Strong customer authentication & biometrics using FIDO

Strong customer authentication & biometrics using FIDO

Kieun Shin
LINE Security Development Team Engineer
https://linedevday.linecorp.com/jp/2019/sessions/D1-1

Be4518b119b8eb017625e0ead20f8fe7?s=128

LINE DevDay 2019

November 20, 2019
Tweet

Transcript

  1. 2019 DevDay Strong Customer Authentication & Biometrics Using FIDO >

    Kieun Shin > LINE Security Development Team Engineer
  2. Agenda > Do you like passwords? > What is FIDO?

    > What we’ve done? (LINE FIDO platform) > Which services are using FIDO in LINE? > What’s next?
  3. How many accounts do you have?

  4. Do you like passwords?

  5. Nobody likes passwords Only hackers passwords! Phishing Social engineering Key

    logging Credential stuffing
  6. Passwords are the root of all most of breaches. Passwords

    are not secure From 2016 to 2017 Security incidents 279% Supports costs Forgotten password 20% Among breaches Due to passwords 81% source: Verizon cyber crime case study 2017
  7. Indeed, they’re great solutions. We have solutions 2 Factor Authentication

    (OTP, SMS codes) Federation and SSO (OIDC, OAuth) Biometrics (Fingerprint, Face) Password Managers (1password and etc.)
  8. The best is yet to come

  9. What is ?

  10. Industry’s answer to the password problems. Industry efforts for better

    authentication Members 250+ Partners 30+ Hours 10000+
  11. Design principles > Strong against various attacks > Pluggable and

    interoperable > Easy to use Design a new authentication > Privacy preserving
  12. How does FIDO work? It’s based on the public key

    cryptography. Device (Authenticator) RP Server (Web Server) User verification FIDO Protocol User (Device owner) Challenge (random number) Prompt user gesture User gesture Response (signature) Success or fail Unlock private key Verify signature (/w public key)
  13. FIDO specifications FIDO2 is the newest set of specifications. FIDO2

    CTAP W3C WebAuthn Platform proprietary FIDO2 External Authenticator Platform Authenticator Relying Party Client
  14. Why FIDO matters?

  15. Protect our users from attacks Authentication is a gateway to

    services and one of the efficient ways to protect accounts.
  16. Business expansion to Fintech area We are now trying to

    provide more financial services.
  17. It allows for the creation of strong, attested and scoped

    credentials. > Provides MFA if the authenticator has user verification features > Splits local authentication (user verification) and online authentication > Provides strong assurance of device possession What makes FIDO different? > Supported by major browsers and platforms
  18. Strong assurance of device possession The key has following security

    properties. Generated randomly (Guess) Stored in secure area (Extraction) Attested by trust root (Emulation) Generating the signature (Forgery) > Strongly assure the authentication was performed with the device which was registered before.
  19. Multi-factor authentication support Adding something you are or something you

    know factor Something you are Something you know Something you have OR
  20. Major browser/platform support FIDO becomes cross-platform/browser support and universal. Platforms

    (Operating systems) Browsers (Web engines)
  21. What we’ve done? (LINE FIDO platform)

  22. LINE FIDO Server Works with any FIDO compatible devices (supports

    all FIDO specifications) > World’s first achievement for FIDO Universal Server certification as a service provider (Dec. 2018) Ensures interoperability with all FIDO Certified Authenticators
  23. Utilities/helpers and etc Services LINE FIDO Server software stack LINE

    FIDO Server is built on top of Spring Boot with Reactive stack. Storage Mongo DB Redis Routers/ Handlers Framework (Library) Challenge Response Attestation Metadata Session Certificate Spring Boot Spring Webflux Crypto COSE X509 Validator Mapper Config Lettuce Reactive Mongo Reactive Netty Metadata client MDS client Serializer Deserializer Verifier Spring Security Bouncy Castle
  24. LINE FIDO Server deployment models Supports both models depending on

    the conditions (e.g., regulation) AaaS (Authentication-as-a-Service) On Premise
  25. LINE FIDO2 Combo for iOS Uses Touch ID and Face

    ID as UV and leverages WBC (Whitebox cryptography) for attestation RP App (View) LINE FIDO2 Combo (FIDO2 Client, Authenticator Logic) LTSM (LINE Trusted Security Module) WAL (Whitebox Abstraction Layer) KAL (KeyChain Abstraction Layer)
  26. LINE FIDO2 Compat for Android Abstraction layer supporting both Android

    native authenticator and LINE authenticator RP App (Activity) LINE FIDO2 Glue Layer (Abstraction) LINE Authenticator FIDO2 GMS Core Native Authenticator External Authenticator Single API entry point FIDO Play service API CTAP2 LTSM
  27. Which services are using FIDO in LINE?

  28. LINE Pay is now using FIDO

  29. Why LINE Pay adopts FIDO? Motivations FIDO Industry standards Best

    Security Frictionless UX Zero incidents Customer Trust
  30. High-level architecture LINE Pay iOS App (TALARIA) LINE Pay RP

    Server (for JP) LINE Pay Central Server LINE FIDO2 Server (for JP Pay) Passcode authentication (or old biometric authentication) FIDO Operations FIDO Operations LINE FIDO2 Combo for iOS Authentication management LINE FIDO2 Server (for TW Pay) LINE Pay RP Server (for TW) FIDO Operations Future works
  31. Registration flow Generates a key pair and registers the public

    part of the key to the server iOS (Face ID, Touch ID) Android (Fingerprint, Face)
  32. Authentication flow Generates a digital signature and verifies it on

    the server with the public key App launching Payment User scans the QR code for payments and confirms the transaction .
  33. LINE Pay deployment plan Expands FIDO adoptions across countries Released

    in Sept. Release in Nov. 2020 2020 Standalone App (Android) In-app (LINE) Other countries Standalone App (iOS)
  34. What’s next?

  35. Bootstrap with your phone or watch User authenticates to a

    service with new device for the first time LINE Desktop is trying to verify your identity on Macbook. Verify your identity with biometric. Login with your phone
  36. Re-authentication User tries to authenticates to a service again Login

    with your phone LINE is trying to verify your identity. Verify your identity with biometric. LINE is trying to verify your identity. Verify your identity with biometric. Confirm access to your account LINE is requesting access to your account
  37. Identity binding Bind government-issued identity document authentication (KYC) with FIDO

    credential Identity documents Selfie KYC (Know Your Customer) User devices AND FIDO
  38. Go password-less Remove passwords from all LINE services. Stop using

    passwords Integrate FIDO to all LINE services. Users can authenticate with FIDO for all LINE services. Integrate FIDO to all LINE services Encourage users to enroll multiple authenticators. Introduce multiple FIDO authenticators Introduce FIDO to LINE Login and LINE Pay. Educate users for the convenience. FIDO authentication for user convenience
  39. Thank you for watching