Page 15 - Implementation of Secure Authentication Technologies for Digital Financial Services
6 STRONG AUTHENTICATION TECHNOLOGIES AND SPECIFICATIONS
Authentication systems involve individuals, credentials issued to those individuals, and authenticators used by the individual to prove they are the original registered credential receiver. Authentication protocols define how each element interacts to authenticate the individual. Each element has observable or measurable behaviors in the environment which can be compared to previously-measured ‘normal’ behavior.

Design decisions and technology choices for each authentication system element affect how ‘strong’ an authentication system is: how resistant it is to attack and compromise from common threats. ‘Strong’ authentication systems are designed to mitigate threats that ‘weak’ authentication systems do not. For example, a weakness for individuals is having to deal with password systems. Passwords are hard to remember, easy to steal, reused across services and very inconvenient to use. Stronger authentication systems might choose to use a biometric to unlock a local secure encryption key vault, which gives the individual a lower-friction, password-less experience. Authenticators such as SMS-delivered one-time codes that are subject to phishing could be replaced by hardware cryptographic authenticators such as a Secure Element or Trusted Execution Environment in mobile devices. Authentication protocols that use shared secrets or unencrypted transmissions could be replaced with asymmetric key cryptographic protocols, encrypted channels and different keys for each service. Multi-factor authentication protocols offer more resistance to attackers than single-factor protocols.

The threat landscape changes regularly and design decisions must be made to address new or commonly-used threats. For example, threats to website access from desktop computers differ from those facing mobile-only apps and services, which have been invented in recent years.

6.1 Characteristics of Advanced Authentication Systems

Typical authentication systems in use today were designed for the pre-mobile-device internet. They are based on a single authentication event, typically performed at application start-up, and assume that the user, device and session do not change after that single authentication event. Authentication tends to be a high-friction activity with a poor user experience, especially when password or multi-factor authentication is used. Current-generation authentication systems are not easy for mobile users to interact with: on mobile devices, authentication events are infrequent and rely on device security locks that may not be effective.

Advanced authentication systems are designed to address today’s threat models and design patterns. Compared to ‘strong’ authentication systems, there is an increased emphasis on detecting and authenticating the human user, as distinct from the client software that person uses, through environmental and behavioral analysis. New approaches are being implemented to minimize friction for mobile and multi-factor use cases: many systems are now built with ‘mobile first’ designs. Authentication now happens at many points during a user-system interaction: at identification time, at times when increased privileges are invoked (so-called ‘step-up’ authentication), and even continuously during the entire session.

Advanced authentication systems do not replace strong authentication systems – the technologies work together to address different threats and vulnerabilities.

The objective of advanced authentication systems is to provide a low-friction experience for users, while reducing risk and increasing security assurance. See 7.1 Cognitive Continuous Authentication for a description of a solution that embodies these advanced authentication system characteristics.

6.2 FIDO Alliance Specifications

The FIDO Alliance protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user, a step called “user verification”. User verification can take the form of any number of user-friendly and secure actions such as swiping a finger, performing facial recognition, entering a PIN, or speaking into a microphone. Private keys are bound to a device and prove that users are in possession of a specific device (i.e. the “something that you have” factor of authentication), and their combination with user verification ensures that every authentication is multi-factor authentication.

FIDO protocols are designed to protect user privacy. The protocols do not provide information that