Authentication and identification
www.computop.com
Content

The difference between identification and authentication 3
PKI (public/private key infrastructure) 4
Authentication with FIDO 7
Identity providers with potential 10
Summary 11
Security on the internet is one of the biggest issues of our time. Owing to the increasing amount of digitisation in all areas of life, secure identification and authentication are becoming more and more important. Particularly the transfer of sensitive data such as payment transactions must be performed with as little risk as possible in order to protect service providers and service users against the theft and misuse of valuable information.

While personal ID cards are recognised as a reliable identification medium in the analogue world, the uncharted digital territory feels almost like the wild west. The established combination of user name and password is comparatively insecure and the alternative, more sophisticated methods are competing for the best positions on the market. While many companies, initiatives and even the government are working on solutions, a standardised and generally accepted system for secure identification and authentication has yet to be established.

Ralf Gladis, Co-founder and CEO of Computop
The difference between identification and authentication

Many people use both terms synonymously, but they describe two different processes. Identification is when a person proves their identity to an authority or entity to which they were previously unknown. This occurs, for example, via conventional registration with an email address and password, which is sufficient for many services. For more sensitive applications such as payment transactions or banking, on the other hand, there are more sophisticated identification processes such as Postident and WebID. These use significantly more complex methods to check whether a person corresponds to the identity he or she claims to have.

Authentication, on the other hand, involves recognition. After a user has identified themselves and registered, they must then log in. For this and all subsequent uses, they must be authenticated. The usual pairing of user name and password entered during registration is typically used for this purpose.

However, this method has been the focus of criticism for years. In contrast to other processes, it is relatively insecure, particularly when the user's email address serves as the user name as well: it is often known to a large group of people, which weakens the level of security. In addition, many customers consider password management a tedious annoyance. As a result, instead of using complex letter and number combinations (ideally a different one for each portal), they often use an easily memorable code based on birth dates or family names, often comprising just a few characters. Such weak passwords are easy to crack and present a high security risk.

Alternatives include social-login solutions provided by sites such as Facebook, Twitter, LinkedIn or Google once the user has registered. The advantage is that, in contrast to user name and password combinations, website operators do not store the login data on their servers. Instead, the authentication is performed via the plug-in of the relevant site. This means that criminals can only steal the login information directly from the login solution provider and would have to hack the social media account itself. Many platforms offer optional two-factor authentication via mobile phone number. This would make them significantly more secure than with just one password or with access via a password manager. However, many users do not take advantage of this option, either for convenience reasons or because they are wary of giving the sites their mobile numbers. Security is not enhanced by this behaviour, but data scandals, especially the ones Facebook has been involved in, have made users cautious. Apple's newly introduced solution, "Sign In with Apple", addresses this problem and focuses on user privacy. Unlike Facebook and Google, the company's business model means that it is not dependent on trading in specific user information, and thus Apple enjoys greater user trust. At the same time, all three providers are shifting the problem to central accounts, be it Facebook, Apple or Google, because in the end these accounts are also password-protected.

Survey: Do you use different passwords for different services? (Carried out by Bilendi GmbH on behalf of WEB.DE.) Too careless with passwords: 61% of German internet users use the same password for several or all online services. When it comes to users under 30, this figure rises to 73%.

Yes, an individual password for each service: 34% (total population), 24% (18 - 29 year olds)
Sometimes the same password for several services: 55% (total population), 63% (18 - 29 year olds)
No, the same password for all services: 6% (total population), 10% (18 - 29 year olds)
I don't know / No answer: 5% (total population), 3% (18 - 29 year olds)
In addition, it is not possible to fully identify users via this method. The social media giants lack the final proof of identity, which can only be provided by service providers who identify their users in a lawful manner and then securely link the information to an authentication process. They are then able to link each authentication to the identity behind it. Solutions exist which meet these high security requirements.

PKI (public/private key infrastructure)

For 20 years, technology has allowed identification and authentication to be encoded asymmetrically via a private and a public key. The secure infrastructure described below which is used for this purpose relies on a certification authority (CA) which verifies public keys and issues digital certificates for them. The key pair is usually generated on the device or smartcard of the user. The private key always stays with the user, while the public counterpart, which has been signed by the CA, is submitted to the service for which they are registering. For the authentication, the service provider then sends the user a calculation which they can only solve if they possess the private key. Only the service with the matching public counterpart which has sent the request is able to check the solution.

Processes such as 'Identity management' and 'Postident' in Germany or BankID in Sweden are state-regulated identity verifications. Regulators recognise them as equivalent to identification through personal presence. These processes must fulfil specific regulations in the relevant countries in order to be accepted as secure by the government. For example, in Germany the identification must be carried out by service provider employees who are in access-protected rooms. Additional requirements include, among many others, uninterrupted video identification in real time and adequate image and sound quality.

The central security element of the public/private key infrastructure is therefore the private key. The security provider only issues it in a protected environment. This may be, for example, a protected hardware sector in an iPhone. The public key is signed by a certificate authority (CA). As with the SSL certificate of a website, the certificate is verifiable for any outsider and is generally issued for the email address of the user. The authenticity, confidentiality and integrity of messages are thus guaranteed.

If the issuer of the certificate has checked and verified the identity of the user, the user can use it to sign documents in accordance with signature legislation. The digital signature thus replaces the 'wet' signature.

[Figure: PKI key pair – user interaction between user, web service and PKI. Labelled steps (1 to 6): issuance of a public/private key pair; registration with the public key; identity request; identity verification; authentication request; authentication response.]
PKI in practice

With clearly and lawfully identified customers, data centres and smartcards, banks have the ideal conditions to work in this business field. Despite these options, banks have not yet recognised the market for themselves. In Germany, the Sparkasse trust centre, S-Trust, has now completely ceased its business operations for end customers. All banks are currently considering how to implement the strong authentication required by PSD2. However, the institutions quite literally have the key in their hands. Bank cards, generally girocards, also offer the advantage that almost everyone has one with them at all times. Solutions involving personalised hardware for the end customer such as a dedicated TAN generator, on the other hand, are no longer in demand and have not prevailed over the last 20 years. New alternatives for the authentication of digital identities must tread logical, convenient and uncomplicated paths.
PKI at the point of sale

Sending personalised hardware to the end client is no longer required due to the rapidly advancing digitisation in authentication. The point of sale (POS), however, is a special case. The card terminal contains the certificate issued by a PKI which is operated by the payment service provider (PSP). The PCI P2PE security standard of the credit card industry guarantees that credit card data is transferred in encrypted form directly from the card terminal at the POS to the PSP, who then decrypts the information in accordance with the PCI standards and transfers it to the acquiring bank. Retailers who integrate P2PE terminals encapsulate the payment data and significantly reduce the effort required for PCI certification.
Authentication with FIDO

In order to reduce reliance on passwords, the FIDO Alliance is working on establishing public and licence-free industry standards for global online authentication. FIDO stands for Fast IDentity Online. The non-profit organisation was founded in 2012 by the companies Agnitio, Infineon, Lenovo, Nok Nok Labs, PayPal and Validity Sensors and has so far published the standards U2F (Universal Second Factor) and UAF (Universal Authentication Framework). The first is a specified hardware and software combination for two-factor authentication, and the latter is a network protocol for password-free authentication. Once a product is certified according to FIDO standards, the provider can mark it with the trademark-protected FIDO Certified logo.

As with the PKI solution, FIDO uses a pair comprising a public and a private key. However, the pair is not created by a central entity and transferred via a secure container, but rather generated and stored on the device, e.g. a smartphone. Specifically, this takes place in the FIDO authenticator, a protected software area in the smartphone. It supports various methods for user verification, which takes place every time the key is used, for example via biometric methods such as iris or fingerprint scans. Almost all operating system manufacturers offer suitable interfaces. Google integrates this from Android M onward, Apple from the iPhone 5s onward, and Microsoft uses it for Windows Hello, launched in 2015. In all cases, the respective system manages the key pairs in a secure area of the smartphone hardware, the trusted execution environment (TEE).

FIDO also allows separate hardware such as security keys. Providers such as YubiKey offer modern smartcards (such as in the form of a USB stick) which enable contact-based or contactless authentication without relying on a reader or a dedicated driver.

If a user wishes to make use of a password-free login via FIDO, they must log in at the respective web service or, if they do not have an account, they must register there. They then select the option to authenticate with FIDO. The FIDO authenticator then generates a specific pair of public and private keys especially for this service. In accordance with the stated principle, it transfers the public key to the service provider, and the private key does not leave the secure environment.

The rest proceeds as usual: the web service sends a request for authentication with a random number (known as a challenge) to the user's device, and the authenticator responds by signing it with the private key. The data used for the verification remains secure in the authenticator. As an open source standard, FIDO is suitable for effecting a paradigm shift in the security of the 'digital self'. However, the technology only offers the authentication. In order to create a digital identity, it must be joined with the identity from the identity provider.

FIDO in practice

For web services, FIDO is a convenient and secure option for authentication which they can integrate easily using a FIDO server. The W3C Consortium, a body for the standardisation of techniques on the Internet, has adopted Web Authentication, an authentication standard for web browsers with a FIDO connection that can be used for all common browsers. It enables password-free authentication in the browser. Users can log into websites using their fingerprint or via face recognition, and are thus no longer reliant on the comparatively insecure combination of user name and password. Microsoft, Google and Apple can use the API for smartphones and tablets with a fingerprint sensor (e.g. Touch ID) or face recognition (Windows Hello, Face ID). The biometric user data therefore remains in a secure area of the device, which it never leaves.
One of the first users to offer end clients the FIDO login was Google. The company used YubiKey to secure logins to its sites with a second factor. Samsung then entered the market and used FIDO for the biometric authentication on its smartphones. Initially, the Korean company still relied on strongly coordinated components. However, standardisation has recently progressed to the point where mobile telephones of different manufacturers are able to communicate with the authentication servers of other producers. The list of FIDO members currently includes service providers such as Amazon and eBay, finance companies such as MasterCard, VISA and PayPal, hardware manufacturers such as HUAWEI, Intel, Lenovo and Samsung, software companies such as Google and Microsoft, as well as security providers such as Gemalto, Giesecke+Devrient, RSA Security and Symantec. The German government is involved through the Federal Office for Information Security (BSI).

When used for e-commerce, retailers can offer their customers a biometric login when they register for the first time. As a result, users no longer have to worry about data theft if a hacker targets the database, since there are no saved passwords to be stolen. This also increases convenience, as they can easily make purchases with just their fingerprint.

The strong authentication required by PSD2 (see box "FIDO and PSD2") can be implemented by merchants via FIDO solutions. This provides them with anonymous, reliable and secure authentication information from their customers and allows them, in accordance with the SCA delegation requirements, to take over the strong authentication process that would usually be carried out by the issuers. This is an attractive way to provide customers with a shopping experience that is as seamless as possible and avoids friction, especially regarding the hotly debated topic of 3D Secure 2.0.

The improved experience derives from the card-issuing banks delegating the process to the merchants, who often offer the buyer a much more attractive user experience than the issuer at the point of checkout. All that merchants need for SCA delegation is an authentication process that complies with FIDO guidelines. Such solutions are, as already mentioned, available for mobile devices in apps, but are now also available for web browsers. Payment service providers such as Computop are able to provide this technology. Retailers themselves decide which particular biometric solution they want to use and are flexible with regard to integration.
FIDO and PSD2

The revised Payment Services Directive (PSD2) has been in force since 13 January 2018. This new Payment Services Directive aims to make electronic payments in Europe more convenient and secure for users. The accompanying stricter security guidelines require so-called strong authentication. To this end, it must combine at least two of the following three factors:

1 Knowledge: Information that only the user knows (e.g. password).
2 Possession: Something that only the user owns (e.g. smartphone).
3 Inherence: Something that is a personal or physical aspect of the user (e.g. fingerprint).

FIDO enables secure authentication without passwords. A separate key pair exists in the FIDO authenticator for every service to which a user logs in. The authenticator represents the factor of possession. A smartphone combines it with the factors of knowledge or inherence. The FIDO authenticator builds on this as it can only be activated via a PIN, fingerprint sensor or facial recognition.
Identity brokers

Identity brokers hold no identities themselves and thus do not carry out any authentications. Instead, they are aggregators who combine various small identity providers into one unit. They also provide services that build on digital identities. The market is currently experiencing a gold-rush atmosphere. Dozens of companies and start-ups are working on establishing themselves as central logins for internet services. These identity brokers advertise to both end customers as well as retailers and service providers. It seems unlikely that one of these players will win the race alone.

Since they cannot compete globally with the GAFA companies, providers often focus primarily on the national internet. However, the challenge is hard to meet on both national and international territory. Players such as Mobile Connect, yes!, verify-U or ID4me are facing clarity issues in online shops: these will only allow a limited number of login buttons for single-sign-on services on their website. As a result, very few alternative solutions are able to find a spot alongside the Facebook and Google logins. A common directory service of the providers in the market would be a possible solution. To this end, ID4me uses the Domain Name System (DNS). However, such a centrally managed registry is not sufficiently scalable. It is therefore being considered whether the core tasks of the DNS should be transferred to a blockchain. However, the identification could also run fully on this new technology.
Blockchain

Blockchain is a new technology for data storage and the secure management of information. It is a continuously expandable list of records (blocks) that are chained through cryptographic techniques, whereby each block consists of a cryptographically secure hash of the previous block, a timestamp and the transaction data. If someone wishes to manipulate a block, they must also change all the following blocks. The costs involved make this type of fraud completely unprofitable, making the technology tamper-proof.

Identity providers and brokers can store the customer's identity information along with the offered trust level, the cost of an identification and the delegation address for the authentication in the blockchain.

The end customer then clicks on the central checkout button on the online retailer's website and enters their email address there. The system then checks if a local authentication is available for the customer, either via a FIDO biometric solution or a user name and password combination. It then asks the blockchain if there is a registered identity provider for the customer. If not, they can register locally. The identity provider then delivers the identity information and confirms the successful authentication.
[Figure: identity broker flow between the user, the website (login/registration), identity brokers and identity providers: access request, authentication and access authorisation, shown as numbered steps 1 to 8.]
Identity providers with potential

The Big Four

It is currently hard to predict who will be responsible in the future for person identification in the digital environment. However, there are a few candidates who meet the essential prerequisites. Social media or the so-called Big Four ('GAFA': Google, Apple, Facebook and Amazon) could take on this role, but legally compliant identification requires transparent processes. Whether the Silicon Valley companies are interested in this is currently questionable. The role of authentication service provider seems more likely.

The State

The State is another player among potential identity providers. In Germany, with the issuance of a new generation of ID card (nPA), it is on paper the provider with the greatest coverage in the country. In two years, coverage theoretically lies at 100 percent. Minus the citizens who did not activate the card or do not know their PIN, realistic estimates of user numbers vary between 10 and 40 percent. To make matters worse, the actual number of users on the most popular identification channel of our time, the smartphone, is even lower. The market is generally divided into iOS and Android users. Another state that is turning to digital identification via electronic IDs is Estonia. There, citizens use the card to register a company on their computer, to vote in elections or to sign documents online. Other countries such as Italy, Uruguay and Sri Lanka are introducing modern identity verifications. Digital identification and authentication through state solutions is gaining more and more interest among governments around the world and is becoming an increasingly important factor on the market.

Banks

Financial institutions are always cautious about new business models from outside the industry and have not taken the opportunity to position themselves as relevant identity providers over the past twenty years. In Sweden, however, the state-approved internet identification system BankID proves that there is a market they could exploit. Customers use their online banking access data for identification on the Internet. In Germany, similar identity broker models (see box) such as Verimi and 'yes!' are on the starting blocks. The start-up 'yes!' aims to enable end customers to use their online banking login to log in to websites securely, generate qualified signatures and verify their identity and credit rating, without additional accounts. In contrast to 'yes!', which wants to turn banks into keys, Verimi aims to become a key itself. Anyone who wishes to use the brand has to create a separate account. Verimi's partners include Allianz, Deutsche Bank, Telekom, Daimler and Axel Springer.
Survey: Which second authentication option would you most like to use? (Source: ECC Köln)

1 TAN code via SMS: 40.2%
2 Fingerprint: 31.1%
3 TAN list: 11.5%
4 TAN code via email: 6.6%
5 TAN code via an app: 4.1%
6 Iris scan: 2.5%
7 Facial recognition: 2.5%
8 Voice recognition: 1.6%
Summary

Numerous initiatives exist to ensure secure digital identification and authentication in the future. Standards such as FIDO set the course for future business and government communication which gets by without passwords. Google, HUAWEI, Intel, Lenovo, Microsoft, Samsung and others are working on the aspects of functionality and convenience. Retailers ultimately decide if they identify and authenticate customers using their own system or if they will work together with service companies and full-service identity providers. However, development on the market shows one thing clearly: the reign of passwords is coming to an end.

Computop is prepared for the challenges of the future. The Computop POS terminals follow the standards of the PCI P2PE certification, which currently features the highest level of security. Computop's FIDO solution can support retailers and banks with biometric authentication during the payment process as well as with access controls. This enables customers to log into their customer accounts using a fingerprint or voice recognition, everything in accordance with the highest security standards and via FIDO servers in Germany. Banks can use Computop biometric solutions as a white-label offering.

About Computop – the payment people

As one of the very first payment service providers, Computop offers its customers around the world local and innovative omnichannel solutions for payment processing and fraud prevention. The Computop Paygate payment platform enables seamless integrated payment processes for e-commerce, at POS and on mobile devices. With this internally developed software, retailers and service providers have the flexibility and freedom to choose from over 350 payment methods, enabling them to specifically tailor their payment options per country. Technologies such as biometric authentication and self-learning algorithms improve security and convenience for retailers and consumers alike.

Computop, a global player with its head office in Germany and locations in China, England and the USA, has been servicing large international companies in the service, retail, mobility, gaming and travel industries for more than 20 years. These companies include global brands such as Bigpoint, C&A, Fossil, the entire Otto Group, Sixt and Swarovski. Computop also provides its payment system to banks and financial service providers as a white-label solution. Through its customer network and collaboration with the global marketplace Rakuten, Computop processes commercial payment transactions for more than 16,000 retailers annually, with a combined value of USD 34 billion. With its individual and secure solutions, Computop makes a major contribution to the future of international payment processing. | www.computop.com
Status 02/2019 . Subject to change . Copyright 2019 . Computop GmbH
Any further questions? Our experts will be happy to provide you with assistance: www.computop.com