(Strong) Authentication Trends

The future of Strong Authentication

So far, most applications still rely on passwords, but there is a growing need for strong authentication to protect against identity theft. As of January 13th, 2018, the Second Payment Services Directive (PSD2) requires every payment service provider to implement strong customer authentication (SCA) based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code (PSD2, Article 4).

In the area of two-factor authentication, mobile TAN (mTAN) is facing growing opposition and will eventually lose its predominant position to a plethora of Challenge-and-Response Apps. But actually, we are facing a more fundamental architectural shift: Passwords (including mobile TAN) will be replaced not by just another mechanism but by a 3-tier architecture model. In this presentation, we will look at current standards, trends and initiatives for each of these tiers using the NIST Digital Identity Guidelines (SP 800-63-3) as a conceptual base:

We will start with the user’s authenticator implemented on a mobile device according to a standard such as FIDO or the W3C Web Authentication API. We will investigate various approaches how an authenticator may be isolated from the OS (and its vulnerabilities) and how a user may activate her private key based on a PIN, biometrics, or wearables. Related to biometrics, the NIST SOFA-B initiative may be of special relevance.

Second, we will look at the functionality of an Identity Provider (IdP) and the SAML and OpenID Connect federation protocols used to integrate with Relying Parties. We will also address the SwissID initiative where major Swiss banks and public sector companies cooperate to provide a Digital Identity for Switzerland.

We will conclude with some strategic advice to Identity Providers and Service Providers on how to migrate to the future 3-tier model of strong authentication.

Key Takeaways:

• Passwords (including mobile TAN) will be replaced not by just another mechanism but by a 3-tier architecture model.
• Identity Providers (IdP) will be at the heart of the future authentication model.
• Standard interfaces are used to connect an authenticator to an IdP (FIDO and W3C Authn API) and to connect an IdP to Relying Parties (SAML and OIDC).

Presentation deck

The future of Strong Authentication

Click here to download the slide deck. Please note that downloads are only available for event participants and subscribers. You'll need to log in to download it.

Balancing User Experience and Cybersecurity in Healthcare: FIDO based Strong Consumer Authentication

Faced with mounting threats associated with consumer healthcare fraud, Aetna embarked on a journey to transform consumer authentication built upon FIDO standards and risk-based consumer authentication. During this talk we will discuss:

• Pitfalls of binary authentication & American healthcare consumer fraud trends
• Risk-based authentication
• Biometric-based authentication leveraging FIDO
• Using security to improve user experience and access to care

Presentation deck

Balancing User Experience and Cybersecurity in Healthcare: FIDO based Strong Consumer Authentication

Click here to download the slide deck. Please note that downloads are only available for event participants and subscribers. You'll need to log in to download it.