RE: added use case - Accessibility note addition to Biometric Authentication

Thank you, Qian Sun.

 

Very nice. One of my tasks for this group is to provide accessibility
information to our work.

 

Therefore, I would want to add an Accessibility statement, such as has been
done for Privacy / Security.

 

I suggest:

 

Accessibility: It is important to recognize that some users may not have
fingers or fingerprints; therefore, when using one method of biometric
identification, at least one other form of biometric identification should
also be provided.

 

Thanks!

 

* katie *

 

Katie Haritos-Shea 
Senior Accessibility SME (WCAG/Section 508/ADA/AODA)

 

Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA |
LinkedIn Profile: http://www.linkedin.com/in/katieharitosshea/ |
Office: 703-371-5545

 

From: Qian Sun [mailto:sunqian.sq@alibaba-inc.com]
Sent: Thursday, March 26, 2015 2:00 AM
To: public-webpayments-ig@w3.org
Cc: Manu Sporny
Subject: added use case

 

Dear all:

I am Qian Sun from Alibaba.

I have added a use case about Biometric Authentication to the wiki. Please
check it.

https://www.w3.org/Payments/IG/wiki/Use_case

Biometric Authentication

In current online and offline payment transactions, biometric
authentication can be used instead of inputting passwords, and can be
carried out on POS, mobile and wearable devices, etc. A web payment system
based on biometrics can achieve more reliable information security and
convenience, and has a broad market capacity and development prospects.

Some biometric authentication (e.g. face) can also be used in some other
situations, e.g. password modification.

Example:

Registration of a Fingerprint Payment

User:

*  John logs in to the e-wallet app on a mobile terminal and requests to
register a fingerprint payment.

*  E-wallet requests to verify the password of the payment; John inputs the
password.

*  E-wallet requests to verify the fingerprint.

*  John inputs the fingerprint.

*  E-wallet sends the information to the payment server.

*  The payment server finishes the registration of fingerprint payment and
returns the result to the E-wallet app.

E-wallet app:

*  E-wallet gets a request for a fingerprint payment registration.

*  E-wallet app requests to verify the password of payment.

*  After John inputs the password, E-wallet verifies the password through
the payment server.

*  E-wallet gets the registration request message from the payment server.

*  E-wallet verifies the fingerprint on the mobile and gets the ID of the
matched fingerprint template.

*  E-wallet generates the registration key pair and the response message
(including the registration public key, device ID, and ID of the matched
fingerprint template).

*  E-wallet sends the response message to the payment server.

*  E-wallet shows the result from the payment server.

Payment server:

*  Payment server verifies the password of payment from the E-wallet app.

*  Payment server generates a registration request message and returns it to
the e-wallet app.

*  Payment server gets the registration response message and finishes the
registration.

*  Payment server returns the result of the registration to E-wallet.

Authentication of a Fingerprint Payment

User:

*  John orders a box of chocolates from a merchant app on a mobile phone.

*  Merchant system generates an order and requests the payment of the
order.

*  E-wallet app requests fingerprint verification.

*  John inputs the fingerprint.

*  E-wallet app verifies the fingerprint, gets the ID of the matched
fingerprint template and sends the information to the payment server.

*  John receives the result of the payment from the E-wallet.

Merchant:

*  Merchant app receives the information of the chocolates order and sends
the information to the merchant server.

*  Merchant server generates the order and returns the order information to
the merchant app.

*  Merchant app requests the e-wallet app for payment.

*  Merchant app gets the result of the payment from E-wallet and continues
to handle the order.

E-wallet app:

*  E-wallet gets a payment request from the merchant app.

*  E-wallet sends an authentication request message to the payment server.

*  E-wallet app requests to verify the fingerprint and gets the ID of the
matched fingerprint template; then E-wallet verifies the ID of the
fingerprint template.

*  E-wallet generates the authentication response message (signed with the
private key generated at registration) and sends it to the payment server.

*  After the payment server returns the payment result, E-wallet displays
the result in the app.

Payment server:

*  Payment server gets a payment request, and then generates an
authentication request message.

*  Payment server sends the authentication request message to the E-wallet
app.

*  After E-wallet has verified the fingerprint, the payment server gets the
authentication response message from the E-wallet app.

*  Payment server verifies the signature of the response message with the
public key generated at registration.

*  Payment server verifies the other information of the response message.

*  Payment server processes the payment.

*  Payment server returns the result of the payment to the E-wallet app.

 

Detail

 

Protecting the individual's privacy when performing fingerprint
authentication is an important concern. This use case attempts to ensure
that local fingerprint authentication is a fundamental part of the
fingerprint payment mechanism.

 

Requirements

*  For protecting the individual's privacy and security, the important data
(the fingerprint template and private key) should be stored in a TEE, and
the important processes should be protected by the TEE.

*  The fingerprint authentication protocol, which is capable of transmitting
a proof of the fingerprint authentication credential, does not contain any
personal fingerprint data.

Example:

Face authentication in password modification

User:

*  John forgets the password of the payment.

*  John opens the E-wallet app and requests to modify the password.

*  John inputs the username of E-wallet.

*  E-wallet app requests the face verification via the camera on the mobile
terminal.

*  John inputs the new password in the E-wallet app after the face
verification.

E-wallet app:

*  E-wallet gets a password modification request.

*  E-wallet calls the camera and begins to capture the face of John.

*  E-wallet sends the encrypted picture of the face to the payment server.

*  E-wallet gets the result of the face verification.

*  E-wallet asks John to input a new password and sends it to the payment
server.

*  E-wallet gets the result of the password modification, then informs John.

Payment server:

*  Payment server receives a password modification request.

*  Payment server sends the face verification request to the E-wallet app.

*  Payment server receives the encrypted picture of the face from the
E-wallet app.

*  Payment server verifies the face.

*  Payment server sends the result of the face verification to E-wallet.

*  Payment server receives the new password from E-wallet.

*  Payment server returns the result to the E-wallet app.

 

Detail

 

Protecting an individual's privacy when performing face authentication is an
important concern.

 

Requirements

*  For protecting the individual's privacy and security, the important data
should be encrypted before being sent to the server.

*  The face authentication protocol is capable of transmitting the picture
of the face, and the picture should be encrypted.

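As an added illustration, not part of the original mail or of the wiki use case, the registration and authentication messages of the fingerprint use case above modelled in Go: the e-wallet keeps the matched template ID and the registration private key, the server keeps only the registration public key, and the authentication response is signed with that private key so that no fingerprint data ever crosses the network. The server-issued challenge, the choice of ed25519, the message encoding and all IDs are assumptions; the local fingerprint match and the TEE storage are outside the model.

```go
package main

import "crypto/ed25519"

// RegResponse carries the registration public key, device ID and matched template ID; no fingerprint data.
type RegResponse struct {
	DeviceID, TemplateID string
	PubKey               ed25519.PublicKey
}
// AuthResponse is signed with the registration private key; the server challenge is an assumption added here.
type AuthResponse struct {
	DeviceID, TemplateID string
	Challenge, Sig       []byte
}
// Wallet models the e-wallet's TEE-held secrets: registered template ID and private key.
type Wallet struct {
	deviceID, templateID string
	priv                 ed25519.PrivateKey
}

// signedBytes is the byte string both sides sign and verify (assumed encoding).
func signedBytes(dev, tpl string, challenge []byte) []byte {
	return append([]byte(dev+"|"+tpl+"|"), challenge...)
}

// Register runs after the local fingerprint match has returned matchedTpl.
func (w *Wallet) Register(matchedTpl string) (RegResponse, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		return RegResponse{}, err
	}
	w.templateID, w.priv = matchedTpl, priv
	return RegResponse{w.deviceID, matchedTpl, pub}, nil
}

// Authenticate checks the fresh match against the registered template ID, then signs the challenge.
func (w *Wallet) Authenticate(matchedTpl string, challenge []byte) (AuthResponse, bool) {
	if matchedTpl != w.templateID {
		return AuthResponse{}, false // local check failed; nothing is sent
	}
	sig := ed25519.Sign(w.priv, signedBytes(w.deviceID, w.templateID, challenge))
	return AuthResponse{w.deviceID, w.templateID, challenge, sig}, true
}

// ServerVerify: known device, template ID as registered, valid signature under the registration key.
func ServerVerify(regs map[string]RegResponse, a AuthResponse) bool {
	r, ok := regs[a.DeviceID]
	return ok && r.TemplateID == a.TemplateID &&
		ed25519.Verify(r.PubKey, signedBytes(a.DeviceID, a.TemplateID, a.Challenge), a.Sig)
}
```

A replay check on the challenge (issue once, accept once) is left to the server's session handling and is not shown here.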
Received on Thursday, 26 March 2015 13:50:45 UTC