(Strong) Authentication Trends

The future of Strong Authentication

Combined Session
Thursday, May 17, 2018 11:00—12:00
Location: CHIEMSEE

So far, most applications still rely on passwords, but there is a growing need for strong authentication to protect against identity theft. As of January 13th, 2018, the Second Payment Services Directive (PSD2) requires every payment service provider to implement strong customer authentication (SCA). SCA must be based on two or more elements categorised as knowledge, possession and inherence, and must result in the generation of an authentication code (PSD2, Article 4).

In the area of two-factor authentication, mobile TAN (mTAN) is facing growing opposition and will eventually lose its predominant position to a plethora of challenge-and-response apps. However, we are facing a more fundamental architectural shift: passwords (including mobile TAN) will be replaced not by just another mechanism but by a 3-tier architecture model. In this presentation, we will look at current standards, trends and initiatives for each of these tiers, using the NIST Digital Identity Guidelines (SP 800-63-3) as a conceptual base:

We will start with the user’s authenticator implemented on a mobile device according to a standard such as FIDO or the W3C Web Authentication API. We will investigate various approaches to isolating an authenticator from the OS (and its vulnerabilities) and how a user may activate her private key using a PIN, biometrics, or wearables. Regarding biometrics, the NIST SOFA-B initiative may be of special relevance.

Second, we will look at the functionality of an Identity Provider (IdP) and the SAML and OpenID Connect federation protocols used to integrate with Relying Parties. We will also address the SwissID initiative where major Swiss banks and public sector companies cooperate to provide a Digital Identity for Switzerland.

We will conclude with some strategic advice to Identity Providers and Service Providers on how to migrate to the future 3-tier model of strong authentication.

Thomas Kessler
Temet AG
Thomas Kessler is founding partner of TEMET AG (www.temet.ch), a privately owned information and IT security consultancy located in Zurich, Switzerland. Ever since finishing his studies in physics...
Jens Sonnentrücker
Swisscom
Jens Sonnentrücker is responsible for Identity Access Management at Swisscom AG in the Security Architecture division. Swisscom is the leading telecommunications company and one of...