Webinar: PSD2 Support: Why Change to FIDO
•Transferir como PPTX, PDF•
2 gostaram•1,532 visualizações
Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In the world of e-commerce, these solutions, when used, have been successful in combating online payment fraud. The Second Payment Services Directive (PSD2) and its associated Regulatory Technical Standards (RTS) dramatically change the payment landscape, considering: -- The mandate for strong, multi-factor authentication, -- The emergence of Third Party Providers (TPP) accessing accounts via open APIs The success of PSD2 will ultimately be determined by how well banks can balance user convenience with security obligations, while maximizing reach. As such, they may want to evaluate how well their legacy authentication solutions meet this new need. FIDO authentication standards have been proposed as a way for banks to meet all requirements in a PSD2 world — but is the change from a legacy method to FIDO worthwhile? This webinar covers FIDO Authentication standards and how they compare with legacy authentication methods used to access an account or secure an online payment. The methods compared are SMS OTPs, hardware OTP generators, CAP readers, and proprietary smartphone and biometrics-based solutions in terms of PSD2 compliance, security, usability and scalability. Read this to find out: Why change to FIDO?
Recomendados
Recomendados
Mais conteúdo relacionado
Mais de FIDO Alliance
Mais de FIDO Alliance (20)
Último
Último (20)
Webinar: PSD2 Support: Why Change to FIDO
- 1. © FIDO Alliance 2020 PSD2 Support: Why Change to FIDO WEBINAR
- 2. © FIDO Alliance 20202
- 3. © FIDO Alliance 2020 Today’s Speakers Andrew Shikiar Executive Director & CMO FIDO Alliance Alain Martin Head of Consulting & Industry Relations, Thales Co-chair, FIDO Europe Working Group
- 4. © FIDO Alliance 20204
- 5. © FIDO Alliance 2020 Intro to FIDO Andrew Shikiar Executive Director & CMO FIDO Alliance
- 6. © FIDO Alliance 20206 Growth in credential loss in 2019 (RiskBased Security) 284% Financial loss caused by online payment fraud by 2024 in Europe (Juniper Research) $25 billion 18 million COVID-19 themed malware and phishing emails blocked per day by Google 7,098 breaches in 2019, exposing 15.1 billion records (ITRC) 51% of passwords are reused across services (University of Oxford) collectively spent by humans each day entering passwords (Microsoft) 1,300 years e-commerce sites’ attempted log-ins are compromised by stuffing (Shape Security) 80-90% Europeans that would abandon transaction if too many authentication steps (yStats) 1/3 Of IT leaders re-use a single password (Sailpoint) 55% Of helpdesk calls are for password resets (Forrester) 20-50%
- 7. © FIDO Alliance 20207 Security Usability Poor Easy WeakStrong = Single Gesture Possession-based Authentication Open standards for simpler, stronger authentication using asymmetric public key cryptography
- 8. © FIDO Alliance 20208 FIDO Breaks the Credential Theft Cycle & Prevents Account Takeovers Use of Public Key Cryptography eliminates dependence on server-side credentials Nothing of value for hackers to steal (public keys have no utility) Stuffed credentials won’t work Stops supply & demand for hackers
- 9. © FIDO Alliance 20209 + Sponsor members + Associate members + Liaison members FIDO Leadership
- 10. © FIDO Alliance 202010 Since May 2018 Broader matrix of support across platforms and transports Hello Over 2.5 Billion Devices can support FIDO Authentication
- 11. © FIDO Alliance 2020 WHYCHANGE TOFIDO? FIDOvsLegacyAuthnMethods Alain Martin Head of Consulting & Industry Relations, Thales Co-chair, FIDO Europe Working Group
- 12. © FIDO Alliance 20201313 Authentication BEFORE WITH PSD2 TPP Interaction Authentication Interactions Device Device
- 13. © FIDO Alliance 20201414 June 2020 EBA Opinion: the authentication of the [user] with the ASPSP in an AISP/PISP journey, […] should not create unnecessary friction THE CUSTOMER JOURNEY KEY SUCCESS FACTOR FOR THE ROLL OUT OF PSD2 IN EUROPE
- 14. © FIDO Alliance 2020 Existing SCA solutions 15
- 15. © FIDO Alliance 20201616 ****** ****** 123456
- 16. © FIDO Alliance 202017 123456 TPP or Merchant UI Bank UI ****** ****** Bank UI TPP or Merchant UI
- 17. © FIDO Alliance 202018
- 18. © FIDO Alliance 202019 123456 ******
- 19. © FIDO Alliance 202020 TPP or Merchant UI Bank UI OTP Bank UI OTP ****** Some OTP generators can scan QR codes TPP or Merchant UI Some OTP generators can be connected to PC
- 20. © FIDO Alliance 202021
- 21. © FIDO Alliance 202022 123456 ******
- 22. © FIDO Alliance 202023 TPP or Merchant UI Bank UI OTP Bank UI OTP ****** TPP or Merchant UI Some CAP readers can be connected to PC
- 23. © FIDO Alliance 202024
- 24. © FIDO Alliance 202025 Bank UI Challenge Signed Response Bank key Bank Verification Bank key
- 25. © FIDO Alliance 202026 TPP or Merchant UI TPP or Merchant UIBank UI TPP UI Bank UI TPP UI
- 26. © FIDO Alliance 202027
- 27. © FIDO Alliance 2020 Why change to FIDO 28
- 28. © FIDO Alliance 202029 User Environment Authenticator Touch, PIN entry, Biometric entry Challenge Signed Response Private key Public key User Relying Party Verification
- 29. © FIDO Alliance 20203030 TPP or Merchant UI TPP or Merchant UIBank UI TPP or Merchant UI Bank UI TPP or Merchant UI Web or app based UI
- 30. © FIDO Alliance 20203131 TPP or Merchant UI TPP or Merchant UI TPP UI Bank UI TPP UI Bank UI Embedded FIDO platform authenticator Embedded FIDO platform authenticator Web or app based UI
- 31. © FIDO Alliance 20203232
- 32. © FIDO Alliance 202033
- 33. © FIDO Alliance 202034 User Environment Authenticator Touch, PIN entry, Biometric entry Challenge + web origin Signed Response Private key Public key User Relying Party Verification of web origin
- 34. © FIDO Alliance 20203535
- 35. © FIDO Alliance 20203636 Consideration SMS OTP + password Hardware OTP Generators CAP Readers Proprietary and biometrics FIDO User convenience When using MFA authenticators PSD2 compliance May require password entry if no on-device user verification Resistance to phishing Security of the solution Passwords and SMS channel insecure. SIM swapping Depending on key storage method Account recovery in case of loss New device to be seeded, deployed and activated New reader to be deployed. New card to be personalized Re enrollment required Re enrollment required Deployment/Scalability Devices need seeding and deploying Readers still need deploying Proprietary solutions. Require key provisioning server
- 36. © FIDO Alliance 202037 Enhanced user experience Security and resistance to phishing Deployment/scalability
- 37. © FIDO Alliance 2020 Read the white paper! https://fidoalliance.org/white-paper-psd2-support-why-change-to-fido/
- 38. © FIDO Alliance 2020 Q&A Andrew Shikiar Executive Director & CMO FIDO Alliance Alain Martin Head of Consulting & Industry Relations, Thales Co-chair, FIDO Europe Working Group
- 39. © FIDO Alliance 2020 If we didn’t have time to answer your question, please reach out to us at help@fidoalliance.org The webinar recording and slides will be emailed to you and posted on fidoalliance.org Please stay on to take the survey at the conclusion of the webinar 40
- 40. © FIDO Alliance 2020 fidoalliance.org 41
Notas do Editor
- We know that passwords have very weak security and poor usability – but the thing that doesn’t (or didn’t“) get enough attention was the risk associated with OTPs. Not only do OTPs present major usability challenges (what’s worse than one password? Two passwords) but OTPs are also centrally stored secrets, just for a shorter timeframe. As such, they are succeceptible to large-scale attacks and/or spear-phishing – as we’ve seen in some very well-documented breaches. This really is the crux of what FIDO is trying to do – it’s eliminating use of all shared secrets, not just passwords. FIDO’s goal from day one was to transform the market away from dependence on centrally stored shared secrets to a model that uses public key cryptography and allows consumers to authenticate through devices that they literally have in their fingertips every day. It’s simpler and stronger authentication. FIDO rapidly realized this goal with the initial release of FIDO’s UAF and U2F specifications in 2015.
- History of the Alliance: Organization was organized in 2012, open to any organization to join in 2013 with the mission to solve the world’s password problem FIDO was launched with just 6 member companies. Today we have more than 250 members from around the world – including the Board of Directors that you see represented here My favorite way of looking at this list of logos is consider closing your eyes and asking yourself “what companies do we need have sitting around a board table to help solve the password problem?” – and I suspect it would look a lot like this We have major platform providers and manufacturers creating devices that we all use every day We have leaders in security, biometrics and identity – both established companies and innovative start-ups Last but not least, we have companies whose very businesses depend on their ability to deliver high-assurance services to billions of users around the world
- -2019 was Significant year in terms of fido2 adoption -Platform authenticators are certified -Brings reach of fido2 to billions of users using these platforms -Browser support grown in breadth and depth -Ex: Stronger initial and growing support in safari for fido2 -Safari13 supports security keys on macOS, iOS and iPadOS
- -Significant year in terms of fido2 adoption -Platform authenticators are certified -Brings reach of fido2 to billions of users using these platforms -Browser support grown in breadth and depth -Ex: Stronger initial and growing support in safari for fido2 -Safari13 will support security keys on macoS - You can deploy across any mainstream OS today
- ANDREW