6. Passwords are the root of most breaches.
Passwords are not secure. From 2016 to 2017:
> Security incidents: 279%
> Support costs from forgotten passwords: 20%
> Breaches due to passwords: 81%
source: Verizon cyber crime case study 2017
7. Indeed, they’re great solutions.
We have solutions:
> 2 Factor Authentication (OTP, SMS codes)
> Federation and SSO (OIDC, OAuth)
> Biometrics (Fingerprint, Face)
> Password Managers (1Password, etc.)
and,
9. Design Principles
> Strong against various attacks
> Pluggable and interoperable
> Easy to use
> Privacy preserving
10. Strong assurance of “device possession”
The key has the following security properties (in parentheses, the attack each property resists):
> Generated randomly (Guess)
> Stored in secure area (Extraction)
> Attested by trust root (Emulation)
> Generates the signature (Forgery)
> Strongly assures that the authentication was performed with the device which was registered before.
15. High-level architecture (diagram)
Components:
> LINE Pay App, running LINE FIDO2 Combo (iOS) or LINE FIDO2 Compat (Android)
> LINE Pay RP Server (for LINE Pay Japan)
> LINE Pay Central Server
> LINE FIDO2 Server (for LINE Pay Japan)
Labelled flows: Passcode authentication (or old biometric authentication); FIDO Operations; Authentication management.
16. LINE FIDO2 Combo for iOS
Uses Touch ID and Face ID as UV (user verification) and leverages WBC (Whitebox cryptography) for attestation.
Layers (diagram, top to bottom):
> RP App (View)
> LINE FIDO2 Combo (FIDO2 Client, Authenticator Logic)
> LTSM (LINE Trusted Security Module)
> WAL (Whitebox Abstraction Layer): Whitebox Encryption
> KAL (KeyChain Abstraction Layer): KeyChain
> Touch ID/Face ID (Apple)
Diagram labels: signing and attestation, backed by the user’s private key, Whitebox Encryption and the KeyChain.
17. LINE FIDO2 Compat for Android
Abstraction layer supporting both the Android native authenticator and the LINE authenticator.
Layers (diagram, top to bottom):
> RP App (Activity)
> LINE FIDO2 Glue Layer (Abstraction): single API entry point
> LINE Authenticator: LTSM; Biometric API (Google)
> FIDO2 GMS Core: FIDO Play service API; Native Authenticator (Google); External Authenticator over CTAP2
Diagram labels: signing and attestation, backed by the user’s private key and Whitebox Encryption.
18. LINE FIDO Server software stack
LINE FIDO Server is built on top of Spring Boot with a React stack.
> Services: Challenge, Response, Attestation, Metadata, Session, Certificate
> Repositories: MongoDB, Redis, Elasticsearch
> Routers/Handlers
> Framework (Library): Spring Boot, Spring WebFlux, Spring Security, Netty, SLF4J, Prometheus
> Crypto: COSE, X509
> Utilities/helpers, etc.: Validator, Mapper, Config, Metadata client, MDS client, Deserializer, Verifier, Convertor
19. Registration flow
Generates a key pair and registers the public part of the key to the server.
Screens: iOS (Face ID, Touch ID); Android (Fingerprint, Face).
20. Authentication flow
Generates a digital signature and verifies it on the server with the public key.
Screens: App launching; Payment (the user scans the QR code for payments and confirms the transaction).
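Slides 19 and 20 carried through in code, as an added example that is not part of the deck and not the LINE FIDO2 Server (which is a Spring Boot service): the device generates a P-256 key pair and gives the server only the public key; to authenticate, it signs authenticatorData together with the hash of the client data, and the server checks the challenge, the rpIdHash, the signature and the signature counter. The counter check goes slightly beyond the slides; the RP id, challenge and client data are constructed values.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Authenticator is a constructed stand-in for the device side (not LINE's LTSM): a P-256 key and a sign counter.
type Authenticator struct{ priv *ecdsa.PrivateKey; counter uint32 }
// Credential is what the RP server stores at registration: the public key and the last counter it saw.
type Credential struct{ pub *ecdsa.PublicKey; counter uint32 }
// Register (slide 19): generate the key pair on the device and hand the server only the public part.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	return &Authenticator{priv: priv}, &Credential{pub: &priv.PublicKey}, nil
}
// signedDigest is SHA-256(authenticatorData || SHA-256(clientData)), the message a FIDO2 assertion signs.
func signedDigest(ad, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}
// Assert (slide 20, device side): build authenticatorData = SHA-256(rpId) || flags || signCount and sign it.
func (a *Authenticator) Assert(rpID string, clientData []byte) (ad, sig []byte, err error) {
	a.counter++
	rp := sha256.Sum256([]byte(rpID))
	ad = append(rp[:], 0x05, 0, 0, 0, 0) // flags: user present (bit 0) | user verified (bit 2), then 4-byte signCount
	binary.BigEndian.PutUint32(ad[33:], a.counter)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(ad, clientData))
	return ad, sig, err
}
// Verify (slide 20, server side): challenge echoed, rpIdHash and UP flag right, signature valid, counter advanced.
func Verify(c *Credential, rpID, challenge string, clientData, ad, sig []byte) error {
	rp := sha256.Sum256([]byte(rpID))
	switch {
	case !bytes.Contains(clientData, []byte(challenge)): return errors.New("challenge not echoed: stale or replayed response")
	case len(ad) < 37 || !bytes.Equal(ad[:32], rp[:]): return errors.New("rpIdHash mismatch: assertion was made for another RP")
	case ad[32]&0x01 == 0: return errors.New("user presence flag not set")
	case !ecdsa.VerifyASN1(c.pub, signedDigest(ad, clientData), sig): return errors.New("signature does not verify under the registered public key")
	}
	n := binary.BigEndian.Uint32(ad[33:37])
	if n <= c.counter { return errors.New("signCount did not advance: replay or cloned authenticator") }
	c.counter = n // a real server would also mark the challenge as consumed here
	return nil
}
```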
22. Re-authentication
User tries to authenticate to a service again.
Prompt screens: “LINE is trying to verify your identity. Verify your identity with biometric.”; “Confirm access to your account”; “Clova is requesting access to your account”.
24. Go password-less
> Mitigate password use cases: integrate FIDO into more LINE services.
> Introduce multiple FIDO authenticators: encourage users to enroll multiple authenticators.
> FIDO authentication for user convenience: introduce FIDO to LINE Login and LINE Pay; educate users about the convenience.