“Your Security, More Simple.” by utilizing FIDO Authentication


Transcript of “Your Security, More Simple.” by utilizing FIDO Authentication

Page 1: “Your Security, More Simple.” by utilizing FIDO Authentication

LINE and Intertrust Security Summit Tokyo 2017

“Your Security, More Simple.” by utilizing FIDO Authentication

May 17, 2017

Koichi Moriyama Senior Director, Product Department, NTT DOCOMO, INC.

A Board of Directors and Chair of FIDO Japan WG, FIDO Alliance

LINE and Intertrust Security Summit 2017 © 2017 NTT DOCOMO, INC. All Rights Reserved. 1

Page 2: “Your Security, More Simple.” by utilizing FIDO Authentication

Table of Contents

• What is FIDO? Why FIDO?

• FIDO Deployments at NTT DOCOMO

– Motivation

– User Experiences

– Security under the Design Principles

“The new of today, the norm of tomorrow.”

• FIDO Alliance & FIDO Japan WG – Today & Tomorrow


Page 3: “Your Security, More Simple.” by utilizing FIDO Authentication

What is FIDO? Why FIDO?


Referring to part of the presentations by Mr. Brett McDowell, Executive Director, FIDO Alliance

Page 4: “Your Security, More Simple.” by utilizing FIDO Authentication

All Rights Reserved | FIDO Alliance | Copyright 2017 4

THE WORLD HAS A PASSWORD PROBLEM

81%: Data breaches in 2016 that involved weak, default, or stolen passwords [1]

65%: Increase in phishing attacks over the number of attacks recorded in 2015 [2]

1,093: Breaches in 2016, a 40% increase over 2015 [3]

[1] Verizon 2017 Data Breach Report | [2] Anti-Phishing Working Group | [3] Identity Theft Resource Center 2016

CLUMSY | HARD TO REMEMBER | NEED TO BE CHANGED ALL THE TIME

Page 5: “Your Security, More Simple.” by utilizing FIDO Authentication

THE FIDO PARADIGM

[Chart: security (weak to strong) plotted against usability (poor to easy); FIDO authentication sits at strong security with easy usability]

HOW OLD AUTHENTICATION WORKS

ONLINE CONNECTION: the user authenticates themselves online by presenting a human-readable “shared secret” (ID / password).

THE NEW MODEL: Fast IDentity Online, open standards for simpler, stronger authentication using public key cryptography

HOW FIDO AUTHENTICATION WORKS

LOCAL CONNECTION: the user authenticates “locally” to their device (by various means).

ONLINE CONNECTION: the device authenticates the user online using public key cryptography.


Page 6: “Your Security, More Simple.” by utilizing FIDO Authentication

THE FIDO PRIVACY POLICIES

• No 3rd Party in the Protocol

• No Secrets generated/stored on the Server side

• Biometric Data (if used) Never Leaves Device

• No Link-ability Between Services and Accounts

• De-register at any time

Page 7: “Your Security, More Simple.” by utilizing FIDO Authentication

ENHANCED AUTHENTICATION EXPERIENCES

Passwordless Experience | Second Factor Experience

Flexible authentication spanning a variety of service providers

Page 8: “Your Security, More Simple.” by utilizing FIDO Authentication

FIDO Specifications

FIDO 1.1 (FIDO)

CTAP* (FIDO)

WebAuthn* (FIDO+W3C)

UVC* (FIDO+EMVCo)


*FIDO 2 Project: In Development

Page 9: “Your Security, More Simple.” by utilizing FIDO Authentication


The FIDO Alliance is an open industry association of over 250 global member and partner organizations

Page 10: “Your Security, More Simple.” by utilizing FIDO Authentication

FIDO Deployments at NTT DOCOMO

d ACCOUNT™ Login Authentication

Mobile Payment, and more…


Page 11: “Your Security, More Simple.” by utilizing FIDO Authentication

Motivation: “Your Security, More Simple.”

• NTT DOCOMO provides our customers OpenID based “d ACCOUNT” in addition to 4-digit passwords for online service access including DOCOMO branded services, partner services, and carrier billing payments.

• NTT DOCOMO wanted to help our customers, who always had to remember their passwords, by making access more convenient in a secure way, and recognized that the FIDO standards could help.

https://www.youtube.com/watch?v=UP0DyYk5IXc

[Figure: password-less authentication using biometrics (iris, fingerprints) for login, unlock, and carrier billing payment]

Page 12: “Your Security, More Simple.” by utilizing FIDO Authentication

Overview: NTT DOCOMO’s Deployment (1/2)

• DOCOMO launched FIDO-enabled online authentication with biometric-sensor-equipped devices for “d ACCOUNT” (a.k.a. docomo ID) login and carrier billing payments in May 2015. DOCOMO has continued to extend the FIDO-enabled experience, while also supporting legacy 4-digit PINs and other methods, including for “d ACCOUNT” carrier billing partners.

[Figure: carrier billing payment in the market]

Page 13: “Your Security, More Simple.” by utilizing FIDO Authentication

Overview: NTT DOCOMO’s Deployment (2/2)

• NTT DOCOMO selected the FIDO UAF 1.0 standard for the reasons below:

1.) Easy and fast online authentication using biometrics,

2.) A secure protocol that utilizes public key crypto, and

3.) An open standard for interoperability in the future.

• NTT DOCOMO launched four FIDO® Certified devices and the FIDO-enabled server in May 2015. There were some world firsts, a.) as an MNO, b.) with multiple FIDO Certified devices from multiple OEMs, c.) with the world first Iris scanner equipped smartphone, and d.) for multiple services.


Page 14: “Your Security, More Simple.” by utilizing FIDO Authentication

FIDO-enabled Devices for d ACCOUNT 20 Models in Total

• 4 models for 2015 Summer, 6 for 2015-16 Winter/Spring, 4 for 2016 Summer, and 6 for 2016-17 Winter/Spring by


SH-01H SO-03H SO-01H SO-02H F-02H SC-05G

SH-04H F-04H SO-04H SC-02H

F-04G SC-04G F-01H SH-03G

SO-02J F-01J SH-02J DM-01J SO-01J L-01J

Page 15: “Your Security, More Simple.” by utilizing FIDO Authentication

Video Clip: Let’s setup, let’s use FIDO-enabled biometric authentication for d ACCOUNT!


Page 16: “Your Security, More Simple.” by utilizing FIDO Authentication

Security under the Design Principles

“The new of today, the norm of tomorrow.”


FIDO Deployments at NTT DOCOMO

Page 17: “Your Security, More Simple.” by utilizing FIDO Authentication

Design Principles to Integrate the FIDO Standards

• Integrate the FIDO standards in a straightforward manner

– Create and maintain the FIDO eco-system, and align with it for sustainability

• Utilize the FIDO standards as much as possible

– Allow different types of authenticators, e.g. fingerprint sensors and iris scanners

• Protect users and ecosystem partners in consideration of security

– Follow the FIDO privacy policy, “Biometric template and private keys never leave devices,”

– Ensure that the genuineness of each authenticator is securely proven to servers,

– Keep the same security level across the various devices from multiple OEMs, and

– Avoid creating a wrong perception in the market.

• Minimize the integration efforts, time and cost

– Gather FIDO-enabled service apps behind a single point of interface: the d ACCOUNT app to the ASM


Page 18: “Your Security, More Simple.” by utilizing FIDO Authentication

Solution Architecture: d ACCOUNT and 4-digits [before the FIDO integration]

• The d ACCOUNT app and system had already been introduced and operated for authentication and single-sign-on experience.

[Figure: DOCOMO branded devices by OEM partners carry a pre-installed d ACCOUNT client app, pre-installed service apps and a web browser. The client app is launched by service apps or the web browser, and the system server authenticates the user by ID/password or 4-digit ID/password, providing single sign-on to DOCOMO branded services and carrier billing partner services (billing system servers).]

Page 19: “Your Security, More Simple.” by utilizing FIDO Authentication

Solution Architecture: d ACCOUNT and 4-digits [after the FIDO integration]

• The d ACCOUNT app and system had already been introduced and operated for authentication and single-sign-on experience.

[Figure: after the integration, the pre-installed d ACCOUNT client app is FIDO-enabled by the xxxx Client SDK and the system server is FIDO-enabled by a FIDO server; service apps and the web browser are FIDO-enabled with some additional requirements to adopt. In addition to ID/password, the system now offers single sign-on and biometric authentication without passwords to DOCOMO branded services and carrier billing partner services (billing system servers).]

Page 20: “Your Security, More Simple.” by utilizing FIDO Authentication

FIDO Enables Online Authentication by Utilizing Biometric Data in a Secure Manner

– Biometric Data and Secret Key stored in Secure Area –

[Figure: scope of the FIDO UAF 1.0 spec, device and server sides. On the biometric authentication device, the registered template and the secret key are stored in a secure area (TEE) with a secure app and secure folder; user verification is done through matching, and once the user is verified the FIDO authenticator signs the challenge with the secret key. On the server side, the FIDO server behind the d ACCOUNT server sends a challenge to the FIDO client in the d ACCOUNT app and receives the signed challenge; authentication is completed once the signed challenge is verified with the public key. Biometric data stays on the device, and the secure protocol relies on public key cryptography. FIDO-enabled services are enhanced gradually.]
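The challenge/response on this slide, as an added Go sketch that is not DOCOMO's code and does not use the UAF message formats: P-256 ECDSA stands in for whatever algorithm a given authenticator uses, and the AppID and user names in the test are constructed. It shows the three properties the slide relies on: the server stores public keys only, the authenticator signs only after local user verification, and a signature over a stale challenge does not verify; it also keeps one key pair per AppID, which is the no-link-ability policy from the earlier FIDO privacy slide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator stands in for the handset's secure area (TEE): private keys are
// created here and never exported; only the match result is passed in, never the
// biometric sample. One key pair per AppID keeps accounts unlinkable. Use Authenticator{}.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a fresh key pair for appID and returns only the public key.
func (a Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[appID] = k
	return &k.PublicKey, nil
}

// Sign releases a signature only after local user verification succeeded.
func (a Authenticator) Sign(appID string, userVerified bool, challenge []byte) ([]byte, error) {
	k, ok := a[appID]
	if !userVerified || !ok {
		return nil, errors.New("user not verified or no key registered for " + appID)
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, k, h[:])
}

// ServerDB is the FIDO server's table: public keys only, so a breach yields no reusable secret.
type ServerDB map[string]*ecdsa.PublicKey

// NewChallenge issues a fresh 32-byte nonce; a stale one must not verify (replay).
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify completes authentication once the signed challenge verifies with the user's public key.
func (db ServerDB) Verify(user string, challenge, sig []byte) bool {
	pub, ok := db[user]
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```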

Page 21: “Your Security, More Simple.” by utilizing FIDO Authentication

Implementations of the FIDO Authenticators – Varieties of FIDO® Certified FIDO Authenticator Solutions –

• OEMs may choose a FIDO® Certified authenticator solution from a variety of choices in order to meet their requirements.

[Figure: the pre-installed client app is FIDO-enabled by the xxxx Client SDK and the system server uses a FIDO® Certified xxxxx Server, connected through the FIDO standards.]

Page 22: “Your Security, More Simple.” by utilizing FIDO Authentication

How NTT DOCOMO Implements FIDO UAF on iOS


• NTT DOCOMO developed “d ACCOUNT app” for iOS, incorporating Nok Nok Labs’ FIDO® Certified FIDO UAF Client SDK to work with DOCOMO services and the FIDO-enabled d ACCOUNT server.

• NTT DOCOMO utilizes the Touch ID security feature, backed by the Secure Enclave, which makes it possible to keep to the FIDO Privacy Policy.

https://support.apple.com/en-us/HT204587

• The APIs available since iOS 9 help DOCOMO address friendly-fraud concerns.

[Figure: the d ACCOUNT app contains the FIDO client and uses Touch ID backed by the Secure Enclave.]

Page 23: “Your Security, More Simple.” by utilizing FIDO Authentication

Screen Shot Example: d ACCOUNT Login with Touch ID


• A “Login with Touch ID” button appears in addition to the legacy ID/password button. Once the user selects login with Touch ID, logging in is easy.

[Screenshots: the d ACCOUNT login screen supporting Touch ID (“Login with Touch ID”); the d ACCOUNT Touch ID app prompts you to use Touch ID; if you haven’t installed the d ACCOUNT Touch ID app yet, you are encouraged to install it.]

Page 24: “Your Security, More Simple.” by utilizing FIDO Authentication

Screen Shot Example: Shopping at d Shopping


• Shopping is the same. Once the user selects purchase with Touch ID, it is easy to go. The d ACCOUNT app supporting Touch ID on iOS 9 or later works behind it.

[Screenshots: select what you purchase and go next; authenticate with Touch ID (the d ACCOUNT Touch ID app prompts you to use Touch ID); that’s it!]

Page 25: “Your Security, More Simple.” by utilizing FIDO Authentication

The FIDO Standards Connect Multiple Services – Open Standards for Future Interoperability –

[Figure: the standards connect the FIDO-enabled models (2015 Summer, 2015-16 Winter/Spring, 2016 Summer, and 2016-17 Winter/Spring models) with Company A’s, Company B’s and Company C’s servers as well as the d ACCOUNT DOCOMO server. Models shown:]

SH-01H SO-03H SO-01H SO-02H F-02H F-01H

F-04H SH-04H SO-04H SC-02H

SO-02J F-01J SH-02J DM-01J SO-01J L-01J

Page 26: “Your Security, More Simple.” by utilizing FIDO Authentication

The Same Server Hosts Your Authentication!

[Figure: the same system server and billing system servers serve DOCOMO branded services and carrier billing partner services for all FIDO-enabled models, on both Android and iOS. Models shown:]

SH-01H SO-03H SO-01H SO-02H F-02H F-01H

F-04H SH-04H SO-04H SC-02H SO-02J F-01J SH-02J DM-01J SO-01J L-01J

Page 27: “Your Security, More Simple.” by utilizing FIDO Authentication

Future Goal Mobile Devices as Your Key to Life


NTT DOCOMO x FIDO Alliance Presentation on May 26th, 2015


Page 28: “Your Security, More Simple.” by utilizing FIDO Authentication

“AuthN by Your Smartphone” from PC, et al.

• Commercially available since February, 2017

[Figure: Before: “It’s clumsy, and very hard to remember all passwords…” Now: “AuthN by Your Smartphone” enables you to login very easily! A notification on the docomo smartphone (Android) or on iOS devices performs the authentication.]

Page 29: “Your Security, More Simple.” by utilizing FIDO Authentication

Architecture for “AuthN by Your Smartphone”

[Figure: the 1st device (no FIDO support) sends ID/password to the server, which triggers 2DA (2nd Device Authentication): the 2nd device (an existing FIDO UAF device, always on) performs FIDO UAF authentication against the FIDO® Certified xxxxx server, and the 1st device is then logged in. Implemented without any modifications of FIDO UAF. Before: “It’s clumsy, and very hard to remember all passwords…” Now: “AuthN by Your Smartphone” enables you to login very easily!]

Page 30: “Your Security, More Simple.” by utilizing FIDO Authentication

Creating a World without Passwords

“The new of today, the norm of tomorrow.”

• Through collaboration with the FIDO Alliance, NTT DOCOMO will further deliver “Your Security, More Simple.”


https://www.youtube.com/watch?v=QzM4PpXEqP8

Page 31: “Your Security, More Simple.” by utilizing FIDO Authentication

New Video Clip:

“Your Security, More Simple.” 2017


https://www.youtube.com/watch?v=3Uki8SlSJMk

Page 32: “Your Security, More Simple.” by utilizing FIDO Authentication


WELCOME

LINE CORPORATION

~LINE CORPORATION JOINS FIDO ALLIANCE AS A BOARD OF DIRECTORS~

FIDO Japan WG, FIDO Alliance

MAY 17th, 2017

Page 33: “Your Security, More Simple.” by utilizing FIDO Authentication

FIDO JAPAN WG: MISSION AND ACTIVITIES

Mission: Execute the mission of FIDO Alliance in Japan efficiently through facilitating communication within FIDO Alliance and promoting FIDO Standards toward the Japanese market.

Facilitation within Alliance

• Communication Style and Language Barrier

• Different Time-Zone

• Understanding of FIDO Standards

Promotion to Japanese Market

• Messaging through News Letter and Web-site

• Deployment Case-Studies

• Whitepapers, Translation-Table, etc.

Organization: Chair, Vice-Chairs, and PM; Marketing & PR SWG; Translation SWG; Technologies SWG; Deployment-at-Scale SWG

‣ Launched in October 2016, and announced on December 8th 2016

Page 34: “Your Security, More Simple.” by utilizing FIDO Authentication


FIDO ALLIANCE MEMBERS FROM JAPAN

Board Level

Sponsor Level

Associate Level

19 member companies as of May 17th, 2017 – FIDO Japan WG

• Cybertrust Japan

• Internet of Thing, Inc.

• Passlogy Co., Ltd

• SECIOSS, Inc.

• sMedio, Inc.

• Technoglobal Inc.

• Ubiquitous Corporation

Page 35: “Your Security, More Simple.” by utilizing FIDO Authentication


CONTRIBUTORS AT FIDO JAPAN WG

10 members at launch, 11 members when announced, 17 members as of May 17th, 2017

[Photo captions: Chair, Vice-Chair and Lead of SWG; Vice-Chair and Lead of SWG; Lead of SWG]

Page 36: “Your Security, More Simple.” by utilizing FIDO Authentication


250+ ORGANIZATIONS GLOBALLY

FIDO board members include leading global brands and technology providers

+ SPONSOR MEMBERS + ASSOCIATE MEMBERS + LIAISON MEMBERS

Page 37: “Your Security, More Simple.” by utilizing FIDO Authentication


Changing the World Requires an Ecosystem

Principles

• A new industry standard needed

• Must support multiple types of authentication

• Adoption at scale requires an interoperable ecosystem

WELCOME to THE FIDO ALLIANCE

Page 38: “Your Security, More Simple.” by utilizing FIDO Authentication


KOICHI MORIYAMA

Senior Director, Product Department, NTT DOCOMO, INC.

A Board of Directors and Chair of FIDO Japan WG, FIDO Alliance

THANK YOU!