Who Are You, Really? – FIDO’s Biometric Authentication

George Peabody

October 12, 2015

POF Podcast

Since the first promise to pay was made, knowing who you’re dealing with has been a requirement. Authenticating the identity of a trading partner – a customer, an accountholder, a business or even a computer – is a burden that falls on the one extending trust because the giver takes on the transaction risk. In online and mobile transactions, the job of authentication has fallen on the password’s sagging shoulders in combination with other credentials such as a payment card or drivers license.

The smartphone has brought, to this world of stolen passwords, social security numbers, and other bits of personal information, the fingerprint and other biometric techniques. Authentication and convenience are no longer at odds. While Apple’s TouchID is at the heart of Apple Pay, the Android side is made up of a broad assembly of technology providers and users called the Fast Identity Online Alliance or FIDO Alliance. Take a listen to this discussion between FIDO board member Philip Andreae and Glenbrook’s George Peabody on how FIDO works and the growing role of biometrics in authentication.

Transcript below the break.


George:         Welcome back to another Payments on Fire podcast. I’m George Peabody and I’ve got, fortunately, Philip Andreae back with me to carry on another conversation. Philip, welcome!

Philip:             Good to talk to you again, George.

George:         So Philip Andreae is with Oberthur Technologies and he is also speaking with us today in the capacity of another role. He’s on the board of directors of the FIDO Alliance. I’m going to let Philip describe FIDO’s mission and components. FIDO has been all around strengthening and making authentications simpler. If you’ve got an elevator pitch on what FIDO does, why don’t you give us that as a place to start?

Philip:             Ok. Let’s start with the mission of FIDO, and I’m going to almost read this straight off of their website to make sure I stay consistent with the corporate message of the FIDO Alliance. Our mission is basically to drive, to replace the username and password experience. To create a password-less experience.

George:         I’m into that.

Philip:             The second piece was to also to create a second factor experience. So if we think about those two worlds, and we think about the various websites and the various kinds of transactions we do in this digital environment that the internet has enabled, we have classically relied on username / password as the security to access the account – when you’re accessing your Facebook account or your bank account or your Monster.com.

George:         Your Ashley-Madison account if you’re one of those.

Philip:             Or your Ashley-Madison account if you want to go there. The other piece of the experience is from the security point of view, we’ve always talked about this concept of multi-factor authentication. When we talk about multi-factor, what we typically talk about is something you have – a card, a secure element, a mobile phone with an embedded secure element in it, a USB token – some physical thing that is singular, unique, and can be authenticated digitally. That’s the first piece of the puzzle. The second piece of the puzzle could be a password, it could be a biometric, it could be some other piece of information (a secret, a password, a PIN) or a biometric (your fingerprint, your iris, your face).

George:         Some of those are what you know – the PIN and the password, and then the biometric is what you are. Right?

Philip:             Absolutely. You put two or three of those together, so what you have (the physical), what you know (the secret), and what you are (the biometric). If you want really, really, really strong security, you put all three together, if you want a weaker level of security, you put two of them together, if you only need a modicum of security then you may only select one.

George:         One of the key things here about authentication, and it’s one of the things I appreciate about the FIDO design, is that the party who is granting the authentication, granting the access to the resource whatever it is, they’re the one who is basically on the hook. They’re the ones who have to detect the risk. So classic authentication is they get to decide what level of authentication is required to grant access to that resource. What I understand about FIDO is that FIDO provides the ability for the relying party, the one that takes the risk, to say I need a known device and I need a biometric before I’m going to grant access to the resource. How does that actually work?

Philip:             Let’s back up again to what FIDO is trying to do. FIDO wanted and has developed a set of technical specifications that the various stakeholders who enable people this security infrastructure can go off and develop against knowing that their components will work with everybody else’s components and that it’s developed to serve information regimes and a security regime to ensure that what you built was built to the specification, it did adhere to the security principles and practices, and then gave you the necessary seal of approval so that you could then go out and make money – sell your product and enable your solution. What we stress at the very beginning is that FIDO is not about identification. Identification is assumed to be the responsibility of the relying party, so your bank that you want to gain access to, your Facebook account that you want to call yourself Mickey Mouse on, your Google account that you’re going to call yourself GPeabody on, that’s down to the relying party. What FIDO does is it says ok once you’ve made sure that the person who is presenting themselves over the internet is who they claim to be, then allow them to register their authenticator, their FIDO authenticator, to that website. Every time they present that FIDO authenticator, you know that it is a unique FIDO authenticator, yes you might have to deal with the fact that it might have gotten stolen, and therefore you may need two-factor authentication because of the risk associated with the kind of transactions you’re doing, or maybe you’re not so worried about that because you know they’re going to call you when they lost their phone because their mobile phone is their authenti cator. When we think about some of the people who sit around the FIDO table, and we think about the current Chairman (Microsoft), the current Vice President (Google), the current Treasurer (Lenovo), the current Secretary (PayPal), Bank of America, ourselves at OT, NXP, Docomo coming out of Japan, RSA, you’ve got some major, major players sitting around the table, driving the conversation, and then when you look at the membership, you’ve got a membership that is growing at a beautiful rate. At one point when I joined, which is probably about a year ago, we were at 150, we’re pushing 250 already.

George:         A lot of that growth is coming internationally and I believe some government members have taken place.

Philip:             Yes, absolutely. In May, when we had our plenary in Dublin, we created a new class of membership, and we’ve already accepted memberships from this tier in the United States, UK government has already joined and there are other governments that I can’t talk about at this point in time, who are looking at, considering, and trying to figure out which division, which department should represent themselves in the organization. The other interesting thing that’s important to know, is when the White House held the CyberSecurity Summit at Stanford on February 13th, in the pre-development of that conversation, key people at the White House wanted to make sure that people from FIDO, representing what FIDO was doing would be in the room talking about what FIDO was doing. We should probably talk about Apple for a second. And while Apple is not a member, what I’m encouraged by, and this is Philip speaking not the FIDO Alliance, I’m encouraged by the fact that what they’re doing resembles FIDO. Just like Safari resembles what the W3C Consortium, who manages the browser specification, does. Apple kind of has this we’re Apple but we’re happy to embrace anything any standard that makes sense. We’re seeing compatibility between what they’ve done with touch id and what we’re doing with various implementations of our membership and those people who have embraced the standard.

George:         Are we seeing any mobile phone users in the US starting to interact with FIDO enabled relying parties?

Philip:             PayPal was the first to deploy and PayPal has a significant number of users now using their mobile phone, using what’s called the UAF Standard to authenticate themselves to their PayPal account. Google was an early adopter. Google took what we call the U2F, the second factor experience and was targeting people like Generals who are Gmail users and other people who use various Google services that want strong authentication to access their account. So Google was in there. Docomo, who just joined, and I think this is probably the most interesting of what’s happening right now. Docomo joined in May. When they joined, they came already equipped with solutions that they had deployed in the Japanese market with YouTube videos in Japanese that were showing facial recognition and fingerprint recognition and all kinds of FIDO-esque solutions where the underlying technology was based on the FIDO standard. We have very recently created another working group which is focusing on deployment at scale, where all of the board members and other members of the alliance are assembling to figure out how we move this out. I think the key to, and I know there’s people who sit there and go “Has FIDO lost its way?”, we need to reflect on the fact that FIDO is very young when it comes to a standards body. FIDO, within the first 18 months, had published two completed works – the UAF Specification and the U2F Specification, and it currently in the final throws of producing what we call FIDO 2.0 that brings all of that together as Microsoft has announced is part of their doing with Windows 10, and let’s remember Windows 10 is in multiple browser environments, multiple establishments, so they’re looking and if you see the Windows 10 advertisement where the baby smiles, that’s a FIDO gesture.

George:         So it sounds like we have a lot to look forward to with FIDO here. I am also suspecting then that for relying parties, we have this classical chicken and egg problem. For the relying parties who need to believe there are enough participants out there or enough devices and applications to connect to them using the FIDO standard before they will commit to it. Are you seeing that problem at all?

Philip:             That’s what the deployment at scale working group is now addressing. If you think again about when did these standards came to life, if I go back to early 2015, the first two standards became public. It moved out of that let’s make sure IP etc. is addressed, protected, and made public intellectual property. So those two standards became public at the beginning of this year. The FIDO 2.0 Specification will become public. We can’t give you a date, but it’s imminent, it’s going to happen in a reasonable period of time. Now we get into the deployment phase. Now you’ve got organizations, let’s pick some of the people at the board – Bank of America, American Express, Discover, Visa, MasterCard – who are all thinking about FIDO and how they’re going to deal with it. You’ve got people at the associate sponsor level – Wells Fargo, USAA who’s a board member now, ING, large financial institutions who are trying to get it figured out, working through it, who are inside the deployment at scale working groups to work through what are the licensing issues and what are the compatibility issues and how do we grade etc. and make this thing commercially available. Then you turn around to Docomo, large telecommunications entity, very focused, driving, took and is chairing the deployment at scale working group who is busy out there trying to figure it out. You take Lenovo, who has made major announcements about the use of FIDO. You’ve got large organizations, Microsoft Windows 10.

George:         They key point here, of course we’re most interested in the financial services aspect, but given those members and the roles of authentication, the folks who are interested in authentication go way beyond just payment applications – access to enterprise resources obviously being a huge one, the corporate use of authentication based on risk.

Philip:             Right. FIDO’s focus is not payment, it is one of the use cases, its focus is on accessing your Google Gmail account. Its focus is on accessing your mobile banking account. Its focus is on accessing your PC.

George:         And making that all straightforward and easier than the user ID and particularly that password mess we continue to find ourselves in.

Philip:             Right. Then you go through the membership and you go “What’s Goldman Sachs going to do?” You kind of go, that could be rather interesting as I think about the stock markets and the rest of the bond markets, and the commodities markets and what they’ve may want to see happen with this thing. You know, you think about ING, what are they going to do? You think about Diesel, where is it going to go? SK Telecom, where are they going to go? I’m just looking now at the associate level, excuse me, the sponsor level, Blackberry.

George:         They’re hanging their hat on a more secure device.

Philip:             If we look at hardware venders, Dell’s there. Lenovo’s there.

George:         I think there’s a lot of good news here that besides the payment industry starting to get its security act together with EMV, with both encryption of card data and tokenization of card data two ways – both for security tokens that you get at stores on behalf of the merchant as well as payment with the new EMV code spec. Not only that, but now we’ve got the stronger wrapper, if you will, of authentication, a broader set of authentication tools. I don’t think we’re going to be having this same kind of conversation in 3 to 5 years, Philip, that we’ve had recently. It’s good news.

Philip:             The other one I’m looking at and I’m thinking about is Netflix. Where are they going to go? I now see OSD, the German standards, the German entities coming into this whole thing. So you’ve got some major, major players. You mentioned in the earlier conversation the concept of NSTIC in the desire of the federal government to create this concept called federated standards. I’m sitting there going well part of the NSTIC problem is what’s the authenticator? You could easily take a FIDO authenticator in a federated identity environment and now establish a relying party that somebody else trusts. The fact that the relying party has established a relationship with my authenticator means that that relying party can extend that trust and that authenticator to somebody else.

George:         That’s a whole other kettle of fish in terms of folks being willing to make that step, to basically outsource their trust with a third party. I think for NSTIC, the strategy to trusted identity in cyberspace, that outsourcing of trust from the relying parties to an identity service provider, for example, that’s been sort of a bridge too far. What I appreciate about the FIDO approach or what the path that FIDO or as you say Apple enables, is that we have more of a component, ground up based approach. Where, as we get used to  using new authentication tools at the edge of the network where relying parties have the ability to choose which tools they will use and accept and won’t use. Out of that environment, we’re going to have a collection of brokers who actually may be able to fill in that role and occupy that role as a trusted identity provider. Interesting stuff. Philip, thank you very much. It’s important to stay abreast of what’s going on with FIDO and specifically in authentication in general. Really appreciate your thoughts on this, so thanks for joining us.

Philip:             It’s always a pleasure.

Recent Payment Views

Payments Post #14: Wallet World – WWDC, VFC, Tokens, and the Future of the “Card”

Payments Post #13: At the Intersection of Tech, Regs, and Business Partnership

This month, Cici Northup joins regular contributor Justin Pituch to recap positive news in the form of fast payments growth, new fraud mitigation strategies, and evolution in cross-border transfers. All reflect, to varying degrees, the unique dynamic in the payments industry created by the intersection of technology, regulation, and new business partnerships.

read more
Visa Payments Forum Deep Dive: Visa Flexible Credential

Payments Orchestration: What Comes Next?

Orchestration providers have certainly come a long way, and can enable powerful capabilities and benefits for the merchants that employ them. This post explores some of the possibilities Glenbrook has been thinking about for where Orchestration (and even orchestration) can go next.

read more
Payments Post #14: Wallet World – WWDC, VFC, Tokens, and the Future of the “Card”

Payments Post #12: Lessons from Change

In this month’s Payments Post, we want to draw your attention to several recent fraud incidents that underscore the criticality of effective risk management to your business and the safety and soundness of the payments industry.

read more

Glenbrook Payments Boot CampTM

Register for the next Glenbrook Payments Boot CampTM

An intensive and comprehensive overview of the payments industry.

Train your Team

Customized, private Payments Boot CampsTM workshops tailored to meet your team’s unique needs.

OnDemand Modules

Recorded, one-hour videos covering a broad array of payments concepts.

GlenbrookTM Company Press

Comprehensive books that detail the systems and innovations shaping the payments industry.

Launch, improve & grow your payments business