Expected Use Cases of FIDO authentication in Social Apps in Jap… · Status of FIDO in Japan...

Expected Use Cases of FIDO authentication

in Social Apps

Naohisa Ichihara

Security Deparatment Manager

LINE Corporation

April 26th, 2019

FIDO Seminar at Bangkok

2

BackgroundWho I am?

Naohisa IchiharaManager, Security Departmentin charge of;- LINE account security- Anti-account hijack- Trust and safety team leading- FIDO Alliance Board member, Japan WG vice chair

3

0. Status of FIDO in JapanWhat’s happening in Japan

FIDO Japan WG: Mission and Activities

FJ-Deployment

@ Scale

Sub WG

APAC Market D

evelopment Ma

nager

FIDO2 Go-To-Ma

rket Strategy

Sub WG

Technology

Sub WG

Chair

Vice Chairs

Formation of Sub WGs

To effectively achieve the mission of FIDO Alliance in Japan: “Promote the expansion ofFIDO’s simpler and stronger authentication standards to remedy the password problems.”

Mission and Activities

Help members’ communications within FIDO Alliance

• Language and communication style

• Time differences

• Help understanding and discussions of FIDO standards

• Gather regional requirements if needs

External Communications in Japanese

• Web site (major messages)

• Case studies of FIDO adoption

• Overview of specifications

• Translations of glossaries in Japanese

Translation Sub WG was disbanded but FJWG members are working continuously. Marketing Sub WG has been disbanded because of new staffing changes.

All Rights Reserved | FIDO Alliance | Copyright 20194

NOTE: Government relations are out of scope due to some reasons at this moment.


FIDO Japan WG of Global Members

10 when announced, 11 when launched, and now 25 members as of January 18, 2019


FIDO Deployments in Japan

† Companies which deliver FIDO Certified products or solutions utilizing FIDO Certified products, or service pro

viders which deploy (or committed to deploy) such products, solutions, or their own FIDO Certified products.


A Big Success – Seminar & PR Conference

• Seminar - 5th annual event, 300+ actual audiences, 11 wonderful sponsorship,and 11 great speakers successfully made a great story of FIDO2, Security andPrivacy, Case Studies based on Real Deployments and their commitments.


Notable Continuing Deployment since 2015

Step-1: 36 UAF Certified docomo Android devices May 2015 through 2017 (UAF 1.0)

Step-3: UAF 1.1 app on any latest Android, now available for other MNOs since 2018

Step-2: All Touch ID or Face ID equipped iOS devices since Mar 2016 (UAF 1.0)

Carrier Billing Payment

Partner Services

Successfully migrated to a platform based implementation in 2018


Notable Deployments in Japan 2017-2018

Sep 2017 Feb 2018 Oct 2018 Nov 2018 Dec 2018

10

BTW, Why and What we expect FIDO?

11

Why and What we expect FIDO?

• (1) Password-less Experience makes both users and SPs happier

12


• (2) Anti-Phishing

ServicePhishingUser ServicePhishingUser

ID, PasswordID, Password

Send One time password

OTPOTP

Access Token

non-FIDO 2FA FIDO2

ID, PasswordID, Password

FIDO protocol

13


• (3) New era of “Digital Identity” is coming

Password-Less Account Recovery

PhishingPassword-list Attack

Re-use of same password problem

On one hand, Many issues for Password Authentication are remaining,

Forgotten Password

14



Mass Surveillance Automated StoreScoring

On one hand, Many issues for Password Authentication are remaining,On the other hand, AI-based tech is creating new values of digital identity

15



LINE Pay e-KYC

On one hand, Many issues for Password Authentication are remaining,On the other hand, AI-based tech is creating new values of digital identity

16

1. LINE introductionWho we are?

4 major regions

Japan Taiwan Thailand Indonesia

LINEのスピードと成長

B2C Platform

Payment Platform

Creator’s Sticker Market

BUSINESS CONNECT

IoT Platform

1. Introduction

Possibility as an IdP/Communication Platform

LINEのスピードと成長1. Introduction

Character Brand Business

Taxi Service

Food Delivery

MVNO

Bridging between Real & Digital

Digital Ticket


AI Speakers Virtual Home Robot

Brand-new Communication


Virtual Currency

Blockchain Platform and applications

Fin-Tech

“LINE Insurance” “LINE Bank”

23

2. Possibility of FIDOWhere and how we could apply FIDO in our service?

Authentication / Privacy related features

Account

Registration

Back-Up

Restore

Application

Unlock

Chat

History

Backup

/ Export

Account

Migration

Change

Email or

Password

Authentication / Privacy related features

Account

Registration

Back-Up

Restore

Application

Unlock

Chat

History

Backup

/ Export

Account

Migration

Change

Email or

Password

FIDO not available↑

“Account Recovery” issue

FIDO not available↑

Off-line UX

Only in case ofthe same device

Authenticationitself as Optional

Authenticationitself as Optional

Federation

Fin-Tech / Block chain

IoT

3rd Party App (Web) Clova

Desktop LINE app

“LINE Things”

LINE Pay

“LINE Login”

Federation

Fin-Tech / Block chain

IoT

3rd Party App (Web) Clova

Desktop LINE app

“LINE Login”

“LINE Things”

LINE Pay

28

3. Use cases AnalysisIntroduce how we integrate FIDO and our feasible use cases

(0) FIDO registration

Account

Registration

When login

in mobileFrom setting Just before using FIDO

access.line.me

Register your

Finger now?

1st factor authentication without email/pw

3rd party services can authenticate/authorize users secure and fast.

(1) Social Login (“LINE Login” in Mobile webs)

access.line.me

LINE Login can get high assurance level of user consent

User confirmation check

With single gesture, 3rd party native apps can provide easy account creation and authentication.

LINE app

(1) Social Login (“LINE Login” in Mobile native apps)

access.line.me

3rd party app

With single gesture, 3rd party native apps can provide easy account creation and authentication.

- Re-design for (1) login authentication screen and flow (2) anonymous auto-login? (3) FIDO-device MGT, ..

(1) Social Login (“LINE Login” in Web apps)

When changing email, password or in case of backup, export or restore of chat history

(2) Setting Confirmation

LINE app

access.line.me

(3-1) Bootstrap (currently, email + password -> QR code or PIN-code)

(3-2) Re-Auth (currently, email + password)

(3) Desktop App Login

LINE app

access.line.me

LINE app (Desktop)

Transaction confirmation for payment (Step-up authentication) across web and app

For high risk transaction, multi factor authentication is required

(4) Transaction Authentication (mobile)

LINE Pay

access.line.me

Add extra layer of security by leveraging secret keys (2nd factor authentication for login and withdrawal)

(4) Transaction Authentication (web)

bitbox.mebitbox.me

Manage and control IoT devices with secure manner

Users can control IoT devices

with LINE app

• Start the car engine

• Turn on the air conditioner

• Monitor and watch your house

LINE Things

(5) IoT Control

access.line.me

LINE app

Possible use cases

Web

LINE

Desktop App

3rd Party Web/Mobile App 3rd Party IoT

Mobile app

LINE Pay

LINE Pay App inside of LINE

Clova

LINE xxx

LINE family app

(normal)

AI speaker

Connected Car

LINE xxxLINE Game

LINE family app

(critical)

(1)Social Login

(federation)

(1) or (4)

(3) Desktop App

Login

(2) Setting

Confirmation

(4)(4) Transaction Auth

(5) IoT Control

(1) + (5)

(6)

Use cases and FIDO protocol

Use cases Scenes FIDO

(0) FIDO Registration Reg, Login, Setting, Just before usage UAF, U2F/FIDO2

(1) Social Login Mobile app UAF

Mobile web UAF

PC web U2F/FIDO2

(2) Setting Confirmation Email/PW change, Backup/Export chat history

UAF

(3) Desktop App Login Native desktop app, UAF

(4) Transaction Authentication Mobile / Payment, Transfer money, Invest, .. UAF

PC Web / (same as above) U2F/FIDO2

(5) IoT Control IoT with Mobile app UAF

40

4. Summary

UAF/U2F/FIDO2 (Universal)

Web / Mobile /

PC clientNot only LINE

Coverage

Harmonization

of UAF and FIDO2

Account

Recovery

Integration

as IdP

Issues

for Connected

World

for Digital Identity(beyond

authentication)

Disruption

Future of FIDO

2019Deployment

2018Certification

2020All Services

2017Joined FIDO

as a Board Member Open Source

45

LINE engineer blog

Expected Use Cases of FIDO authentication in Social Apps in Jap… · Status of FIDO in Japan...

Documents

Transcript of Expected Use Cases of FIDO authentication in Social Apps in Jap… · Status of FIDO in Japan...