Professional Documents
Culture Documents
a • Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
b • Technical report on SS7 vulnerabilities and mitigation measures for digital financial services transactions
Security, Infrastructure and Trust Working Group
Implementation of Secure
Authentication Technologies
for Digital Financial Services
DISCLAIMER
This report is a product of the FIGI Security, Infrastructure and Trust Working Group, led
by the International Telecommunication Union.
The findings, interpretations, and conclusions expressed in this work do not necessar-
ily reflect the views of the Financial Inclusion Global Initiative partners including the
Committee on Payments and Market Infrastructures, the Bill & Melinda Gates Foundation,
the International Telecommunication Union, or the World Bank (including its Board of
Executive Directors or the governments they represent). The mention of specific compa-
nies or of certain manufacturers’ products does not imply that they are endorsed or
recommended by ITU in preference to others of a similar nature that are not mentioned.
Errors and omissions excepted, the names of proprietary products are distinguished by
initial capital letters. The FIGI partners do not guarantee the accuracy of the data includ-
ed in this work. The boundaries, colours, denominations, and other information shown
on any map in this work do not imply any judgment on the part of the FIGI partners
concerning the legal status of any country, territory, city or area or of its authorities or
the endorsement or acceptance of such boundaries.
© ITU 2020
Some rights reserved. This work is licensed to the public through a Creative Commons
Attribution-Non-Commercial-Share Alike 3.0 IGO license (CC BY-NC-SA 3.0 IGO).
Under the terms of this licence, you may copy, redistribute and adapt the work for
non-commercial purposes, provided the work is appropriately cited. In any use of this
work, there should be no suggestion that ITU or other FIGI partners endorse any specific
organization, products or services. The unauthorized use of the ITU and other FIGI part-
ners’ names or logos is not permitted. If you adapt the work, then you must license your
work under the same or equivalent Creative Commons licence. If you create a translation
of this work, you should add the following disclaimer along with the suggested citation:
“This translation was not created by the International Telecommunication Union (ITU).
ITU is not responsible for the content or accuracy of this translation. The original English
edition shall be the binding and authentic edition”. For more information, please visit
https://creativecommons.org/licenses/by-nc-sa/3.0/igo/
About this Report
This report was written by Andrew Hughes, Abbie Barbir. The authors would like to thank
the following contributors and reviewers: Arnold Kibuuka, Vijay Mauree, Harm Arend-
shorst, Tiakala Lynda Yaden, Mr. Mayank, Vinod Kotwal, Jeremy Grant, Brett McDow-
ell, Adam Power, Sylvan Tran, Ramesh Kesanupalli, Chunpei Feng, Hongwei (Kevin) Luo,
David Pollington, Matthew Davie, Wycliffe Ngwabe, Salton Massally and Mathan Babu
Kasilingam.
If you would like to provide any additional information, please contact Vijay Mauree at
tsbfigisit@itu.int
1 Executive Summary�������������������������������������������������������������������������������������������������������� 5
2 Acronyms������������������������������������������������������������������������������������������������������������������������� 6
3 Background���������������������������������������������������������������������������������������������������������������������� 7
4 Introduction��������������������������������������������������������������������������������������������������������������������� 9
4.1 Implementations examples section�������������������������������������������������������������������������������� 9
8 Conclusion���������������������������������������������������������������������������������������������������������������������55
Annex A – Bibliography������������������������������������������������������������������������������������������������������56
This Report is the result of contributions and delib- detection and authentication of human users versus
erations of the Financial Inclusion Global Initiative the client software used by people through envi-
Security, Infrastructure and Trust Working Group ronmental and behavioral analysis. New approach-
Authentication work stream. es are being implemented to minimize friction for
The Digital Financial Services (DFS) ecosystem mobile and multi-factor use cases: many systems are
requires standardized, interoperable, strong authen- now built with ‘mobile first’ designs. Authentication
tication technologies as enablers to reduce risk and now happens at many points during a user-system
protect assets. Weak authentication approaches interaction: at identification time, at times when
based on web browsers and passwords are no lon- increased privileges are invoked (so-called ‘step-up’
ger sufficient to support safe DFS use. This report authentication), and even continuously during the
is focused on implementation. It describes technol- entire session.
ogies and standards that can be used to implement This report describes several widely-adopted
strong authentication systems for DFS and provides technical and policy standards that support strong
examples of implemented strong authentication sys- authentication mechanisms.
tems. The examples of strong authentication and
Previously, the ITU Focus Group on Digital Finan- advanced authentication systems are categorized
cial Services, a multiparty consultative body for fos- as either enrolment or authentication for the use of
tering the development of safe DFS ecosystems, pro- DFS. These two use case categories primarily impact
duced recommendations on security, identification users of DFS.
and authentication for DFS. This report addresses The examples presented for the Enrolment use
several of the Focus Group recommendations. case describe how previously-established identi-
A primary goal of authentication systems is to ty information can be used to create new service
increase confidence that a previously-enrolled user accounts and to satisfy KYC requirements. The key
is actually that user. Access control and authorization aspect in the examples is that the person has been
policy can then be applied to that authenticated user. enrolled previously with an authority: their identity
Design decisions and technology choices for each information collected, verified and stored. This stored
authentication system element affect how ‘strong’ identity information is then available for later presen-
an authentication system is: how resistant to attack tation to service providers, controlled by the person’s
and compromise due to common threats. ‘Strong’ authorization to release that identity information.
authentication systems are designed to mitigate The examples for the Entity authentication use
threats that ‘weak’ authentication systems do not. case describe how next generation authentication
Typical authentication systems in use today were mechanisms are used to authenticate an individual
designed for the pre-mobile-device internet. They for authorization to consume services.
are based on a single authentication event, typically The report describes several examples of strong
performed at application start up, and assume that and advanced authentication systems for access to
the user, device and session do not change after that financial services. Further standardization work is
single authentication event. These elements have needed to ensure that technologies are made to be
proven to introduce weaknesses into authentication fit for purpose and that different approaches can be
systems. evaluated for relative strengths and capabilities.
In addition to ‘strong’ authentication system In conclusion, it is clear that there exist effective
elements, advanced authentication systems are solutions addressing today’s enhanced threats to
designed to address today’s threat models and DFS. Through careful planning, strong direction and
design patterns. Compared to ‘strong’ authenti- sustained effort, access to DFS can be safe, low-bar-
cation systems, there is an increased emphasis on rier and effective.
3 BACKGROUND
The Financial Inclusion Global Initiative was formed • At time of registration, a DFS operator should
as a follow-on activity of the ITU Focus Group on create a digital identity for its customers, for use
Digital Financial Services (hereinafter, “ITU FG DFS” in both DFS transactions and (where relevant) in
or “Focus Group”) which was established as a multi- identity assertion with external service providers.
party consultative body for fostering the develop- • DFS Operators should ensure an intuitive and
ment of safe, enabling DFS ecosystems. The overall straightforward customer experience for registra-
objectives of the Focus Group were to: (i) increase tion and subsequent authentication.
and formalize the collaboration between financial • Policy makers and regulators are encouraged
and telecommunications authorities with respect to use national identity systems, or other mar-
to DFS; (ii) identify key issues limiting the develop- ket-wide identity systems, to help with opening
ment of safe, enabling DFS ecosystems; (iii) analyse transaction accounts, addressing payments, and,
how these issues have been addressed in practice in some instances, improving transaction security.
and exchange information on best practices; and • App developers should ensure that DFS appli-
(iv) develop policy recommendations for authorities cations are designed and implemented in accor-
and other stakeholders on how to approach these dance with industry and Standards Setting Bodies
issues in their countries. The Focus Group brought (SSB) best practices for secure software devel-
together financial and telecommunications author- opment, including encrypted and authenticated
ities, private-sector stakeholders, consumer advo- communication and secure coding practices.
cates, DFS technical experts, development partners, • Regulators should standardize digital identity reg-
and other key DFS stakeholders to collaboratively istration, and ensure interoperability between DFS
explore these issues and develop consensus recom- operators and service providers relying on the
mendations. [1] digital identity.
This report addresses several of the Focus Group
recommendations, including [1]: The Digital Financial Services ecosystem consists of
users (consumers, businesses, government agencies
• The use of mobile devices that allow for the use and non-profit groups) who have needs for digital
of strong authentication mechanisms to demon- and interoperable financial products and services;
strate ownership of the device is recommended. the providers (banks, other licensed financial insti-
tutions, and non-banks) who supply those products
Infrastructure Readiness
Payment Systems Energy Availability
Technical Systems to
Enable Digital Financial Services Voice and Data Communication
Networks Identity Systems
Enabling Environment
Regulators Standards Bodies
Regulatory, supervision and Standards Setting Enabling
Environment (national, regional and international)
Financial Inclusion policies Industry Groups
The Digital Financial Services (DFS) ecosystem Technologies and approaches that use continuous
requires standardized, interoperable, strong authen- and adaptive authentication to minimize the time
tication technologies as enablers to reduce risk and required to detect impostors are emerging. Technol-
protect assets. ogies that securely shift the storage location for per-
Regulators are increasing the requirement for sonal data out of centralized storage that might be
robust identification of clients to combat money limited by network infrastructure, to user-controlled
laundering and other misuses of financial systems. mobile devices are advancing. These new approach-
Along with the increase of mobile-only and es will become widely available within the next sev-
remote-only clients, financial institutions are fac- eral years, and will help to address new threats that
ing new kinds of fraud, impersonation and security emerge over time.
threats that older password-based authentication
systems were never designed to address. 4.1 Implementations examples section
The systems, technologies and approaches Section 8 of this report contains descriptions of
described in this report have been designed for implemented systems covering two DFS use cases:
use in mobile computing environments, blending Enrolment/Account Opening and Authentication for
well-established techniques such as public key cryp- accessing a DFS. Both use cases deal with identifi-
tography with new techniques such as generation cation of an individual: the former handles the situ-
and storage of cryptographic keys on-device instead ation where the DFS system sees the individual for
of centrally. The move towards mobile devices has the first time; the latter authenticates the individu-
made the already weak password-based security less al using previously-issued credentials. To effectively
usable while the increasing availability of widespread manage mis-identification risks, DFS providers must
fingerprint and other biometric sensors makes the ensure that both enrolment and credential authenti-
shift to password-less and multi-factor authentica- cation are robust and use standardized methods and
tion technologies feasible. technologies.
A primary goal of authentication systems is to view of solutions that can be used to fulfil identity
increase confidence that a previously-enrolled user vetting requirements.
is actually that user. Access control and authorization This section describes standards that cover strong
policy can then be applied to that authenticated user. authentication and authentication technologies that
Entity authentication assurance is needed in order support strong authentication mechanisms.
to comply with various stages of an identity manage-
ment system. In particular, identity vetting is required 5.1 ITU-T Recommendation X.1254
as part of the credentialing process. The assurance Recommendation ITU-T X.1254, Entity authentication
of achieved in the vetting process determines the assurance framework
nature of the issued credential and eventually can In the entity authentication phase, the entity uses
be used to perform access control decisions by the its credential to attest its identity to a Relying Party
relying party. (RP). The authentication process is concerned sole-
Initial work from NIST, ITU and ISO focused on ly with the establishment of confidence in the claim
defining four levels of entity assurance. The levels or assertion of identity, and it has no bearing on or
included identity vetting and credentialing. Experi- relationship with the actions the relying party may
ence in implementations revealed some limitations choose to take based upon the claim or assertion.
of combining authentication assurance and identity ITU-T X.1254 section 10.3 describes threats to and
vetting assurance which resulted in limiting cases controls for the authentication phase.
where all what is needed to ensure that the same
entity is requesting access as opposed to who is 5.2 NIST Special Publication 800-63-3
the real requester. As such newer versions of NIST NIST Special Publication 800-63B Digital Identity
800-63 separated the identity vetting assurance lev- Guidelines Part B
els from the credentialing levels and promoted the The publication lists the authenticator types and
use of three levels as opposed to the initial four lev- authentication protocols capabilities that are accept-
els. ITU X.1254 and ISO 29115 are being updated to able at each level of assurance.
reflect NIST work.
A recent report from the Financial Action Task
Force (FATF) [3] provides a comprehensive over-
Authentication systems involve individuals, creden- systems are not easy for mobile users to interact
tials issued to those individuals, and authenticators with: on mobile devices, authentication events are
used by the individual to prove they are the original infrequent and rely on device security locks that may
registered credential receiver. Authentication proto- not be effective.
cols define how each element interacts to authen- Advanced authentication systems are designed to
ticate the individual. Each element has observable address today’s threat models and design patterns.
or measurable behaviors in the environment which Compared to ‘strong’ authentication systems, there
can be compared to previously-measured ‘normal’ is an increased emphasis on detection and authen-
behavior. tication of human users versus the client software
Design decisions and technology choices for each used by people through environmental and behav-
authentication system element affect how ‘strong’ ioral analysis. New approaches are being implement-
an authentication system is: how resistant to attack ed to minimize friction for mobile and multi-factor
and compromise due to common threats. ‘Strong’ use cases: many systems are now built with ‘mobile
authentication systems are designed to mitigate first’ designs. Authentication now happens at many
threats that ‘weak’ authentication systems do not. points during a user-system interaction: at identifi-
For example, a weakness for individuals is having cation time, at times when increased privileges are
to deal with password systems. Passwords are hard to invoked (so-called ‘step-up’ authentication), and
remember, easy to steal, reused across services and even continuously during the entire session.
very inconvenient to use. Stronger authentication Advanced authentication systems do not replace
systems might choose to use a biometric to unlock strong authentication systems – the technologies
a local secure encryption key vault, which gives the work together to address different threats and vul-
individual a lower-friction, password-less experience. nerabilities.
Authenticators such as SMS-delivered one-time The objective of advanced authentication systems
codes that are subject to phishing could be replaced is to provide a low-friction experience for users, while
by hardware cryptographic authenticators such as a reducing risk and increasing security assurance.
Secure Element or Trusted Execution Environment in See 7.1 Cognitive Continuous Authentication for
mobile devices. a description of a solution that embodies these
Authentication protocols that use shared secrets advanced authentication system characteristics.
or unencrypted transmissions could be replaced with
asymmetric key cryptographic protocols, encrypt- 6.2 FIDO Alliance Specifications
ed channels and different keys for each service. The FIDO Alliance protocols use standard public
Multi-factor authentication protocols have additional key cryptography techniques to provide stronger
attacker resistance than single-factor protocols. authentication. During registration with an online
The threat landscape changes regularly and service, the user’s client device creates a new key
design decisions must be made to address new or pair. It retains the private key and registers the public
commonly-used threats. For example, threats to web key with the online service. Authentication is done
site access from desktop computers are different by the client device proving possession of the private
from mobile-only apps and services which have been key to the service by signing a challenge. The client’s
invented in recent years. private keys can be used only after they are unlocked
locally on the device by the user called “user veri-
6.1 Characteristics of Advanced Authentication fication”. User verification can take the form of any
Systems number of user–friendly and secure action such as
Typical authentication systems in use today were swiping a finger, performing facial recognition, enter-
designed for the pre-mobile-device internet. They ing a PIN, or speaking into a microphone. Private keys
are based on a single authentication event, typically are bound to a device and prove that users are in
performed at application start up, and assume that possession of a specific device (i.e. – the “something
the user, device and session do not change after that you have” of authentication), and their combination
single authentication event. Authentication tends to with user verification ensures that every authentica-
be a high friction activity with a poor user experience, tion is multi-factor authentication.
especially when password or multi-factor authenti- FIDO protocols are designed to protect user pri-
cation are used. Current-generation authentication vacy. The protocols do not provide information that
can be used by different online services to collabo- mon devices to easily authenticate to online services
rate and track a user across the services. Biometric — in both mobile and desktop environments.
information, if used, never leaves the user’s device
and is only used for user verification to approve the 6.2.1 Universal Authentication Framework
use of a private key. (UAF)
For implementing authentication beyond a pass- The goal of the Universal Authentication Framework
word, companies have traditionally been faced with is to provide a broad and comprehensive framework
an entire stack of proprietary clients and protocols. for cryptographically secure multifactor authentica-
To enable interoperability between client authen- tion. It includes first-factor (e.g. PIN and biometrics),
tication methods, FIDO standardizes the client and second-factor, as well as a generalized architecture
protocol layers. This allows many client authentica- and protocol that can be extended to any platform
tion methods such as biometrics, PINs and second– or integrated with any system.
factors to be used with a variety of online services in The UAF specification standardizes four pieces:
an interoperable manner.
The main FIDO specifications are Universal Sec- 1. The authenticator, which is a device that creates
ond Factor (U2F) [5], Universal Authentication and securely stores the authentication secrets
Framework (UAF) [6] and the FIDO2 project which 2. The server, which registers users and subsequent-
includes both the Client to Authenticator Protocol ly validates authentication requests
(CTAP) [7] and W3C’s Web Authentication (WebAu- 3. The client, which acts as a multiplexer and policy
thn) [9]. enforcer between multiple servers and multiple
The FIDO2 Project is a set of interlocking initia- authenticators.
tives that together create a FIDO Authentication 4. The protocol, which defines the message for-
standard for the web and greatly expands the FIDO mats, cryptographic objects, etc. that are carried
ecosystem. between the authenticator and the server through
FIDO2 is comprised of the W3C’s Web Authenti- the client.
cation specification (WebAuthn) and FIDO’s corre-
sponding Client-to-Authenticator Protocol (CTAP),
which collectively will enable users to leverage com-
1. Initiate registration with Relying Party a registration response: device model number +
2. FIDO Server sends registration challenge and device attestation signature + user’s public key
requested registration options 5. Validate response and attestation. The device
3. Authenticator performs user verification on device model number (AAGUID) can be used to look up
to signal the user’s consent to registering with the metadata about the device, such as the attesta-
service tion public key, the type of user verification being
4. Authenticator generates a new key pair for the performed (e.g. – biometric, PIN), and the securi-
service and associates the private key with the ty characteristics of the device (e.g. – how private
service’s origin. The public key and device model keys are protected; how biometric templates are
number are signed over by a device model spe- protected; third-party security and biometric cer-
cific (shared across no less than 100,000 devices) tifications).
attestation private key. The authenticator sends 6. The service stores user’s public key for future
authentication requests.
Network
Authentication Authorisation Identity
Attributes
Simple and globally User authorisation of SP Provision or verification In sights about the device
ubiquitous log-in or step- requests of user identity and users mobile account
up authentication
Mobile Connect uses a distributed architecture in • Possession-based (Something I Have); the posses-
which each Mobile Operator deploys Mobile Connect sion of the mobile device by the user. This is the
services for its particular user base, but with all first factor used in Mobile Connect Authentication.
deployments abiding by a strict set of technical • Knowledge/secrecy-based (Something I Know);
standards to ensure that from a Service Provider’s for example, PIN/Personal Code.
perspective, the experience of consuming Mobile • Active Inherence (Something I Am); for example,
Connect services from any of the Mobile Operators biometrics: fingerprints, iris scan, facial biometrics.
is consistent. • Passive Inherence (Something the Network
Mobile Connect is based upon the OpenID Con- Knows); Mobile network-based inherence ele-
nect (OIDC) protocol which provides an identity lay- ments, such as usual cell sites (can also be used
er on top of the OAuth 2.0 protocol. It allows Users as “something the user does”) available to the
to be identified by their MSISDN (or a related Pseud- mobile operator. This separation between device
onymous Customer Reference) and to be authenti- and network is vital to fighting fraud and estab-
cated securely via their mobile device with the SIM lishing ownership of the device.
providing security. Mobile Connect defines two pro- • Contextual (Something I Do); for example, sup-
files of OIDC to support Device-Initiated and Serv- plement the device-based authentication with
er-Initiated requests for authentication, authorisation network-based insights to create a more robust
or permissioned access to User attributes. multi-factor authentication mechanism (such as
The serving Mobile Operator supports and selects pairing status between IMSI, IMEI and MSISDN).
an appropriate authenticator to present the authen-
tication and authorisation requests to the user on Mobile Connect levels of assurance are a guide to the
their mobile device to which the user responds. The degree of confidence in an authentication process. As
authenticator may also be used to seek user consent a critical element within the Mobile Connect ecosys-
for the serving operator to share or validate user tem, the Mobile Connect levels of assurance are used
attributes with the Service Provider. The authentica- in the Mobile Connect API (OpenID Connect), in the
tor is selected based on operator policy, device capa- cryptographically-signed Identity Token sent as an
bility and the Level of Assurance required. authentication proof to the Service Provider, in the
Mobile Connect authentication factors and authenticator-selection policy and also in the Mobile
insights include: Connect product-enablement policy.
Figure 7 – shows a mapping between Mobile Connect and eIDAS level of assurance.
MC
Service Provider Connector (Receiving MS) Proxy (Se nding MS) MC Discovery Se rvice MC Provider
Authenticator
Authenticate
Validate
Request (Authenticate and identity)
SAML
Validate
Disco ver MC Provider (M NO)
Discovery API
MC Provider Endpoints
Authenticate
OpenID Connect
Validate
Authenticate
Authenticate Response
Authenticate Response
Response
MC
Service Provider Connector (Receiving MS) Proxy (Se nding MS) MC Discovery Se rvice MC Provider
Authenticator
OpenID Connect
ID GateWay Discovery
Authentication Tx Log Exch
Mobile Connect
ASPSP APIX Mobile Connect ID Gateway MNO Authentication System Mobile Authentica tor
Server Initiated Authorization call (payment_context: amount, currency, MSISDN as user id)
Authentication
Authentication response
response
Generate
authorization_code
ASPSP APIX Mobile Connect ID Gateway MNO Authentication System Mobile Authentica tor
Additional details to assist in deployment of Mobile Connect can be found in Annex C of this report.
1. User initiate s
registration and 2. User re gistration request with authentication information
provides information 3. Verify User
for server authentication
authentication info
4. initiates
registration
5. Ge nerates
registration
request info
6. Registration
request info
8. Registration
request info
9. Registration
request info
10. Registration
request info
14. User
biometric
verification or 15. User biometric verification or enrollment
16. Generate ke y
enrollment pair as auth
17. Re gistration credential
response
7. Authentication
request info
8. Authentication
request info
9. Select
authenticator
3. User deregistration
request 4. Delete user
registration
record and auth
5. User credential
dere gistration
6. User dere gistration
7. User
dere gistration
8. User
dere gistration 9. Delete user
registration
and auth
credential
10. Return
dere gistration result
11. Return
dere gistration result
Biometrics
sensor
Mandatory
Optional
Logical boundary
ification process has a possibility of impacting a Corporation of India (NPCI) to banks, financial insti-
subject's information privacy, since this process tutions using Aadhaar. AEPS is a bank led model,
requires both biometric reference and identity ref- which allows online financial inclusion transaction at
erence. The identification process requires exhaus- micro-ATM through the business correspondent of
tive search of enrolment database. So, this also any bank using the Aadhaar authentication. This sys-
has a possibility of impacting on subject's physical tem is designed to handle both ONUS and OFFUS
privacy. Verification is generally considered to be requests seamlessly in an effective way by enabling
less privacy intrusive than identification. In Aad- authentication gateway for all Aadhaar linked
haar system verification is done via online authen- account holders.
tication having only a “yes/no” answer. AEPS empowers the marginalised and excluded
segments to conduct financial transactions (credit,
UIDAI has partnered with various stakeholders includ- debit, remittances, balance enquiry, etc.) through
ing Reserve Bank of India (RBI), National Payments microATMs deployed by banks in their villages. Four
Corporation of India (NPCI), and banks to develop types of transactions are supported by AEPS:
two key platforms:
• Balance Enquiry
• Aadhaar Payments Bridge (APB) – A system that • Cash Withdrawal
facilitates seamless transfer of all welfare scheme • Cash Deposit
payments to beneficiary residents' Aadhaar • Fund Transfer
Enabled Bank Account (AEBA). • Aadhaar Pay/Purchase
• Aadhaar Enabled Payment System (AEPS) – A • Mini Statement
system that leverages Aadhaar online authentica- • Aadhaar Status (Bank Linked) through AePS
tion and enables AEBAs to be operated in any-
time-anywhere banking mode by the marginal- To make an AEPS, the following information needs
ized d financially excluded segments of society to be supplied:
through microATMs.
• Transaction Type
Aadhaar Enabled Payment System (AEPS) is a • Aadhaar number,
payment service offered by the National Payments • Bank’s Institute Identification Number (IIN)3,
Destination
Bank 1 Switch
NPCI Bank 1 CBS
(Central
Infrastructure
Originator 1 Core Engine)
(MGNREGA Destination
Bank 2 Switch
Payments) Bank 2 CBS
NPCI
Originator 1 (Central
(Scholarships Sponsor Bank Infrastructure
Disbursement) File Based
Mechanism)
Originator 1
(Old Age Pensions)
Higher LOA
Privileged
Requires
Transaction
StepUP
Anomaly
Authentication
Authentication via
Transaction Valid Credential Passthrough
Landing page
2
4
8 Cognitive 9
Continuous
AuthenticationTM
5a 6
3
1
5b
Transaction 7
Risk
Assessment Higher LOA
Pre-Auth Risk requires
Calculation Authentication
Higher LOA
Additional
Auth Needed
Layer Four:
Governance
+Human Trust
Verifiable Proof
Layer Three: Credential
Credential $
Holder
Exchange `
Trust
Issuer Verifier
Cryptographic Trust
Payment
External
Layer One: Main
Sovrin Ledger Node
Internal
Config
tion can compromise privacy. Collection and use of Layer 3, the Credential Exchange layer, provides
such information should follow the principle of data the mechanisms for credential issuers to issue verifi-
minimization. able credentials to holders, and holders to generate
proofs to verifiers. Verifiers check the cryptographic
6.7.2 Decentralized Identity System proofs to gain certainty that the asserted claim with-
Infrastructure Layers in the credential is valid according to the issuer.
The Sovrin Foundation [13] has created an approach Layer 4, the Governance Frameworks layer, is
to organizing the technology infrastructure compo- where business and legal agreements are estab-
nents of their decentralized identity system solution. lished to specify the rules that issuers and verifiers
Sovrin uses a ‘layer’ concept to explain the roles, must follow.
functions and relationships between infrastructure
components as shown in Figure 23. 6.7.3 Verifiable Credential and Decentralized
Layer 1, the Sovrin Ledger layer, contains the Identifier Draft Standards
component DLTs that underpin the Sovrin solution. New approaches and technologies are emerging to
Credential issuers who need their credential to be use distributed ledgers (also known as ‘blockchains’)
publicly verifiable store their Sovrin identities and to establish identity networks that are not depen-
decentralized identifiers in these DLTs. Schemas, cre- dent on centralized data authorities. These identity
dential definitions and revocation registries are also networks are described in many different ways by
located in layer one. different groups. Two core standards projects are
Layer 2, the Agent-to-Agent layer, contains com- central to these new developments: W3C Verifiable
munications protocols to enable direct peer-to-peer Credentials [12] and W3C Decentralized Identifiers
credential, agent and cryptographic wallet commu- [10]. This group of technologies and standards are
nications. This layer does not contain a DLT. Together, still being developed and do not yet have wide adop-
layer two and layer one provide cryptographic trust tion.
between software and hardware components.
Http get
Driver Driver Driver
DID:ledger1 DID:ledger2 DID:ledgerN
Universal Resolver
App App
Credential
Issuer
Pairwise
Issue
Unique
Credential
Credential DID
Verifier
Credential
Holder
(Wallet)
Decentralized Identifier
Decentralized Ledger
This section contains examples of strong authentica- dent’s latest demographic and photograph informa-
tion systems that cover DFS use cases. The examples tion using an e-KYC User Agency (KUA) public key
also illustrate mechanisms related to the authenti- and subsequently forwards the encrypted response
cation assurance phases of ITU-T Recommendation to KUA. On receiving the encrypted response, the
X.1254. KUA decrypts the data using their own private key
and returns an eXtensible Markup Language (XML)
7.1 Use case: Enrolment and Account opening with seven pieces of data - name, address, date of
The examples presented for the Enrolment use case birth, gender, phone number, e-mail address and
describe how previously-established identity infor- photograph, this eliminates collecting photocopy of
mation can be used to create new service accounts Aadhaar letter from resident.
and to satisfy KYC requirements. The key aspect in Some of the benefits of Aadhaar-based eKYC are
the examples is that the person has been enrolled described below:
previously with an authority: their identity informa-
tion collected, verified and stored. This stored iden- • Activation – there is no requirement for filling up
tity information is then available for later presenta- of Customer Application Form (CAF) and submis-
tion to service providers, controlled by the person’s sion of photograph along with Proof of Identity
authentication to release that identity information. (POI) and Proof of Address (POA) documents.
Use of digital sources of identity information for • Secure process – customer’s data is fetched from
not-in-person KYC and account opening is both central UIDAI server in encrypted format and not
convenient for the person but also presents risks stored on any of the Point of Sale (POS) terminals
for impersonation. Therefore, use of using strong except for the company’s server.
authentication mechanisms is recommended. • No document copy or photograph is required –
this gives additional confidence to the custom-
7.1.1 Example: Aadhaar eKYC ers as they don’t need to submit any documents
eKYC service allows resident to authorize Unique which can be later misused by the retailers for
Identification Authority of India (UIDAI) to share pecuniary gains.
electronic version of Aadhaar information (demo- • Extremely quick activation – as against the tra-
graphic information and photo only) with the explicit ditional process for activation of SIM card which
authentication of the resident. In eKYC service, UIDAI could take between 12-24 hours, the SIM card is
encrypts the eKYC response data containing resi- activated in very short time once the form gets
AWS Cloud
REST
KYC Id entity Server
D ig ital ID D B
Screened Subnet
Mysql
Authenticatio n
ID server
Server Cred it server
(KYC related fields)
(NIN + Fing erprint)
The Alipay user first initiates the registration request 3) Alipay payment server sends the authentication
through the Alipay client app and runs the regis- information to the IFAA authentication server for
tration process as in Figure 15. After a successful verification and retrieves the verification results.
registration, the user can initiate a payment request 4) Alipay payment server authorizes the payment
through the Alipay client app. after successful verification.
To begin a payment process, the Alipay client app
first interacts with the Alipay payment server to 7.2.2 Example: Aadhaar authentication
confirm whether mobile payment can be carried out. Aadhaar authentication is the process wherein the
If yes, the Alipay client app calls the key manager (or Aadhaar Number, along with other attributes, includ-
optionally, the IFAA client) to authenticate the user ing biometrics, are submitted online to the Central
as in the following: Identities Data Repository (CIDR) for its verification
on the basis of information or data or documents
1) Require the user to perform fingerprint/face available with it. During the authentication trans-
authentication based on the local fingerprint/face action, the resident’s record is first selected using
template. the Aadhaar Number and then the demographic/
2) After fingerprint/face verification, the key manag- biometric inputs are matched with the stored data
er invokes the local stored user authentication pri- which was provided by the resident during enrol-
vate key to sign the transaction information, and ment/update process. Alternatively, authentication
sends it to the Alipay payment server through the can also be carried out on the basis of the OTP. All
Alipay client app. biometric/OTP authentication schemes are valid for
e-KYC service too.
Aadhaar User
UIDAI s CIDR
Service
7 1 Authenticated Request
Delivery
Authentication Devices
ASA Communication
3
AUA
ASA Repository
5
YES/NO Response
The following are the major steps in the Aadhaar • For digital signing of Authorised XML, Authenti-
authentication process as shown in Figure 36 above: cation request is digitally signed by the request-
ing entity (AUA/ KUA) and/or by the ASA using
• Aadhaar holder sends the authentication request HSM, as per the mutual agreement between them.
through the devices However, to decrypt the e-KYC response data
• Aadhaar authentication enabled application soft- received from UIDAI, the KUA shall necessarily
ware which is installed on the device, encrypts use its own HSM.
and sends the data to AUA server • The HSM to be used for signing Auth XML as well
• AUA server, after validation, adds necessary head- as for e-KYC decryption is FIPS 140-2 compliant.
ers (AUA specific wrapper XML with license key, • All AUA/ KUA/ASA ensure the implementation of
signature, etc.), and passes the request through HSM in Aadhaar authentication services.
ASA server to UIDAI CIDR. • To eliminate the use of stored biometrics, UIDAI
• Aadhaar authentication server returns a “yes/no” has mandated the use of registered devices by
based on the match of the input parameters. AUA/KUAs and ASAs. The registered devices
• Based on the response from the Aadhaar authen- provide the following key additional features com-
tication server, AUA/Sub-AUA conducts the trans- pared to public devices:
action and Aadhaar holder receives the service. • Device identification – every device is required to
have a unique identifier allowing traceability, ana-
Additional Security features for Authentication/KYC lytics, and fraud management.
service: • Eliminating use of stored biometrics – biometric
data is signed within the device using the provider
• To further enhance the security of Aadhaar authen- key to ensure it is indeed captured live. Then the
tication eco-system, under Regulations 14(n) and Registered Device (RD) Service of the device pro-
19(o) of Aadhaar (Authentication) Regulations, vider must form the encrypted PID block before
2016, it is mandatory to use Hardware Security returning to the host application.
Module (HSM) for digital signing of Authorised
XML and decryption of e-KYC data.
① RP App performs bio-authentication and requests electronic signature for a service provider.
② FIDO server triggers UAF authentication request to FIDO client.
③ A User performs a bio-authentication by the FIDO authenticator using the same method as at registration time.
④ The FIDO authenticator generates FIDO signature (using the FIDO authentication private key).
⑤ The FIDO client sends UAF authentication response to FIDO server. The FIDO server checks FIDO authentication
message and if passed, the RP server generates an Authcode.
⑥ The FIDO client requests electronic signature generation to PKI module.
⑦ The PKI module requests electronic signature generation to Crypto module.
⑧ In case of secure element such as Trustzone, or USIM, the electronic signature will be generated by the private key
inside the secure element. However, in case of keystore or keychain, the encrypted private key should be decrypted
by a decryption key stored in keystore or keychain and electronic signature will be generated by the private key
with crypto module.
⑨ RP App sends the signed data to Service server.
⑩ Service server verifies the signed data.
⑪ Service server or RP Server checks user certificate’s verification from OCSP server.
⑫ Service server checks the Authcode from FIDO service provider. And Service server sends the result to the user.
⓪ Application Requests Authentication - The application makes the initial authentication request. The
protocol and format of this request is outside of the scope of FIDO.
① Server Sends Challenge - The server sends a challenge to the application. The protocol for communi-
cating with the server is not specified and is outside of the scope of FIDO. Typically, server communi-
cations would be REST over TLS, but they could also be SOAP, RFC 2549 or nearly any other protocol
provided that the protocol is secure. The parameters received from the server will be passed to the
credentialGet call, typically with little or no modification.
② Client Calls authenticatorGetCredential on Authenticator via CTAP - Internally, the client will validate
the parameters and fill in any defaults, which become the clientData. One of the most important param-
eters is the Relying Party ID, which recorded as part of the clientData so that the Relying Party ID can
be verified by the server later. The parameters to the credentialGet call are passed to the authenticator,
along with a SHA-256 hash of the clientData (only a hash is sent because the link to the authenticator
may be a low-bandwidth NFC or Bluetooth link and the authenticator is just going to sign over the hash
to ensure that it isn't tampered with).
③ Authenticator Creates an Assertion - The authenticator finds a credential for this service that matches
the Relying Party ID and prompts a user to consent to the authentication. Assuming both of those steps
are successful, the authenticator will create a new assertion by signing over the clientDataHash and
authenticatorData with the private key generated for this account during the registration call.
④ Authenticator Returns Data to Client - The authenticator returns the authenticatorData and assertion
signature back to the client.
⑤ Client Creates Final Data, Application sends response to Server - The authenticatorGetCredential call
returns a PublicKeyCredential with the authenticator’s assertion response. It is up to the application to
transmit this data back to the server using any protocol and format of its choice.
⑥ Server Validates and Finalizes Authentication - Upon receiving the result of the authentication request,
the server performs validation of the response such as:
1. Using the public key that was stored during the registration request to validate the signature by the authentica-
tor.
2. Ensuring that the challenge that was signed by the authenticator matches the challenge that was generated by
the server.
3. Checking that the Relying Party ID is the one expected for this service.
This report provides information about two key munities by ensuring that their DFS implementations
functions supporting DFS: initial identification of use open international technology standards.
customers at enrolment and strong authentication The Financial Action Task Force (FATF) recom-
of customers returning to access DFS services. Both mends a risk based approach for regulated entities
functions are essential to meet regulatory require- which includes understanding the digital ID systems
ments, de-risk service provision and to improve level/s of assurance for identity proofing and authen-
customer experiences. tication and that these assurance levels are appro-
The implementation examples describe many priate for consumer due diligence. Strong consumer
different system and technology approaches, each authentication is based on two or more factors of
dealing with a different set of constraints and envi- authentication hence a high level of assurance which
ronments. The examples build on either centralized is consistent with the FATF recommendation.
authorities and systems or distributed and decen- As new technologies and approaches appear,
tralized systems depending on the capabilities of standardization becomes critical, both to ensure that
the constituency, available technologies and socie- existing threats and risks are addressed, and that the
tal norms. There is no single optimum solution for all new technologies are compatible and fit into existing
environments. However, implementers can benefit architectures.
from the experience of the global standards com-
DFS Providers engage with consumers and manage most aspects of their user experience. Careful attention to
customer journeys and user experience can increase trust in the system and increase operational security. Open
Banking has published Customer Experience Guidelines [18] that describe ‘experience principles’ which were
developed to assist designers.
• Control: Consumers need to have a sense of control through having the right tools and clear information at
the right time.
• Speed: Speed must be appropriate to the specific customer and interaction. Fastest is not always best.
• Transparency: Transparency of choice, action and information about consequences are crucial.
• Security: Fraud and data privacy are top concerns for users of DFS. Messaging and information about secu-
rity measures must be clear and direct.
• Trust: The combination of the Control, Speed, Transparency and Security principles create a trusted environ-
ment for the customer.
Authentication standards organizations publish “This white paper outlines how the FIDO stan-
guidance material for authentication system provid- dards compliment federation protocols. It also
ers to assist with implementation. Guidance material provides guidelines on how to integrate the two
relevant to the standards cited in this report include: in order to add support for FIDO-based MFA and
replace or supplement traditional authentication
NIST Trusted Identities Group: methods in federation environments.”
https:// w ww . nist . gov/ i tl/ t ig/ p rojects/ s pecial
-publication-800-63 OpenBanking:
Implementation guidance https:// w ww .openbanking .org . uk/ p roviders/
standards/
• “NIST will work with the community to prepare Customer Experience Guidelines
implementation guidance for the Digital Identity
Guidelines. The goal is to give implementers eas- • “This document brings together regulatory
ily deployable guidance and help them meet the requirements and extensive customer research
requirements.” to provide customer experience guidelines and
examples of customer journeys for third party pro-
Fido Alliance: viders and account providers. They are designed
https://fidoalliance.org/white-papers/ to encourage adoption of Open Banking-enabled
products and services.”
• FIDO Alliance White Paper: Enterprise Adoption
Best Practices – Managing FIDO Credential Lifecy- GSMA Mobile Connect:
cle for Enterprises (April 2018): https:// w ww . gsma .com/ i dentity/ w pcontent/
“This white paper provides guidance to IT and uploads/2019/03/mc_mwc_platforms_booklet2
Security professionals on how manage FIDO _web_02_19-1.pdf
authentication credentials throughout their full GSMA Platforms & Operations services, February
lifecycle.” 2019
• FIDO Alliance White Paper: How FIDO Standards
Meet PSD2’s Regulatory Technical Standards “The GSMA offers a series of technical platforms and
Requirements on Strong Customer Authentication services designed to help mobile network oper-
(December 2018): ators (MNO) and service providers (SP) deploy
“This document provides a detailed review of Mobile Connect successfully:
the security requirements listed in the Regula- • Interoperability Testsuite Portal: Check if your
tory Technical Standards For Strong Customer Mobile Connect product complies with the Mobile
Authentication and Common and Secure Open Connect specification.
Standards Of Communication under PSD2 (the • API Exchange: Become part of a Mobile Connect
RTS) and describes how the FIDO standards meet ecosystem with other MNOs to be able to offer
such requirements.” seamless cross-operator reach to Service Provid-
• FIDO Alliance White Paper: FIDO & PSD2 – Provid- ers.
ing for a Satisfactory Customer Journey (Septem- • Developer Portal (with Sandbox and SDKs):
ber 2018): Comprehensive documentation and tools to facil-
“This white paper examines the different authen- itate the integration of Mobile Connect into your
tication models that could apply within the inter- applications.
actions of a Third-Party Provider and an Account • Operator Management Console: Self-service por-
Servicing Payment Service Provider. It proposes tal to access reports and manage business pro-
the FIDO standards as a solution to simplify the cesses between you and GSMA.
user experience, for any of these models, in a way • Service Desk: Single point of contact for all Mobile
that meets the Strong Customer Authentication Connect enquiries.
requirements of PSD2.” • Monitoring & Incident Management: Check the
• FIDO Alliance White Paper: Enterprise Adoption health of your Mobile Connect components and
Best Practices – Integrating FIDO & Federation the status of any incident affecting these.”
Protocols (December 2017):