Presented at FIDO Authentication Seminar – Tokyo By: Alain Martin, VP, Strategic Partnerships, Gemalto; Secretary, FIDO Alliance Board of Directors; Co-Chair, FIDO Europe Working Group

1. All Rights Reserved | FIDO Alliance | Copyright 20181
FIDO SUPPORT FOR THE GDPR
ALAIN MARTIN
CO-CHAIR FIDO EUROPE WG
VP STRATEGIC PARTNERSHIPS - GEMALTO

2. All Rights Reserved | FIDO Alliance | Copyright 20182
AGENDA
• Review of relevant GDPR requirements
• How FIDO helps to meet these requirements

3. All Rights Reserved | FIDO Alliance | Copyright 20183
GDPR – GENERAL DATA PROTECTION REGULATION
• Applies since 25 May 2018
• Very large fines for infringement: Up to €20,000,000 or 4% total
worldwide turnover
• Data protection
• Consent of data subject
• Data subject rights
• Adequacy, relevance, etc. of data collection
• …
The subject of today

4. 4
SECURITY OF PROCESSING
• Personal data shall be protected against unauthorised processing,
unauthorized disclosure or access (articles 5, 32.2)
• Level of security to be appropriate to the risk (article 32.1)
All Rights Reserved | FIDO Alliance | Copyright 2018

5. All Rights Reserved | FIDO Alliance | Copyright 20185
PROTECTION AGAINST UNAUTHORIZED ACCESS
Are passwords still OK ?
➔Strong authentication
may be required

6. All Rights Reserved | FIDO Alliance | Copyright 20186
RECENT HEALTHCARE DATA BREACHES
July 2018 – Singapore
“Hackers stole data of PM Lee and 1.5 million
patients in 'major cyberattack' on SingHealth”
October 2018 – USA
“US Center for Medicare & Medicaid Services
says 75,000 individuals' files accessed in
data breach”
July 2018 – USA
“1.4M records breached in UnityPoint Health
phishing attack”
July 2018 – USA
“Patient data exposed for months
after phishing attack on Sunspire”

7. 7
SPECIAL CATEGORIES OF DATA
• Processing of this data prohibited,
unless allowed in specific cases
(article 9.1)
• If allowed, requires
• Explicit consent (article 9.2)
• Suitable safeguards to protect personal
data
• Data protection impact assessment
(article 35)
• Assessment of the measures, safeguards
and mechanisms envisaged for
mitigating risk and ensuring the
protection of personal data
Special
Categories
of data
Political opinions
Racial or ethnic
origin
Healthcare
Sexual life
Religious
beliefs
Biometric data
All Rights Reserved | FIDO Alliance | Copyright 2018

8. 8
USER CONSENT
• Data subject must give consent to processing of his/her personal data
(article 6.1)
• The controller should be able to demonstrate this consent (article 7.1)
• For special categories: explicit consent (article 9.2)
All Rights Reserved | FIDO Alliance | Copyright 2018

9. All Rights Reserved | FIDO Alliance | Copyright 20189
EXPLICIT CONSENT
Is ticking a box the best
practice ?
➔Strong authentication could be a good practice
➔Creating a non forgeable digital proof could be
a good practice

10. 10
EXEMPTION
• GDPR does not apply to the processing of personal data by a natural
person in the course of a purely personal or household activity (article 2.2)
• Biometrics on smartphone can be exempted
• e.g. French Data Protection Authority (CNIL) exemption IF ON DEVICE STORAGE
AND MATCHING
• If remote storage and matching, there must be an impact assessment
All Rights Reserved | FIDO Alliance | Copyright 2018

11. All Rights Reserved | FIDO Alliance | Copyright 201811
CNIL BIOMETRIC DIRECTIVE
Criteria for exemption from CNIL review and authorization
1. The user uses this device privately, using his own biometric data, to unlock his
phone or to access applications he has downloaded on his own
2. The user only decides to use the biometric authentication integrated in his device
3. The biometric template is stored in the device in a closed environment and is not
accessible or transmitted to the outside
4. The biometric template is stored in the apparatus in an encrypted manner using a
cryptographic algorithm and a key management according to the state of the art
5. During the access control, only a token or data indicating the success or failure of
the recognition of the biometry presented is transmitted

12. All Rights Reserved | FIDO Alliance | Copyright 201812
DATA SUBJECT RIGHTS
• Data subjects have a number of rights on their personal data:
• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to data portability (Article 20)
• Delivering these capabilities requires user authentication
For sensitive data (special categories), are
passwords still OK ?
➔Strong authentication may be required

13. 13
DATA PROTECTION BY DESIGN PRINCIPLE
• Controllers should implement measures which meet the principles of
data protection by design (article 25)
• Proactive
• Embedded from the start in design
• For authentication solutions, this would mean, by design:
➔ Protection of user authentication credentials and biometric data
➔ Protection against phishing or MITM attacks
➔ Protection against third parties inferring the identities of authenticating parties
All Rights Reserved | FIDO Alliance | Copyright 2018

14. All Rights Reserved | FIDO Alliance | Copyright 201814
FIDO HELPS MEET GDPR
REQUIREMENTS

15. All Rights Reserved | FIDO Alliance | Copyright 201815
HUMAN-READABLE “SHARED SECRET”
• Inconvenient
• Phishable
• Hackable
This is true of One Time
Passwords as well
Password or OTP

16. All Rights Reserved | FIDO Alliance | Copyright 201816
SMS OTP HACKS
August 2018 – USA
“Reddit Breach Highlights Limits of SMS OTP-
Based Authentication”
May 2017 – Germany (Süddeutsche Zeitung )
“Vulnerability in the mobile network: Criminal
hackers empty accounts”
German
Banks

17. User Environment
All Rights Reserved | FIDO Alliance | Copyright 201817
FIDO AUTHENTICATION
Authenticator
User gesture before
private key can be used
(Touch, PIN entry,
Biometric entry)
Challenge
Signed Response
Private key
Public key
User Relying Party
Local user verification step On-line authentication step

18. All Rights Reserved | FIDO Alliance | Copyright 201818
FIDO EMBRACES PROTECTION/PRIVACY-BY-DESIGN
Based on
public key
cryptography
No server-side
shared secrets
Keys
generated
and stored
on device
No 3rd party in
the protocol
Biometrics, if used,
never leave device
No link-ability
between services or
accounts

19. All Rights Reserved | FIDO Alliance | Copyright 201819
FIDO PROTECTION FROM HACKERS
• Non human readable cryptographic response
• Protects from (simple) phishing attacks
• Verification of web origin/channel id
• Prevents man-in the middle attacks and (complex) phishing attacks
Relying
Party

20. All Rights Reserved | FIDO Alliance | Copyright 201820
FIDO’S USE OF BIOMETRICS
• With FIDO, biometrics can only be stored and matched on a consumer’s
device
• FIDO prohibit biometrics from being stored or matched in servers
➔ No Data Protection Impact Assessment for the use of biometric data

21. All Rights Reserved | FIDO Alliance | Copyright 201821
EXPLICIT CONSENT WITH FIDO
• FIDO authenticators are capable of signing
transaction data
• Server message can include consent information
• Signed response is a non forgeable proof
• Can be used in case of dispute
Do you agree to
providing your
health data to
ABCHealth ?
Authenticate to
confirm

22. All Rights Reserved | FIDO Alliance | Copyright 201822
BROADER REACH: A BENEFIT OF STANDARDISATION
• A FIDO universal server
supports any FIDO
compliant authenticator
➔FIDO Standards reduce
the cost of deploying
multiple devices
FIDO server
App

23. All Rights Reserved | FIDO Alliance | Copyright 201823
TAKE AWAY
• In light of the heavy fines
• In light of the ever increasing attacks
from hackers
➔ A service provider should consider
replacing passwords with stronger
means of authentication
Password
• FIDO proposes a standardized solution
• That combines convenience and security
• That meets the privacy-by-design requirement
Data protection
measures

24. All Rights Reserved | FIDO Alliance | Copyright 201824
HTTPS://FIDOALLIANCE.ORG/