Slide 1

2019 DevDay Strong Customer Authentication & Biometrics Using FIDO > Kieun Shin > LINE Security Development Team Engineer

Slide 2

Agenda > Do you like passwords? > What is FIDO? > What we’ve done? (LINE FIDO platform) > Which services are using FIDO in LINE? > What’s next?

Slide 3

How many accounts do you have?

Slide 4

Do you like passwords?

Slide 5

Nobody likes passwords. Only hackers love passwords! Attacks on passwords > Phishing > Social engineering > Key logging > Credential stuffing

Slide 6

Passwords are not secure: passwords are the root of most breaches. > From 2016 to 2017, security incidents grew 279% > Forgotten passwords account for 20% of support costs > 81% of breaches are due to passwords > Source: Verizon cyber crime case study 2017

Slide 7

We have solutions, and indeed they're great solutions: > 2 Factor Authentication (OTP, SMS codes) > Federation and SSO (OIDC, OAuth) > Biometrics (Fingerprint, Face) > Password Managers (1Password etc.)

Slide 8

The best is yet to come

Slide 9

What is FIDO?

Slide 10

FIDO is the industry's answer to the password problems. Industry efforts for better authentication: > Members 250+ > Partners 30+ > Hours 10000+

Slide 11

Design principles: design a new authentication that is > Strong against various attacks > Pluggable and interoperable > Easy to use > Privacy preserving

Slide 12

How does FIDO work? It's based on public key cryptography. Parties: User (device owner), Device (Authenticator), RP Server (Web Server). The FIDO protocol flow: > RP Server sends a challenge (random number) to the device > Device prompts the user for a gesture > User performs the gesture (user verification), which unlocks the private key > Device returns a response (signature over the challenge) > RP Server verifies the signature (with the registered public key) and answers success or fail

Slide 13

FIDO specifications: FIDO2 is the newest set of specifications. FIDO2 consists of W3C WebAuthn (between the Relying Party and the Client) and FIDO2 CTAP (between the Client and a FIDO2 External Authenticator); a Platform Authenticator is reached through platform-proprietary APIs.

Slide 14

Why FIDO matters?

Slide 15

Protect our users from attacks: authentication is the gateway to services and one of the most efficient ways to protect accounts.

Slide 16

Business expansion to the Fintech area: we are now trying to provide more financial services.

Slide 17

What makes FIDO different? It allows for the creation of strong, attested and scoped credentials. > Provides strong assurance of device possession > Provides MFA if the authenticator has user verification features > Splits local authentication (user verification) from online authentication > Supported by major browsers and platforms

Slide 18

Strong assurance of device possession: the key has the following security properties, each countering a specific attack. > Generated randomly (against guessing) > Stored in a secure area (against extraction) > Attested by a trust root (against emulation) > Used only to generate the signature (against forgery) > Together these strongly assure that the authentication was performed with the device that was registered before.

Slide 19

Multi-factor authentication support: adds a something-you-are or something-you-know factor. Something you have (the device) + (Something you are OR Something you know)

Slide 20

Major browser/platform support: FIDO is now supported across platforms and browsers, making it universal. > Platforms (operating systems) > Browsers (web engines)

Slide 21

What we’ve done? (LINE FIDO platform)

Slide 22

LINE FIDO Server: works with any FIDO compatible device (supports all FIDO specifications) > World's first FIDO Universal Server certification as a service provider (Dec. 2018) > Ensures interoperability with all FIDO Certified Authenticators

Slide 23

LINE FIDO Server software stack: LINE FIDO Server is built on top of Spring Boot with the Reactive stack. > Services: Challenge, Response, Attestation, Metadata, Session, Certificate > Routers/Handlers > Utilities/helpers etc.: Crypto, COSE, X509, Validator, Mapper, Config, Metadata client, MDS client, Serializer, Deserializer, Verifier > Framework (Library): Spring Boot, Spring Webflux, Spring Security, Bouncy Castle, Lettuce, Reactive Mongo, Reactive Netty > Storage: MongoDB, Redis

Slide 24

LINE FIDO Server deployment models: supports both models depending on the conditions (e.g., regulation). > AaaS (Authentication-as-a-Service) > On-premise

Slide 25

LINE FIDO2 Combo for iOS: uses Touch ID and Face ID as UV (user verification) and leverages WBC (whitebox cryptography) for attestation. Layers: RP App (View) > LINE FIDO2 Combo (FIDO2 Client, Authenticator Logic) > LTSM (LINE Trusted Security Module) > WAL (Whitebox Abstraction Layer) and KAL (KeyChain Abstraction Layer)

Slide 26

LINE FIDO2 Compat for Android: an abstraction layer supporting both the Android native authenticator and the LINE authenticator. Layers: RP App (Activity) > LINE FIDO2 Glue Layer (Abstraction, single API entry point) > LINE Authenticator (backed by LTSM) or FIDO2 GMS Core Native Authenticator (via the FIDO Play service API), which also reaches External Authenticators over CTAP2

Slide 27

Which services are using FIDO in LINE?

Slide 28

LINE Pay is now using FIDO

Slide 29

Why does LINE Pay adopt FIDO? Motivations: > Industry standards > Best security > Frictionless UX > Zero incidents > Customer trust

Slide 30

High-level architecture: > LINE Pay iOS App (TALARIA) with LINE FIDO2 Combo for iOS > FIDO operations between the app and LINE Pay RP Server (for JP), backed by LINE FIDO2 Server (for JP Pay) > LINE Pay Central Server: passcode authentication (or old biometric authentication) and authentication management > Future works: LINE Pay RP Server (for TW) with LINE FIDO2 Server (for TW Pay)

Slide 31

Registration flow: generates a key pair and registers the public part of the key to the server. User verification: iOS (Face ID, Touch ID), Android (Fingerprint, Face)

Slide 32

Authentication flow: generates a digital signature and verifies it on the server with the public key. Triggered at app launch and at payment, where the user scans the QR code for the payment and confirms the transaction.
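The challenge-response protocol from the "How does FIDO work?" slide and the registration and authentication flows above, as an added example that is not LINE's code nor part of the original deck. It models the authenticator and the RP server in one Go program: registration generates a P-256 key pair scoped to an RP and exports only the public part; authentication signs a server-issued random challenge after user verification, and the server verifies with the stored public key. The RP ID, the simulated user-verification flag and the signed-data layout (SHA-256 over RP ID and challenge) are simplifications assumed for the example; real WebAuthn signs authenticator data and a hash of the client data instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the device side. A real authenticator keeps the private
// key in a secure area and releases it only after local user verification.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // credential ID -> private key
	rpOf map[string]string            // credential ID -> RP the key is scoped to
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, rpOf: map[string]string{}}
}

// Register is the registration flow: generate a fresh P-256 key pair scoped
// to rpID and hand back only the public part plus a random credential ID.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", nil, err
	}
	credID := hex.EncodeToString(id)
	a.keys[credID] = priv
	a.rpOf[credID] = rpID
	return credID, &priv.PublicKey, nil
}

// signedData is what the signature covers (simplified layout assumed here):
// the RP identifier and the server's challenge, so a response made for one RP
// is useless to any other and cannot be replayed once the challenge is consumed.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is the authentication flow on the device: user verification (simulated
// by userVerified, e.g. the Face ID result) unlocks the key, which then signs
// the challenge. A key is only ever used for the RP it was registered with.
func (a *Authenticator) Assert(credID, rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	priv, ok := a.keys[credID]
	if !ok {
		return nil, errors.New("unknown credential")
	}
	if a.rpOf[credID] != rpID {
		return nil, errors.New("credential is not scoped to this RP")
	}
	if !userVerified {
		return nil, errors.New("user verification failed; private key stays locked")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// RPServer models the relying party: it stores public keys at registration and
// issues single-use random challenges for authentication.
type RPServer struct {
	RPID       string
	creds      map[string]*ecdsa.PublicKey // credential ID -> public key
	challenges map[string]bool             // outstanding (unused) challenges, hex-keyed
}

func NewRPServer(rpID string) *RPServer {
	return &RPServer{RPID: rpID, creds: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

func (s *RPServer) StoreCredential(credID string, pub *ecdsa.PublicKey) { s.creds[credID] = pub }

// NewChallenge issues 32 random bytes and remembers them until they are used.
func (s *RPServer) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[hex.EncodeToString(c)] = true
	return c
}

// Verify checks that the challenge is one the server issued and has not been
// used, consumes it, then verifies the signature with the registered public key.
func (s *RPServer) Verify(credID string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !s.challenges[key] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, key)
	pub, ok := s.creds[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	if !ecdsa.VerifyASN1(pub, signedData(s.RPID, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := NewRPServer("pay.line.example") // placeholder RP ID, not a real LINE host
	credID, pub, _ := auth.Register(rp.RPID)
	rp.StoreCredential(credID, pub)
	c := rp.NewChallenge()
	sig, _ := auth.Assert(credID, rp.RPID, c, true)
	fmt.Println("first use:", rp.Verify(credID, c, sig))
	fmt.Println("replay:   ", rp.Verify(credID, c, sig))
}
```

The second Verify call in main fails because the challenge was consumed on first use; the same structure rejects a signature made for a different RP (the authenticator refuses to use the key) and a signature over a different challenge (the server's hash no longer matches), which is the practical meaning of "scoped credentials" and "strong against various attacks" on the earlier slides.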

Slide 33

LINE Pay deployment plan: expands FIDO adoption across countries. > Standalone App (iOS): released in Sept. > Standalone App (Android): release in Nov. > In-app (LINE): 2020 > Other countries: 2020

Slide 34

What’s next?

Slide 35

Bootstrap with your phone or watch: the user authenticates to a service from a new device for the first time. Example prompts: "Login with your phone" > "LINE Desktop is trying to verify your identity on MacBook. Verify your identity with biometric."

Slide 36

Re-authentication: the user tries to authenticate to a service again. Example prompts: "Login with your phone" > "LINE is trying to verify your identity. Verify your identity with biometric." > "Confirm access to your account: LINE is requesting access to your account"

Slide 37

Identity binding: bind government-issued identity document authentication (KYC) with the FIDO credential. Identity documents + selfie give KYC (Know Your Customer), AND user devices give FIDO.

Slide 38

Go password-less: remove passwords from all LINE services, in four steps. > FIDO authentication for user convenience: introduce FIDO to LINE Login and LINE Pay, and educate users about the convenience > Introduce multiple FIDO authenticators: encourage users to enroll multiple authenticators > Integrate FIDO into all LINE services: users can authenticate with FIDO for all LINE services > Stop using passwords: remove passwords from all LINE services

Slide 39

Thank you for watching