Implementation of Secure Authentication Technologies for Digital Financial Services
Figure 4 – FIDO Registration of new keys

1. Initiate registration with Relying Party
2. FIDO Server sends registration challenge and requested registration options
3. Authenticator performs user verification on device to signal the user's consent to registering with the service
4. Authenticator generates a new key pair for the service and associates the private key with the service's origin. The public key and device model number are signed over by a device model specific (shared across no less than 100,000 devices) attestation private key. The authenticator sends a registration response: device model number + attestation signature + user's public key
5. Validate response and attestation. The device model number (AAGUID) can be used to look up metadata about the device, such as the attestation public key, the type of user verification being performed (e.g. biometric, PIN), and the security characteristics of the device (e.g. how private keys are protected; how biometric templates are protected; third-party security and biometric certifications).
6. The service stores the user's public key for future authentication requests.
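The six-step registration flow of Figure 4, worked through as an added Go example that is not part of the original document or of any FIDO implementation. It assumes a constructed AAGUID "aaguid-demo-0001", a constructed origin "https://bank.example", ECDSA P-256 for both the batch attestation key and the per-service user key, an in-memory metadata table standing in for a metadata service, and a boolean standing in for on-device user verification. The attested digest (hash over challenge, origin, AAGUID and user public key) is a simplification of what real authenticators sign; the point it demonstrates is that the Relying Party recomputes that digest with its own origin and its own challenge, so a response minted for another origin or an old challenge does not verify, and a device whose AAGUID is not in the metadata table is rejected before any key is stored.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// DeviceMetadata is what the Relying Party looks up by AAGUID in step 5.
// Constructed in-memory table; a production RP would query a metadata service.
type DeviceMetadata struct {
	AttestationPub   *ecdsa.PublicKey
	UserVerification string // e.g. "biometric", "PIN"
	KeyProtection    string // e.g. "secure element"
}

// RegistrationResponse is what the authenticator returns at the end of step 4.
type RegistrationResponse struct {
	AAGUID      string
	UserPub     *ecdsa.PublicKey
	Attestation []byte // ASN.1 ECDSA signature by the batch attestation key
}

// NewKey generates a P-256 key pair (used for attestation and user keys alike).
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewChallenge is the random challenge the FIDO Server sends in step 2.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// attestedDigest hashes exactly what the attestation key signs over:
// challenge, service origin, device model number and the new user public key.
func attestedDigest(challenge []byte, origin, aaguid string, pub *ecdsa.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte(origin))
	h.Write([]byte(aaguid))
	h.Write(der)
	return h.Sum(nil)
}

// Authenticator models one device: a batch attestation key shared by many
// devices of the same model, plus per-origin private keys that never leave it.
type Authenticator struct {
	AAGUID          string
	attestationPriv *ecdsa.PrivateKey
	credentials     map[string]*ecdsa.PrivateKey
}

func NewAuthenticator(aaguid string, attestationPriv *ecdsa.PrivateKey) *Authenticator {
	return &Authenticator{AAGUID: aaguid, attestationPriv: attestationPriv,
		credentials: map[string]*ecdsa.PrivateKey{}}
}

// Register performs steps 3 and 4: require user verification, mint a key pair
// bound to the service origin, and attest the public key with the batch key.
func (a *Authenticator) Register(origin string, challenge []byte, userVerified bool) (*RegistrationResponse, error) {
	if !userVerified {
		return nil, errors.New("user did not consent to registration")
	}
	userKey := NewKey()
	a.credentials[origin] = userKey
	digest := attestedDigest(challenge, origin, a.AAGUID, &userKey.PublicKey)
	sig, err := ecdsa.SignASN1(rand.Reader, a.attestationPriv, digest)
	if err != nil {
		return nil, err
	}
	return &RegistrationResponse{AAGUID: a.AAGUID, UserPub: &userKey.PublicKey, Attestation: sig}, nil
}

// RelyingParty holds the metadata table and the registered user keys (step 6).
type RelyingParty struct {
	Origin   string
	Metadata map[string]DeviceMetadata
	Users    map[string]*ecdsa.PublicKey
}

// ValidateRegistration is step 5: look the device up by AAGUID, apply policy to
// its metadata, verify the attestation against this RP's own origin and the
// challenge it issued, and only then store the user's public key (step 6).
func (rp *RelyingParty) ValidateRegistration(user string, challenge []byte, resp *RegistrationResponse) error {
	md, ok := rp.Metadata[resp.AAGUID]
	if !ok {
		return errors.New("unknown device model (AAGUID)")
	}
	if md.UserVerification != "biometric" && md.UserVerification != "PIN" {
		return errors.New("device offers no acceptable user verification")
	}
	digest := attestedDigest(challenge, rp.Origin, resp.AAGUID, resp.UserPub)
	if !ecdsa.VerifyASN1(md.AttestationPub, digest, resp.Attestation) {
		return errors.New("attestation signature does not verify")
	}
	if rp.Users == nil {
		rp.Users = map[string]*ecdsa.PublicKey{}
	}
	rp.Users[user] = resp.UserPub
	return nil
}

func main() {
	att := NewKey() // constructed batch attestation key for model "aaguid-demo-0001"
	rp := &RelyingParty{Origin: "https://bank.example", Metadata: map[string]DeviceMetadata{
		"aaguid-demo-0001": {AttestationPub: &att.PublicKey, UserVerification: "biometric", KeyProtection: "secure element"},
	}}
	dev := NewAuthenticator("aaguid-demo-0001", att)
	ch := NewChallenge()
	resp, _ := dev.Register(rp.Origin, ch, true)
	fmt.Println("registration accepted:", rp.ValidateRegistration("alice", ch, resp) == nil)
}
```

The stored public key is all the service keeps; the private key stays in the authenticator's per-origin map, which is what makes later authentication phishing-resistant.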