CMFA Use Case - External Authentication

[woodbe]

This use case is focused on providing the CMFA state/status to an external system. Here the actual "outcome" would be reported (not the individual components that make up the score), to an external system.

For example:

• The user has a CMFA system running on their device
• The user goes to a place where they need to prove their identity (for example a bank, but could be anything)
• To prove identity, the user must present the device to the system
• The device would provide information about the user identity (such as the device, who the user claims to be, and the CMFA status of the user to the device) to the requesting system

The key point here is that the CMFA is not unlocking something on the device, but providing proof of identity to an external system. It is possible that the external system could require additional information from the user, for example if the score on the device is 75, but the requesting system wants 90, it could require the user to present saw a face login to the device to boost the score that would be represented to the system.

The CMFA itself here is not unique, it is the presentation of the score outside the device that is the specific "unique" component. Questions that may need to be considered:

• Is the communications one way (i.e. the score is presented, but no response is provided, such as the "the user needs to improve the score"), or two way?
• How does the user authorize the passing of the score (is it enough to be verified already so the score can be shared with any system, or is there some additional component needed, like a direct input from the user, or a link between the device and the service)?
• How is the communications channel protected? Does it matter if it is encrypted, or is signed enough? Replay protection?

[woodbe]

This is specifically different from another similar use case, which would be to say unlock a door using NFC on the device if you are currently unlocked due to CMFA. In that case, I would expect that say a key provided by the door security system would have been loaded onto the device, and the user being authenticated on the device would allow this key to be unlocked and presented to the door via NFC. So in this case, any NFC system that works today would still work, but the user wouldn't have to say unlock the device with their fingerprint to unlock the key for the door, it would already be unlocked by an appropriate CMFA score.

[n-kai]

I devise the following more detail use case for the CMFA used for the online banking so that we can make more concrete discussion.

1. The user runs the mobile banking app
2. The app gets the CMFA score (CS) from the CMFA through the mobile OS
3. The app allows the user based on the value of CS, or the app send the user id with CS to the bank server and the server permit her/his action based on CS value as follows.

• If CS > 50, the user can check her/his account
• If CS > 80, the user can check her/his usage history
• If CS = 100 (max value and the user has to login with PIN or biometrics to gain this score), the user can transfer her/his money

In this use case, we can define the following security requirements (TOE is the CMFA and doesn’t include the mobile app)

• Protection of communication between CMFA and mobile banking app
• Protection of the CMFA and its data The CMFA needs to protect itself and its data at rest and in transit working with the secure execution environment
• Trustworthiness of the CS The vendor needs to explain what CS = 50 or CS = 100 means clearly in his ST. For example, the vendor can describe the following information in her/his ST so that the evaluator can test the TOE based on such information.

a) Brief overview about how the CMFA calculates the CS b) Sensors used to calculate the CS c) how frequently the CMFA update the CS d) Time to require re-login when the CMFA can’t get any input from sensors e) Mean time or actions to detect the imposter attack f) The performance of the CMFA (FAR and FRR)

• Configuration function The user can configure the CMFA, for example, required action to make CS = 80 (e.g. draw triangle with the device).