Authenticate Day 4 Brings Regulations and WebAuthn Into Focus
By: FIDO ALLIANCE STAFF
With a weekend sandwiched in between, Day 4 of the Authenticate Conference, on Nov. 17, continued the solid lineup of speakers and topics that attendees learned from last week.
The morning sessions had a strong focus on the intersection of regulations, privacy and authentication. During the lunch and learn, attendees got a deep dive on biometrics and the FIDO Alliance’s Biometric Component Certification, including new updates to the program. During the afternoon sessions there were a pair of talks about the latest updates to the W3C Web Authentication specification, as well as insights into how developers can start to make use of the technology in their own applications and services.
The Regulatory Environment and FIDO
According to Jeremy Grant, Managing Director, Technology Business Strategy at Venable LLP, what governments have to say about authentication often has a significant impact on what types of authentication are used around the world.
In his session on What Regulators Want, Grant explained that authentication is important to governments for a few different reasons. Governments need strong authentication to protect access to their own assets, and it can also enable more high-value, citizen-facing services. Overall, authentication is getting increasing attention as an important layer of cybersecurity risk management, used to secure critical assets and infrastructure.
Over the last five years, Grant said that FIDO standards have started to find their way into governmental regulatory standards and guidance as an approach to help enable strong authentication.
“What we’re seeing now in 2020 is FIDO is increasingly emerging as the preferred choice of governments around the world,” Grant said.
In a panel session moderated by Grant, specific regulations in Europe, including PSD2 (Payment Services Directive 2), GDPR (General Data Protection Regulation) and eIDAS (electronic IDentification, Authentication and trust Services), were detailed, along with how FIDO Authentication can be used to comply with each regulation.
Grant explained that PSD2 is the European Union’s payment services directive that is focused on open banking and opening up the whole financial services ecosystem in terms of data and payments. The eIDAS initiative is about having electronic identification that can be used to help facilitate authentication in different industries including financial services. Finally, Grant noted that GDPR has emerged, not just as a European standard for privacy but arguably a global standard for privacy. While both PSD2 and eIDAS include some direction on strong authentication, that’s not the case with GDPR.
Alain Martin, Head of Consulting & Industry Relations, Banking & Payment Services at Thales, stated that GDPR does not talk about authentication and access rights at all; rather, it leaves the matter open.
“If you leave the access to the data protected by passwords, clearly there is a big gap,” Martin said. “In light of the heavy fines, our message is that generally speaking service providers should implement strong customer authentication in order to protect access to data.”
Privacy and Data Subject Rights
Looking beyond GDPR, a morning panel looked at the topic of Authentication as an Enabler of Better Privacy.
Annie C. Bai, Global Privacy Lead at Socure, explained that governments and regulators are now trying to empower individuals with data subject rights. That said, she noted that there are protections and safeguards that need to accompany those rights and that shouldn’t necessarily be in the hands of individuals. Shannon Dahn, Chief of the Privacy Section at the FDIC’s Office of the Chief Information Security Officer, outlined what federal privacy rights exist. Those rights provide consumers with information about their data and transparency about how the data is collected.
“Certainly having your data kept secure is another privacy right,” Dahn said.
Jamie Danker, Director of Privacy at Easy Dynamics Corp, noted that it’s important for organizations to also consider how secure access to private information is enabled.
“If you are advising a program that’s building a product or service that’s creating records or data that can be about individuals, you also have to think about the capabilities for your organization to actually permit such access,” Danker said.
W3C Web Authentication Specification Moving Forward
One of the key technologies that is helping to enable strong authentication is FIDO2 WebAuthn, which is standardized as the W3C Web Authentication specification.
Jeff Hodges, Software Engineer at Google, explained that WebAuthn is a web platform API that facilitates strong authentication for web applications.
“We care about it (WebAuthn) because it’s a replacement for username/password, bringing strong, phishing resistant authentication to the web,” Hodges said.
Version one of W3C Web Authentication was published in March 2019, and it’s now being updated in the second version, known as level two. Hodges noted that level two addresses some bugs that were found in the initial specification and it also benefits from a series of enhancements.
John Bradley, Senior Architect for Standards at Yubico, highlighted the new Large Blob Storage extension in level two. He explained that the Large Blob Storage extension allows a relying party to store encrypted arbitrary data along with the credential. He explained that a primary use case for this is to FIDO-enable web-based SSH sessions.
“So think, SSH public key certificates, being stored alongside the credentials on an authenticator,” Bradley said.
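To make the Large Blob Storage extension concrete, here is an added example (not code from the conference, Yubico or the FIDO Alliance) of how a relying party’s browser-side code would request the extension in the three WebAuthn Level 2 ceremonies: registration asking for blob support, an authentication that writes a blob, and an authentication that reads it back. The option and result shapes (`largeBlob.support`, `largeBlob.write`, `largeBlob.read`, and the `supported`/`written`/`blob` fields of `getClientExtensionResults()`) follow the Level 2 specification; the relying party name, user record, challenge bytes and the SSH certificate text are constructed placeholders, and `credentialsApi` stands in for `navigator.credentials` so the helpers can be exercised outside a browser.

```javascript
// Added example: requesting and interpreting the WebAuthn Level 2 largeBlob
// extension from a relying party's front end. Names marked "constructed" are
// placeholders, not values from any real deployment.

const textEncoder = new TextEncoder();
const textDecoder = new TextDecoder();

// Registration: ask for a credential whose authenticator can store a large blob.
// "required" fails the ceremony rather than silently creating a credential
// without blob storage; "preferred" lets the ceremony succeed either way.
function buildCreationOptions(challenge, userId, support = "required") {
  return {
    publicKey: {
      rp: { name: "example-rp (constructed)" },
      user: { id: userId, name: "alice@example.test", displayName: "Alice" },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      // The blob is bound to a discoverable (resident) credential on the authenticator.
      authenticatorSelection: { residentKey: "required" },
      extensions: { largeBlob: { support } },
    },
  };
}

// Authentication that writes: the browser encrypts the bytes under a key tied
// to this credential before handing them to the authenticator, which is why
// the relying party can store opaque data such as an SSH certificate there.
function buildWriteOptions(challenge, credentialId, blobBytes) {
  return {
    publicKey: {
      challenge,
      allowCredentials: [{ type: "public-key", id: credentialId }],
      extensions: { largeBlob: { write: blobBytes } },
    },
  };
}

// Authentication that reads back whatever was written for this credential.
function buildReadOptions(challenge, credentialId) {
  return {
    publicKey: {
      challenge,
      allowCredentials: [{ type: "public-key", id: credentialId }],
      extensions: { largeBlob: { read: true } },
    },
  };
}

// Encode the text a relying party wants to keep next to the credential.
function encodeBlob(text) {
  return textEncoder.encode(text);
}

// Classify the largeBlob part of getClientExtensionResults() so the caller
// can react to each outcome (unsupported authenticator, failed write, etc.).
function interpretLargeBlobResult(extResults) {
  const lb = extResults && extResults.largeBlob;
  if (!lb) return { outcome: "absent" };
  if ("supported" in lb) return { outcome: lb.supported ? "supported" : "unsupported" };
  if ("written" in lb) return { outcome: lb.written ? "written" : "write-failed" };
  if ("blob" in lb) return { outcome: "read", text: textDecoder.decode(lb.blob) };
  return { outcome: "unknown" };
}

// Full registration flow; in a browser pass navigator.credentials as credentialsApi.
async function registerWithLargeBlob(credentialsApi, challenge, userId) {
  const cred = await credentialsApi.create(buildCreationOptions(challenge, userId));
  const result = interpretLargeBlobResult(cred.getClientExtensionResults());
  if (result.outcome !== "supported") {
    throw new Error("authenticator did not confirm largeBlob support: " + result.outcome);
  }
  return cred;
}

// Store, then later retrieve, the blob during two separate authentications.
async function writeBlob(credentialsApi, challenge, credentialId, text) {
  const assertion = await credentialsApi.get(
    buildWriteOptions(challenge, credentialId, encodeBlob(text))
  );
  return interpretLargeBlobResult(assertion.getClientExtensionResults());
}

async function readBlob(credentialsApi, challenge, credentialId) {
  const assertion = await credentialsApi.get(buildReadOptions(challenge, credentialId));
  return interpretLargeBlobResult(assertion.getClientExtensionResults());
}
```

The write and the read happen in separate `get()` calls because each is a full authentication ceremony; the relying party should treat `written: false` as a real failure (for example, the authenticator’s blob storage is full) and not assume the certificate is on the device.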
Looking beyond just the evolving WebAuthn standards, there is also a need to make sure the standards are adopted. That was the key theme in a session about democratizing WebAuthn that was delivered by Vittorio Bertocci, Principal Architect at Auth0.
Bertocci suggests that organizations embrace a staged approach to WebAuthn implementation. For each and every step, developers should be able to see how WebAuthn is advantageous, providing value for the organization and its users.
“The adoption of WebAuthn is a journey and the standardization was a huge step, but now, we’ve got to roll up our sleeves and help the industry to adopt it,” Bertocci said.
Day 5 is Up Next!
The Authenticate conference continues for its fifth day on Nov. 18 with another great lineup of sessions.
Among the insightful content, there is a user session from eBay, a panel on account recovery best practices and a lunch and learn on how FIDO, EMVCo and W3C specifications work together.