All Rights Reserved | FIDO Alliance | Copyright 2019
FIDO & PSD2: ACHIEVING STRONG CUSTOMER AUTHENTICATION COMPLIANCE
AGENDA
• FIDO essentials
• The RTS requirements and how FIDO complies
• The necessity of evaluation and FIDO’s certification program
FIDO ESSENTIALS
FIDO: FAST IDENTITY ONLINE
The FIDO Alliance is an open industry association with a focused mission: the world’s largest ecosystem for standards-based, interoperable authentication.
• 500+ FIDO® Certified solutions
• 240 Members
Figure: FIDO authentication standards.
FIDO SCOPE IN DIGITAL IDENTITY
Figure: the digital identity chain (Identity proofing/KYC, User Management, Authentication, Federation, Single Sign-On). Authentication is subdivided into Passwords, Risk-Based and Strong; FIDO’s scope is labelled MODERN AUTHENTICATION.
LEADERSHIP IN THE FIDO ALLIANCE
Figure: member logos grouped as Consumer electronics, Security & biometry, Service providers.
FIDO MARKETS
• Banks
• e-Commerce
• Social media
• Enterprise security
• Healthcare
• Government
• …
FIDO STANDARDS
• UAF: Universal Authentication Framework: multi-factor authentication
• U2F: Universal 2nd Factor: login & password + possession factor
• FIDO2: brings FIDO support to the web browser, Windows 10 and Android 7
  • WebAuthn: standard APIs
  • CTAP (Client to Authenticator Protocol)
EXAMPLES OF FIDO AUTHENTICATORS
Multi factor authentication (possession + knowledge/inherence):
• Platform authenticators: PC with TPM & fingerprint sensor or facial recognition; smart phone with TEE
• Roaming authenticators: smart card with PIN or fingerprint sensor; security key with PIN or fingerprint sensor
2nd factor only (Login & Password + possession factor):
• Platform authenticators: PC with TPM only
• Roaming authenticators: security key; smart card
THE PRINCIPLE OF FIDO: AUTHENTICATION
Figure: the user and the authenticator sit in the user environment; the relying party is reached on-line.
• Local user verification step: a user gesture (touch, PIN entry, biometric entry) is required before the private key can be used.
• On-line authentication step: the relying party sends a challenge; the authenticator signs it with its private key and returns the signed response, which the relying party verifies with the registered public key.
THE PRINCIPLE OF FIDO: REGISTRATION
Figure: on the authenticator, biometric data is captured and a key pair is generated; the device attestation plus the public key are sent to the relying party, while the private key stays in the device. The relying party performs device verification and stores the public key.
THE RTS REQUIREMENTS AND HOW FIDO COMPLIES
MAPPING WITH PSD2
Figure: the authenticator requires a user action (PIN entry, biometric entry) before responding.
PSD2 term                                    FIDO term
PSU                                          User
ASPSP                                        Relying Party
Personalized Security Credential             Private key
Authentication Code                          (Signed) Response
(not mentioned)                              Challenge
(not mentioned)                              Public key
Element categorized as possession            Authenticator
Element categorized as knowledge             PIN
Element categorized as inherence             Biometric data
For remote payment:
Authentication code with dynamic linking     (Signed) Response
Transaction amount and payee                 Challenge + Transaction text
AUTHENTICATION CODE – BASED ON MULTIPLE FACTORS (ARTICLE 4)
• Inherence factor: FIDO supports any biometric modality
  • Biometric data matched locally
  • Biometric data never leaves the device
• Knowledge factor: FIDO supports local PIN verification
  • PIN never leaves the device
• Possession factor: the authenticator itself with its private key
  • Authentication code verification proves the possession of the device AND the correct verification of the user
  • Private key never leaves the device and cannot be derived from knowledge of the authentication code
DYNAMIC LINKING (ARTICLE 5)
• FIDO authenticators can digitally sign
• Some authenticators support “Transaction confirmation”
  • Ability to display information and sign what is displayed → ensures authenticity and integrity of information
Figure: the ASPSP sends a challenge plus the transaction amount and payee; the authenticator displays “Pay 123 € to Merchant ABC? Authenticate to confirm” and returns an authentication code with dynamic linking.
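The registration and authentication flows above (private key generated in and never leaving the authenticator, a user gesture before it can sign, a challenge signed for the relying party) together with the dynamic linking of this slide, as an added example that is not part of the FIDO Alliance deck: a Go simulation of an authenticator and an ASPSP relying party. The message layout (SHA-256 over challenge, a 0x00 separator and the displayed transaction text, signed with ECDSA P-256), the single-use challenge store and the sample transaction text are this example’s own constructions, not the FIDO/WebAuthn wire format; device attestation is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: the private key is generated inside it
// at registration, never leaves it, and is usable only after a user gesture.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register generates the key pair; only the public key goes to the relying party.
func (a *Authenticator) Register() *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.priv = k
	return &k.PublicKey
}

// signedMessage binds the relying party's challenge to the transaction text shown
// to the user; this binding is what makes the authentication code dynamically linked.
func signedMessage(challenge []byte, txText string) []byte {
	msg := append(append(append([]byte{}, challenge...), 0), txText...) // 0x00 separator
	sum := sha256.Sum256(msg)
	return sum[:]
}

// Authenticate performs the local user-verification step, then signs exactly what
// was displayed; userVerified=false models the user not confirming the prompt.
func (a *Authenticator) Authenticate(challenge []byte, displayed string, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, fmt.Errorf("no user gesture: private key not usable")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(challenge, displayed))
}

// RelyingParty models the ASPSP: it holds the public key, issues single-use
// challenges and verifies each code against the transaction it intends to execute.
type RelyingParty struct {
	pub        *ecdsa.PublicKey
	challenges map[string]bool // outstanding, not yet consumed challenges
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[string(c)] = true
	return c
}

// Verify rejects unknown or replayed challenges, and any signature that does not
// cover exactly the amount and payee the ASPSP expects.
func (rp *RelyingParty) Verify(challenge, sig []byte, expectedTx string) bool {
	if !rp.challenges[string(challenge)] {
		return false
	}
	delete(rp.challenges, string(challenge)) // single use, even on failure
	return ecdsa.VerifyASN1(rp.pub, signedMessage(challenge, expectedTx), sig)
}

func main() {
	auth := &Authenticator{}
	rp := &RelyingParty{pub: auth.Register(), challenges: map[string]bool{}}
	c := rp.NewChallenge()
	sig, _ := auth.Authenticate(c, "Pay 123 EUR to Merchant ABC", true) // constructed sample text
	fmt.Println("genuine:", rp.Verify(c, sig, "Pay 123 EUR to Merchant ABC"), "replay:", rp.Verify(c, sig, "Pay 123 EUR to Merchant ABC"))
}
```

A code signed for “Pay 123 EUR to Merchant ABC” fails verification against any other amount or payee, which is the property Article 5 asks for.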
CONFIDENTIALITY AND INTEGRITY OF CREDENTIALS (ARTICLE 22)
• FIDO protects private keys, PIN and biometrics from disclosure
  • Non readable, never displayed, never exported
• FIDO authenticators come in a variety of implementations:
Figure: three deployment models, In Applications, In Restricted Operating Environments (ROE) and In Secure Devices, each showing where the authenticator sits relative to the app, the browser and the platform.
SECURITY CREDENTIAL MANAGEMENT (ARTICLES 23-27)
• Creation
• Delivery
• Renewal
• Destruction/revocation
With FIDO:
• Private key created within the secure environment of the authenticator; public key uploaded to the server
  → No need for a delivery mechanism
• FIDO keys do not expire: it is up to the service provider to manage revocation or renewal
  → for example, by revoking use of the associated public key on the server
EVALUATION: WHAT THE REGULATOR SAYS
[RTS] RECITAL 2, ARTICLE 3.1
The security measures for the application of strong customer authentication, and the measures to protect the confidentiality and integrity of the personalised security credentials, must be:
• Documented
• Periodically tested, evaluated and audited by auditors
• Auditors must have expertise in IT security and payments and be operationally independent
THE NECESSITY OF EVALUATION AND FIDO’S CERTIFICATION PROGRAM
FIDO CERTIFICATION PROGRAM
A documented program covering:
• Functional compliance
  • Of authenticators and servers
  → Interoperability test events
• Security evaluation
  • Of authenticators
  → Tests of the security measures that protect keys and biometrics
  → Tests done by independent labs
FIDO SECURITY LEVELS
Figure: the six levels and the implementation each is based on:
• L1, L1+: any device, HW or SW; L1+ implementation in “hardened” SW
• L2, L2+: implementation in a Restricted Operating Environment, e.g., TEE
• L3, L3+: implementation in a Secure Element
LEVEL 1
• Better than passwords
• FIDO is unphishable and biometrics are more convenient
• Keys and biometric templates are protected similarly to passwords stored by a browser or password manager app
• Requires the best facilities offered by the hosting OS
• L1+ adds white-box cryptography, obfuscation and other techniques to defend against compromise of the hosting OS
Certification Process (L1 / L1+ (in development)):
• Vendor: Create detailed design document
• Lab: No lab at L1 / Penetration testing at L1+
• FIDO: Design Review, Administration at L1 / Administration at L1+
Examples
• Android or iOS applications
• Platform built-in authenticators
• Level 2 or Level 3 capable authenticators that have not been certified at Level 2 or Level 3 yet
LEVEL 2
• In addition to L1
• A restricted operating environment like a TEE gives security even if the OS is compromised
• Separate USB, BLE and NFC authenticators are considered to use a restricted operating environment
• Gives defense against larger scale attacks
• Additional assurance at L2+
Certification Process (L2 / L2+ (in development)):
• Vendor: Create detailed design document / additionally supply source code at L2+
• Lab: Design Review at L2 / Penetration testing, Attack potential calculation at L2+
• FIDO: Administration
Examples
• Android apps using the TEE in a smart phone
• PC TPM based implementations
• USB, BLE and NFC Security Keys
• Level 3 capable authenticators that haven’t yet been certified at Level 3
LEVEL 3
• In addition to L2
• Defends against physically captured authenticators
• Defenses against disassembling, probing, glitching and other such physical attacks
• L3+ adds defense against chip-level physical attacks, such as decapping and probing the chip
Certification Process (L3 & L3+):
• Vendor: Create detailed design document, Supply source code
• Lab: Design Review, Penetration testing, Attack potential calculation
• FIDO: Administration
Examples
• USB, BLE and NFC Security Keys or smart cards using Secure Elements or other means of defending against HW attacks
• Some phone & platform authenticators may achieve L3, but it is uncommon
COMPANION PROGRAMS
• Re-use as much as possible from other programs like Common Criteria
• Reduces time, effort and cost of certification for authenticator vendors
• Companion programs do not cover all FIDO requirements
• Even with advanced companion programs, vendors will have to go through additional certification with the FIDO Alliance
FIDO Security Level    Companion Program
L3                     Common Criteria AVA_VAN 3
L3+                    Common Criteria AVA_VAN 4
L2+, L3                FIPS
L2+                    Global Platform TEE Protection Profile
Figure: of All FIDO Security Requirements, an authentication-specific companion program covers one part; the remainder stays FIDO-specific (labelled areas: end-device configuration, cryptographic algorithms).
BIOMETRIC SUB-COMPONENT CERTIFICATION
• Labs perform empirical testing for False Acceptance and False Rejection Rates
  • 245 subjects
  • Biometric sub-system FAR must be below 1:10,000
  • Biometric sub-system FRR must be below 3:100
• Labs perform empirical testing for Presentation Attack Detection
  • At least 10 subjects
  • Both Level A and Level B artifacts will be tested
  • Imposter Attack Presentation Match Rate (IAPMR) < 20%
• Validation of optional Self Attestation
  • Vendor may attest to a higher FAR at a FRR of 3% or less
  • Validated test results
COMPLETE PROCESS
Figure: two certification flows.
• Authenticator vendor: Develop Complete Authenticator → FIDO Accredited Laboratory: Test Complete Authenticator → Review and approval.
• Biometric vendor: Develop Biometric Subcomponent → FIDO Accredited Biometric Lab: Test Biometric Subcomponent → Review and approval → Biometric Subcomponent Certificate and Allowed Integration Document, which feed into the authenticator vendor’s development of the complete authenticator.
FIDO ACCREDITED LABS
All labs that do FIDO certification must pass accreditation by the FIDO Alliance.
Figure: lab logos grouped by scope: L2; L3, L3+; Biometric. List as of April 2019.
THE IMPORTANCE OF METADATA
• Describes the authenticator characteristics
• Conveys the certification status
• Typically checked by the relying party at the time of registration
Figure: the registration flow (biometric data captured, key pair generation, device attestation + public key sent to the relying party, device verification), with the relying party also querying the Metadata service for metadata incl. certification status.
TAKE AWAY
• ASPSPs will need assurance that their authentication solution meets the regulatory requirements
• ASPSPs have to have their authentication solutions tested and evaluated by independent auditors
FIDO can help
• FIDO standards conform to the RTS
• FIDO’s certification program guarantees this conformity
• FIDO’s certification program provides for the mandatory security evaluation
RESOURCES:
https://fidoalliance.org/how_fido_meets_the_rts_requirements/
https://fidoalliance.org/certification/
Connect with FIDO: fidoalliance.org