Expected Use Cases of FIDO authentication
in Social Apps
Naohisa Ichihara
Security Department Manager
LINE Corporation
April 26th, 2019
FIDO Seminar at Bangkok
Background: Who I am?
Naohisa Ichihara, Manager, Security Department, in charge of:
- LINE account security
- Anti-account hijack
- Trust and safety team leading
- FIDO Alliance Board member, Japan WG vice chair
0. Status of FIDO in Japan: What's happening in Japan
FIDO Japan WG: Mission and Activities
Formation of Sub WGs (organization chart on slide): Chair and Vice Chairs; APAC Market Development Manager; FJ-Deployment @ Scale Sub WG; FIDO2 Go-To-Market Strategy Sub WG; Technology Sub WG.
To effectively achieve the mission of FIDO Alliance in Japan: "Promote the expansion of FIDO's simpler and stronger authentication standards to remedy the password problems."
Mission and Activities
Help members’ communications within FIDO Alliance
• Language and communication style
• Time differences
• Help understanding and discussions of FIDO standards
• Gather regional requirements if needed
External Communications in Japanese
• Web site (major messages)
• Case studies of FIDO adoption
• Overview of specifications
• Translations of glossaries in Japanese
Translation Sub WG was disbanded but FJWG members are working continuously. Marketing Sub WG has been disbanded because of new staffing changes.
All Rights Reserved | FIDO Alliance | Copyright 2019
NOTE: Government relations are out of scope at this moment.
FIDO Japan WG of Global Members
10 when announced, 11 when launched, and now 25 members as of January 18, 2019
FIDO Deployments in Japan
† Companies which deliver FIDO Certified products or solutions utilizing FIDO Certified products, or service providers which deploy (or committed to deploy) such products, solutions, or their own FIDO Certified products.
A Big Success – Seminar & PR Conference
• Seminar - 5th annual event, 300+ actual audience, 11 sponsors and 11 speakers, which together made a great story of FIDO2, security and privacy, and case studies based on real deployments and their commitments.
Notable Continuing Deployment since 2015
Step-1: 36 UAF Certified docomo Android devices, May 2015 through 2017 (UAF 1.0)
Step-2: All Touch ID or Face ID equipped iOS devices since Mar 2016 (UAF 1.0)
Step-3: UAF 1.1 app on any latest Android, now available for other MNOs since 2018
Carrier Billing Payment
Partner Services
Successfully migrated to a platform based implementation in 2018
Notable Deployments in Japan 2017-2018
(Timeline on slide: Sep 2017, Feb 2018, Oct 2018, Nov 2018, Dec 2018)
By the way, why do we expect FIDO, and what do we expect from it?
Why and What we expect FIDO?
• (1) Password-less Experience makes both users and SPs happier
Why and What we expect FIDO?
• (2) Anti-Phishing
(Diagram on slide, two panels, "non-FIDO 2FA" and "FIDO2", each with User, Phishing site and Service. Non-FIDO 2FA: the user enters ID and password, the service sends a one-time password, the user enters the OTP, and the phishing site in the middle ends up holding the Access Token. FIDO2: ID and password, then the FIDO protocol runs between the user and the service.)
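Why the relay in the left panel stops working under FIDO2 comes down to two checks the relying party performs on every WebAuthn assertion: the origin that the browser (not the page script) writes into clientDataJSON, and the rpIdHash the authenticator puts into its signed data. The Python model below is an added example, not code from this presentation or from LINE. It assumes access.line.me as the RP ID and https origin, uses a made-up phishing hostname, simplifies the browser's rpId rule (no public-suffix handling), and leaves out the ECDSA signature so that the binding checks stand on their own.

```python
import base64
import hashlib
import json
import secrets

# Relying party (RP) configuration.  access.line.me is the host shown on the
# slides; treating it as the RP ID and https origin is an assumption.
RP_ID = "access.line.me"
RP_ORIGIN = "https://access.line.me"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- non-FIDO 2FA: an OTP carries no information about where it was typed ---
def otp_verify(expected: str, submitted: str) -> bool:
    """A relayed OTP verifies fine: the server cannot tell a phishing page
    from its own login page."""
    return secrets.compare_digest(expected, submitted)


# --- FIDO2/WebAuthn: browser and authenticator bind origin and RP ID ---
def authenticator_sign(rp_id: str, user_present: bool = True) -> bytes:
    """Authenticator data layout: rpIdHash (32) | flags (1) | signCount (4).
    The signature over authenticatorData || sha256(clientDataJSON) is omitted;
    this example isolates the binding checks."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def browser_get_assertion(origin: str, requested_rp_id: str, challenge: bytes):
    """Model of navigator.credentials.get(): the browser records the origin
    itself and refuses an rpId that is neither the origin's host nor a parent
    domain of it (simplified: no public-suffix list)."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError(f"SecurityError: rpId {requested_rp_id!r} not valid for {origin}")
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    return client_data_json, authenticator_sign(requested_rp_id)


def rp_verify(expected_challenge: bytes, client_data_json: bytes, auth_data: bytes):
    """Server-side checks from the WebAuthn assertion verification procedure
    that defeat a relaying phisher.  Returns (accepted, reason)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(client_data["challenge"]), expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def login_via(page_origin: str, rp_id_requested: str):
    """One login attempt: the RP issues a challenge, the page at page_origin
    (the real site or a phisher relaying the challenge) hands it to the user's
    browser, and the RP checks what comes back."""
    challenge = secrets.token_bytes(32)
    try:
        cdj, auth_data = browser_get_assertion(page_origin, rp_id_requested, challenge)
    except PermissionError as exc:
        return False, str(exc)
    return rp_verify(challenge, cdj, auth_data)


if __name__ == "__main__":
    # Constructed scenarios; the phishing hostname is made up.
    print("OTP relayed through phisher:", otp_verify("482913", "482913"))
    print("FIDO2 on real origin:", login_via(RP_ORIGIN, RP_ID))
    # Phishing page asks for the real RP ID: the browser refuses outright.
    print("FIDO2 phisher, real rpId:", login_via("https://access-line.me.example", RP_ID))
    # Phishing page uses its own rpId: the RP rejects the origin.
    print("FIDO2 phisher, own rpId:", login_via("https://access-line.me.example", "access-line.me.example"))
```

The point of the two phishing cases is that the attacker has no move that gets past both sides: asking for the victim's RP ID is refused by the browser before any signature exists, and asking for its own domain yields an assertion whose origin and rpIdHash the real service will not accept. The OTP path has no such anchor, which is why relaying it works.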
Why and What we expect FIDO?
• (3) New era of "Digital Identity" is coming
On one hand, many issues with password authentication remain: phishing, password-list attacks, re-use of the same password, forgotten passwords, and password-less account recovery.
On the other hand, AI-based tech is creating new values of digital identity: mass surveillance, automated stores, scoring, and LINE Pay e-KYC.
1. LINE introduction: Who we are?
4 major regions
Japan Taiwan Thailand Indonesia
1. Introduction: LINE's speed and growth
B2C Platform
Payment Platform
Creator’s Sticker Market
BUSINESS CONNECT
IoT Platform
Possibility as an IdP/Communication Platform
1. Introduction: LINE's speed and growth
Character Brand Business
Taxi Service
Food Delivery
MVNO
Bridging between Real & Digital
Digital Ticket
1. Introduction: LINE's speed and growth
AI Speakers Virtual Home Robot
Brand-new Communication
1. Introduction: LINE's speed and growth
Virtual Currency
Blockchain Platform and applications
Fin-Tech
“LINE Insurance” “LINE Bank”
2. Possibility of FIDO: Where and how could we apply FIDO in our service?
Authentication / Privacy related features
- Account Registration
- Back-Up
- Restore
- Application Unlock
- Chat History Backup / Export
- Account Migration
- Change Email or Password
Slide annotations on these features: "FIDO not available: the 'Account Recovery' issue"; "FIDO not available: off-line UX"; "Only in case of the same device"; "Authentication itself is optional" (marked twice).
Federation: "LINE Login"
Fin-Tech / Blockchain: LINE Pay
IoT: "LINE Things"
3rd Party App (Web)
Clova
Desktop LINE app
3. Use cases Analysis: Introduce how we integrate FIDO and our feasible use cases
(0) FIDO registration
Entry points: at account registration, when logging in on mobile, from settings, or just before using FIDO.
access.line.me prompts: "Register your finger now?"

(1) Social Login ("LINE Login" in mobile webs)
1st factor authentication without email/password. 3rd party services can authenticate and authorize users securely and fast. LINE Login can get a high assurance level of user consent (user confirmation check). (Screens: access.line.me)

(1) Social Login ("LINE Login" in mobile native apps)
With a single gesture, 3rd party native apps can provide easy account creation and authentication. (Screens: LINE app, access.line.me, 3rd party app)

(1) Social Login ("LINE Login" in web apps)
- Re-design needed for (1) login authentication screen and flow, (2) anonymous auto-login?, (3) FIDO-device management, ...
(2) Setting Confirmation
When changing email or password, or in case of backup, export or restore of chat history. (Screens: LINE app, access.line.me)
(3) Desktop App Login
(3-1) Bootstrap (currently: email + password -> QR code or PIN code)
(3-2) Re-Auth (currently: email + password)
(Screens: LINE app, access.line.me, LINE app (Desktop))
(4) Transaction Authentication (mobile)
Transaction confirmation for payment (step-up authentication) across web and app. For high-risk transactions, multi-factor authentication is required. (Screens: LINE Pay, access.line.me)

(4) Transaction Authentication (web)
Add an extra layer of security by leveraging secret keys (2nd factor authentication for login and withdrawal). (Screens: bitbox.me)
(5) IoT Control
Manage and control IoT devices in a secure manner. Users can control IoT devices with the LINE app:
• Start the car engine
• Turn on the air conditioner
• Monitor and watch your house
(Screens: LINE Things, access.line.me, LINE app)
Possible use cases (matrix on slide)
Targets: Web; LINE Desktop App; 3rd Party Web/Mobile App; 3rd Party IoT; Mobile app (LINE Pay, LINE Pay App inside of LINE, Clova, LINE xxx / LINE family app (normal), AI speaker, Connected Car, LINE xxx / LINE Game / LINE family app (critical))
Use cases placed in the matrix: (1) Social Login (federation); (1) or (4); (3) Desktop App Login; (2) Setting Confirmation; (4) Transaction Auth; (5) IoT Control; (1) + (5); (6)
Use cases and FIDO protocol

Use case                        Scenes                                          FIDO
(0) FIDO Registration           Reg, Login, Setting, Just before usage          UAF, U2F/FIDO2
(1) Social Login                Mobile app                                      UAF
                                Mobile web                                      UAF
                                PC web                                          U2F/FIDO2
(2) Setting Confirmation        Email/PW change, Backup/Export chat history     UAF
(3) Desktop App Login           Native desktop app                              UAF
(4) Transaction Authentication  Mobile / Payment, Transfer money, Invest, ..    UAF
                                PC Web / (same as above)                        U2F/FIDO2
(5) IoT Control                 IoT with Mobile app                             UAF
4. Summary
UAF/U2F/FIDO2 (Universal)
Coverage: Web / Mobile / PC client, not only LINE
Issues: Harmonization of UAF and FIDO2; Account Recovery; Integration as IdP
Disruption: Future of FIDO for the Connected World and for Digital Identity (beyond authentication)
Roadmap: 2017 Joined FIDO as a Board Member; 2018 Certification; 2019 Deployment; 2020 All Services; Open Source
LINE engineer blog