Is NASSCOM promoting an Online authentication system which is not ITA 2008 compliant?

Recently, NASSCOM (through DSCI) conducted product promotion seminars for FIDO alliance at Mumbai and Bangalore, introducing some online authentication solutions along with some partners of FIDO alliance in India like Persistent Systems.

According to the website of FIDO alliance, FIDO stands for Fast IDentity Online and FIDO alliance is a US based non profit organization [Section 501(c)(6) organization] nominally formed in July 2012 and has certain solutions which are aimed at helping the users who need strong authentication in the form of strong passwords but find it difficult to remember multiple passwords across different service providers. FIDO claims that they are creating a new open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. The objective is said to be to remove the world’s dependency on passwords.

FIDO claims membership of several organizations including Microsoft, Google, Paypal, Qualcomm, Bank of America etc who represent online service providers who need their customers to use passwords and two factor authentication for using their services.

Membership to the FIDO alliance is open to different organizations with the following fee structure.

a) Board Member : US $ 50,000

b)Sponsor : US $25,000

c) Government: US$ 15,000

d) Associate: US$ 2,500 to 15,000

Members may also pay fees for testing and certification after they implement the “Online authentication standard”. Basically, the members will be entitled to different commercial benefits such as use of FIDO alliance trademark, etc.

Each of the members may implement the common standards which are tested and certified to enable interoperability of what is called the “Standards” so that they may use the process as part of their authentication mechanism.

To be brief, what these standards imply are that there will be two kinds of solutions.

a) One is a solution that substitutes the OTP over mobile process as second factor authentication. (U2F)

b) Second is a solution where the biometrics of the user is used as a password to trigger a digital signature authentication. (UAF)

From the presentations made during the event in Bangalore, the following information emerged.

  1. Both UAF and U2F use an USB token
  2. In the UAF protocol, an user registers himself at a website (eg at Paypal) providing his biometric along with other profile details such as his name, address etc. This generates an RSA key pair in the token and the public key is sent to the web server where it is stored along with the profile details.
    1. When next time an authentication is required to be used, the user provides his biometric to the token which creates an authentication request encrypted with the private key developed during the registration process and sends it to the web service provider. It is decrypted with the public key already available and authentication is accepted as per the registered records.
    2. The system is said to be able to also capture additional parameters such as facial recognition and key stroke pattern as additional parameters of authentication.
  3. In the U2F protocol, the token will have a button which when pressed sends the private key encrypted message to the authentication server. Biometric is not used. This substitutes the current OTP mechanism where the user has to wait for a pin to be received either on his mobile or e-mail and submit it back for authentication.

It is clear that FIDO alliance is a sort of marketing alliance where all have agreed to use a common methodology and implement the “Standard” at their individual costs and benefit by the collective marketing. A 501 (c)(6) entity is called a “Non Profit” organization but is allowed to “perform activities dedicated to improving the conditions of their industry, including lobbying and promotion”. If lobbying is the organization’s primary purpose, it must notify its members of the percentage of dues being allocated to lobbying expenses.

As far as FIDO alliance is concerned, it is fine for the alliance to lobby and enroll members in India. However, NASSCOM joining in the promotion of the FIDO alliance raises certain questions which need to be answered by NASSCOM board and I look forward to their response.

Primarily,the so called “Standard” uses no “KYC” and the person declares himself as who ever he is. Even when a biometric is provided, it is not authenticated. On the other hand, in India we have the e-signature method where a biometric is authenticated with reference to the Aadhar data base which forms a KYC process. Similarly, even the simple OTP process through mobile has the backing of a KYC conducted by the  mobile operator. (We can ignore the problems arising out of inefficient KYC conducted by a Mobile service provider or Aadhaar enumerator at this point of time).

FIDO process is therefore not in conformity with the KYC process which is mandatory in India for Banking transactions above a certain limit.

Secondly, the public-private key pair used in FIDO alliance standard is not the system certified by a licensed certifying authority in India  who is responsible for KYC. (Again we can ignore the inefficiencies in this process).

The FIDO process therefore fails to comply with the RBI requirement of KYC and ITA 2000/8 requirement of a digital signature/electronic signature.

During the interaction, I was informed by one of the implementers namely Persistent Systems (a public limited company based in Pune) that at least two Banks in Mumbai have already signed up for the alliance and it would be necessary to know which are the Banks which have agreed to use this system and whether they have taken any special permission from RBI in this regard. (I look forward to more information in this regard).

Under these doubts it is surprising that NASSCOM is endorsing this event and misleading the industry.

Through these columns

I am requesting NASSCOM and DSCI  to inform me

-How it is endorsing this disguised marketing activity of a non Cyber Law Compliant process of digital authentication.

I am also requesting RBI to get information and reveal

-which are the two Banks which have signed up with Persistent Systems Pune for FIDO alliance system to be used for their authentication purpose and

-whether any assessment has been made on the compliance or otherwise of KYC and ITA 2008 compliance and approval given.

This information can be sought under RTI but I suppose it would not be required.

The objective of this article is to bring to the notice of NASSCOM and RBI that some commercial activities may be unwittingly promoted by Government agencies against the law of the land and if so they need to be identified and corrected.

At this point of time, I am not accusing FIDO alliance of trying to by-pass the Indian law since I presume that they are not aware of the existence of the legal provisions in ITA 2000/8 as well as the KYC procedures mentioned above. I also consider that Persistent Systems may not be aware of these provisions and hence there is no allegation on any of these parties that they have deliberately tried to flout the rules.

However, it is definitely necessary to bring these objections to the notice of the industry so that no entrepreneur including the start ups in Bangalore who are into many digital activities involving online authentication starts using this service in substitution of the mobile based OTP or e-sign or the traditional digital signature as a means of digital authentication like the two unnamed banks in Mumbai.

If NASSCOM and DSCI agree with my point of view, I expect them to respond and also send out circulars to all the participants of the two seminars in Mumbai and Bangalore disclaiming their responsibility on the legal validity of the said FIDO standard and giving reasons thereof.

I request readers to send this information to the relevant NASSCOM and DSCI members if they have their contacts. In case whatever mentioned above is not correct, I am willing to publish a suitable rejoinder as may be required. Those of the readers who are technically proficient may study the standard specifications available on the website and check if they provide any more information either in support of or in opposition to the views expressed here.

Naavi

 

Print Friendly, PDF & Email

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.