FIDO AUTHENTICATION IN EUROPE: THE MOMENTUM AND OPPORTUNITIES
08 December 2017
Alain Martin (Gemalto)
FIDO Europe WG Co-chair
FIDO Authentication in Europe
AGENDA
• What is happening in Europe
• Focus on PSD2
• The FIDO standards can help
EUROPEAN REGULATION
• PSD2 – Revised Payment Services Directive
  • Entered into force on 12 January 2016, applies from 13 January 2018, RTS to apply end August 2019
• GDPR – General Data Protection Regulation
  • Entered into force on 24 May 2016, applies from 25 May 2018
• eIDAS – Electronic Identification and Trust Services
  • Entered into force on 17 September 2014, applies from 1 July 2016. Mandatory cross-border recognition of eIDs in September 2018
PSD2 IN A FEW WORDS
• New Access to Account mandate: Open APIs
• New Strong Customer Authentication mandate
• New Third Party Provider (TPP) roles:
  • Payment Initiation Service Provider (PISP)
  • Account Information Service Provider (AISP)
[Diagram: the user gives consent; the PISP and AISP reach the banks through Open APIs; the PISP triggers payment execution]
GDPR – PROTECTION OF PERSONAL DATA
• Access to personal data
  • Protection of access to data must be proportional to data sensitivity (Article 32)
  • Explicit user consent is mandatory to collect personal data
  • May require Strong authentication for sensitive data
• Privacy by design
  • FIDO authenticators are well suited (no shared keys, local user verification)
Compliance with GDPR may require Strong Authentication.
Very large fines for infringement: up to €20,000,000 or 4% of total worldwide turnover
EIDAS – DIGITIZING ID AND SIGNATURES
• Open up access to public services & ensure secure online transactions
• Enable cross-border trust
• Improve security and convenience when doing business online
• Encourage digital transaction growth and dematerialization
[Diagram: the eIDAS Regulation covers eID and Trust services (eSignatures, eSeals, time stamps, electronic delivery, website authentication); the user’s keys are to be held on “Qualified Signature Creation Devices”]
THE RTS (REGULATORY TECHNICAL STANDARDS)
• Requirement for Strong Customer Authentication
  • Must be based on 2FA
  • The Bank authenticates the user
  • Customer consent materialised by an Authentication code
  • Transaction signature (transaction amount and transaction payee)
• Applies to card-based payments and to Credit Transfers
PSD2 TIMELINE
• The Open APIs have been defined (STET, Berlin Group, OBIE)
• They impact the way user authentication happens
• Banks are deciding now on their authentication methods
[Timeline: PSD2 entry into force, 12 January 2016; Final RTS, 27 Nov 2017; transposition into national law, 13 January 2018; official publication of the RTS, end Feb 2018; RTS application, Sept 2019 (max 18 months after RTS adoption by the Commission). Phases shown: transposition period (“fuzzy period”), RTS adoption, RTS implementation]
THIS COULD HAPPEN
[Diagram: an account aggregator web site (AISP) connects to Bank A, Bank B and Bank C, each requiring a different authenticator: Bank A app, Bank B token, Bank C OTP generator]
IMPROVED USER EXPERIENCE
• A standard will facilitate implementation of this model
• FIDO standards may be attractive to implement this model
[Diagram: the user authenticates once with their own device (“Authenticate with your device”), or through the AISP app, across all AISPs]
STANDARDISATION IS NECESSARY
• Cost reduction
• Multi channel, multi form factors
• Ease of deployment
• User experience
[Diagram: Bank App]
FIDO STANDARDS ARE RELEVANT
• Based on Multi factor authentication, in line with the regulations
• Secure execution environments ranging from hardened Software to TEE to Secure Elements
• Strong focus on Biometrics
• Can be combined with Authorisation frameworks
  • OAuth 2
FIDO PROTECTS USER IDENTIFICATION DATA
• No shared secrets
• On-device key generation
• Local verification (of PIN, of biometric data)
In line with GDPR
Facilitates deployment
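As an added illustration of two points in this deck, the RTS authentication code bound to the transaction amount and payee, and the FIDO properties of on-device key generation with no shared secrets, the Go program below is example code written for this page; it is not the deck's, Gemalto's or the FIDO Alliance's code and does not reproduce the FIDO wire protocol. The device generates a P-256 key pair and keeps the private key; the bank stores only the public key, issues a random challenge per transaction and verifies a signature over challenge, amount and payee, so a tampered payee or a signature replayed under a new challenge is rejected. The `Transaction`, `Authenticator` and `Bank` types, the byte layout of the signed message and the sample IBAN strings are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Transaction holds the two values the RTS requires the authentication code
// to be linked to: amount (in minor units) and payee (constructed layout).
type Transaction struct {
	AmountCents int64
	Payee       string
}

// Authenticator models the user's device. The private key is generated here
// and never leaves the struct: on-device key generation, no shared secret.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material handed to the bank at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// messageDigest binds the bank's challenge to the transaction details, so the
// resulting signature is valid only for this challenge, amount and payee.
// The concatenation layout is an assumption of this example, not FIDO's.
func messageDigest(challenge []byte, tx Transaction) []byte {
	h := sha256.New()
	h.Write(challenge)
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], uint64(tx.AmountCents))
	h.Write(amt[:])
	h.Write([]byte(tx.Payee))
	return h.Sum(nil)
}

// SignTransaction produces the "authentication code" that materialises the
// customer's consent. Local user verification (PIN or biometric) would
// gate this call on a real device; it is not modelled here.
func (a *Authenticator) SignTransaction(challenge []byte, tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, messageDigest(challenge, tx))
}

// Bank models the relying party. It stores public keys only, so a leak of
// its user table gives an attacker nothing that can impersonate a user.
type Bank struct {
	users map[string]*ecdsa.PublicKey
}

func NewBank() *Bank { return &Bank{users: map[string]*ecdsa.PublicKey{}} }

func (b *Bank) Register(user string, pub *ecdsa.PublicKey) { b.users[user] = pub }

// NewChallenge issues a fresh random nonce for each transaction.
func (b *Bank) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the code only if the registered key signed exactly the
// challenge and transaction the bank is about to execute.
func (b *Bank) Verify(user string, challenge []byte, tx Transaction, sig []byte) bool {
	pub, ok := b.users[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, messageDigest(challenge, tx), sig)
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	bank := NewBank()
	bank.Register("alice", auth.PublicKey())

	challenge, err := bank.NewChallenge()
	if err != nil {
		panic(err)
	}
	tx := Transaction{AmountCents: 12050, Payee: "DE00EXAMPLE0000000000"} // constructed sample
	sig, err := auth.SignTransaction(challenge, tx)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine transaction accepted:", bank.Verify("alice", challenge, tx, sig))

	tampered := tx
	tampered.Payee = "GB00EXAMPLE0000000000" // constructed: payee swapped in transit
	fmt.Println("tampered payee accepted:", bank.Verify("alice", challenge, tampered, sig))
}
```

The design choice worth noting is that the bank never holds anything it must keep secret on the user's behalf: the challenge is public, the public key is public, and the private key stays on the device. A server breach therefore does not translate into account takeover, which is the property the deck cites as the reason FIDO fits GDPR's proportionality requirement.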
FIDO COMES WITH A CERTIFICATION PROGRAM
• Functional, by the FIDO Alliance
• Security, by the FIDO Alliance with independent accredited labs
• The Regulations require security evaluation
  • Article 3 of the Feb 2017 revision of the PSD2 RTS
  • eIDAS article 30