“Your Security, More Simple.” by utilizing FIDO Authentication
LINE and Intertrust Security Summit Tokyo 2017
“Your Security, More Simple.” by utilizing FIDO Authentication
May 17, 2017
Koichi Moriyama Senior Director, Product Department, NTT DOCOMO, INC.
A Board of Directors and Chair of FIDO Japan WG, FIDO Alliance
LINE and Intertrust Security Summit 2017 © 2017 NTT DOCOMO, INC. All Rights Reserved. 1
Table of Contents
• What is FIDO? Why FIDO?
• FIDO Deployments at NTT DOCOMO
– Motivation
– User Experiences
– Security under the Design Principles
“The new of today, the norm of tomorrow.”
• FIDO Alliance & FIDO Japan WG – Today & Tomorrow
What is FIDO? Why FIDO?
Referring to a part of the presentations of Mr. Brett McDowell, Executive Director, FIDO Alliance
All Rights Reserved | FIDO Alliance | Copyright 2017 4
THE WORLD HAS A PASSWORD PROBLEM
81%: Data breaches in 2016 that involved weak, default, or stolen passwords¹
65%: Increase in phishing attacks over the number of attacks recorded in 2015²
1,093: Breaches in 2016, a 40% increase over 2015³
¹Verizon 2017 Data Breach Report | ²Anti-Phishing Working Group | ³Identity Theft Resource Center 2016
CLUMSY | HARD TO REMEMBER | NEED TO BE CHANGED ALL THE TIME
THE FIDO PARADIGM
(Chart: usability of authentication from Poor to Easy plotted against security from Weak to Strong)
HOW OLD AUTHENTICATION WORKS
ONLINE CONNECTION: The user authenticates themselves online by presenting a human-readable “shared secret” (ID/Password).
HOW FIDO AUTHENTICATION WORKS
LOCAL CONNECTION: The user authenticates “locally” to their device (by various means).
ONLINE CONNECTION: The device authenticates the user online using public key cryptography.
THE NEW MODEL: Fast IDentity Online, open standards for simpler, stronger authentication using public key cryptography
THE FIDO PRIVACY POLICIES
• No 3rd Party in the Protocol
• No Secrets generated/stored on the Server side
• Biometric Data (if used) Never Leaves Device
• No Link-ability Between Services and Accounts
• De-register at any time
ENHANCED AUTHENTICATION EXPERIENCES
Passwordless Experience | Second Factor Experience
Flexible authentication spanning a variety of service providers
FIDO Specifications
FIDO 1.1 (FIDO)
CTAP* (FIDO)
WebAuthn* (FIDO+W3C)
UVC* (FIDO+EMVCo)
*FIDO 2 Project: In Development
The FIDO Alliance is an open industry association of over 250 global member and partner organizations
FIDO Deployments at NTT DOCOMO
d ACCOUNT™ Login Authentication
Mobile Payment, and more…
Motivation: “Your Security, More Simple.”
• NTT DOCOMO provides its customers with the OpenID-based “d ACCOUNT”, in addition to 4-digit passwords, for online service access including DOCOMO-branded services, partner services, and carrier billing payments.
• NTT DOCOMO wanted to help its customers, who always had to remember their passwords, by making access more convenient in a secure way, and recognized that the FIDO standards might help.
https://www.youtube.com/watch?v=UP0DyYk5IXc
(Slide figures: iris and fingerprint sensors; password-less AuthN using biometrics for login, unlock, and carrier billing payment)
Overview: NTT DOCOMO’s Deployment (1/2)
• DOCOMO launched FIDO-enabled online authentication with biometric-sensor-equipped devices for “d ACCOUNT” (a.k.a. docomo ID) login and carrier billing payments in May 2015. DOCOMO has continued to extend the FIDO-enabled experience, supporting legacy 4-digit PINs and others, including “d ACCOUNT” carrier billing partners.
(Slide figure: carrier billing payment market)
Overview: NTT DOCOMO’s Deployment (2/2)
• NTT DOCOMO selected the FIDO UAF 1.0 standard for the reasons below:
1) easy and fast online authentication using biometrics, 2) a secure protocol that utilizes public key cryptography, and 3) an open standard for future interoperability.
• NTT DOCOMO launched four FIDO® Certified devices and the FIDO-enabled server in May 2015. These included several world firsts: a) as an MNO, b) with multiple FIDO Certified devices from multiple OEMs, c) with the world’s first iris-scanner-equipped smartphone, and d) for multiple services.
FIDO-enabled Devices for d ACCOUNT 20 Models in Total
• 4 models for 2015 Summer, 6 for 2015-16 Winter/Spring, 4 for 2016 Summer, and 6 for 2016-17 Winter/Spring by
SH-01H SO-03H SO-01H SO-02H F-02H SC-05G
SH-04H F-04H SO-04H SC-02H
F-04G SC-04G F-01H SH-03G
SO-02J F-01J SH-02J DM-01J SO-01J L-01J
Video Clip: Let’s setup, let’s use FIDO-enabled biometric authentication for d ACCOUNT!
Security under the Design Principles
“The new of today, the norm of tomorrow.”
FIDO Deployments at NTT DOCOMO
Design Principles to Integrate the FIDO Standards
• Integrate the FIDO standards in a straightforward manner
– Create and maintain the FIDO eco-system, and align with it for sustainability
• Utilize the FIDO standards as much as possible
– Allow different types of authenticators, e.g. fingerprint sensors and iris scanners
• Protect users and ecosystem partners with security in mind
– Follow the FIDO privacy policy, “Biometric template and private keys never leave devices,”
– Ensure that the genuineness of each authenticator can be securely proven to servers,
– Keep the same security level across various devices from multiple OEMs, and
– Avoid generating wrong perceptions in the market.
• Minimize the integration effort, time and cost
– Gather FIDO-enabled service apps behind a single point of interface (I/F): the d ACCOUNT app to the ASM
Solution Architecture: d ACCOUNT and 4-digits [before the FIDO integration]
• The d ACCOUNT app and system had already been introduced and operated for authentication and single-sign-on experience.
(Diagram: DOCOMO-branded devices by OEM partners run pre-installed service apps, a web browser, and the pre-installed d ACCOUNT client app. Launched by service apps or the web browser, the client app authenticates the user against the d ACCOUNT system server by ID/password or 4-digit code, and single sign-on covers DOCOMO-branded services, carrier billing partner services, and billing system servers.)
Solution Architecture: d ACCOUNT and 4-digits [after the FIDO integration]
• The d ACCOUNT app and system had already been introduced and operated for authentication and single-sign-on experience.
(Diagram: the same architecture after integration. The pre-installed client app is FIDO-enabled by the xxxx Client SDK, the system server is FIDO-enabled, and carrier billing partner services are FIDO-enabled with some additional requirements to adopt. Biometric authentication without passwords is offered in addition to ID/password, with single sign-on retained.)
FIDO Enables Online Authentication by Utilizing Biometric Data in a Secure Manner
– Biometric Data and Secret Key stored in Secure Area –
(Diagram, scope of the FIDO UAF 1.0 spec: on the biometric authentication device, the d ACCOUNT app and FIDO Client call the FIDO Authenticator, whose secure app runs in the secure area (TEE) and keeps the registered biometric template and the secret key in a secure folder. The FIDO Server behind the d ACCOUNT server sends a challenge; after user verification through matching, the authenticator signs the challenge with the secret key; authentication is completed once the signed challenge is verified by the public key. Biometric data stays on the device, and the secure protocol relies on public key cryptography. FIDO-enabled services are enhanced gradually.)
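The challenge/response in the diagram above, together with the privacy policies listed earlier (no secrets on the server, no link-ability between services), as an added example in Go that is not NTT DOCOMO’s or the FIDO Alliance’s code: the authenticator keeps one P-256 key pair per service and releases only public keys, and the server verifies a signed single-use challenge. The appID strings, the SHA-256 binding of appID and challenge, and the one-user Server record are this example’s own simplifications, not the UAF wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the device's secure area: one P-256 key pair per appID; the private key never leaves it.
type Authenticator map[string]*ecdsa.PrivateKey
// Register creates a fresh key pair for appID and releases only the public key. Create one with Authenticator{}.
func (a Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[appID] = priv
	return &priv.PublicKey, nil
}
// Sign runs after local user verification (assumed done here) and signs SHA-256(appID || challenge).
func (a Authenticator) Sign(appID string, challenge []byte) ([]byte, error) {
	if a[appID] == nil {
		return nil, errors.New("no key registered for " + appID)
	}
	d := sha256.Sum256(append([]byte(appID), challenge...))
	return ecdsa.SignASN1(rand.Reader, a[appID], d[:])
}

// Server is one relying party's record for one user: the public key only, plus at most one pending challenge.
type Server struct {
	AppID   string
	Pub     *ecdsa.PublicKey
	pending []byte
}
// Challenge issues 32 fresh random bytes and remembers them until Verify.
func (s *Server) Challenge() []byte {
	s.pending = make([]byte, 32)
	rand.Read(s.pending) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	return s.pending
}
// Verify consumes the pending challenge whatever the outcome, so the same signature cannot be replayed.
func (s *Server) Verify(sig []byte) bool {
	defer func() { s.pending = nil }()
	if s.pending == nil || s.Pub == nil {
		return false
	}
	d := sha256.Sum256(append([]byte(s.AppID), s.pending...))
	return ecdsa.VerifyASN1(s.Pub, d[:], sig)
}
```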
Implementations of the FIDO Authenticators – Varieties of FIDO® Certified FIDO Authenticator Solutions –
• OEMs may choose a FIDO® Certified authenticator solution from a variety of choices in order to meet their requirements.
(Diagram: the pre-installed client app is FIDO-enabled by the xxxx Client SDK and the system server by the FIDO® Certified xxxxx Server, connected through the FIDO standards.)
How NTT DOCOMO Implements FIDO UAF on iOS
• NTT DOCOMO developed “d ACCOUNT app” for iOS, incorporating Nok Nok Labs’ FIDO® Certified FIDO UAF Client SDK to work with DOCOMO services and the FIDO-enabled d ACCOUNT server.
• NTT DOCOMO utilizes the Touch ID security feature backed by the Secure Enclave, which makes it possible to keep to the FIDO Privacy Policy.
https://support.apple.com/en-us/HT204587
• The APIs available since iOS 9 help DOCOMO address friendly-fraud concerns.
(Diagram: d ACCOUNT App → FIDO Client → Touch ID → Secure Enclave)
Screen Shot Example: d ACCOUNT Login with Touch ID
• A “Login with Touch ID” button appears in addition to the legacy ID/password button. Once the user selects login with Touch ID, logging in is easy.
(Screenshots: the d ACCOUNT login screen supporting Touch ID; the d ACCOUNT Touch ID app prompting you to use Touch ID; if you haven’t installed the d ACCOUNT Touch ID app yet, you are encouraged to install it.)
Screen Shot Example: Shopping at d Shopping
• Shopping works the same way. Once the user selects purchase with Touch ID, the purchase goes through easily; the d ACCOUNT app supporting Touch ID on iOS 9 or later works behind it.
Select what you purchase, and go next
Authenticate with Touch ID
d ACCOUNT Touch ID app encourages you to do Touch ID
That’s it!
The FIDO Standards Connect Multiple Services – Open Standards for Future Interoperability –
(Diagram: the FIDO-enabled models, 2015 Summer through 2016-17 Winter/Spring (SH-01H SO-03H SO-01H SO-02H F-02H F-01H; F-04H SH-04H SO-04H SC-02H; SO-02J F-01J SH-02J DM-01J SO-01J L-01J), connect through the FIDO standards to Company A’s, Company B’s, and Company C’s servers as well as the d ACCOUNT DOCOMO server.)
The Same Server Hosts Your Authentication!
(Diagram: Android and iOS devices (SH-01H SO-03H SO-01H SO-02H F-02H F-01H F-04H SH-04H SO-04H SC-02H SO-02J F-01J SH-02J DM-01J SO-01J L-01J) authenticate against the same system server, which fronts DOCOMO-branded services, carrier billing partner services, and billing system servers.)
Future Goal Mobile Devices as Your Key to Life
NTT DOCOMO x FIDO Alliance Presentation on May 26th, 2015
“AuthN by Your Smartphone” from PC, et al.
• Commercially available since February, 2017
(Slide figures: before, it’s clumsy and very hard to remember all passwords; now, “AuthN by Your Smartphone” enables you to log in very easily, via notification authentication on a docomo Android smartphone, and on iOS devices.)
Architecture for “AuthN by Your Smartphone”
(Architecture diagram: the 1st device (no FIDO support) starts with ID/password login; the 2nd device (an existing FIDO UAF device, always on) performs 2DA, 2nd Device Authentication, using FIDO UAF against the FIDO® Certified xxxxx Server; the server then completes authentication and login for the 1st device. Implemented without any modifications of FIDO UAF.)
Creating a World without Passwords
“The new of today, the norm of tomorrow.”
• Through collaboration with the FIDO Alliance, NTT DOCOMO will further deliver “Your Security, More Simple.”
https://www.youtube.com/watch?v=QzM4PpXEqP8
New Video Clip:
“Your Security, More Simple.” 2017
https://www.youtube.com/watch?v=3Uki8SlSJMk
WELCOME
LINE CORPORATION
~LINE CORPORATION JOINS FIDO ALLIANCE AS A BOARD OF DIRECTORS~
FIDO Japan WG, FIDO Alliance
MAY 17th, 2017
FIDO JAPAN WG: MISSION AND ACTIVITIES
Facilitation within Alliance
• Communication Style and Language Barrier
• Different Time-Zone
• Understanding of FIDO Standards
Promotion to Japanese Market
• Messaging through News Letter and Web-site
• Deployment Case-Studies
• Whitepapers, Translation-Table, etc.
Sub-working groups: Marketing & PR SWG, Translation SWG, Technologies SWG, Deployment-at-Scale SWG; led by the Chair, Vice-Chairs, and PM
Mission
Execute the mission of FIDO Alliance in Japan efficiently through facilitating communication within FIDO Alliance and promoting FIDO Standards toward Japanese market.
‣Launched in October 2016, and announced on December 8th 2016
FIDO ALLIANCE MEMBERS FROM JAPAN
Board Level
Sponsor Level
Associate Level
19 member companies as of May 17th, 2017 – FIDO Japan WG
• Cybertrust Japan
• Internet of Thing, Inc.
• Passlogy Co., Ltd
• SECIOSS, Inc.
• sMedio, Inc.
• Technoglobal Inc.
• Ubiquitous Corporation
CONTRIBUTORS AT FIDO JAPAN WG
10 members at launch, 11 members when announced, 17 members as of May 17th, 2017
250+ ORGANIZATIONS GLOBALLY
FIDO board members include leading global brands and technology providers, + SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS
Changing the World Requires an Ecosystem
Principles
• A new industry standard needed
• Must support multiple types of authentication
• Adoption at scale requires an interoperable ecosystem
WELCOME to THE FIDO ALLIANCE LINE and Intertrust Security Summit 2017
[email protected] | [email protected]
KOICHI MORIYAMA
Senior Director, Product Department, NTT DOCOMO, INC.
A Board of Directors and Chair of FIDO Japan WG, FIDO Alliance
THANK YOU!