Getting closer to a world without passwords
Today we are happy to announce that LINE has achieved the world’s first FIDO Universal Server certification (as a service provider1) for our authentication server — LINE Authentication Server.
With FIDO authentication, LINE users can sign in and authenticate both using biometrics (for example, face and fingerprint), as well as with external hardware tokens like Yubikey and Google Titan key. Regardless of the type of authenticator, all FIDO authentication leverages strong public key cryptography instead of shared credentials such as passwords and PINs.
Along with LINE’s rapid popularity growth, the risk our users face has also increased. Intruders have been trying to attack our users both by employing social engineering attacks and by trying to circumvent or bypass our network defenses. One of our top priorities as a global Internet company is to shield our users from such attacks.
User authentication is a gateway to our services and often one of the key user experiences. As such, user authentication is also an important security layer that protects access to both server systems, and personal or otherwise sensitive information. However, efforts to provide more secure user authentication are often plagued by usability problems, and thus get limited user adoption. We have been trying to find a solution that is both secure, intuitive, and easy-to-use for end users for some time now.
As part of out efforts, we joined FIDO Alliance2 in May 2017 as a board member. We have been contributing to FIDO design and standardization both by sharing our experience and major requirements as a global service provider, and by proposing workable solutions to common problems.
After joining the Alliance, we have been researching various authentication technologies, user scenarios, and current industry solutions. Mobile services are a large part of our company DNA, but we have now expanded our services to various platforms, and thus want to provide secure FIDO authentication to as many users as possible. To achieve this goal, we decided to develop a FIDO Universal Server and support all current FIDO specifications.
FIDO Alliance operates a certification program whose main goal is to validate interoperability among vendors within the FIDO ecosystem. The Alliance issues certificates to products that successfully demonstrate interoperability for all normative FIDO operations (registration, authentication, de-registration, and transaction confirmation for UAF authenticators). FIDO Alliance holds interoperability testing events every 90 days, where all vendors aiming to conform to a current FIDO specification demonstrate the interoperability of their products. We participated in the November 2018 interoperability testing event held in Seoul, Korea with our universal server implementation. We were able to successfully demonstrate that our server conforms to FIDO’s UAF, U2F, and FIDO2 specifications, and is interoperable with each of the other vendors’ FIDO authenticators (16 authenticator vendors in total).
We took a great first step today, and are now ready to provide FIDO authentication to our users. By leveraging our FIDO Universal Server, we can provide FIDO authentication for all FIDO specifications (UAF, U2F and FIDO2) in the full range of platforms, browsers, and devices that LINE services run on. Moreover, our server implements current FIDO specifications fully, and supports all of the currently defined signature algorithms and attestation formats.
FIDO protocol introduction
FIDO is an open, interoperable, and scalable authentication standard that aims to provide secure and simple authentication by leveraging public key cryptography. By leveraging FIDO’s online authentication protocol, which is based on public key credentials and local user verification, services can provide strong and simple authentication to their users. Additionally, since FIDO credentials are bound to a single origin (generally equivalent to a service’s Internet domain), the system is resilient to both man-in-the-middle and phishing attacks.
The FIDO protocol (all FIDO specifications) has two main user flows; registration and authentication.
Registration is the process of generating a user key pair and registering the public key with the FIDO server for use in subsequent authentication. Here is a brief description of FIDO’s registration flow.
First, the FIDO server sends a challenge and some additional parameters to the authenticator (implemented either by the user’s browser or OS, or a dedicated hardware device). Next, the authenticator verifies the user (usually via biometrics) and generates a new key pair and a public key attestation (additional data about the generated key and the authenticator device). Then, the authenticator bundles the authentication public key and attestation into an assertion, and signs it. The assertion is then sent to the FIDO server. Finally, the FIDO server checks the assertion by verifying its signature. If successfully validated, the server stores the received public key and maps it to the user’s account.
Authentication is the process of leveraging a pre-registered public key credential to authenticated the user. Here is a brief description of FIDO’s authentication flow.
After successful registration, the user can authenticate with the registered public key credential. The authentication process is very similar to the registration flow. First, the FIDO server sends a challenge and some additional parameters to the authenticator. Next, the authenticator verifies the user (if biometric authentication is supported) or checks that user is physically present, before unlocking the private key (generated during registration). The authenticator then generates an assertion, signs it with this key, and sends the signed assertion to the FIDO server. The FIDO server identifies the key to use, based on the key identifier in the assertion, locates the corresponding public key, and then verifies the signature with this public key. If successfully verified, the server generates a new authentication session and issues an authentication token or cookie to the client.
FIDO protocols leverage many cutting edge standards and technologies. Refer to the following links for details.
- CBOR (Concise Binary Object Representation)
- COSE (CBOR Object Signing and Encryption)
Our use cases
We’d like to introduce our typical FIDO use cases. In addition to the following examples, we are preparing for more service integrations and additional use cases, ranging from simple login to access control for IoT devices.
LINE Login integration
By introducing FIDO to LINE Login, our partners and third-party services leveraging LINE Login can take benefit of password-less authentication by simply having the user scan their fingerprint or face on their device. Additionally, users concerned about their security and privacy can select to use an external security token, and thus add an additional layer of account defense.
We plan to reduce and eventually remove all authentication screens that require username and password input from our services, with the end goal of users never having to use a password.
We are excited to work on integrating FIDO into LINE Login and look forward to introducing frictionless biometric authentication to our users and partners. You can expect to see this new feature next spring.
Transaction confirmation for LINE Pay and related financial services
We plan to leverage FIDO in LINE Pay for secure and simpler transaction confirmations for payments and money transfers. As we plan to introduce both fingerprint and face recognition as user verification methods, users will be able to simply touch or look at their device in order to confirm payments.
As we keep expanding our financial services, LINE Pay will become the base finance platform for other financial services. As a result, users will be able to use their LINE Pay credentials to authenticate to other services as well, greatly simplifying the user experience.
LINE Things and IoT device control
Various IoT devices, ranging from smart lights to AI speakers are quickly becoming a part of our everyday lives. While their usefulness is undeniable, IoT devices are connected both to the Internet and directly with each other, and are often deployed in uncontrolled, complex environments. Securing the resulting complex IoT environment presents a number of challenges. One of those challenges is to provide secure authentication, both for IoT devices, and for the users who access and control them. We think that FIDO is well fitted to this IoT ecosystem as it offers secure and easy-to-use authentication. With FIDO integrated into LINE, our users will be able to manage and control their devices in a secure manner.
If you want to get more information before our official release and experience FIDO authentication yourself, you can try our demo FIDO servers (FIDO2 and U2F supported) here.
For details about supported browsers, please refer to Mozilla MDN.
We are happy to hear your opinions and suggestions about LINE and FIDO. Please feel free to contact us.
1. FIDO Universal Server: Ensures interoperability with all FIDO certified authenticators↩
2. FIDO Alliance: The FIDO (Fast IDentity Online) Alliance, https://fidoalliance.org/, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords.↩