ensuring the
protection of personal data
Special
Categories
of data
Political opinions
Racial or ethnic
origin
Healthcare
Sexual life
Religious
beliefs
Biometric data

25
USER CONSENT
• Data subject must give consent to processing of his/her personal data
• For special categories: explicit consent
Strong authentication may be needed to properly
identify the data subject providing consent

THE CONTROLLER SHOULD BE ABLE TO DEMONSTRATE
THIS CONSENT
• FIDO authentication includes the capability of
signing transaction data
• Server message can include consent information
• Signed response is a non forgeable proof
• Can be used in case of dispute
Do you agree to
providing your
health data to
ABCHealth ?
Authenticate to
confirm

27
EXEMPTION
• GDPR does not apply to the processing of personal data by a natural
person in the course of a purely personal or household activity
• Biometrics on smartphone can be exempted
• e.g. French Data Protection Authority (CNIL) exemption IF ON DEVICE STORAGE
AND MATCHING
• If remote storage and matching, there must be an impact assessment

FIDO’S USE OF BIOMETRICS
• With FIDO, biometrics can only be stored and matched on a consumer’s
device
• FIDO prohibit biometrics from being stored or matched in servers
 No Data Protection Impact Assessment for the use of biometric data

29
DATA PROTECTION BY DESIGN PRINCIPLE
• Proactive
• Embedded from the start in design
• For authentication solutions, this would mean, by design:
Protection of user authentication credentials and biometric data
Protection against phishing or MITM attacks

FIDO EMBRACES PROTECTION/PRIVACY-BY-DESIGN
Based on
public key
cryptography
No server-side
shared secrets
Keys
generated
and stored
on device
Verification of
web origin
/channel id
Biometrics, if used,
never leave device
No link-ability
between services or
accounts

IN SUMMARY
In light of the heavy fines and ever increasing attacks from hackers
 Service providers should consider replacing passwords with
stronger means of authentication
Password
Data protection
measures

RESOURCES:
PSD2
HTTPS://FIDOALLIANCE.ORG/HOW_FIDO_MEETS_THE_RTS_REQUIREMENTS/
HTTPS://FIDOALLIANCE.ORG/.../FIDO-PSD2_CUSTOMER_JOURNEY_WHITE_PAPER.PDF
GDPR
HTTPS://FIDOALLIANCE.ORG/.../FIDO_AUTHENTICATION_AND_GDPR_WHITE_PAPER_
MAY2018-1.PDF
HTTPS://FIDOALLIANCE.ORG/EVENT/WEBINAR-FIDO-AUTHENTICATION-GDPR/

European Regulation And The Need For Strong Customer Authentication

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to European Regulation And The Need For Strong Customer Authentication

Similar to European Regulation And The Need For Strong Customer Authentication (20)

More from FIDO Alliance

More from FIDO Alliance (20)

Recently uploaded

Recently uploaded (20)

European Regulation And The Need For Strong Customer Authentication