A First Step to a World without Passwords
•Download as PPTX, PDF•
2 likes•1,336 views
1) LINE is replacing existing biometric authentication with FIDO2 authentication in their mobile payment app LINE Pay to enhance security following payment fraud incidents. 2) They plan to expand FIDO integration to more LINE platforms and countries starting with the iOS version of LINE Pay in Japan. 3) LINE has developed their own FIDO authenticator called LINE iOS FIDO2 Combo which leverages the iPhone's Touch ID/Face ID and provides attestation through a trusted security module and whitebox abstraction layer.
Report
Share
More Related Content
What's hot
What's hot (20)
Similar to A First Step to a World without Passwords
Similar to A First Step to a World without Passwords (20)
More from FIDO Alliance
More from FIDO Alliance (20)
Recently uploaded
Recently uploaded (20)
A First Step to a World without Passwords
- 1. A First Step to a World without Passwords Ki-Eun Shin Presented at FIDO Authentication Seminar – Seoul (2019)
- 4. 4 1. Why FIDO matters to us?
- 6. Image source: Jose Luis Pelaez/Getty Images
- 7. Business Expansion to Fintech Era
- 8. 8 2. LINE Pay Integration
- 9. Register credit cards or charge money for payment (wallet-less) or money transfer Compliance with PCI DSS and ISO/IEC27001 Payments are completed with passcode or biometrics 1. 2. 3.
- 10. • To enhance security, we have decided to replace existing biometric authentications with FIDO2 authentication • Recently, there were security breaches in JP (Mobile payment fraud) • First release target: LINE Pay Standalone iOS App for JP • Plan to expand FIDO integration to more platforms (Pay Android Standalone App, Pay in LINE app or Web) and other countries Motivations LINE Pay Standalone App (Old version) LINE Pay Standalone App (After v1.4.0) Re-registration (migration)
- 11. High-Level Architecture LINE Pay iOS App (TALARIA) LINE Pay RP Server (for JP) LINE Pay Central Server LINE FIDO2 Server (for JP Pay) Passcode authentication (or old biometric authentication) FIDOOperations FIDOOperations LINE iOS FIDO2Combo Authentication management LINE FIDO2 Server (forTW Pay) LINE Pay RP Server (forTW) FIDOOperations Future works
- 12. Registration Flows Migration (App update) New users • Passcode (6 digit numbers) is a primary authentication method
- 13. Authentication Flows • Explicit authentication flows vary depending on the context User scans the QR code for payments and confirms the transaction
- 14. FIDO Operations Options (LINE Pay) • Use cases and requirements • Step-up authentication (or Transaction confirmation): passcode-less • Biometric authentication (as of now) • Strong assurance for authenticators • Authenticator attachment: platform • User verification requirement: required Authenticator Selection Criteria • direct Attestation Conveyance Preference • required User Verification Requirement • Non-empty (at least one entry) Allow Credentials Registration (Create) options Authentication (Get) options
- 15. • Authentication or related policies • Supported platforms • Support Native app only? both for iOS and Android? • Target web use cases as well? • Use cases for leveraging security keys • Just support for platform attached authenticators? • Strong assurance for authenticators • Choice for FIDO protocols • Support all FIDO specifications? • Or FIDO2 (WebAuthn) or UAF only? Integration Considerations (Check points)
- 16. 16 3. LINE FIDO Platform
- 17. LINE iOS FIDO2 Combo RP App (View) LINE iOS FIDO2Combo (FIDO2 Client,Authenticator Logics) LTSM (LINETrusted Security Module) WAL (WhiteBox Abstraction Layer) KAL (KeyChain Abstraction Layer) • Leverages Touch ID or Face ID • Provides Whitebox based attestation (packed attestation format)
- 18. Security of LINE iOS Authenticator (FIDO2 Combo) • Private key is stored on the client side • The private key is stored in Secure Enclave • The private key is bound to the user verification methods (Touch ID or Face ID) • Provide basic attestation • The attestation private key is shipped in the LTSM (based on WBC) • The attestation certificate is chained to the LINE attestation root certificate • Less-secure than hardware-backed attestation (better than self or none)
- 19. FIDO Universal Server • We have been preparing for FIDO Universal Server to cover more devices and uses cases
- 20. FIDO Servers Delivery Types • On-premise • We have a plan to deliver our servers by delivering the codes (or binary) to RPs • LINE Banks and LINE family financial related services (regulation issue) • We are going to keep maintaining the software and deliver them • AaaS (Authentication-as-a-Service) • We host the authentication server (FIDO servers) for RPs instead • LINE messaging app related services will use this type of approach • FIDO server can manage different RPs with dedicated RP ID • We also have admin console for managing RP and authenticators’ metadata
- 22. Possible Use Cases LINE Desktop app 3rd Mobile apps 3rd Party IoTs Mobile app LINE Pay Clova LINE Family apps AI speaker Connected car LINE Music (3) Social Login (2SV) AuthN provider (1) Login (4)Transaction Confirm (5) Access Control LINE Login (2) Single sign on (2SV) (5) Access Control 3rd Web apps Web app LINE Messenger app LINE Family webs LINE Store (2) Single sign on (2SV) (3) Social Login (2SV) LINE Securities (2) Single sign on (2SV) LINE Financial services
- 23. Our Timeline ~4Q, 2019 LINE Login Integration 4Q, 2018 FIDO universal server certification 2020 LINE Banks and Financial services Integration3Q, 2019 LINE Pay integration 2021 LINE all services integration ~4Q, 2019 LINE Pay (more county)
- 24. • Contribute FIDO and W3C WebAuthn Standards • Share our experiences and Know-Hows • Develop more use cases and accelerate FIDO adoptions • Collaborate with • Platform/browser vendors • Authenticator vendors • Identity providers Our Plan
Editor's Notes
- Is that really you? Account takeover, Fake account, Personal data breach, even for financial related data
- Password problem (Headache), Usability issue (even with secure authentication, without usability users might not use it)
- Two use cases - PIN Auth Off (Default): User needs to authenticate with PIN during transaction confirm (my code or user scan) if the amount of payment is 50,000yen - PIN Auth On: User needs to authenticate with PIN when user launching the app or app is locked (no PIN auth for confirmation)
- LINE Pay: LINE Pay standalone Android app for JP, LINE Pay (in LINE app) for JP. extends countries (TW) LINE Login: PC Web Login cases (enhance securities) by leveraging WebAuthn LINE Banks and financial services: Login, Transaction confirm use cases (integrate with federations)