
Striking the Right Balance — Compliance, Security and User Experience

Tatsuo Kudo

May 29, 2024
Transcript

  1. Slide 3: Authlete API Security Since 2016
     - Authlete has contributed to industry best practices through the OpenID Foundation and various Working Groups
     - Has supported Financial-grade API since July 2018 and has been certified since April 2019
  2. Slide 4: Critical Factors for CIAM
     - Compliance challenges: regulatory alignment; data portability; complying with consumer rights
     - Security challenges: authentication and authorization; data protection; monitoring and risk management
     - User experience challenges: simplicity and accessibility; consent management; service continuity
  3. Slide 5: The Dilemma: Buy or Build?
     - Buy (IDaaS) may be less expensive in the short term but may not offer the same flexibility or scalability as a customized solution
     - Build (DIY) will likely require more upfront investment but may provide more long-term benefits
  4. Slide 6: Buy (IDaaS)
     - Pros:
       - Faster time to market for simpler projects
       - Takes care of the full authn/authz workflow as a managed service
       - Better suited for new or greenfield solutions without established user journeys
     - Challenges:
       - Outsourcing limits customization options
       - Requires retrofitting the existing UX into the outsourced authentication workflows
       - Implementing changes beyond standard features is difficult or impossible
       - Limited deployment options
  5. Slide 7: Build (DIY)
     - Pros:
       - Complete control over UX, user data, and deployment model
     - Challenges:
       - Security is not a one-off task; it needs constant improvement to stay secure and interoperable
       - Requires a team of experts who constantly stay on top of the changing landscape of compliance and security standards
       - Time to market can take longer
  6. Slide 8: Authlete (Buy & Build)
     - Value add:
       - Full control over UX and user data
       - Flexible deployment model
       - Seamlessly integrates into the existing ecosystem
       - Manages all protocol complexities without impacting the UX
       - Integrates with any programming language and framework
     - Semi-Hosted Architecture: flexibility in UI/UX, integration, development and deployment
     - Freedom of Choice: bring any API gateway and IAM solution of your choice
     - No Authentication Data: the customer's user credentials are kept within the customer's own IAM environment
     - Developer First Solution: no need to implement OAuth 2.0/OIDC protocols from scratch; build OAuth/OIDC servers in a matter of a few weeks
  7. Slide 9: Authlete for CIAM (architecture diagram of a Service Provider's CIAM Platform)
     - OAuth/OIDC Service: Authlete (Authorization Backend APIs, Token Management Database) behind the platform's OAuth/OIDC Endpoints, offloading OAuth/OIDC operations; no user credentials and attributes needed
     - Identity and Access: User Authentication, User Registration, Consent Management, Entitlement Management; User Authentication and Consent and Authorization Decision feed the OAuth/OIDC service; built from core in-house IAM components and 3rd party IAM components (Strong Authn, Policy Mgmt, Social Login, Security Audit)
     - Front-end UI: fully customizable user-facing frontends, offered as Self Service to Customers (Guests, Registered Users, Family Members, Loyal Customers, Delegated Users) and Affiliates
     - Existing Services: CRM, Analytics, Emailing, Marketing Automation, 3rd Party Services
     - Relying Parties (Media, Commerce, Community): integration via OAuth/OIDC requests using the latest OAuth/OIDC standards, providing SSO with a Unified Profile
  8. Slide 12: Nubank
     - One of the largest digital banks globally
     - Needed to implement an authorization server compliant with the Brazil Open Banking directive
     - Adopted Authlete because of its "OAuth/OIDC Component as a Service" approach, the quality of its technology and products, and the excellence of its knowledge and support
     - "Authlete enabled us to roll out a fully specification-compliant authorization server in just a few weeks."
  9. Slide 13: Nikkei
     - One of the largest media companies in Japan chose Authlete as the ID/API security solution for the 11-million-user Nikkei ID system
     - Authlete enabled them to focus on building a flexible system that can easily incorporate evolving authentication and authorization technologies
     - They no longer need to dedicate engineering resources to implementing OAuth/OIDC specifications, especially to keep up with security-related updates
     - "We were able to achieve high development productivity by leveraging our technology stack, while delegating OAuth/OIDC processing to Authlete"
     - https://www.authlete.com/news/20221129_nikkei/
  10. Slide 14: Hokkaido Nippon-Ham Fighters
     - "The system is surprisingly stable with no problems caused by Authlete"
     - One of Japan's professional baseball teams chose Authlete to implement OpenID Connect for "F VILLAGE Account," a customer identity infrastructure enabling various services from ticketing to cashless payment to rewards in its new ballpark
     - They successfully integrated Authlete with the F VILLAGE Account system within just two months
     - Authlete met their requirements for in-house development, especially managing customer data and authentication on their own premises
     - https://www.authlete.com/ja/customers/fighters/
  11. Slide 15: "OAuth/OIDC Component as a Service"
     - A new approach to take back control of development
     - Left diagram, "IAM/IDaaS is a Controller offering limited room for customization": the IAM/IDaaS product bundles the OAuth/OIDC Server Subsystem, User Authentication Subsystem and Authorization Decision Subsystem; the Resource Owner performs user authentication and consent against it, the Client sends the token request to it, the Client's API request goes through the API Gateway, which performs token introspection against it; Custom Logic can only be attached through the product's Extension points
     - Right diagram, "Authlete is a Component to build OAuth/OIDC infrastructure": the Custom OAuth/OIDC Server consists of an OAuth/OIDC Server Frontend, an IAM Service and an Authorization Decision Service, each carrying its own Custom Logic; the OAuth/OIDC Server Backend (Authlete) handles Protocol Operations and Token Management; the same flows apply (user authentication and consent, token request, API request via the API Gateway, token introspection)
  12. Slide 16: Integrable with Any Form of Architecture
     - Adding OAuth/OIDC to existing infrastructure, either by enhancing an existing IAM service or by consolidating it into a web service
  13. Slide 17: The Fastest Compliant with OAuth/OIDC
     - The fastest to implement and deliver FAPI1, FAPI2, FAPI-CIBA and relevant open finance security standards, as well as advanced OAuth/OIDC extension specifications
     - Certified OPs (OpenID Providers):
       - Basic OP
       - Implicit OP
       - Hybrid OP
       - Config OP
       - Dynamic OP
       - Form Post OP
     - FAPI 1.0 ID2 OPs:
       - FAPI R/W OP w/ MTLS
       - FAPI R/W OP w/ MTLS, PAR
       - FAPI R/W OP w/ Private Key
       - FAPI R/W OP w/ Private Key, PAR
       - UK-OB R/W OP w/ MTLS
       - UK-OB R/W OP w/ Private Key
       - AU-CDR R/W OP w/ Private Key
       - AU-CDR R/W OP w/ Private Key, PAR
     - FAPI 1.0 Final OPs:
       - FAPI 1 Advanced Final (Generic):
         - FAPI Adv. OP w/ MTLS
         - FAPI Adv. OP w/ MTLS, PAR
         - FAPI Adv. OP w/ Private Key
         - FAPI Adv. OP w/ Private Key, PAR
         - FAPI Adv. OP w/ MTLS, JARM
         - FAPI Adv. OP w/ Private Key, JARM
         - FAPI Adv. OP w/ MTLS, PAR, JARM
         - FAPI Adv. OP w/ Private Key, PAR, JARM
       - UK Open Banking (based on FAPI 1 Advanced Final):
         - UK-OB Adv. OP w/ MTLS
         - UK-OB Adv. OP w/ Private Key
       - Australia CDR (based on FAPI 1 Advanced Final):
         - AU-CDR Adv. OP w/ Private Key
         - AU-CDR Adv. OP w/ Private Key, PAR
       - KSA Open Banking (based on FAPI 1 Advanced Final):
         - KSA-OB Adv. OP w/ MTLS, PAR
         - KSA-OB Adv. OP w/ Private Key, PAR [NEW]
       - Brazil Open Banking (based on FAPI 1 Advanced Final):
         - BR-OB Adv. OP w/ MTLS
         - BR-OB Adv. OP w/ Private Key
         - BR-OB Adv. OP w/ MTLS, PAR
         - BR-OB Adv. OP w/ Private Key, PAR
         - BR-OB Adv. OP w/ MTLS, JARM
         - BR-OB Adv. OP w/ Private Key, JARM
         - BR-OB Adv. OP w/ MTLS, PAR, JARM
         - BR-OB Adv. OP w/ Private Key, PAR, JARM
         - BR-OB Adv. OP DCR
       - Brazil Open Insurance (based on FAPI 1 Advanced Final):
         - BR-OB Adv. OP w/ MTLS
         - BR-OB Adv. OP w/ Private Key
         - BR-OB Adv. OP w/ MTLS, PAR
         - BR-OB Adv. OP w/ Private Key, PAR
         - BR-OB Adv. OP w/ MTLS, JARM
         - BR-OB Adv. OP w/ Private Key, JARM
         - BR-OB Adv. OP w/ MTLS, PAR, JARM
         - BR-OB Adv. OP w/ Private Key, PAR, JARM
         - BR-OB Adv. OP DCR
     - FAPI-CIBA OPs:
       - FAPI-CIBA OP poll w/ MTLS
       - FAPI-CIBA OP poll w/ Private Key
       - FAPI-CIBA OP Ping w/ MTLS
       - FAPI-CIBA OP Ping w/ Private Key
     - FAPI2 Providers (FAPI 2.0 Security Profile Second Implementer's Draft and Message Signing First Implementer's Draft):
       - FAPI2SP MTLS + MTLS
       - FAPI2SP private key + MTLS
       - FAPI2SP OpenID Connect
       - FAPI2MS JAR
       - FAPI2MS JARM
       - Australia FAPI 2.0 ConnectId Implementer's Draft: FAPI2MS with ConnectId support