Welcome to the ITU studio in Geneva, where we're pleased to be joined today by Abby Barber, who is here as co-chair of the security work stream for the FIGI Security Infrastructure and Trust Working Group, FIGI being the Financial Inclusion Global Initiative. Abby, welcome to the studio.

Thank you.

Now I'd like to start off by talking to you a little bit about the FIGI Security Infrastructure and Trust Working Group. So quite a long name there. It's developed a technical report on strong authentication technologies for digital financial services. Perhaps you could explain what strong authentication is and why it's needed for digital financial services, or DFS.

Yeah, so authentication, it's a must when you're doing business transactions. So once you enroll in a financial transaction, you get credentialed. And at the credentialing stage, you will be asked who you are and to prove who you are. And then we give you a credential. In so many cases, it's a username password. So next time you come to issue the service, the trick or the question is who are you. So you present back the challenge that I issued with the credential. And authentication worked that way. The problem with current authentication schemes is that they are based on a shared secret. And the shared secret is supposed to be shared between me and you only. No one else will know it, which is not true because people reuse their passwords, use weak passwords. A lot of the passwords are "password" or "1234". So they are broken because people cannot use so many strong passwords. You don't remember it. So strong authentication comes as a way to enhance the security. So it's shared secret plus something else. Usually you have three categories. Something you know, something you are, and something you have. Something you know is the password. Something you are is your fingerprint, your biometric, your voice print. And something you have is like an extra card, like a SIM card, for example, or a security token card.
It becomes now, when you want to do strong authentication, it becomes a matter of security versus user convenience. If the risk is high, you will inconvenience the user. For example, if you are a system admin, I can require you to have a security card, which is an extra card to use, but you have to carry it with you all the time. But this is part of the risk profile, it's part of your job. If you're doing consumer authentication, it's really not going to work out because you're not going to ask your consumer to remember a password and get a security card. So today what they do to do strong authentication, it defaults to what we call a multi-factor authentication solution. So basically you have your password, and then I issue you another challenge from one of those categories. A lot of the times, if you notice now after all the breaches, someone will send you an SMS to your phone. So every website you go to, you get an SMS. The issue here is it increases security more than the standard password, but does not really solve the problem of authentication. Because if you get phished and someone, you log on to the wrong website, the website will relay your password to the site, you're expecting an SMS, you enter the SMS, it's relayed to the website, so it cannot solve man in the middle. So this is what the industry is using today, including what regulators are using. They call it strong authentication, it's much more into multi-factor authentication, but it's not a magic bullet. So this is what we needed to do in the working group report. There are technologies in progress today that enable us to solve for stronger authentication with user convenience based on public infrastructure, which the ITU have done, the X.509, the certificate. So we could do that through a public-private key pair, and this technology is based on FIDO, and some of the technology is also based on the security key and the SIM card, which is still PKI. So there are two techniques you could do.
You have FIDO security and you have Mobile Connect, and most of them do public-private key, key pair.

And so what are the main recommendations for regulators and DFS providers for the adoption of strong authentication technologies?

So, you know, the authentication is risk-based. So if, for example, you're going to your bank account and all you need to do is balance, lower authentication is fine. But if you want to add a payee or make a payment or do a money transfer, you need higher authentication. So by the work collaboration between the FIDO Alliance and the W3C, the World Wide Web Consortium, and also the ITU, now the FIDO specifications are becoming global, your international standard, and they are built into the infrastructure of every device you get. After Android 4.2, the FIDO client is native on Android. And iOS is on its way to come in as part of the FIDO ecosystem. So you have the ability to get rid of the password on every device through a standard interoperable interface. It's not fully there yet, but it's coming in there. I think what the regulators should start doing is saying we need really strong authentication on top of the MFA. MFA is not strong authentication because it does not solve man in the middle. So the advice here is start adopting what the industry is developing. And let's make that a mandate with a clear definition of what strong authentication is.

And in terms of the consumers, what's going to encourage them most to adopt strong authentication?

Well, what will encourage is convenience. And FIDO is one way to use PKI in a convenient way. The challenge with PKI has always been its usability versus security. And it always came in the older days through an extra key, like the secure key, an OTP key. Now FIDO is replacing it by a client that's native on every device. Every phone you will have is FIDO enabled. Every browser will be FIDO enabled.
If your device or your system does not have a trusted platform module (TPM) that is enabled, there are means to use a combination of the phone and an external device to get the security that you need. But it's getting there, the technology. So you cannot plan to adopt this technology in a few years. You have to start today because every year, every new edition, the compatible, out-of-the-box support for it is coming in. And users will love it because you trouble the user once. And after that, once you have the relationship, you build on the trusted anchor of relationship. Safe and secure.

Well, Abby, thank you very much for joining us in the studio. And we hopefully will catch up with you again at some stage in the near future.

Well, thank you.

Thank you.