The
FIDO Authentication for mobile payments workshop was organised jointly by ITU and SBS Peru and is intended mainly for IT security professionals and auditors in Peru working in security of digital financial services. FIDO standards-based authentication eliminates many of the vulnerabilities and problems that arise from password-based authentication, one-time-passwords through SMS used in digital finance. Instead of passwords, it enables logins to be replaced by a secured and stronger user authentication mechanism employing biometrics, tokens, smart cards, near field communication devices, and many more authentication methods across the web and mobile applications.
The objectives of this workshop were to:
- Explain the security features of Fast Identity Online (FIDO) and how it can be used to implement password less strong authentication for digital financial services
- Compare FIDO authentication with other industry strong authentication technologies
- Discuss the privacy features in FIDO and how FIDO can prevent common attacks targeting users such as account takeover and phishing and
- Share lessons learned on use cases implemented on FIDO for payments.
Target Audience: IT security professionals and security auditors from regulators and payments service providers in Peru.
Programme
16:00 - 16:15
| Welcome Remarks by SBS Peru
|
|---|
16:15 - 17:30
| Session 1: Introduction to FIDO and state of strong authentication
This session introduced the FIDO specification, its main features and how it can implement passwordless authentication for digital financial services with biometric support as well as its privacy enhancing aspects. The session also discussed the ITU-T Recommendations for the FIDO specifications and specific implementation use cases related to payments. The session also compared FIDO authentication with other industry strong authentication mechanism and discuss their respective merits.
|
17:30 - 17:40
| Coffee Break
|
17:40 - 19:00
| Session 2: Preventing Phishing and account takeover attacks with FIDO
Account enrollment and account recovery processes can leave gaps in the credential management lifecycle that allow bad actors to perform account takeover and get unauthorised access to the system. This session discussed how account takeover and phishing accounts can be preventing using FIDO authentication as well as the process for account recovery. For accounts protected from phishing and other credential-based attacks with FIDO Authentication, the account recovery process when a FIDO device is lost or stolen becomes critical to maintaining the integrity of the user’s account.
- Alain Martin, Head of Consulting & Industry Relations, Banking & Payment Services, Thales: "Preventing Phishing and account takeover attacks with FIDO" [Presentation]
|
|---|
2 December 2022
|
|---|
16:00 - 17:45
| Session 3: FIDO authentication deployment Deep Dive
This session discussed how to deploy FIDO for mobile payment applications, focusing on specific implementations use cases for mobile payments.
|
|---|
