ntt docomo deployment case study: your security, more simple
Post on 15-Apr-2017
615 Views
Preview:
TRANSCRIPT
FIDO Alliance Seminar in Seoul
NTT DOCOMO Deployment Case Study:
“Your Security, More Simple.”
December 6, 2016
Koichi Moriyama
NTT DOCOMO, INC.
FIDO Seminar in Seoul 12/6/2016 © 2016 NTT DOCOMO, INC. All Rights Reserved.
Table of Contents • Motivation: “Your Security, More Simple.”
• Overview: NTT DOCOMO’s Deployment
• NTT DOCOMO FIDO-enabled Devices for d ACCOUNT™ - 20 Models in Total
Video Clip: “Let’s setup, use FIDO-enabled authentication for d ACCOUNT”
• Design Principles to Integrate the FIDO Standards
• Solution Architecture: Before & After the Deployment
• Security Architecture: Biometric Data and Secret Key stored in Secure Area
• Open Standards for Future Interoperability
• Varieties of FIDO® Certified Authenticator Solutions
• Deployment at More Scale – Rolled Out the same to iOS Customers
• NTT DOCOMO as a FIDO Alliance Board Member FIDO Seminar in Seoul 12/6/2016 2 © 2016 NTT DOCOMO, INC. All Rights Reserved.
Motivation: “Your Security, More Simple.”
• NTT DOCOMO provides our customers OpenID based “d ACCOUNT” in addition to 4-digit passwords for online service access including DOCOMO branded services, partner services, and carrier billing payments.
• NTT DOCOMO wanted to help our customers, who always needed to remember their passwords, for their convenience in a secure way, and recognized that the FIDO standards may help.
FIDO Seminar in Seoul 12/6/2016 3 © 2016 NTT DOCOMO, INC. All Rights Reserved. https://www.youtube.com/watch?v=UP0DyYk5IXc
Iris Fingerprints
Passwords-less Authn using Biometrics
Login Unlock
Carrier Billing Payment
Overview: NTT DOCOMO’s Deployment (1/2)
• DOCOMO launched FIDO-enabled online authentication with biometric sensor equipped devices for “d ACCOUNT” (a.k.a. docomo ID) login and carrier billing payments from May 2015. DOCOMO has been continuing to extend FIDO-enabled experience, supporting legacy 4-digit pins and others including “d ACCOUNT” carrier billing partners.
FIDO Seminar in Seoul 12/6/2016 4 © 2016 NTT DOCOMO, INC. All Rights Reserved.
Carrier Billing Payment
MARKET
Overview: NTT DOCOMO’s Deployment (2/2)
• NTT DOCOMO selected the FIDO UAF 1.0 standard due to reasons below:
1.) Easy, and fast online authentication using biometrics, 2.) Secure protocol that utilizes public key crypto, and 3.) Open-standard for interoperability in the future.
• NTT DOCOMO launched four FIDO® Certified devices and the FIDO-enabled server in May 2015. There were some world firsts, a.) as an MNO, b.) with multiple FIDO Certified devices from multiple OEMs, c.) with the world first Iris scanner equipped smartphone, and d.) for multiple services.
FIDO Seminar in Seoul 12/6/2016 5 © 2016 NTT DOCOMO, INC. All Rights Reserved.
FIDO-enabled Devices for d ACCOUNT 20 Models in Total
• 4 models for 2015 Summer, 6 for 2015-16 Winter/Spring, 4 for 2016 Summer, and 6 for 2016-17 Winter/Spring by
FIDO Seminar in Seoul 12/6/2016 © 2016 NTT DOCOMO, INC. All Rights Reserved. 6
SH-01H SO-03H SO-01H SO-02H F-02H SC-05G
SH-04H F-04H SO-04H SC-02H
F-04G SC-04G F-01H SH-03G
SO-02J F-01J SH-02J DM-01J SO-01J L-01J
Coming soon! Coming soon!
Video Clip: Let’s setup, let’s use FIDO-enabled biometric authentication for d ACCOUNT!
FIDO Seminar in Seoul 12/6/2016 © 2016 NTT DOCOMO, INC. All Rights Reserved. 7
Design Principles to Integrate the FIDO Standards
• Integrate the FIDO standards in a straightforward manner
– Create and maintain the FIDO eco-system, and align with it for sustainability
• Utilize the FIDO standards as much as possible
– Allow different type of authenticators e.g. fingerprint sensors and iris scanner
• Protect users and ecosystem partners in consideration of security
– Follow the FIDO privacy policy, “Biometric template and private keys never leave devices,”
– Realize that genuineness of authenticator shall be securely proven to servers,
– Keep the same security level of various devices from multiple OEMs, and
– Avoid to generate wrong perception in the market.
• Minimize the integration efforts, time and cost
– Gather FIDO-enabled service apps to a single point of I/F – d ACCOUNT to ASM
FIDO Seminar in Seoul 12/6/2016 © 2016 NTT DOCOMO, INC. All Rights Reserved. 8
Solution Architecture: d ACCOUNT and 4-digits [before the FIDO integration]
• The d ACCOUNT app and system had already been introduced and operated for authentication and single-sign-on experience.
FIDO Seminar in Seoul 12/6/2016 9 © 2016 NTT DOCOMO, INC. All Rights Reserved.
…
DOCOMO Branded Devices by OEM Partners
Client App Pre-installed
… Web Browser
Pre-installed Service Apps
System Server
…
DOCOMO Branded Services
Carrier Billing Partner Services
Billing System Servers
Launched by Service Apps or Web Browser
Authenticate user by ID/Password or 4-digits ID/Password
• Single Sign-On
Solution Architecture: d ACCOUNT and 4-digits [after the FIDO integration]
• The d ACCOUNT app and system had already been introduced and operated for authentication and single-sign-on experience.
FIDO Seminar in Seoul 12/6/2016 10 © 2016 NTT DOCOMO, INC. All Rights Reserved.
DOCOMO Branded Devices by OEM Partners
… Web Browser
Pre-installed Service Apps …
DOCOMO Branded Services
Carrier Billing Partner Services
Billing System Servers
FIDO-enabled by xxxx Client SDK
FIDO-enabled by Server
FIDO-enabled w/ some additional requirements to adopt
…
In addition to ID/Password
• Single Sign-On • Biometric Authentication
without Passwords
Client App Pre-installed System Server
FIDO Enables Online Authentication by Utilizing Biometric Data in a Secure Manner
– Biometric Data and Secret Key stored in Secure Area –
FIDO Seminar in Seoul 12/6/2016 11 © 2016 NTT DOCOMO, INC. All Rights Reserved.
Biometric Authentication Device
Secure Area (TEE)
User Verification through Matching
Secure App
Secure Folder
FIDO Client
Verified
FIDO Authenticator
FIDO Server
Challenge
Authentication is completed once the Signed Challenge is verified by Public Key
Sign the Challenge by Secret Key
✓ ✓
Signed Challenge
d ACCOUNT Server
d ACCOUNT App
Scope of FIDO UAF 1.0 Spec
✓
✓
Public Key Cryptography Secure Protocol
Biometric Data
Device Server FIDO-enabled services are enhanced gradually…
Registered Template
Secret Key
The FIDO Standards Connect Multiple Services – Open Standards for Future Interoperability –
FIDO Seminar in Seoul 12/6/2016 12 © 2016 NTT DOCOMO, INC. All Rights Reserved.
Standards
SH-01H SO-03H SO-01H SO-02H F-02H F-01H
F-04H SH-04H SO-04H SC-02H
SO-02J F-01J SH-02J DM-01J SO-01J L-01J
2015 Summer models
2015-16 Winter/Spring models
2016 Summer models
2016-17 Winter/Spring models
Company A’s Server
Company B’s Server
Company C’s Server
d ACCOUNT DOCOMO Server
Implementations of the FIDO Authenticators – Varieties of FIDO® Certified FIDO Authenticator Solutions –
• OEMs may choose a FIDO® Certified authenticators solution from a variety of choices in order to meet their requirements.
FIDO Seminar in Seoul 12/6/2016 © 2016 NTT DOCOMO, INC. All Rights Reserved. 13
FIDO-enabled by xxxx Client SDK
FIDO® Certified xxxxx Server
FIDO Standards
Client App Pre-installed System Server
14
NTT DOCOMO Rolls Out FIDO Biometric Authentication to iOS Customers
Underscores rapid market adoption of FIDO as the new standard for strong authentication Mountain View, Calif., March 7, 2016 – The FIDO® Alliance, the cross-industry creators of open standards for simpler, stronger authentication, announced today that Japan’s largest mobile network operator NTT DOCOMO, INC. (“DOCOMO”) has extended its market-leading deployment of FIDO® Certified strong authentication to its millions of customers with Touch ID®-equipped Apple iPhones and other iOS(1) devices. DOCOMO adds this new FIDO-for-iOS capability to an already impressive suite of 10 FIDO Certified Android devices from Samsung, Fujitsu, Sharp, and Sony Mobile, ensuring that their customers enjoy unprecedented choice between platforms, devices and biometric authentication modalities including fingerprint touch, fingerprint swipe, and iris recognition. (1) iOS 9 or later
DOCOMO’s decision to add support for FIDO strong authentication to the base capabilities of Touch ID underscores both the security benefits and the rapid market adoption of FIDO standards in just over a year since the specifications were published. Today more than 100 solutions have been FIDO Certified and, in addition to DOCOMO, hundreds of millions of end-users’ web and mobile apps have been FIDO-enabled for strong authentication protection by leading service providers, including Google, PayPal, Samsung, Bank of America, Dropbox, and GitHub.
“The expansion of cross-platform support from NTT DOCOMO highlights the growing global consensus that using open standards from FIDO Alliance is the right strategy for moving the connected economy off its dependency on passwords,” said Brett McDowell, executive director of the FIDO Alliance. “As more service providers look to reduce fraud risk and give customers a better, faster user experience, I believe they will be following DOCOMO’s example and deploying cross-platform FIDO-enabled, privacy-respecting biometric authentication that is simultaneously more secure and convenient.”
More details on DOCOMO’s FIDO-for-iOS deployment Using FIDO specifications, DOCOMO is enabling its customers to securely authenticate themselves with Touch ID instead of a password to the DOCOMO d ACCOUNT™ app, which will be available in the App Store on March 9. From there, they will have secure access to DOCOMO account details, billing and services, including mobile gaming and music platforms d game™ and d music™, and shopping sites such as d delivery™ and d shopping™. DOCOMO is also removing the password from carrier billing, allowing customers to approve their payments via Touch ID.
In a media update about this news, DOCOMO said, “The app will encourage more DOCOMO partner companies to incorporate the FIDO standard as users demand biometric authentication for an increasingly diverse range of mobile handsets.”
“d ACCOUNT,” “d game,” “d music,” “d delivery,” and “d shopping” are trademarks or registered trademarks of NTT DOCOMO, INC. NTT DOCOMO’s “d ACCOUNT,” “d delivery” and “d shopping” services are only available to subscribers in Japan. Touch ID is a registered trademark of Apple, Inc. iOS is a trademark or registered trademark of Cisco in the U.S. and other countries and is used under license. Android is a trademark or registered trademark of Google, Inc.
Media Contact Megan Shamas Montner Tech PR 203-226-9290 mshamas@montner.com
FIDO Seminar in Seoul 12/6/2016 © 2016 NTT DOCOMO, INC. All Rights Reserved.
Screen Shot Example: d ACCOUNT Login with Touch ID
FIDO Seminar in Seoul 12/6/2016 © 2016 NTT DOCOMO, INC. All Rights Reserved. 15
• “Login with Touch ID” button appears in addition to the legacy ID/password button. Once select to login with Touch ID, easy to login.
d ACCOUNT login screen supporting Touch ID
d ACCOUNT Touch ID app encourages you to do Touch ID
If you haven’t installed d ACCOUNT Touch ID app yet, you encouraged to install it
“Login with Touch ID”
Screen Shot Example: Shopping at d Shopping
© 2016 NTT DOCOMO, INC. All Rights Reserved. 16
• Shopping is the same. Once select to purchase with Touch ID, easy to go. d ACCOUNT app to support Touch ID on iOS 9 or later works behind of it.
Select what you purchase, and go next
Authenticate with Touch ID
d ACCOUNT Touch ID app encourages you to do Touch ID
That’s it!
FIDO Seminar in Seoul 12/6/2016
How NTT DOCOMO Implements FIDO UAF on iOS
© 2016 NTT DOCOMO, INC. All Rights Reserved. 17
• NTT DOCOMO developed “d ACCOUNT app” for iOS, incorporating Nok Nok Labs’ FIDO Certified FIDO UAF Client SDK to work with DOCOMO services and the FIDO-enabled d ACCOUNT server.
• NTT DOCOMO utilizes the Touch ID security feature of Secure Enclave that enables to keep the FIDO Privacy Policy.
FIDO Seminar in Seoul 12/6/2016 https://support.apple.com/en-us/HT204587
• The recent APIs enabled after iOS 9 help DOCOMO for friendly-fraud concerns.
d ACCOUNT App
FIDO Client
Touch ID
Secure Enclave
The Same Server Hosts Your Authentication!
© 2016 NTT DOCOMO, INC. All Rights Reserved. 18 FIDO Seminar in Seoul 12/6/2016
…
DOCOMO Branded Services
Carrier Billing Partner Services
Billing System Servers System Server
SH-01H SO-03H SO-01H SO-02H F-02H F-01H
F-04H SH-04H SO-04H SC-02H SO-02J F-01J SH-02J DM-01J SO-01J L-01J
iOS
Android
NTT DOCOMO as a FIDO Alliance Board Member
• NTT DOCOMO joined FIDO Alliance as a Board of Directors in May 2015, encouraged by FIDO Alliance with the accomplishment of some world’s firsts. e.g. as an MNO w/ the world first Iris scanner equipped smartphone.
• NTT DOCOMO is now chairing a WG “Deployment at Scale” in short “D@S”, where following themes have been addressed and being resolved:
– How to manage non-technical issues in business b/w FIDO authenticator manufactures and RPs. NOTE: NTT DOCOMO behaves as both…
– How to adopt the FIDO specs – through Case Studies in practice approach…
• Please join FIDO Alliance, join the D@SWG, and let’s make it happen together!
FIDO Seminar in Seoul 12/6/2016 19 © 2016 NTT DOCOMO, INC. All Rights Reserved.
Creating a World without Passwords
“The new of today, the norm of tomorrow.”
• Through collaboration with the FIDO Alliance, NTT DOCOMO will further deliver “Your Security, More Simple.”
FIDO Seminar in Seoul 12/6/2016 20 © 2016 NTT DOCOMO, INC. All Rights Reserved.
https://www.youtube.com/watch?v=QzM4PpXEqP8
References • 2015 May Announcements
- https://www.nttdocomo.co.jp/english/info/media_center/pr/2015/0526_00.html
Attachment: Biometric Authentication from DOCOMO (PDF format: 957KB)
Movie: Biometric Authentication
- https://fidoalliance.org/fido-alliance-welcomes-ntt-docomo-to-board/
- https://www.qualcomm.com/#/news/releases/2015/05/25
- https://www.noknok.com/what-they-say/press-releases/ntt-docomo-selects-nok-nok-labs-power-first-fido-enabled-ecosystem
• 2015 September Announcements - https://www.nttdocomo.co.jp/english/info/media_center/pr/2015/0930_01.html
- https://fidoalliance.org/worlds-first-mobile-network-operator-to-deploy-fido-authentication-ntt-docomo-extends-its-mobile-innovation-lead-with-new-fido-certified-devices-and-services/
Movie: Biometric Authentication Chapter II
• 2016 March Announcement (There are some more accouchements but in Japanese)
- https://fidoalliance.org/ntt-docomo-rolls-out-fido-biometric-authentication-to-ios-customers/
FIDO Seminar in Seoul 12/6/2016 21 © 2016 NTT DOCOMO, INC. All Rights Reserved.
top related