The Natural Security standard defines a strong authentication method dedicated to online and offline transactions. This standard is based on a unique combination of pairing technology, local biometric verification and a personal device. As the concept of the authenticator hit the news, it was interesting to ask Victor DUSAUTOIS, CTO and Head of the Technical Advisory Committee of the Natural Security Alliance, to give his vision of what an authenticator should be.
What is an authenticator?
Broadly speaking, the term “authenticator” refers to any technology that can authenticate a user before he or she reaches an interface that provides access to a service. Authenticators can come in different formats such as a chip card and reader (e.g. for payment in a store), an OTP token or even a simple login and password on a computer.
What features does the market require?
Actors such as banks that traditionally make authentication technologies available to their clients are generally not responsible for developing the technologies themselves. Instead, they rely on technologies delivered by phone or mobile device manufacturers, according to what their clients—attracted by how user-friendly these devices are—use on a daily basis.
Biometrics is becoming increasingly commonplace, but questions around implementation, openness and evaluation have not really been addressed.
The market is clearly waiting for certain key features to be fleshed out before it will really take off. For example, interoperability must be made standard, so service providers can accept the authenticators deployed and consumers are not limited in where they can shop for goods and services. Similarly, a simple, consistent user approach needs to be developed and deployed so consumers can enjoy the same experience for all services. Finally, security must be made a priority right from the beginning of the design phase and evaluation and certification schemes must be set up and recognized.
How does Natural Security’s standard compare to FIDO Alliance’s standard?
FIDO and Natural Security build on the same principle: both approaches are driven by user needs. Natural Security focuses specifically on defining an authenticator that addresses the limitations of existing authenticators.
In fact, Natural Security’s standard differs from FIDO’s on many fronts. For one, it offers comprehensive compatibility because Natural Security authenticators are designed to provide access to countless services, including payment, digital wallets, online services (including FIDO services), logical and physical access control, and ATM services. Natural Security’s standard also defines a protocol (WBIR) that guarantees the integrity and confidentiality of data exchanged between an authenticator and a service, ensuring data communication is secure. In addition to safeguarding data integrity during communication and service provision, it protects authentication and service access data by defining how data are stored locally. It is the only standard that defines how to implement biometrics for authentication in the private sector, building on a user-centric approach implementing form factors and a user experience that meet market and user needs and expectations. Finally, it defines a communication-agnostic implementation, with online and offline availability, that works with contact, contactless and mid-range wireless communication technologies.
In a nutshell, the Natural Security standard defines an authenticator while FIDO defines an interface for accessing online services.
Authentication under the Natural Security standard
The Natural Security standard defines a robust authentication method that goes beyond satisfying the payment industry’s existing requirements to anticipate and address emerging needs. Adopting a deliberate approach to privacy and data confidentiality right from the design phase (Privacy by Design), through implementation (Privacy by Default) and into deployment (Privacy Rules), it offers a consistent user experience for all services that can be implemented in all form factors. Its two-factor strong authentication approach ensures user consent is explicit and cannot be replayed, and complies with regulatory recommendations.
A two-page document, with a more detailed chart, is available in the resource center under the name: Authenticators and the Natural Security standard.
About the Natural Security Standard
Natural Security has defined the only specifications for a strong authentication method that makes use of a personal device (e.g. smart card, mobile, connected device) capable of communicating with biometric readers via contact, NFC or mid-range (e.g. BLE, WPAN) technologies. This standard can serve as the foundation on which to build an interoperability scheme compatible with all the different implementations possible in terms of both form factors and services (e.g. EMV solutions, digital wallets, ATMs, kiosks, online services such as FIDO).