FIDO UAF and PKI in Asia - Case Study and Recommendations by Karen Chang and Wei-Chung Hwang, APKIC
- Presented at FIDO Seoul Public Seminar on December 5th, 2018
FIDO UAF and PKI in Asia - Case Study and Recommendations
All Rights Reserved | FIDO Alliance | Copyright 2018
FIDO UAF AND PKI IN ASIA – A CASE STUDY AND RECOMMENDATIONS
JOINT WHITE PAPER OF FIDO ALLIANCE AND ASIA PKI CONSORTIUM (APKIC)
KAREN CHANG – EGIS TECHNOLOGY
WEI-CHUNG HWANG – APKIC
DECEMBER 5, 2018
BACKGROUND OF APKIC (1)
• The Asia PKI Forum was founded in 2001 and transformed into the Asia PKI Consortium in 2007, bringing together leading organizations from the Asia region supported by the government and industrial sectors
• Objectives:
▸ Promote the applications of PKI in e-commerce, e-government, e-finance, etc.
▸ Advance the interoperability among PKIs in countries in the Asia region
▸ Collaborate with the global community to deliver a comprehensive framework of e-authentication
BACKGROUND OF APKIC (2)
• Policy and Technology
▸ Asia PKI Interoperability Guideline
▸ CA Responsibilities and Liability
▸ Legal Issues on New Security Technologies
▸ Mutual Recognition of National PKIs (Greater China, ASEAN)
▸ Cross Border Applications (Trade, Financial)
• Promotion and Awareness
▸ Asia PKI Case Study
▸ Asia PKI Company List and Total Solutions
▸ Asia PKI Best Practice Award
▸ Asia PKI Innovation Award
▸ PKI Market Survey
▸ International Collaboration (PAA, AFACT, APSCA, FIDO, etc.)
NEEDS TO BE ADDRESSED
• Both the financial and government sectors are highly regulated in the region
▸ Most regions in Asia and Europe have regulations requiring PKI for digital (electronic) signatures with legal effect
▸ Financial transactions are required to use PKI in some regions, with the certificate issued by a Certificate Authority (CA) endorsed under the digital (electronic) signature regulations
• Accelerate the adoption of FIDO in Asia
▸ APKIC member companies are not very familiar with FIDO and its use of biometrics
▸ Whitelisting of FIDO is needed in certain regions
• e.g., FIDO is already whitelisted for certain financial transactions in some regions (Korea, Taiwan)
▸ Different member companies have different ideas on how FIDO should be used, especially together with an existing PKI system
▸ The FIDO Alliance has its own policies and opinions, too
FIDO WEBSITE (APRIL 2018)
CURRENT DEVELOPMENT IN ASIA (1)
• Digital Signature Regulation, National PKI, Public/Licensed CA

Country/Region | National/Regional PKI | Digital Signature Legislation | Financial Regulation on PKI | eID and Other PKI Applications
--- | --- | --- | --- | ---
China | ✓ (Some regions) | ✓ (ESL, 2005) | Mandatory for financial transactions above a certain amount | eID (Optional, with PKI), e-Government, e-Commerce, etc.
Hong Kong | ✓ (HKPost[13]) | ✓ (ETO[19], 2000) | Optional | eID (Mandatory, with PKI option), e-Government, e-Commerce, etc.
India | ✓ (CCA[14]) | ✓ (ITA-CCA, 2000) | Mandatory for high-risk bank transactions | eID[26] (Mandatory, signed by PKI), e-Government, e-Commerce,etc.
Japan | ✓ (JPKI[15]) | ✓ (ESaCBA, 2000) | Optional | eID (Optional, with PKI option), e-Government, e-Commerce, etc.
Korea | ✓ (NPKI, GPKI) | ✓ (ESA, 1999) | Optional (Mandatory until 2014) | eID (Optional, without PKI), e-Government, e-Commerce
Macao | ✓ (eSignTrust[16]) | ✓ (EDSL, 2005) | Optional | eID (Mandatory, with PKI option), e-Government, e-Commerce, etc.
Taiwan | ✓ (GPKI[4], FRCA) | ✓ (ESA, 2002) | Mandatory for high-risk bank transactions and all online stock trading | eID (Optional, with PKI), e-Government, e-Commerce, etc.
Thailand | ✓ (NRCA[17]) | ✓ (ETA, 2001) | Optional | eID, e-Government, e-Commerce
CURRENT DEVELOPMENT IN ASIA (2)
• Deployment of FIDO, PKI, and Others (map of the region; the callouts per country/region are listed below)
• China
▸ eID by MPS with PKI
▸ Domain/Regional PKI: CFCA, BJCA, …
▸ FIDO in Chinese FCWG
• India
▸ National eID (UIDAI): AADHAAR (fingerprint, iris)
▸ National PKI (CCA): eMudhra, (n)Code, … for financial, government, procurement, …
▸ Digital Signature Regulation
• Korea
▸ National eID: NID card & i-PIN
▸ National PKI (KISA): NPKI & K-FIDO / GPKI & G-FIDO for financial, commerce, government, …
▸ Digital Signature Regulation
• Taiwan
▸ Private sector: TWID (financial identification with PKI) + FIDO; TWID + Mobile ID
▸ Government sector: T-FIDO & Government PKI (MOEACA for citizens)
▸ Telecom: FIDO-based CRM
▸ Local government: IOTA Tangle ID
▸ Digital Signature Regulation
• Hong Kong / Macao
▸ Hongkong Post, Macau Post: eID with PKI (and FIDO)
▸ Digital Signature Regulation
• Thailand
▸ National PKI (NRCA by ETDA)
▸ eID (not active yet)
▸ Digital ID Committee
▸ National Digital ID Co., Ltd (Blockchain + MQ)
▸ ETDA Connect: Blockchain (Omise) / FIDO
▸ Digital Signature Regulation
• Singapore
▸ eID (SingPass)
• Malaysia
▸ eID with PKI and fingerprint (MyKad, …)
• Japan
▸ National eID: My Number Card with JPKI
▸ FIDO in telecom, financial, commerce and other sectors
▸ Digital Signature Regulation
8. FIDO VS. PKI
FIDO: Authenticator (holds the key pairs), Authentication Server, Relying Party, Attestation Service, …
PKI: Token (holds the key pairs), Certificate Authority, Registration Authority, Validation Authority, Relying Party, …
9. CASE STUDY (1)
• K-FIDO (FIDO + NPKI certificate) by KISA
10. CASE STUDY (2)
• Taiwan Identification Center (FIDO + PKI) by TWCA
11. RECOMMENDATIONS
• Three classes to integrate FIDO and PKI
▸ Class 1: Shared Authenticator
Only a client-side implementation is needed
▸ Class 2: Synchronized Registration Process
Server-side integration, with or without a client-side implementation (modelled on the derived credential approach)
(1) Bootstrapping PKI registration with FIDO
(2) Bootstrapping FIDO registration with PKI
(3) Combined registration for FIDO and PKI
▸ Class 3: Shared Key Pairs
Needs both server-side integration and a client-side implementation
(1) FIDO reuses PKI's key pair
(2) PKI reuses FIDO's key pair
(3) Generate a new FIDO+PKI key pair
• Classes 1 and 2 could be implemented by extending the FIDO specifications
• Class 3 may conflict with the FIDO Security Guideline and the UAF specification
▸ Not in the scope of the recommendations in this version of the white paper
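A worked server-side check for Class 2 (2), bootstrapping FIDO registration with PKI (the flow the pilot-project slide later calls "Use PKI to bootstrap FIDO2 account (ID proofing)"), written in Go as an added example for this page; it is not code from the white paper, KISA, TWCA or the FIDO Alliance. Assumed rather than taken from the slides: the `Registry` type and method names, the transcript format SHA-256(challenge || payload) that stands in for a real UAF registration message, the one-day demo CA, and the constructed subject ID "A123456789". The relying party verifies the certificate chain with a client-authentication EKU, verifies the certified key's signature over the server challenge and the new FIDO public key, and only then binds that FIDO key to the certificate's subject. It also refuses a registration that presents the certificate's own key as the FIDO key, because sharing one key pair between the two systems is Class 3, which the paper flags as conflicting with the FIDO Security Guideline and the UAF specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Registry is a hypothetical RP store (assumed for this example): trusted PKI roots plus one FIDO key per user ID.
type Registry struct {
	Roots *x509.CertPool
	Creds map[string]*ecdsa.PublicKey
}

// mustCert issues a one-day ECDSA certificate for pub; it is self-signed when parent is nil.
func mustCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// digest binds the server challenge to the object being registered (constructed format: SHA-256(challenge || payload)).
func digest(challenge, payload []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, challenge...), payload...))
	return d[:]
}

// BootstrapFIDOWithPKI is Class 2 (2): the certificate holder signs challenge || new FIDO public key
// with the certified key; the RP verifies the chain and that signature, then binds the FIDO key to
// the certificate subject. Offering the certificate key itself as the FIDO key is refused (Class 3).
func (r *Registry) BootstrapFIDOWithPKI(challenge, certDER []byte, fidoPub *ecdsa.PublicKey, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: r.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	pkiPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("certificate key is not ECDSA")
	}
	if pkiPub.Equal(fidoPub) {
		return "", errors.New("refusing to reuse the PKI key pair as the FIDO key pair")
	}
	fidoDER, err := x509.MarshalPKIXPublicKey(fidoPub)
	if err != nil || !ecdsa.VerifyASN1(pkiPub, digest(challenge, fidoDER), sig) {
		return "", errors.New("PKI signature over the FIDO registration does not verify")
	}
	r.Creds[cert.Subject.CommonName] = fidoPub
	return cert.Subject.CommonName, nil
}

// demo runs Class 2 (2) end to end, then exercises the Class 3 guard: it returns the user ID bound
// to the new FIDO key and whether offering the certificate key as the FIDO key was refused.
func demo() (string, bool, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := mustCert("Demo Root CA", true, &caKey.PublicKey, nil, caKey)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userCert := mustCert("A123456789", false, &userKey.PublicKey, ca, caKey) // constructed subject ID
	reg := &Registry{Roots: x509.NewCertPool(), Creds: map[string]*ecdsa.PublicKey{}}
	reg.Roots.AddCert(ca)
	challenge := make([]byte, 32) // server-issued nonce
	rand.Read(challenge)
	fidoKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // client-side: fresh FIDO key pair
	fidoDER, _ := x509.MarshalPKIXPublicKey(&fidoKey.PublicKey)
	sig, _ := ecdsa.SignASN1(rand.Reader, userKey, digest(challenge, fidoDER)) // signed with the PKI key
	user, err := reg.BootstrapFIDOWithPKI(challenge, userCert.Raw, &fidoKey.PublicKey, sig)
	if err != nil {
		return "", false, err
	}
	// Class 3 attempt: the certificate key itself presented as the FIDO key, with a valid signature.
	pkiDER, _ := x509.MarshalPKIXPublicKey(&userKey.PublicKey)
	sig, _ = ecdsa.SignASN1(rand.Reader, userKey, digest(challenge, pkiDER))
	_, reuseErr := reg.BootstrapFIDOWithPKI(challenge, userCert.Raw, &userKey.PublicKey, sig)
	return user, reuseErr != nil, nil
}

func main() {
	user, refused, err := demo()
	println("bound FIDO credential to", user, "- key reuse refused:", refused, "- ok:", err == nil)
}
```

Running it prints the bound user ID and that the key-reuse attempt was refused. Class 2 (1), bootstrapping PKI registration with FIDO, is the mirror image: the RA verifies a FIDO assertion over challenge || CSR against the stored FIDO key before issuing the certificate. A production version would also check the certificate's revocation status and replace the constructed transcript with the actual UAF registration response and its attestation.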
13. FIDO2 and PKI
[Architecture diagram. Client side: Browser PKI, Platform PKI, Internal PKI Token, External PKI Token, RP PKI App, PKCS#11. Server side: RP APP Server, PKI Server (CA/RA/VA Server). Flow: PKI Identification/Signature. Integration points: Class 1 and Class 2 (Browser, Platform).]
14. FIDO2+PKI
• Future Use Cases:
▸United States:
• Education (Students and Teachers)
• Healthcare (Medical Wallet)
• Government (First Responders, DoD, DoI)
▸Taiwan:
• Government Mobile Identity for Citizen (G2C services)
15. Pilot Project for Mobile Authentication & Identification Platform
[Diagram components: MOICA, GCA, HCA, MOEACA, XCA (Taiwan GPKI certificate authorities), FIDO2, National Citizen Database]
☞ Service Portal
☞ Tax filing
☞ Health bank
☞ e-Invoice
☞ Finance
☞ …
☞ Decentralized Identification & Applications (e.g. Blockchain, Distributed Ledger, …)
☞ Use PKI to bootstrap FIDO2 account (ID proofing)
☞ Use FIDO2 to enhance the security of cloud-based PKI system
☞ FIDO2 & PKI in one token/authenticator
16. WELCOME TO JOIN US!
17. 2018 FIDO TAIPEI SEMINAR
NOVEMBER 30, 2018
VICTORIA TAIPEI HOTEL
We work together!
Moving Beyond Passwords!
18. CLIENT ARCHITECTURE (1)
• PKI uses FIDO's Authenticator
19. CLIENT ARCHITECTURE (2)
• FIDO uses PKI's Token
20. CLASS 2 (1)
• Bootstrapping PKI registration with FIDO
21. CLASS 2 (2)
• Bootstrapping FIDO registration with PKI
22. CLASS 2 (3)
• Combined registration for FIDO and PKI
23. CLASS 2 (4)
• Revocation process