[Openid-specs-fapi] Fwd: Letter from Vice-President Valdis Dombrovskis: Comments about Redirection

Henrik Biering hb at peercraft.com
Sat Mar 9 17:31:05 UTC 2019 

Probably Mr Dombrovski has been presented with the Danish "NemID" a 
/previously/ bank owned eID where service providers place a login applet 
on their own webpage. The 2. factor (which is partly optional for banks) 
has been paperbased ch/resp. But most recently an app redirect option 
has been available (and popular). But it is implemented in a way that 
still makes NemID extremely susceptible to realtime phishing.

There is no possibility for ordinary users to distinguish real RP's from 
fake - and not even requirements for authorized RP's to used encrypted 
connections.

It was originally planned to notify NemID under eIDAS by simply defining 
NemID to have the desired security level in the "National Standard for 
the Security Level of Identities". But as a result of a public hearing 
this "security by mere aspiration" definition was removed. And there is 
currently no intention from Danish authorities to notify NemID under 
eIDAS. This is planned for a next generation eID labeled "MitID" that 
will most likely be introduced in 2021.

So in short the Danish eID with the new 2. factor app actually uses 
redirection, but implemented in a way that still does not qualify it to 
be notified as an eID under the eIDAS scheme.

FYI:  Here is an article from the leading Danish IT-newssite Version2 
(hoping that it translates reasonably using online translation services):
https://www.version2.dk/artikel/digitaliseringsstyrelsen-efter-udvikler-angreb-ja-nemid-saarbar-phishing-1086131

Best,
Henrik Biering

Den 09-03-2019 kl. 15:30 skrev nat via Openid-specs-fapi:
> Restarting the thread as I want to make a youtube video on this one 
> and want to hear your opinions.
>
> So, Mr Dombrovskis says:
>
> "I would like to encourage industry players to shift their attention 
> away from authentication methods that are redirecting TPP customers to 
> the banks' webpages (or apps). This cannot be the basis for innovative 
> and competitive European payment services. Instead, the focus should 
> in my view be on the development of convenient and secure new 
> authentication methods. Such new forms of authentication, which are 
> now more and more widely used, can be linked to e-IDs, issued by 
> public authorities or private entities as in the Nordic countries, 
> that may be used by customers with numerous market participants..."
>
> What I do not understand is that why he thinks "Such new forms of 
> authentication" does not involve a redirect.
> As far as I understand, "private entities as in the Nordic countries" 
> uses either SAML or OpenID Connect and make use of "redirect" to 
> perform the user authentication that is linked to e-IDs, and they are 
> provided by banks. If I am right, then the above statement is saying:
>
> "Shift their attention away from authentication methods that are 
> redirecting TPP customers to the banks' webpages (or apps) to 
> authentication methods that are redirecting TPP customers to the 
> banks' webpages (or apps)."
>
> It just does not make sense...
>
> I could go on with a generic Youtube video showing how redirecting can 
> be non-intrusing but I wanted to understand the above statement better.
>
> Best,
>
> Nat
>
> On 2019-02-22 18:25, Dave Tonge via Openid-specs-fapi wrote:
>> Dear FAPI WG
>>
>> I just received this and think it may be of interest to you:
>>
>> Please find attached a letter and attachment from Commission Vice
>> President Dombrovskis.
>>
>> He has made some discouraging comments about redirection to webpages
>> and apps:
>>
>> “I WOULD LIKE TO ENCOURAGE INDUSTRY PLAYERS TO SHIFT THEIR ATTENTION
>> AWAY FROM AUTHENTICATION METHODS THAT ARE REDIRECTING TPP CUSTOMERS TO
>> THE BANKS' WEBPAGES (OR APPS). THIS CANNOT BE THE BASIS FOR
>> INNOVATIVE AND COMPETITIVE EUROPEAN PAYMENT SERVICES. Instead, the
>> focus should in my view be on the development of convenient and secure
>> new authentication methods. Such new forms of authentication, which
>> are now more and more widely used, can be linked to e-IDs, issued by
>> public authorities or private entities as in the Nordic countries,
>> that may be used by customers with numerous market participants…”
>>
>> …“I also invite industry players to work together to find
>> practical solutions to other problems that payment initiation service
>> and/or account information service providers are facing. One of them
>> is the regular renewal, every 90 days, of consent for the TPPs’
>> access to accounts. This consent renewal requires STRONG CUSTOMER
>> AUTHENTICATION, WHICH WOULD BE A MAJOR INCONVENIENCE IF DONE FOR EACH
>> BANK USING CONVENTIONAL AUTHENTICATION METHODS AND POSSIBLY
>> REDIRECTION TO THE BANKS’ AUTHENTICATION PAGES.”
>>
>> Dave
>> _______________________________________________
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20190309/ff3a072c/attachment.html>

More information about the Openid-specs-fapi mailing list