Smart Cards and Authentication. Jose Diaz Director, Technical and Strategic Business Development Thales Information Systems Security


Payment Landscape
- Contactless payment technology is being deployed
  - Speeds up and simplifies the payment process
  - A replacement for cash, particularly for small transactions
  - No user authentication for now
- Use of the Automated Clearing House (ACH) for payments continues to increase
  - 2008 ACH transaction volume was up 1.2 billion payments over 2007
  - Internet-initiated ACH debits increased by 19.7% in 2008
- Payment methods continue to expand
  - Improved security is the primary driver
  - Primarily target online commerce
  - Payment is associated with a credit card or a bank account (ACH)
  - Many leverage existing payment infrastructures
- Mobile phones/PDAs are seen as a potential payment device; authentication and authorization are issues that still need to be resolved
- Increased use of token-based or secondary-channel authentication in high-value environments
- Requirement for transparent user authentication in low-value environments

Authentication Factors
- Type 1, something you know: password, PIN, lock combination, passphrase, knowledge-based questions (mother's maiden name, favorite color)
- Type 2, something you have: token device, smart card, memory card, certificate
- Type 3, something you are: fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, hand geometry
- Location, which the original slide lists under Type 3, is not a biometric; it is usually treated as a separate "somewhere you are" signal
- Two-factor authentication combines two of the three types; two instances of the same type (e.g. a password plus a security question) do not qualify

FFIEC Guidance on Multifactor Authentication (FFIEC: Federal Financial Institutions Examination Council)
- Financial institutions are required to establish and execute a risk-based assessment of their online banking delivery channel
- Financial institutions are required to implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks
- The agencies consider single-factor authentication (e.g. ID/password) insufficient as the only control for high-risk transactions
- High-risk transactions involve the movement of funds to other parties (even within the FI) or access to customer information
References: www.ffiec.gov/pdf/authentication_guidance.pdf, www.ffiec.gov/pdf/authentication_faq.pdf, www.nacha.org

Authentication Functions
- What is PIN verification? A method to authenticate a customer, used for ATM and POS transactions
- How do we authenticate customers on virtual storefronts, or whenever the customer is not physically present?
  - Web-based services
  - Phone-based services
  - Other customer services
- Today the usual answer is a user ID and a password
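The slide names PIN verification but does not show what actually travels from the ATM or POS terminal to the verifying host. The following is an added example, not part of the presentation: it builds and checks an ISO 9564-1 format 0 PIN block (the ANSI X9.8 format used for ATM and POS PINs), which binds the PIN to the account number before the block is encrypted. The PAN and PIN are constructed test values, and the encryption of the block under the terminal's PIN key, which happens inside the terminal's secure module and is undone inside the host HSM, is left out so that the structure is visible.

```python
"""ISO 9564-1 format 0 PIN block: how an ATM/POS PIN is packaged for
verification.  Added example; the PAN and PIN used below are constructed
test values, not real account data."""


def _pan_field(pan: str) -> str:
    """Format 0 account field: four zero nibbles followed by the 12 rightmost
    PAN digits, excluding the Luhn check digit.  XORing this into the PIN
    field is what ties the block to one account."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return "0000" + digits[:-1][-12:]


def encode_pin_block(pin: str, pan: str) -> str:
    """Return the 16-hex-digit clear format 0 block for `pin` under `pan`.
    Nibble layout of the PIN field: 0 | PIN length | PIN digits | F padding."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    block = int(pin_field, 16) ^ int(_pan_field(pan), 16)
    return f"{block:016X}"


def decode_pin_block(block_hex: str, pan: str) -> str:
    """Recover the PIN from a clear format 0 block, rejecting anything that
    was not formed under this PAN (wrong format nibble, bad length, or
    padding that is not all F after the PAN is XORed back out)."""
    pin_field = f"{int(block_hex, 16) ^ int(_pan_field(pan), 16):016X}"
    if pin_field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    length = int(pin_field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, pad = pin_field[2:2 + length], pin_field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        # A block transplanted from another account decodes to garbage
        # padding; refuse it rather than hand back a plausible-looking PIN.
        raise ValueError("PIN block does not match this PAN")
    return pin


def verify_pin(block_hex: str, pan: str, reference_pin: str) -> bool:
    """Host-side check: decode under the claimed PAN and compare.  A real
    host compares against a PIN offset or PVV inside the HSM instead of a
    stored clear PIN; the binding logic is the same."""
    try:
        return decode_pin_block(block_hex, pan) == reference_pin
    except ValueError:
        return False


if __name__ == "__main__":
    pan, pin = "4000001234567899", "1234"          # constructed test values
    block = encode_pin_block(pin, pan)
    print("PIN block:", block)                      # 041234FEDCBA9876
    print("same PAN :", verify_pin(block, pan, pin))
    print("other PAN:", verify_pin(block, "4000009876543211", pin))
```

The point of the PAN field is visible in the last line of the demo: the same encrypted block replayed against a different account number no longer decodes to a valid PIN field, so an attacker who captures a PIN block for one card cannot reuse it for another, even without knowing the PIN.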

A Variety of Choices
[Chart: authentication options plotted by security against cost and simplicity, with risk assessment as the selection criterion; user ID and password at the low end, biometrics at the high end]

Why All These Choices?
- Match the authentication technology to the risk profile of the business process
[Chart: relevant options on a cost versus security scale, as plotted on the slide from lowest to highest: password, encrypted password, handheld token, digital certificate, smart card, biometrics]

OATH
- The Initiative for Open AuTHentication (OATH) is a group of companies working together to drive the adoption of open strong authentication technology across all networks
- 60+ members, 40+ shipping products
- Standardized authentication algorithms, published as open and royalty-free specifications:
  - HOTP, HMAC-Based One-Time Password algorithm: event-based OTP (RFC 4226)
  - TOTP, Time-based One-Time Password algorithm: time-based OTP (later published as RFC 6238)
  - OCRA, OATH Challenge-Response Algorithm: challenge-response authentication and short digital signatures (later published as RFC 6287)
  - OATH Token Identifier Specification: enables unique global identification of each authentication credential
HMAC: hash-based message authentication code (RFC 2104). IETF: Internet Engineering Task Force. www.openauthentication.org
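The two OATH OTP algorithms above are short enough to implement completely. The following is an added example, not from the presentation or from OATH's reference code: HOTP and TOTP using the test secret from RFC 4226 Appendix D (also used in RFC 6238), plus the server-side counter resynchronisation and replay check that a validation server needs and that the RFCs describe only in prose. The look-ahead window of 10 counters and the clock skew of one step are assumed policy values, not anything the RFCs or the slide mandate.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as an OATH validation server runs
them, with resynchronisation and replay protection.  Added example; the
window sizes are assumed policy, and the test secret is the RFC 4226 one."""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret ("12345678901234567890" as ASCII).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    # 4 bytes starting at `offset`; the top bit is masked so the value is
    # the same whether the implementation uses signed or unsigned integers.
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the event counter replaced by floor(T / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_hotp(secret: bytes, presented: str, next_counter: int, look_ahead: int = 10):
    """Server-side HOTP check.  Returns the new counter to persist, or None.
    Only counters >= next_counter are tried, so an OTP that was already
    accepted (or skipped over) is rejected as a replay; the bounded
    look-ahead absorbs button presses that never reached the server."""
    for c in range(next_counter, next_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, len(presented)), presented):
            return c + 1
    return None


def verify_totp(secret: bytes, presented: str, unix_time: int, step: int = 30,
                skew: int = 1) -> bool:
    """Accept the current time step and +/- `skew` neighbouring steps to
    tolerate token clock drift.  A production server should also remember
    the last accepted step so one code cannot be used twice within the window."""
    for delta in range(-skew, skew + 1):
        candidate = totp(secret, unix_time + delta * step, step, len(presented))
        if hmac.compare_digest(candidate, presented):
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print("HOTP counter", c, "->", hotp(SECRET, c))   # 755224 287082 359152
    print("TOTP at T=59, 8 digits ->", totp(SECRET, 59, digits=8))  # 94287082
    print("accept counter 2 from 0 ->", verify_hotp(SECRET, "359152", 0))  # 3
    print("replay counter 1 after 3 ->", verify_hotp(SECRET, "287082", 3))  # None
```

The check that matters operationally is the one-way counter in `verify_hotp`: once a code has been accepted, the stored counter moves past it, so an intercepted OTP is worthless to an attacker. The window sizes trade usability (a user who pressed the button a few times, a token whose clock has drifted) against the number of values an attacker can guess per attempt; both should be paired with rate limiting on the server.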

Smart Cards: What Are the Benefits?
- Secure and flexible technology for information and data storage
- A PIN can be used to control access to the card
- Offers advanced fraud and risk management
- The card can be updated at the service point
- Can also provide cryptographic services such as key generation and encryption
- Foundation for EMV-based payment cards
- Excellent solution for secure storage of user credential information (e.g. a certificate)
[Diagram: a smart card combines data storage with computing power]

EMV-based Authentication: maximizing the use of EMV smart cards as a secure authentication token
- Traditional payment environment: ATM withdrawal, point-of-sale payment
- New applications: phone banking, Internet banking, online payments

Programs for EMV-based Authentication
- MasterCard Chip Authentication Program (CAP)
- Visa Dynamic Passcode Authentication (DPA)
In both programs the cardholder inserts the EMV card into an unconnected handheld reader and enters the card PIN; the reader turns the cryptogram computed by the card's EMV application into a one-time passcode, which the issuer verifies by recomputing the cryptogram with the card keys it already holds for chip payment authorization.

Smart Cards in Other Authentication Applications
- Becoming more common in enterprise employee identification schemes, and crossing over into authenticating users to the network
- The card holds a certificate with user information, signed by the issuing authority and verified during the authentication process
- The certificate and its private key are stored on the card; the private key never leaves it and its use is protected by the PIN
- Dual-interface cards (contact and contactless) facilitate the use of one smart card for both physical and logical access
- Federating the credential would allow the certificate to be used outside the issuing enterprise

Some Obstacles to Smart Card Use
- The device used to access a service needs a smart card reader: common in laptops, not so common in desktops
- Smart cards in USB token format give more flexibility for connectivity and use; some also support a contactless interface
[Image: USB token]

In Summary
- Payment methods continue to expand
- User authentication is a critical requirement
- No prevalent methodology has been adopted
- New standards may simplify interoperability
- Smart cards offer many benefits for security, flexibility and ubiquity
- New form factors facilitate their interface with commonly used access devices

Jose Diaz, Director, Technical & Strategic Business Development, Thales Information Systems Security
+1 954-888-6210, jose.diaz@thalesesec.com
Smart Card Alliance, 191 Clarksville Rd., Princeton Junction, NJ 08550, (800) 556-6828, www.smartcardalliance.org