Building the Business Case - How FIDO can benefit your business https://fidoalliance.org/category/building-the-business-case/ Thu, 08 Dec 2022 14:48:54 +0000

FIDO Alliance Provides Guidance on Making FIDO Deployments Accessible to People with Disabilities https://fidoalliance.org/fido-alliance-provides-guidance-on-making-fido-deployments-accessible-to-people-with-disabilities/ Thu, 08 Dec 2022 14:48:54 +0000 https://fidoalliance.org/?p=38819 By Christina Hulka, executive director and COO of the FIDO Alliance FIDO Authentication has reached broad support across the web – all major operating systems, browsers and billions of devices […]

The post <strong>FIDO Alliance Provides Guidance on Making FIDO Deployments Accessible to People with Disabilities</strong> appeared first on FIDO Alliance.

By Christina Hulka, executive director and COO of the FIDO Alliance

FIDO Authentication has reached broad support across the web: all major operating systems, browsers and billions of devices support it today. With that milestone reached, and with FIDO roll-outs under way at a broad array of service providers, the FIDO Alliance is increasingly focused on ways to make FIDO Authentication more usable and accessible for all.

To achieve the FIDO Alliance’s mission of more secure, password-free authentication, we must ensure that we meet the needs and preferences of people with disabilities. Today, we are pleased to announce the publication of “Guidance for Making FIDO Deployments Accessible to Users with Disabilities,” which helps service providers plan FIDO deployments that are accessible to users with a wide range of disabilities. It also aims to help hardware manufacturers identify opportunities to deliver more accessible external authenticators.

An estimated 15% of the world’s population lives with some form of disability today, and in many countries laws prohibit discrimination to help ensure that these people can fully and equally participate in every aspect of society. Authentication is an important part of that ability to participate, as it gates digital access to many aspects of society including (but not limited to) education, employment and entertainment. While legacy forms of multi-factor authentication (MFA) such as SMS or email codes are technically “accessible,” they often require advanced skill, knowledge and/or assistive technology to read and enter the codes. FIDO, with its stronger and simpler authentication model, is well positioned to provide accessible authentication: it supports a wide range of authenticator options that accommodate vastly diverse needs. The paper released today explains why, and sets out considerations for deploying FIDO with the needs of people with disabilities in mind. We strongly encourage service providers to reference these guidelines when planning their FIDO deployments.

Much work and collaboration went into this paper. We would like to thank Yao Ming of Meta for his extensive work as lead author on this paper. We’d also like to thank Joyce Oshita of VMware for her contributions, including providing her own experiences leveraging various authentication methods, including FIDO, as a person who has lost her eyesight. 

In addition to the white paper, Yao and Joyce will be joining us on December 15, 2022 at 2pm ET for a webinar to discuss their perspectives on this topic. To attend the webinar, register here.

The paper is available here; feedback is always appreciated – please drop a line at info@fidoalliance.org.  

White Paper: FIDO Authentication in Digital Payment Security https://fidoalliance.org/white-paper-fido-authentication-in-digital-payment-security/ Thu, 08 Sep 2022 23:27:24 +0000 https://fidoalliance.org/?p=37489 The Indian Payments ecosystem is going through rapid change and advancement. The Reserve Bank of India (Digital Payment Security Controls) Directions 2020 were issued for regulated entities to set up […]

The post White Paper: FIDO Authentication in Digital Payment Security appeared first on FIDO Alliance.

The Indian Payments ecosystem is going through rapid change and advancement. The Reserve Bank of India (Digital Payment Security Controls) Directions 2020 were issued for regulated entities to set up a robust governance structure for such systems and implement common minimum standards of security controls for channels like internet, mobile banking, and card payments, among others. In this paper, we demonstrate how FIDO Authentication represents the best way for organizations to implement simpler, stronger authentication that meets Reserve Bank of India’s Master Direction on Digital Payment Control requirements, while also enhancing the user experience.

Charting an Accelerated Path Forward for Passwordless Authentication Adoption https://fidoalliance.org/charting-an-accelerated-path-forward-for-passwordless-authentication-adoption/ Thu, 17 Mar 2022 12:14:14 +0000 https://fidoalliance.org/?p=36186 Andrew Shikiar, executive director and CMO, FIDO Alliance FIDO Alliance released a paper today that outlines the next steps in the evolution of FIDO and passwordless authentication adoption. Specifically, we […]

The post Charting an Accelerated Path Forward for Passwordless Authentication Adoption appeared first on FIDO Alliance.

Andrew Shikiar, executive director and CMO, FIDO Alliance

FIDO Alliance released a paper today that outlines the next steps in the evolution of FIDO and passwordless authentication adoption. Specifically, we are introducing the concept of multi-device FIDO credentials to address current challenges with account recovery for consumer deployments at scale.

The FIDO Alliance has been successful in changing the nature of authentication: FIDO Authentication is now built into every leading device and browser, and many major brands have made FIDO logins available to their users.

However, a challenge that persists is that users must enroll a FIDO credential for each service on each new device, and that first sign-in on a new device typically still requires a password. So what happens to your FIDO credentials, and how do you recover your account, if you change your phone or laptop? In today’s FIDO model the credentials are bound to the device and are not recoverable. This presents issues for deploying FIDO at scale to consumers, who are constantly moving between devices and upgrading to new ones. It is less of a challenge in the enterprise, where companies can deploy internal management tools to support passwordless authentication and to let employees recover accounts and credentials.

So while FIDO is available to deploy at scale today, a feature has been missing to make it as fully ubiquitous and available as passwords: the ability to have your FIDO credentials available to you across all of your devices, even a new one, without having to re-enroll for every account. 

Introducing multi-device FIDO credentials

The new paper released today outlines the next steps for the evolution of FIDO to address this limitation. The paper introduces multi-device FIDO credentials, also informally referred to by the industry as “passkeys,” which enable users to have their FIDO login credentials readily available across all of the user’s devices. This will help service providers bring passwordless sign-in to consumers at scale by addressing the issue of account recovery – the key barrier to mass adoption of cryptographically secure, passwordless authentication. 

The paper outlines how the FIDO Alliance and the W3C WebAuthn working group propose to achieve this, which includes two key updates:

  • The ability to use a phone as a roaming authenticator, through a defined protocol for communication between the user’s phone (which becomes the FIDO authenticator) and the device from which the user is trying to authenticate.
  • Making FIDO credentials available on all of the user’s devices, so that they survive device loss and sync across devices.

By introducing these new capabilities, we hope to empower websites and apps to offer an end-to-end truly passwordless option; no passwords or one-time passcodes (OTP) required. The user experience of sign-in becomes a simple verification of a user’s biometric or a device PIN – the same consistent and simple action that consumers take multiple times each day to unlock their devices. The vision is that these experiences will be available across all our devices, operating systems and browsers.

FIDO Alliance sees the introduction of multi-device FIDO credentials to be an important step towards deployment of phishing-resistant FIDO authentication at a broader scale in many use cases that today are totally reliant on passwords or legacy forms of MFA such as SMS OTPs that are under increasing attack. 

We’re looking forward to hearing from industry stakeholders about this development and will be sharing more details on a webinar in April.

The Value of Certification https://fidoalliance.org/the-value-of-certification/ Tue, 26 Oct 2021 23:17:59 +0000 https://fidoalliance.org/?p=35482 Hear from FIDO’s Dr. Rae Rivera about the value of product certification, including FIDO Certification Programs – updates and on the horizon, and much more.

The post The Value of Certification appeared first on FIDO Alliance.

World’s Largest Tech Companies Drive FIDO Alliance’s New User Experience Guidelines https://fidoalliance.org/fido-alliances-new-user-experience-guidelines/ Wed, 23 Jun 2021 15:11:16 +0000 https://fidoalliance.org/?p=34500 By Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance FIDO Authentication has seen remarkable acceptance over the past few years, thanks in large part to standardization by the […]

The post World’s Largest Tech Companies Drive FIDO Alliance’s New User Experience Guidelines appeared first on FIDO Alliance.

By Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance

FIDO Authentication has seen remarkable acceptance over the past few years, thanks in large part to standardization by the World Wide Web Consortium (W3C) and the subsequent adoption into leading device platforms and browsers. All told, we estimate that over 4 billion devices (including Windows 10 PCs and every modern Apple and Android device) now support FIDO Authentication, as do over 88% of web browsers. Couple that addressable market with developers’ ability to write to the public FIDO2/WebAuthn API and you can see why so many enterprises are featuring FIDO support in requests for proposals (RFPs) and accelerating related development plans.

However, while FIDO does provide a simpler, stronger approach to user authentication, users still need to become accustomed to the experience, and the flows need to be optimized as much as possible. In short, “if you build it they will come” isn’t always sufficient for paradigm-changing technologies. We’ve heard from more and more relying parties that they would benefit from guidance on how to implement FIDO in a way that resonates with consumers and works across major browsers and platforms.

Over the past five years, the Alliance has conducted research that has consistently found that consumers want to use FIDO authentication once they understand what it is, and that they want common “FIDO-enabled” signals showing where it is available. This illustrates the need to introduce FIDO to consumers in a user-friendly and consistent way if our protocols are to be adopted at scale.

To address this requirement, FIDO’s Board of Directors last year launched a User Experience (UX) Task Force (UXTF), drawing on world-class UX experts from many of our member companies, including Bank of America, eBay, Facebook, Google, HYPR, IBM, Intuit, JP Morgan Chase Bank, Microsoft, Trusona, Visa, and Wells Fargo. The UXTF was tasked with creating recommendations and best practices for how to deploy FIDO, factoring in utilization of FIDO messaging, logos and other visual cues. We partnered with consulting firm Blink UX to conduct the first formal usability research of FIDO user journeys, including registration and authentication steps and various use cases – all feeding into our Desktop Authenticator UX Guidelines.

To complement this effort, we constructed a strawman banking user journey that could be used to test various assumptions and to better examine the authentication steps actually employed by users. With IBM’s assistance, a website was created to reflect this use case and was utilized during our testing and analyses.  The site will remain live as a reference implementation of our UX Guidelines. 

We divided the typical FIDO journey into a series of four major steps:

  • Promote awareness of the biometric sign-in options available, then perform the actual sign-in and determine whether the user has a FIDO-eligible device that can be used for authentication.
  • Invite users to register via FIDO, especially if they are using Windows Hello or Apple Touch ID.
  • Register the user’s desktop authenticator with FIDO, with messages showing success or failure.
  • Make FIDO the primary sign-in path, and issue appropriate confirmation messages.

The UX tests were done in three rounds. First was a qualitative series in which we walked participants through a mock-up of the site and the test. This gave us feedback on some of our initial messaging and visual assumptions, which fed into the final site design. Next, we ran 100 subjects through independent quantitative testing on the test site (https://digitalbank-test.com/simple/), where each was assigned a mock banking task to complete, including a prompt to enroll for FIDO login. Our last round of testing consisted of qualitative video interviews, which provided an invaluable human element and insights on the FIDO value proposition.

Collectively, these tests are what helped define and focus our messaging, logos and various other iconography and logic flows that were useful in developing UX guidelines and other best practices for FIDO implementations.

Our preliminary recommendations from these tests are:

  • Use a simple biometric image (such as a fingerprint icon) to trigger the initial user registration, then have FIDO logos at each touchpoint to confirm that a user is following the right sequence of steps.
  • Make sure developers optimize for each type of environment (operating system and device form factors such as laptop or phone) for each FIDO-capable device. For example, Windows and MacOS have different icons that are used to designate fingerprint usage, as shown in the below screencaps.
  • Use one of two suggested messaging styles, both of which we tested and validated: a simple message such as “You’re eligible for a simpler sign-in! Learn how you can skip your password the next time you sign in. Register now.” or an “add an option” message such as “Add an easy and safe way to access your account. Register now.”
  • Take steps to educate consumers and customer support staff about FIDO. Promote FIDO awareness across multiple touch points and marketing channels such as email, direct postal mail campaigns and social media, including information about which devices are FIDO-capable and how to use FIDO with Windows Hello on Windows 10 and on Apple smartphones. This also helps address potential user reluctance around biometric sign-in: although many users view it as desirable, convenient and secure, some initially hesitate to share biometric or other device sign-in information with their bank or with FIDO, and need to be told that their biometrics never leave their device.
  • Have a special “problem resolution” path for those customers who run into problems.

FIDO Alliance’s ultimate goal is to see as many service providers moving their customers away from password-based authentication as soon as possible – and we hope that these UX guidelines can help accelerate this movement.  As this is our first foray into usability guidance we’re also open to and appreciative of feedback from deploying organizations.  

Read more about FIDO’s UX efforts and research here.

FIDO Recognition for European Digital Identity Systems and eIDAS Grows https://fidoalliance.org/fido-recognition-for-european-digital-identity-systems-and-eidas-grows/ Mon, 29 Mar 2021 13:57:03 +0000 https://fidoalliance.org/?p=33322 Contributed by Sebastian Elfors, Senior Solutions Architect, Yubico Recognition of the value of FIDO in European digital identity systems and eIDAS continues to grow.  This month has featured two new […]

The post FIDO Recognition for European Digital Identity Systems and eIDAS Grows appeared first on FIDO Alliance.

Contributed by Sebastian Elfors, Senior Solutions Architect, Yubico

Recognition of the value of FIDO in European digital identity systems and eIDAS continues to grow.  This month has featured two new updates in Europe on the FIDO front: the release of a landmark ENISA report that discusses the role FIDO2 plays in eIDAS, and the accreditation by the Czech government of a new eID solution using FIDO2.

In March 2021, the EU Cybersecurity Agency (ENISA) issued the report Remote ID Proofing, which describes the current regulatory landscape and supporting standards for the European countries’ remote identity proofing laws, regulations and practices. The report draws on ETSI TR 119 460 and ETSI TS 119 461, which describe the policies and practices for remote identity proofing by trust service providers in the EU. From a legal perspective it takes into account in particular the eIDAS regulation, the AMLD5 directive on preventing money laundering, and the EU directives on issuing ID cards and exchanging identity information.

Several methods for remote identification are described in the ENISA report: video-recorded sessions, identification based on eID schemes or electronic signatures, bank identification, scanning of existing ID cards, or a combination of several methods. The option to identify a user with an eID scheme is of particular interest from a FIDO perspective. The following statement appears in section “2.2.4 Electronic identification means” of the ENISA report:

“A protocol used by several electronic identity means providers is OpenID Connect. It is an authentication layer on top of OAuth 2.0 and is specified by the OpenID Foundation. This protocol allows verifying the identity of the applicant based on the authentication performed by an Authorization Server, and obtaining basic information about the applicant. Another technology that can be used in eID solutions is FIDO2. The FIDO Alliance explains in a whitepaper how FIDO2 can be used for eID means corresponding to eIDAS article 8.”

In the very same month, the Czech Ministry of the Interior granted eIDAS accreditation to the Czech domain registry CZ.NIC, meaning that its identity provider mojeID can deploy FIDO2 as an eID scheme at eIDAS level of assurance High under the following conditions:

  • The FIDO2 authenticator is FIDO certified at Level 2 (or higher)
  • The FIDO2 authenticator is based on a secure element that is certified at FIPS 140-2 Level 3 or Common Criteria EAL4 + AVA_VAN.5
  • The FIDO2 authenticator has a PIN set and the PIN is required for all transactions at level of assurance High
  • Username and password are used in conjunction with FIDO2

Both ENISA’s report on remote identity proofing and the official approval of CZ.NIC’s FIDO-based eID scheme are great examples of how FIDO has been recognized as a viable authentication protocol for eIDAS compliant eID schemes in the EU.

White Paper: FIDO for SCA Delegation to Merchants or Wallet Providers https://fidoalliance.org/white-paper-fido-for-sca-delegation-to-merchants-or-wallet-providers/ Tue, 16 Mar 2021 15:50:02 +0000 https://fidoalliance.org/?p=33121 The authentication of consumers during remote transactions has undeniable benefits in terms of security and approval rates but raises concerns of transactions being abandoned by consumers, as those consumers are […]

The post White Paper: FIDO for SCA Delegation to Merchants or Wallet Providers appeared first on FIDO Alliance.

The authentication of consumers during remote transactions has undeniable benefits in terms of security and approval rates but raises concerns of transactions being abandoned by consumers, as those consumers are not always able to authenticate properly to their banks.

Merchants and wallet providers have an existing relationship with consumers, and there is an opportunity to leverage authentication mechanisms established during that relationship to authenticate to remote transactions as a delegation of the bank’s authentication.

This white paper reviews the different authentication mechanisms that can be used by merchants or wallet providers in the context of Strong Customer Authentication (SCA) Delegation and explains why FIDO is best positioned to meet the requirements from regulatory authorities, banks, merchants, or wallet providers.

CHEDDAR: Making the Case for a Future Without Passwords https://fidoalliance.org/cheddar-making-the-case-for-a-future-without-passwords/ Tue, 23 Feb 2021 20:46:44 +0000 https://fidoalliance.org/?p=32902 While the pandemic drags on, our overall reliance on digital technologies has only accelerated. As a result, the rates of cybercrime are soaring, leading many companies to completely rethink their […]

The post CHEDDAR: Making the Case for a Future Without Passwords appeared first on FIDO Alliance.

While the pandemic drags on, our overall reliance on digital technologies has only accelerated. As a result, the rates of cybercrime are soaring, leading many companies to completely rethink their security systems. In an attempt to ramp up security efforts, experts are urging people to ditch the traditional password, and opt for other forms of authentication. Andrew Shikiar, Executive Director and CMO of the FIDO Alliance, joined Wake Up With Cheddar to discuss some of the best password alternatives.

FIDO Alliance Members Meet Virtually in Inaugural APAC Marketing Forum https://fidoalliance.org/fido-alliance-members-meet-virtually-in-inaugural-apac-marketing-forum/ Mon, 02 Nov 2020 21:06:35 +0000 https://fidoalliance.org/?p=31918 Joon Hyuk Lee and Atsuhiro Tscuhiya, APAC Market Development Team [Snapshots of AMF Inauguration Members] As the world struggles to contain the global pandemic, cybercriminals are launching their attacks and […]

The post FIDO Alliance Members Meet Virtually in Inaugural APAC Marketing Forum appeared first on FIDO Alliance.

Joon Hyuk Lee and Atsuhiro Tsuchiya, APAC Market Development Team

[Snapshots of AMF Inauguration Members]

As the world struggles to contain the global pandemic, cybercriminals are launching their attacks and taking advantage of the anxiety and uncertainty that people are feeling. They impersonate trusted authorities or brands to mislead their victims. This is not surprising as cybercriminals are always on the lookout for opportunities and vulnerabilities.

Cybersecurity ranks amongst the top ten global risks, and reducing cyber-risk exposure has become a priority for business leaders, according to the World Economic Forum’s 2020 Global Risks Report.

Meanwhile, cybersecurity and technology experts overwhelmingly agree that reliance on passwords should be reduced if not totally scrapped: 80 percent of all data breaches involve weak or stolen passwords, and 29 percent of all attacks leverage the latter.

Passwords pose many challenges. As we increasingly live our lives and perform mission-critical work online, safe access to connected devices and online services matters more than ever, and raising authentication standards and reducing reliance on passwords has become urgent.

APAC Marketing Forum

Since 2012, the FIDO Alliance has been working with organizations across Asia Pacific (APAC) to reduce the reliance on passwords and encourage the adoption of simpler and stronger approaches to authentication. Today, we have close to 40 members from both the public and private sector in this region.

Recently, more than 30 representatives from these member organizations got together for the very first FIDO Alliance APAC Marketing Forum (AMF). The AMF, held virtually, was an informal marketing-related discussion.

The event provided a platform for members to connect, learn about each other’s markets and share best practices. It facilitated communication and cooperation amongst members, and the authentication industry as a whole.

Recent Initiatives in APAC

FIDO members in APAC also have made tremendous progress in recent months.

Companies that have deployed FIDO authentication include PrivyID in Indonesia and the Japan-based NTT Docomo and KDDI. Furthermore, VinCSS became the first company in Vietnam to develop a FIDO2-certified authentication server.

FIDO also was included in official standards documents developed by the Taiwan Association of Information and Communication Standards (TAICS) and SEMI (Semiconductor Equipment and Materials International) Taiwan. 

Also in Taiwan, Cathay United Bank has added the FIDO logo to the latest version of its app, released to customers in August.

Additionally, we had successful events like the FIDO Security Key Support Campaign, and 2020 FIDO Hackathon – Goodbye Password Challenge that offered member organizations opportunities to interact with each other despite physical distancing.

Activities in the Pipeline

Moving forward, we aim to organize more of both digital and onsite collaborative marketing events where members can promote their innovations and share case studies. Currently, planned initiatives include:

  • FIDO Alliance virtual AMFs to be organized once every quarter, where post discussion updates will be shared through the FIDO Blog
  • FIDO Alliance quarterly member newsletter 
  • Updated FIDO Alliance orientation material with contents customized for the needs of APAC members

We look forward to seeing you at the next virtual meeting in October!

If you wish to take part in these exciting new initiatives, or have any inquiries, please do not hesitate to contact tsuchiya@fidoalliance.org.

By joining AMF, you will not only get to connect with key authentication players in APAC, but also gain benefits of participating in FIDO branded awareness and promotional activities together with global champions.

White Paper: Accepting FIDO Credentials in the Enterprise https://fidoalliance.org/white-paper-accepting-fido-credentials-in-the-enterprise/ Mon, 19 Oct 2020 14:42:04 +0000 https://fidoalliance.org/?p=31838 Today, secure access to online applications and services has evolved into a framework reliant on devices, public key cryptography and biometrics to replace the shared secrets of aging passwords. Since […]

The post White Paper: Accepting FIDO Credentials in the Enterprise appeared first on FIDO Alliance.

Today, secure access to online applications and services has evolved into a framework that relies on devices, public key cryptography and biometrics to replace the shared secrets of aging passwords. Since 2013, the FIDO Alliance has developed and advanced open and scalable standards to eliminate phishing and other attacks on authentication. To introduce these improvements and to educate staff across corporate management and IT security, the FIDO Alliance has developed a series of best-practice and how-to white papers that match the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within all companies.

Enterprises that accept FIDO credentials are participating in a digital credential exchange. This white paper is intended for CISOs and IT professionals who are considering deploying FIDO across their enterprise. In this paper, we provide a high-level overview of the most common digital exchange – the authentication exchange. We will examine the participants, protocols, and decisions that enterprises must make regarding the creation, management, and usage of FIDO credentials. 

CISA Cites FIDO Authentication to Protect Political Campaigns https://fidoalliance.org/cisa-cites-fido-authentication-to-protect-political-campaigns/ Fri, 11 Sep 2020 21:19:30 +0000 https://fidoalliance.org/?p=31636 Andrew Shikiar, FIDO Alliance Executive Director & CMO  The US Cybersecurity and Infrastructure Security Agency (CISA),  issued an advisory Thursday recommending cyber attack remedies for election-related activities  including the use […]

The post CISA Cites FIDO Authentication to Protect Political Campaigns appeared first on FIDO Alliance.

Andrew Shikiar, FIDO Alliance Executive Director & CMO 

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Thursday recommending remedies against cyber attacks on election-related activities, including the use of FIDO authentication to thwart phishing attempts and account takeover.

The advisory, entitled “Actions to Counter Email-Based Attacks on Election-Related Entities,” notes that 78 percent of cyber-espionage incidents are enabled by phishing, and makes specific recommendations for protecting organizations involved in election-related activities against cyber attacks.

Among other recommendations, the advisory highlights FIDO Authentication as a way to thwart phishing attempts and protect against account takeover for cloud email and other high-value services. Specifically, CISA cites FIDO2 security keys as a tool that campaigns and organizations can, and should, use to protect themselves. The advisory also recommends that, where available, campaigns and organizations enroll users in advanced protection services such as Google Advanced Protection, which relies on FIDO security keys in preference to other 2FA methods to protect workforces from account takeover.

FIDO security keys protect against phishing by acting as a second, physical authentication factor that only completes a sign-in on the genuine website. At registration the credential is bound to the site’s identifier (its RP ID); at sign-in the key’s signature covers that identifier and the origin the browser reports along with the site’s challenge, so a look-alike domain cannot obtain a signature that the legitimate site will accept. Thus, even if a user is tricked into supplying their password to a phishing website, the security key still blocks the attacker from accessing the account.

Phishing continues to be a problem and remains one of the most popular means by which cybercriminals obtain data. Embracing FIDO technology is smart politics, and smart policy for those who understand the gravity of the cyber threat. As the election draws near, we’re increasingly seeing foreign agents attempting to infiltrate, influence and disrupt our elections.

As the CISA advisory implies, phishing and other cyber attacks are a critical issue with widespread and damaging implications to U.S. national security. The CISA advisory highlights the importance of locking down email systems, which have become a preferred vector for malicious activity. The CISA recommendations are intended as a preferred method for protecting the 2020 and future political campaigns. 

Forbes: Trust Is A Keystone Of Digital Transformation https://fidoalliance.org/trust-is-a-keystone-of-digital-transformation-2/ Wed, 12 Aug 2020 23:39:56 +0000 https://fidoalliance.org/?p=31378 In a talk with Forbes, FIDO Alliance’s Andrew Shikiar, Executive Director & CMO, discusses how authenticating employees and end-users can help organizations push ahead with digital transformation projects and solve […]

In a talk with Forbes, FIDO Alliance’s Andrew Shikiar, Executive Director & CMO, discusses how authenticating employees and end-users can help organizations push ahead with digital transformation projects and solve the issue of trust.

Webinar: PSD2 Support: Why Change to FIDO https://fidoalliance.org/webinar-psd2-support-why-change-to-fido-2/ Thu, 16 Jul 2020 16:00:15 +0000 https://fidoalliance.org/?p=31121 Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In […]

Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In the world of e-commerce, these solutions, when used, have been successful in combating online payment fraud. The success of PSD2 will ultimately be determined by how well banks can balance user convenience with security obligations, while maximizing reach. As such, they may want to evaluate how well their legacy authentication solutions meet this new need. FIDO authentication standards have been proposed as a way for banks to meet all requirements in a PSD2 world — but is the change from a legacy method to FIDO worthwhile? Find the video here.

White Paper: PSD2 Support: Why Change to FIDO https://fidoalliance.org/white-paper-psd2-support-why-change-to-fido/ Thu, 04 Jun 2020 19:53:14 +0000 https://fidoalliance.org/?p=30802 Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In […]


Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In the world of e-commerce, these solutions, when used, have been successful in combating online payment fraud.

The Second Payment Services Directive (PSD2) and its associated Regulatory Technical Standards (RTS) dramatically change the payment landscape, considering:

  • the mandate for strong, multi-factor authentication, and
  • the emergence of Third Party Providers (TPP) accessing accounts via open APIs.

The success of PSD2 will ultimately be determined by how well banks can balance user convenience with security obligations, while maximizing reach. As such, they may want to evaluate how well their legacy authentication solutions meet this new need. 

FIDO authentication standards have been proposed as a way for banks to meet all requirements in a PSD2 world — but is the change from a legacy method to FIDO worthwhile? This paper proposes guidance to banks to help them decide. 

The paper describes the FIDO Authentication standards and compares them with the legacy authentication methods used to access an account or secure an online payment. The methods compared are SMS OTPs, hardware OTP generators, CAP readers, and proprietary smartphone- and biometrics-based solutions, assessed in terms of PSD2 compliance, security, usability and scalability. Ultimately, the paper answers the question: Why change to FIDO?

FIDO Seoul Seminar: Deployment Case Studies Highlight Rise of FIDO Authentication in Asia https://fidoalliance.org/fido-seoul-seminar-deployment-case-studies-highlight-rise-of-fido-authentication-in-asia/ Mon, 07 Oct 2019 20:59:30 +0000 http://fidoalliance.org/?p=29038 Last week in Seoul, FIDO Alliance held a seminar for 300+ attendees eager to learn more about FIDO authentication. A big highlight was the case study track in the afternoon, […]


Last week in Seoul, FIDO Alliance held a seminar for 300+ attendees eager to learn more about FIDO authentication. A big highlight was the case study track in the afternoon, which gave us a glimpse into the rise of FIDO Authentication in Asia, notably Korea and Japan. Here are a few notable takeaways from these sessions:

SK Telecom: With its 47,000 employees and more than 500 enterprise applications, SK Telecom (SKT) parent company SK in Korea deals with credential stuffing threats on a daily basis. To combat this issue, SKT has implemented FIDO for its Group Mobile Portal (GMP), which includes applications such as company mail, calendars and many others. Since implementing FIDO biometric login, SKT has reduced login time from 30 seconds to only five seconds, and now experiences zero successful credential stuffing attacks. This data showcases how FIDO can provide both increased productivity and security for the enterprise.

LINE: LINE announced at the seminar it has deployed FIDO2 for their mobile payment service “LINE Pay” for iOS as a native app with whitebox encryption and attestation. LINE Pay has more than 40 million users. Next, LINE plans to leverage FIDO authentication in more of its platforms including LINE Pay Android, payments in the LINE app or on the web, and in other countries. LINE’s FIDO deployment comes in addition to several other new deployments in Japan, as we heard from NTT DOCOMO, including Yahoo! Japan, Fujitsu and Japan Post Bank.

Samsung Mobile: Samsung has long supported FIDO standards, implementing FIDO biometrics five years ago on its Samsung Galaxy S5 handset. Last year, Samsung became the world’s first company to achieve FIDO Alliance Biometric Component Certification for its S10/S10+ handsets. Samsung also reported that over 90% of its products are now IoT-ready. Next up, Samsung plans to work on implementing FIDO2 on its proprietary web browser, Samsung Internet, to make Samsung devices “completely FIDO ready.”

In addition to these deployments we heard about at the seminar, we were also pleased to learn that the Korean Government has implemented FIDO for login to several e-government services and plans to implement FIDO2 early next year. Look out for a case study on this implementation soon. 

Another highlight from the event was the awards ceremony for the Korea Hackathon, which we wrote about in July — watch for another post for information coming soon on the winners and their innovative FIDO implementations.

House Hearing on Identity Sheds Light on Need for Stronger Identity Verification Procedures https://fidoalliance.org/house-hearing-on-identity-sheds-light-on-need-for-stronger-identity-verification-procedures/ Mon, 16 Sep 2019 19:00:32 +0000 http://fidoalliance.org/?p=28898 Authentication is getting easier, but identity proofing leaves security gaps Last Thursday, the House Committee on Financial Services held a hearing on “The Future of Identity in Financial Services: Threats, […]

Authentication is getting easier, but identity proofing leaves security gaps

Last Thursday, the House Committee on Financial Services held a hearing on “The Future of Identity in Financial Services: Threats, Challenges, and Opportunities.” Jeremy Grant’s testimony, on behalf of the Better Identity Coalition, is a great summary of the state of identity today – and the steps that need to be taken to get identity right for more secure and private transactions online.

According to Grant, there are three major challenges for financial institutions: 1. Validating an identity for account creation; 2. Synthetic identity fraud; and 3. Authentication. He points out that “authentication is getting easier, but identity proofing is getting harder.”

On authentication, Grant calls FIDO standards “the most significant development in the authentication marketplace in the last 20 years.” He explains how this has made strong authentication much more accessible:

“The ability of consumers and businesses to access tools that they can use in addition to – or in lieu of – passwords is greater than it’s ever been. And with multi-stakeholder industry initiatives like the FIDO Alliance creating next-generation authentication standards that are getting baked into most devices, browsers and operating systems, it is becoming easier than ever to deliver on the vision of better security, privacy and convenience.”

But, he points out, “identity proofing is getting harder. By that, I mean the ability of consumers during initial account creation to prove that they are who they really claim to be is harder than ever – in part because attackers have caught up to the tools we have depended on for identity proofing and verification.” He calls on government and industry to prioritize the development of next-generation remote identity proofing and verification systems, amongst other priorities.

The FIDO Alliance could not agree more. This is the reason why we’ve added a focus on identity verification and binding – to close the gap between the high assurance provided by FIDO authentication standards and the lower assurance methods used in identity verification for account recovery.

You can read Jeremy Grant’s full testimony at https://financialservices.house.gov/uploadedfiles/hhrg-116-ba00-wstate-grantj-20190912.pdf.

Those that want to learn more about our new identity verification and binding initiative should join a webinar this Wednesday, September 18 at 2pm ET. Click here to register for the webinar.

FIDO Focus, New Work Area News Made Identiverse 2019 the Best Yet https://fidoalliance.org/identiverse-2019-best-yet/ Thu, 11 Jul 2019 15:33:33 +0000 http://fidoalliance.org/?p=28070 Andrew Shikiar, executive director and chief marketing officer Identity professionals (the Identerati, if you will) look forward to Ping Identity’s Identiverse every year and it’s easy to see why. Between […]

Andrew Shikiar, executive director and chief marketing officer

Identity professionals (the Identerati, if you will) look forward to Ping Identity’s Identiverse every year and it’s easy to see why. Between the packed agenda with content for all levels and the busy show floor, it’s a great opportunity to learn something new and meet the professionals that are in the trenches of identity within their own organizations.

This year, FIDO came to the fore. Jack Madden of tech publication BrianMadden.com summed it up well in his Identiverse recap:

“Without a doubt, the biggest buzz in identity today is FIDO2 and WebAuthn, the phishing-resistant authentication standards. They’ve made a lot of progress in the last year with many more certified implementations, and I don’t think a single conference session failed to mention how big of a deal they are.”

Between numerous keynote mentions, a masterclass from Google, and deployment sessions from companies like Netflix, Intuit and T-Mobile, FIDO Authentication and our newest set of standards, FIDO2, were a recurring theme throughout the conference. At our booth, we had a lot of meaningful conversations with professionals either just starting with FIDO or far along in their implementations or somewhere in between. In all cases, the identity community is eager to be involved.

We were enthused not only by the great FIDO content at the show, but for the opportunity to take the keynote stage and share some news of our own. We announced two new standards and certification initiatives in identity verification and the Internet of Things (IoT).

Why? Over time, we’ve seen a growing gap between the high-assurance authentication that FIDO provides, and lower assurance methods used for identity verification and in IoT. Addressing these adjacent technology areas that leave security vulnerabilities on the web will ultimately help drive the efficacy and market adoption of FIDO Authentication. The Alliance has the right mix of companies and the right structure of collaboration to address these gaps, as opposed to siloed proprietary approaches.

We’ve formed two new working groups, the IoT Technical Working Group (IoT TWG) and the Identity Verification and Binding Working Group (IDWG), to drive these new initiatives. These groups are now actively meeting and open to participation. If your organization would like to contribute to these efforts, I encourage you to reach out to me about membership in the Alliance.

You can read more about our new work areas at our IoT and Identity webpages.

Lastly, if you missed Identiverse but still want to hear the latest on FIDO, check out my slides from the event (The State of FIDO) and watch for more educational materials, including case studies and webinars, coming soon. Thanks again to Identiverse for a great show, and see you next year!

FIDO & PSD2 – Achieving Strong Customer Authentication Compliance Webinar https://fidoalliance.org/fido-psd2-achieving-strong-customer-authentication-compliance-webinar/ Fri, 12 Apr 2019 13:50:40 +0000 http://fidoalliance.org/?p=26813 The Second Payment Services Directive (PSD2) and the associated Regulatory Technical Standards (RTS) on strong customer authentication and secure communication impose stringent requirements on multi-factor authentication and on the security […]

The Second Payment Services Directive (PSD2) and the associated Regulatory Technical Standards (RTS) on strong customer authentication and secure communication impose stringent requirements on multi-factor authentication and on the security of implementations. Payment Service Providers will want to know whether the authentication solutions they put in place conform to the RTS both in terms of functionality and security.

FIDO2 & PSD2: Achieving Strong Customer Authentication Compliance https://fidoalliance.org/fido2-psd2-achieving-strong-customer-authentication-compliance/ Fri, 12 Apr 2019 13:41:10 +0000 http://fidoalliance.org/?p=26816 The Second Payment Services Directive (PSD2) and the associated Regulatory Technical Standards (RTS) on strong customer authentication and secure communication impose stringent requirements on multi-factor authentication and on the security […]

The Second Payment Services Directive (PSD2) and the associated Regulatory Technical Standards (RTS) on strong customer authentication and secure communication impose stringent requirements on multi-factor authentication and on the security of implementations. Payment Service Providers will want to know whether the authentication solutions they put in place conform to the RTS both in terms of functionality and security.

Javelin Research’s State of Strong Authentication 2019 Report https://fidoalliance.org/javelin-researchs-state-of-strong-authentication-2019-report/ Fri, 08 Feb 2019 20:36:41 +0000 http://fidoalliance.org/?p=25441 As data breaches and increasingly sophisticated phishing attacks continue to drive online account compromise and financial loss, organizations are finally stepping up and investing in stronger, phishing-resistant forms of authentication, […]

As data breaches and increasingly sophisticated phishing attacks continue to drive online account compromise and financial loss, organizations are finally stepping up and investing in stronger, phishing-resistant forms of authentication, according to Javelin Research’s new “The State of Strong Authentication 2019” report. But what does this mean for strong authentication holdouts?

Get the answer to this question and more in this video on the report, featuring Al Pascual, senior vice president and research director, Javelin Strategy & Research and Andrew Shikiar, CMO, FIDO Alliance. These speakers share analysis on the state of consumer and enterprise authentication among U.S. businesses and the role that strong authentication is playing in protecting accounts and securing access to valuable data and critical systems.

Javelin Research’s State of Strong Authentication 2019 Report https://fidoalliance.org/javelin-research-state-of-strong-authentication-2019-report-video/ Fri, 08 Feb 2019 17:12:58 +0000 http://fidoalliance.org/?p=25439 As data breaches and increasingly sophisticated phishing attacks continue to drive online account compromise and financial loss, organizations are finally stepping up and investing in stronger, phishing-resistant forms of authentication, […]

As data breaches and increasingly sophisticated phishing attacks continue to drive online account compromise and financial loss, organizations are finally stepping up and investing in stronger, phishing-resistant forms of authentication, according to Javelin Research’s new “The State of Strong Authentication 2019” report. But what does this mean for strong authentication holdouts?

Get the answer to this question and more in this video on the report, featuring Al Pascual, senior vice president and research director, Javelin Strategy & Research and Andrew Shikiar, CMO, FIDO Alliance. These speakers share analysis on the state of consumer and enterprise authentication among U.S. businesses and the role that strong authentication is playing in protecting accounts and securing access to valuable data and critical systems.

FIDO Authentication in the Shifting Regulatory Landscape https://fidoalliance.org/fido-authentication-in-the-shifting-regulatory-landscape/ Mon, 28 Jan 2019 20:06:17 +0000 http://fidoalliance.org/?p=24954
Google Case Study https://fidoalliance.org/google-case-study/ Mon, 28 Jan 2019 20:03:17 +0000 http://fidoalliance.org/?p=24921 From Google’s perspective, defending against phishing is the key to securing employees’ and customers’ accounts. With the prevalence of cloud-based services, both among consumers and within enterprises, usernames and passwords […]

From Google’s perspective, defending against phishing is the key to securing employees’ and customers’ accounts. With the prevalence of cloud-based services, both among consumers and within enterprises, usernames and passwords are frequently the only thing stopping malicious actors from compromising data. With authentication using FIDO protocols, the authenticator provides cryptographic proof that the user is interacting with the legitimate service, and even if the authenticator’s response is captured in transit, it cannot be successfully replayed by malicious actors to impersonate the user.

Over two years ago, Google published the result of their internal implementation of FIDO U2F security keys, and reported impressive outcomes. According to the company, there has not been a successful phishing attack against their 85,000+ employees since requiring use of physical security keys. Since the publication of this report, Google has taken a number of other notable steps with integrating FIDO protocols into their consumer and enterprise authentication flows.

Most recently, Google has released their own U2F hardware security key, known as the Titan Security Key. Titan Security Keys provide both a familiar USB security key and a Bluetooth version, which enables the security key to authenticate via users’ smartphones. While the Titan Security Key is available generally for purchase, it is intended largely for enterprise users, especially those who already use Google’s cloud services.

With the release of Chrome 70, Chrome will support the credential management API specified in the W3C’s recently released WebAuthn standard. This allows web applications to create and use cryptographically attested credentials to authenticate users. Crucially, this lays the foundation for fully passwordless authentication in the browser using a variety of strong credentials, ranging from U2F security keys such as Google’s own Titan key or the one built into Google’s Pixelbooks to local biometric authentication such as Apple’s Touch ID.

Ultimately, the goal is having as many users as possible on phishing-resistant authentication protocols, whether they utilize a security key, an on-device biometric authenticator, or a cryptographic handshake with the users’ mobile device.

This case study originally appeared in Javelin Strategy & Research’s “The State of Strong Authentication 2019” report.
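The two properties this case study and the CISA post above rely on (a security key only answers for the correct website, and a captured response cannot be replayed) come from checks the relying party makes on every assertion. The Python below is an added illustration of those checks, not FIDO Alliance or Google code; the RP ID `example.org`, the origin `https://login.example.org`, the credential ids and the authenticator responses are all constructed, and the ECDSA signature check over the bytes the verifier returns is left to a crypto library.

```python
import base64
import hashlib
import json
import os
import struct
from dataclasses import dataclass, field

FLAG_UP = 0x01  # "user present" bit of the authenticatorData flags byte
FLAG_UV = 0x04  # "user verified" bit (PIN or biometric on the authenticator)

class VerificationError(Exception):
    """Raised when an assertion fails one of the relying-party checks."""

@dataclass
class RelyingParty:
    rp_id: str      # RP ID, e.g. "example.org" (constructed for this example)
    origin: str     # exact origin the login page is served from (constructed)
    pending: set = field(default_factory=set)        # issued, unconsumed challenges
    sign_counts: dict = field(default_factory=dict)  # credential id -> last counter

    def register(self, credential_id: str, sign_count: int = 0) -> None:
        self.sign_counts[credential_id] = sign_count

    def new_challenge(self) -> str:
        challenge = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, credential_id: str, client_data_json: bytes,
                         authenticator_data: bytes) -> bytes:
        """Apply the origin, challenge, rpIdHash, flag and counter checks.
        Returns authenticatorData || SHA-256(clientDataJSON): the bytes the
        authenticator signed, which the caller must still verify with the
        public key stored at registration (needs an ECDSA library)."""
        client_data = json.loads(client_data_json)
        if client_data.get("type") != "webauthn.get":
            raise VerificationError("not an authentication ceremony")
        # 1. The browser, not the page script, fills in the origin, so a
        #    lookalike site on another origin cannot forge this field.
        if client_data.get("origin") != self.origin:
            raise VerificationError(f"origin mismatch: {client_data.get('origin')!r}")
        # 2. Consume the challenge before anything else: a captured response is
        #    worthless a second time even if a later check were to pass.
        challenge = client_data.get("challenge")
        if challenge not in self.pending:
            raise VerificationError("unknown or already used challenge")
        self.pending.discard(challenge)
        if len(authenticator_data) < 37:
            raise VerificationError("authenticatorData too short")
        rp_id_hash = authenticator_data[:32]
        flags = authenticator_data[32]
        (sign_count,) = struct.unpack(">I", authenticator_data[33:37])
        # 3. The authenticator hashes the RP ID the browser passed it, which
        #    must be a registrable suffix of the page's origin.
        if rp_id_hash != hashlib.sha256(self.rp_id.encode()).digest():
            raise VerificationError("rpIdHash does not match the RP ID")
        # 4. A person had to touch (or unlock) the authenticator.
        if not flags & FLAG_UP:
            raise VerificationError("user presence flag not set")
        # 5. A counter that does not advance hints at a cloned authenticator.
        last = self.sign_counts.get(credential_id)
        if last is None:
            raise VerificationError("unknown credential")
        if sign_count != 0 and sign_count <= last:
            raise VerificationError("signature counter did not increase")
        self.sign_counts[credential_id] = sign_count
        return authenticator_data + hashlib.sha256(client_data_json).digest()

# --- constructed stand-ins for what a browser and authenticator would produce ---
def make_client_data(challenge: str, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()

def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))

def demo() -> dict:
    """A legitimate login, a replay of it, and a phishing attempt against one RP."""
    rp = RelyingParty(rp_id="example.org", origin="https://login.example.org")
    rp.register("cred-1")
    out = {}
    ch = rp.new_challenge()
    cdj = make_client_data(ch, rp.origin)
    ad = make_authenticator_data(rp.rp_id, FLAG_UP | FLAG_UV, 1)
    out["legit"] = len(rp.verify_assertion("cred-1", cdj, ad)) == 37 + 32
    try:  # the same captured response presented again
        rp.verify_assertion("cred-1", cdj, ad)
        out["replay"] = "accepted"
    except VerificationError as e:
        out["replay"] = str(e)
    try:  # user lured to a lookalike origin; the browser records that origin
        ch = rp.new_challenge()
        phish_cdj = make_client_data(ch, "https://login.example-org.net")
        rp.verify_assertion("cred-1", phish_cdj, make_authenticator_data(rp.rp_id, FLAG_UP, 2))
        out["phish"] = "accepted"
    except VerificationError as e:
        out["phish"] = str(e)
    return out
```

In the phishing case the rpIdHash check would also fail, because a browser on the lookalike origin would hand the authenticator a different RP ID; the origin check simply fires first.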

Strong Customer Authentication and Biometrics https://fidoalliance.org/strong-customer-authentication-and-biometrics/ Mon, 21 Jan 2019 17:38:25 +0000 http://fidoalliance.org/?p=24931
FIDO Alliance Specifications Now Adopted As ITU International Standards https://fidoalliance.org/fido-alliance-specifications-now-adopted-as-itu-international-standards/ Tue, 18 Dec 2018 11:00:14 +0000 https://fidoalliance.org/?p=23592 MOUNTAIN VIEW, Calif., DECEMBER 18, 2018 — The FIDO Alliance, the industry consortium developing open, interoperable authentication standards, announced today that two of its specifications are now recognized as international […]

MOUNTAIN VIEW, Calif., DECEMBER 18, 2018 — The FIDO Alliance, the industry consortium developing open, interoperable authentication standards, announced today that two of its specifications are now recognized as international standards by the International Telecommunication Union’s Telecommunication Standardization Sector (ITU-T). This milestone establishes FIDO UAF 1.1 and CTAP as official ITU standards (ITU-T Recommendations) for the global infrastructure of information and communication technologies (ICT).

ITU-T is the standardization arm of ITU, the United Nations specialized agency for ICT. The FIDO Alliance went through a thorough process before its specifications were approved as official ITU-T Recommendations by ITU members including national administrations and the world’s front-running ICT companies. The new ITU-T Recommendations are under the responsibility of ITU’s standardization expert group for security, ITU-T Study Group 17.

“The FIDO Alliance is working to improve online authentication through open standards based on public key cryptography that make authentication stronger and easier to use than passwords or OTPs. One of the ways that we fulfill this mission is by submitting our mature technical specifications to internationally recognized standards groups like ITU-T for formal standardization,” said Brett McDowell, executive director of the FIDO Alliance. “This recognition from ITU-T, arguably the highest bar in ICT standardization, illustrates the maturity of FIDO authentication technology and complements our web standardization work with the World Wide Web Consortium (W3C).”

“ITU-T Study Group 17 will continue to strengthen its collaboration with the FIDO Alliance. These two FIDO Alliance specifications, adopted as ITU standards recently, are being widely used in various industries such as the financial sector to provide strong online authentication based on public key cryptography and various user verification methods,” said Heung Youl Youm, Chairman of ITU-T Study Group 17. “These new ITU standards will provide a concrete basis for the two FIDO specifications to be adopted across the 193 ITU Member States.”

“Our working group within ITU-T Study Group 17 was pleased to be able to collaborate with the FIDO Alliance to promote the standardization of state-of-the-art security technologies,” said Abbie Barbir, Rapporteur for ITU’s working group on ‘Identity management architecture and mechanisms’ (Q10/17). “This work will help address and solve the security limitations of passwords.”

The specifications that are now ITU-T Recommendations are:

  • FIDO UAF 1.1 (Recommendation ITU-T X.1277). A mobile standard providing authentication without passwords by using biometrics and other modalities to authenticate users to their local device.
  • CTAP (Recommendation ITU-T X.1278). Part of FIDO2 specifications along with the W3C Web Authentication standard, CTAP includes FIDO U2F 1.2 and allows the use of external authenticators (FIDO Security Keys, mobile devices) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a passwordless, second-factor or multi-factor authentication experience.

For more information on the FIDO Alliance and FIDO Authentication, visit https://fidoalliance.org.

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

FIDO Authentication for GDPR https://fidoalliance.org/fido-authentication-for-gdpr-video/ Tue, 11 Dec 2018 16:50:08 +0000 https://fidoalliance.org/?p=23514 The General Data Protection Regulation (GDPR) come into effect earlier this year, ushering in the most significant change to European data protection laws in twenty years. The regulation impacts not […]

The General Data Protection Regulation (GDPR) came into effect earlier this year, ushering in the most significant change to European data protection laws in twenty years. The regulation affects not only firms resident in the European Union (EU) but organizations around the world, as any organization doing business with EU citizens must comply with it.

FIDO Alliance standards were created from the outset with a “privacy by design” approach and are a strong fit for GDPR compliance. Crucially, FIDO delivers authentication with no third-party involvement or tracking between accounts and services. And when it comes to biometrics, FIDO standards prevent this information from being stored and matched in servers – it never leaves the user’s device – and FIDO® Certified devices do not allow for any biometric data to be captured.

This video covers:

  • Key GDPR considerations when deploying strong authentication
  • Where FIDO Authentication relates to GDPR articles on data protection, consent of the data subject and data subject rights
  • How FIDO can help your organization meet GDPR requirements

FIDO Authentication and GDPR https://fidoalliance.org/fido-authentication-and-gdpr-presentation/ Tue, 11 Dec 2018 16:46:06 +0000 https://fidoalliance.org/?p=23513 The General Data Protection Regulation (GDPR) come into effect earlier this year, ushering in the most significant change to European data protection laws in twenty years. The regulation impacts not […]

The General Data Protection Regulation (GDPR) came into effect earlier this year, ushering in the most significant change to European data protection laws in twenty years. The regulation affects not only firms resident in the European Union (EU) but organizations around the world, as any organization doing business with EU citizens must comply with it.

FIDO Alliance standards were created from the outset with a “privacy by design” approach and are a strong fit for GDPR compliance. Crucially, FIDO delivers authentication with no third-party involvement or tracking between accounts and services. And when it comes to biometrics, FIDO standards prevent this information from being stored and matched in servers – it never leaves the user’s device – and FIDO® Certified devices do not allow for any biometric data to be captured.

This presentation covers:

  • Key GDPR considerations when deploying strong authentication
  • Where FIDO Authentication relates to GDPR articles on data protection, consent of the data subject and data subject rights
  • How FIDO can help your organization meet GDPR requirements

Case Study: Aetna Advances User Authentication Based on the FIDO Standard https://fidoalliance.org/aetna-case-study/ Thu, 15 Nov 2018 21:39:40 +0000 http://fidoalliance.wpengine.com/?p=15649 Overview Customer Aetna is a leading health care organization serving about 37.9 million people. Challenge Better authentication for Aetna’s online services customers, partners, and employees. Health care organizations must safeguard protected health […]

The post Case Study: Aetna Advances User Authentication Based on the FIDO Standard appeared first on FIDO Alliance.

Overview

Customer

Aetna is a leading health care organization serving about 37.9 million people.

Challenge

Better authentication for Aetna’s online services customers, partners, and employees. Health care organizations must safeguard protected health information (PHI) to ensure compliance with health care regulations such as HIPAA and HITECH and avoid costly fines and lawsuits due to data exposure.

Solutions

Aetna has adopted the FIDO standard for user authentication, using biometrics to verify customers and its next-generation authentication process (behavior-based security which authenticates users throughout their online sessions on the Aetna Mobile app).

Results

  • Within two weeks of app usage, Aetna was able to set user baselines for behavior.
  • Aetna is using the behavioral data to help protect users, feeding it into the FIDO NGA risk engine, which continuously takes in new data, and then ultimately discarding it. The risk engine is protected with six layers of security controls.

The FIDO Solution

Aetna needed user authentication integrated within the overall experience, simplifying engagement while sending a strong message to customers, partners, and employees that their data is safe. Aetna is proud to be using the FIDO standard for user authentication, biometrics, and next-generation authentication.

FIDO Delivers

The specifications and certifications from the FIDO Alliance enable an interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites. This ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.

“The FIDO Alliance develops user authentication based on open standards so companies like Aetna can adopt the best modern technologies without being tied into their proprietary offerings,” said Brett McDowell, executive director, The FIDO Alliance. “Standards-based architectures can evolve with the market, are less costly to operate and reduce the risk of operating and maintaining end-of-life systems.”

The Details

Challenge

Health care organizations are seeking to evolve user authentication for a new era of risks and threats. Health care data is highly valued by cybercriminals, because it provides rich personal, financial and medical data that can be used for multiple types of fraud, including insurance claims, health savings accounts, flexible savings accounts and more.

Health care organizations must safeguard protected health information (PHI) to ensure compliance with health care regulations such as HIPAA and HITECH and to avoid costly fines and lawsuits due to data exposure.

Health care security leaders also want to avoid account takeovers, where cybercriminals use the personal demographic information to bypass password reset functions. After several major data breaches, including Anthem, Equifax, Yahoo and others, cybercriminals are able to assemble rich profiles they can use to impersonate users at scale. “The reality is that the industry is getting more and more account takeover attempts,” said Jim Routh of Aetna, who serves as the health care company’s chief security officer (CSO). “Binary authentication [using passwords] has reached obsolescence today.”

Creating Phishing-Resistant Security in the Health Care Industry

Solution: Routh wanted to find a better way to authenticate the customers, partners and employees who use Aetna’s online services. The company is rolling out next-generation authentication (NGA) across its mobile and web platforms, taking a two-phased approach to improving the security and usability of its online services.

First, Aetna has adopted the FIDO standard for user authentication, using biometrics, rather than passwords, to verify customers. Biometric capabilities are evolving rapidly and Aetna wanted to empower consumers with choice while using a standard interface across software and devices. In addition, standards-based architectures cost less to operate versus non-standards-based architectures.

FIDO Authentication Future-Proofs and Simplifies User Authentication

“Aetna adopted the FIDO standard for biometric information to create consistency and simplify the entire authentication process,” says Routh. “FIDO insulates us from the implications of the consumer choice or the security functionality that is built into the device. The standard separates the authentication process from an application developer, so regardless of the configuration of mobile carrier, device maker or online service, we can authenticate every time. More importantly, a member’s biometric information never leaves his or her device, ensuring the member’s identity remains protected and uncompromised.”

Developing user authentication based on open standards also “future-proofs” solutions, so that companies like Aetna can adopt the best modern technologies without being tied into a vendor’s proprietary offerings.

Standards-based architectures can evolve and scale with the market, are less costly to operate than proprietary architectures and also reduce the risk of operating and maintaining systems.

Aetna Uses Up to 60 Behaviors to Authenticate Users During Online Sessions

In the second phase of the program, Aetna rolled out its next-generation authentication process: behavior-based security which authenticates users throughout their online sessions on the Aetna Mobile app. Aetna continuously reviews 30 to 60 different behaviors, such as location, time of access, thumbprint and keystroke style, to ensure that the user remains constant. Thus, for example, if an individual handed a phone to a friend, the app would recognize the new user and ask for another form of authentication.

Setting a New Standard for Security with FIDO

The FIDO standard supports the continuous input of behavioral data into the NGA risk engine. It took Aetna one to two weeks of app usage to set user baselines for behavior. Aetna is using the behavioral data solely to help protect users, feeding it into a risk engine and then ultimately discarding it. The risk engine is protected with six layers of security controls.

Aetna understands that user authentication can be part of the overall experience, simplifying engagement while sending a strong message to customers, partners, and employees that Aetna takes protecting their data seriously. Numerous analysts have stated that exceptional information risk management capabilities and practices (which include multi-factor authentication) can help differentiate a company in an era of constant hacks and data breaches.

“We have an opportunity to improve security, while also significantly improving the way Aetna joins consumers by eliminating the need to remember passwords,” said Routh.

BC Card Case Study for Biometric Authentication for Mobile Payments https://fidoalliance.org/bc-card-case-study-for-biometric-authentication-for-mobile-payments/ Thu, 11 Oct 2018 18:32:28 +0000 http://fidoalliance.wpengine.com/?p=20656 The post BC Card Case Study for Biometric Authentication for Mobile Payments appeared first on FIDO Alliance.

FIDO UAF and PKI in Asia: A Case Study and Recommendations https://fidoalliance.org/fido-uaf-and-pki-in-asia-a-case-study-and-recommendations/ Thu, 11 Oct 2018 18:31:33 +0000 http://fidoalliance.wpengine.com/?p=20655 The post FIDO UAF and PKI in Asia: A Case Study and Recommendations appeared first on FIDO Alliance.

Case Study: BC Card Provides Advanced User Authentication Based on the FIDO Standard https://fidoalliance.org/bc-card-case-study/ Mon, 10 Sep 2018 17:36:37 +0000 http://fidoalliance.wpengine.com/?p=20647 The Overview As mobile payment usage increases, mobile service providers are looking for more secure authentication measures for their users. BC Card’s mobile payment app, paybooc, offers both online and […]

The post Case Study: BC Card Provides Advanced User Authentication Based on the FIDO Standard appeared first on FIDO Alliance.

The Overview

As mobile payment usage increases, mobile service providers are looking for more secure authentication measures for their users. BC Card’s mobile payment app, paybooc, offers both online and offline payment services through registration with a single ID and login using FIDO-based biometric authentication.

Customer

BC Card is the largest payment processing company in South Korea. BC Card’s mobile payment app, paybooc, offers both online and offline payment services through registration with a single ID and login using FIDO-based biometric authentication.

Challenge

BC Card wanted a more secure way to authenticate their paybooc users that had a positive impact on the user experience.

Solution

BC Card adopted FIDO Authentication using fingerprint, facial and voice biometrics for paybooc login.

Results

More than 1.2 million users have registered in paybooc using FIDO Authentication, making over 1 million transactions monthly.

The FIDO Solution

FIDO Authentication is proven to provide simpler, stronger authentication. BC Card’s use of the FIDO standards is helping to ensure their paybooc customers can simply log in with a single gesture with stronger security.

The Details

The Challenge: Security that Doesn’t Compromise Usability

Many online payment services rely on password-based logins, which are the most insecure of authentication methods. Passwords have been cited as the root cause of the vast majority of data breaches in recent years and are often frustrating for consumers because they can be complex and hard to remember.

With the rise in biometric authentication services, consumers are coming to realize the convenience of using this method for easy login. Recognizing the opportunity to leverage existing smartphone features such as cameras, BC Card set out to integrate biometrics into the paybooc application.

The Solution

BC Card wanted to find a better way to authenticate paybooc users for an easier and more secure payment experience. After considering a number of authentication methods, the company launched FIDO-based fingerprint, voice and facial biometric authentication methods for paybooc users.

paybooc was the first system among Korean financial institutions to provide FIDO® Certified voice and facial recognition.

The FIDO-based voice authentication system is built to identify distinct features of the user’s voice, and is able to distinguish between a recording and an authentic voice. The FIDO-based facial authentication system recognizes the user’s facial features through the mobile device camera. Both systems utilize on-device cryptographic credentials and biometric data to protect against remote spoofing and other attacks (i.e. the use of sounds, pictures and videos to mimic the user).

Verifying customers has become an important issue for the mobile payments industry, and biometric capabilities are rapidly evolving to create a safer and more reliable service for users. BC Card chose FIDO Authentication as a way for consumers to have secure logins with the ease of standards-based, interoperable authentication utilizing biometrics.

The Result: 1.2 Million Registered Users, 1 Million Monthly Transactions

As of May 2018, over 1.2 million users have registered in paybooc using biometric authentication, making over 1 million transactions monthly. This number is on a steady increase, as users recognize the ease of using biometrics as authentication as well as the extra security FIDO standards provide users. In the payments industry, mobile transactions are on the rise, and paybooc’s FIDO biometric authentication can adapt to any device.

Why FIDO?

BC Card’s decision to adopt the FIDO standard for authentication with biometrics was prompted by a need for stronger authentication for its mobile payments services, but also a seamless user experience. FIDO provides interoperability, ensuring that users can be authenticated on a wide array of device choices regardless of mobile carrier, device maker or online service. FIDO Authentication is a fast and convenient alternative to solutions like passwords, which are often difficult to remember, because it requires only a single gesture to log on.

BC Card also chose FIDO as a safeguard against fraud. Spoofing, phishing and other attacks are a direct concern for any payments service looking to best authenticate users. The FIDO protocols’ use of on-device cryptographic credentials and biometric data cuts out third-party and man-in-the-middle involvement and significantly reduces the chance of hacks or phishing.

This assurance, along with standards-based architectures that can evolve, scale and change with the market, makes FIDO Authentication a secure, cost-effective, and simple choice for BC Card’s paybooc. Many biometric authentication services, including Samsung Pay, are FIDO-based, and the quickly spreading FIDO2 standard is well-known throughout Korea.

FAQ on FIDO Relevance for the GDPR https://fidoalliance.org/faq-on-fido-relevance-for-the-gdpr/ Sat, 01 Sep 2018 16:19:16 +0000 http://fidoalliance.wpengine.com/?p=15940 This document provides answers to questions on authentication, user consent, use of biometrics…in the context of the European General Data Protection Regulation. It shows how FIDO authentication can help service […]

The post FAQ on FIDO Relevance for the GDPR appeared first on FIDO Alliance.

This document provides answers to questions on authentication, user consent, use of biometrics…in the context of the European General Data Protection Regulation. It shows how FIDO authentication can help service providers comply with the regulation.

New GAO Report Recommends IRS Adopt FIDO to Strengthen Taxpayer Authentication https://fidoalliance.org/new-gao-report-recommends-irs-adopt-fido-to-strengthen-taxpayer-authentication/ Thu, 26 Jul 2018 18:49:00 +0000 http://fidoalliance.wpengine.com/?p=13097 By Brett McDowell, Executive Director, FIDO Alliance Thousands of people have lost millions of dollars and their personal information to tax scams, and the U.S. Government Accountability Office (GAO) is […]

The post New GAO Report Recommends IRS Adopt FIDO to Strengthen Taxpayer Authentication appeared first on FIDO Alliance.

GAO Recommends FIDO

By Brett McDowell, Executive Director, FIDO Alliance

Thousands of people have lost millions of dollars and their personal information to tax scams, and the U.S. Government Accountability Office (GAO) is now pointing to FIDO Authentication as a way to help.

One of the most common ways that criminals collect information for tax scams is through phishing and social engineering attacks – emails and phone calls aiming to trick citizens into handing over their personal information like passwords and social security numbers. These attacks show no signs of stopping; the IRS reports “a steady onslaught of new and evolving phishing schemes as scam artists work to victimize taxpayers during filing season.”

Given the persistence of taxpayer fraud, the GAO published a public report, “Identity Theft: IRS Needs to Strengthen Taxpayer Authentication Efforts,” to determine what the IRS can do to strengthen its authentication methods while improving services to taxpayers in the future.

FIDO Authentication is one of the authentication options that the GAO recommends the IRS consider. The report states that possession-based authentication, such as solutions using FIDO standards, offers users “a convenient, added layer of security when used as a second factor for accessing websites or systems that would otherwise rely on a username and password for single-factor authentication.” In other words, allowing citizens to use a FIDO-enabled device to log in to IRS services would give them additional protection without impacting convenience.

In addition, FIDO Authentication meets the National Institute of Standards and Technology’s (NIST) new guidance for secure digital authentication at the highest level of assurance, which the GAO recommends the IRS implement as a priority.

This is not the first time that a government agency has been urged to adopt FIDO Authentication. Last year, Sen. Ron Wyden (D-Ore.) wrote a letter to the Social Security Administration (SSA) asking the agency to support FIDO Security Keys because they are “resistant to all phishing.”

FIDO Authentication is proven to work against phishing and social engineering attacks. None of Google’s 85,000+ employees have been phished since early 2017 when the company began requiring all employees to use FIDO-based Security Keys. If the IRS follows the GAO recommendations and enables users to log in with FIDO Authentication, we can expect a drastic reduction in phishing-related tax scams – saving money, time and hassle for citizens and government.

Three Lessons From the Timehop Data Breach https://fidoalliance.org/three-lessons-from-the-timehop-data-breach/ Mon, 16 Jul 2018 20:51:46 +0000 http://fidoalliance.wpengine.com/?p=12720 Brett McDowell, Executive Director, FIDO Alliance The Timehop data breach that affected 21 million users offers a teachable moment for the rest of the online services industry, especially in light […]

The post Three Lessons From the Timehop Data Breach appeared first on FIDO Alliance.

Three Lessons From the Timehop Data Breach

Brett McDowell, Executive Director, FIDO Alliance

The Timehop data breach that affected 21 million users offers a teachable moment for the rest of the online services industry, especially in light of new GDPR and PSD2 requirements taking hold in Europe.

As Timehop explained, “the breach occurred because an access credential to our cloud computing environment was compromised” and in an apparent effort to reassure their customers this won’t happen again, they quickly added “we have now taken steps that include multi-factor authentication to secure our authorization and access controls on all accounts.”

So far, this is all fairly standard for an all-too-common data breach notification. What caught my eye, however, was their emphasis in bold type that their users’ social media posts and photos were not breached while clarifying the data lost included “names, email addresses, and some phone numbers.” There are a few key takeaways from this incident I hope get noticed by online services security teams and the executives responsible for their budgets.  

First, why wait to be breached before you invest in multi-factor authentication (MFA)? Industry data begs service providers to protect their users. Not only did the industry see a 45% year-over-year increase in data breaches last year, we know over 80% of those incidents were the result of password compromise. Inexpensive remote attacks, such as password phishing, are increasingly the initial step to a breach. Your risk is increasing every day. An investment in MFA is all but inevitable. The only way to lower the cost to your enterprise is to make that investment before you get breached.

Second, if you have personal information on file from European customers, you are already held to a higher standard for data protection through the now fully-enforced General Data Protection Regulation (GDPR). That means what once may have been considered less important than social media posts, personal photos, or even financial data is now critically important if you cannot demonstrate to regulators that you had taken risk-appropriate measures ahead of any data breach incident. If you process payments and do business in Europe, you are also about to be required by PSD2 to provide Strong Customer Authentication for those transactions, which explicitly requires at least two of the three factors of authentication: something you know (like a password), something you are (like a biometric), and/or something you have (like a cryptographic signature from a trusted device).

While you consider your options, be mindful that GDPR also has special requirements about collecting and handling biometric data. You will save a lot of added costs and liability by using built-in, on-device biometric matching if that’s your chosen user experience.

Last, but not least, don’t waste your budget investing in yesterday’s MFA when the industry has just delivered a future-proof open standard for precisely this purpose. Too many professionals still assume MFA means a password and an SMS-delivered one-time passcode. Both of those solutions are “shared secrets,” which are inherently vulnerable to inexpensive phishing-style attacks, and we know these attacks are on the rise and highly effective.

This fact was further clarified last year by the analyst firm Javelin when it published a study on the state of strong authentication that recognized “high-assurance strong authentication” as a new category of MFA. Javelin cited updated guidance from the U.S. National Institute of Standards and Technology that now requires one of the factors to be a cryptographic proof-of-possession in order to achieve top marks for authentication assurance.

At FIDO Alliance, together with the W3C, we have developed an open industry standard for high-assurance strong authentication that is already being built into Windows 10, Android, the world’s most popular web browsers, as well as iOS SDKs and a variety of hardware security keys. With these native capabilities coming standard on most new devices, FIDO has become the best choice for businesses looking to invest in MFA capabilities. It is the only choice that: delivers the highest level of protection from the commercial and regulatory costs of data breaches; is standards-based, vendor agnostic and future-proof; and is compatible with best-of-breed user experiences by replacing typing passcodes with an easy touch of a button or a glance at a sensor. This is why leading service providers like Google, Facebook, Microsoft, PayPal, eBay, T-Mobile, ING, Mastercard, Intuit and many more have invested in FIDO Authentication to protect their businesses from the increasing cost of data breaches.

FIDO and PSD2: Solving the Strong Customer Authentication Challenge in Europe https://fidoalliance.org/fido-and-psd2-solving-the-strong-customer-authentication-challenge-in-europe/ Mon, 14 May 2018 17:43:38 +0000 http://fidoalliance.wpengine.com/?p=20595 The post FIDO and PSD2: Solving the Strong Customer Authentication Challenge in Europe appeared first on FIDO Alliance.

FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe https://fidoalliance.org/fido-psd2-solving-the-strong-customer-authentication-challenge-in-europe/ Wed, 09 May 2018 18:55:36 +0000 http://fidoalliance.wpengine.com/?p=20678 The post FIDO & PSD2: Solving the Strong Customer Authentication Challenge in Europe appeared first on FIDO Alliance.

The Value of FIDO Alliance Membership https://fidoalliance.org/the-value-of-fido-alliance-membership/ Tue, 13 Feb 2018 18:49:16 +0000 http://fidoalliance.wpengine.com/?p=20598 The post The Value of FIDO Alliance Membership appeared first on FIDO Alliance.

Google Case Study – Towards simpler, stronger authentication https://fidoalliance.org/google-case-study-towards-simpler-stronger-authentication/ Thu, 25 Jan 2018 21:05:00 +0000 http://fidoalliance.wpengine.com/?p=20692 The post Google Case Study – Towards simpler, stronger authentication appeared first on FIDO Alliance.

Fujitsu FIDO Case Study https://fidoalliance.org/fujitsu-fido-case-study/ Fri, 19 Jan 2018 21:16:10 +0000 http://fidoalliance.wpengine.com/?p=20701 The post Fujitsu FIDO Case Study appeared first on FIDO Alliance.

Commercial Momentum for FIDO Authentication Accelerates in Japan https://fidoalliance.org/commercial-momentum-fido-authentication-accelerates-japan/ Thu, 11 Jan 2018 19:18:13 +0000 http://fidoalliance.wpengine.com/?p=9993 Andrew Shikiar, Sr. Director of Marketing, FIDO Alliance Last month, the FIDO Alliance was in Tokyo where we hosted a standing-room-only seminar to inform key industry stakeholders of the latest […]

The post Commercial Momentum for FIDO Authentication Accelerates in Japan appeared first on FIDO Alliance.

Andrew Shikiar, Sr. Director of Marketing, FIDO Alliance

Last month, the FIDO Alliance was in Tokyo where we hosted a standing-room-only seminar to inform key industry stakeholders of the latest updates around FIDO Authentication and activities in Japan. From the news shared, it’s very clear that 2017 was a year of great progress for FIDO Authentication in Japan, particularly in fintech. This is in line with what we’re seeing globally, where organizations are recognizing they need to reduce their reliance on passwords and other older forms of authentication, and move towards FIDO Authentication that is stronger and easier to use.  

The first example of this is the growing membership in the FIDO Japan Working Group (FJWG), which was formed in December of 2016 and is the center of the FIDO Alliance’s business activities in Japan. Membership in the FJWG more than doubled to 25 companies this year, consisting of many leading global organizations with a vested interest in the Japanese market. Most recently, Japan’s only international payment brand, JCB, joined and is actively taking part in working group activities. Additionally, mobile network operator KDDI has joined FIDO as a member – meaning that all three of Japan’s MNOs are now actively taking part in the organization.

The Alliance and the FJWG are clearly making an impact, as deployments of FIDO Authentication by major organizations have accelerated in Japan (and throughout Asia) over the past year. Most often these deployments utilize FIDO biometric authentication on mobile devices. Some examples of FIDO rollouts this year include:

  • Fujitsu launched “Finplex Online Authentication Service for FIDO,” which was adopted by Mizuho Bank’s “Mizuho Direct” application for customer login
  • NEC Corporation deployed FIDO authentication for mobile identity proofing based on face recognition, which is starting to be utilized by the Bank of Okinawa
  • Dai Nippon Printing Co., Ltd. (DNP) announced the launch of an identity proofing service based on FIDO authentication which is an active Proof of Concept with the Japan Net Bank, Ltd.

Notably, the Alliance also announced the first certified implementation of FIDO UAF 1.1. NTT DOCOMO now supports the protocol in its d ACCOUNT™ application. This implementation showcases an important enhancement to the FIDO UAF specification — support for native hardware-backed key attestation in Android 8.0. This means that all developers and service providers now have APIs for adding FIDO Authentication to native applications they build on any Android 8.0 (or later) device. This brings substantial time and cost savings over past implementations that required custom integration for each device model to enable FIDO UAF authentication capabilities. Get all of the details on this important news at https://fidoalliance.org/first-fido-uaf-1-1-implementations-ease-deployment-advanced-biometric-authentication-android-devices/

From these roll outs, tens of millions of online users in the Japanese market are now experiencing the more secure, faster and convenient experiences that FIDO Authentication provides — while deploying organizations enjoy the benefit of lower fraud risk.

FIDO Authentication in Europe the Momentum and Opportunities https://fidoalliance.org/fido-authentication-in-europe-the-momentum-and-opportunities/ Thu, 14 Dec 2017 21:32:29 +0000 http://fidoalliance.wpengine.com/?p=20732 The post FIDO Authentication in Europe the Momentum and Opportunities appeared first on FIDO Alliance.

Javelin Research 2017 State of Authentication Report https://fidoalliance.org/javelin-research-2017-state-of-authentication-report/ Thu, 16 Nov 2017 22:39:41 +0000 http://fidoalliance.wpengine.com/?p=20754 The post Javelin Research 2017 State of Authentication Report appeared first on FIDO Alliance.

Javelin Research 2017 State of Authentication Report Webinar https://fidoalliance.org/javelin-research-2017-state-of-authentication-report-webinar/ Thu, 16 Nov 2017 19:16:32 +0000 http://fidoalliance.wpengine.com/?p=20605 The post Javelin Research 2017 State of Authentication Report Webinar appeared first on FIDO Alliance.

Money20/20: FIDO Standards a Key Enabler of Secure and Convenient Commerce https://fidoalliance.org/money2020-fido-standards-key-enabler-secure-convenient-commerce/ Tue, 24 Oct 2017 16:10:58 +0000 http://fidoalliance.wpengine.com/?p=8767 It was an eventful Day One at the Money20/20 conference, with news to share on how FIDO Authentication has quickly become the go-to standard for secure and easy commerce. Here […]

The post Money20/20: FIDO Standards a Key Enabler of Secure and Convenient Commerce appeared first on FIDO Alliance.

It was an eventful Day One at the Money20/20 conference, with news to share on how FIDO Authentication has quickly become the go-to standard for secure and easy commerce. Here are the latest developments from yesterday:

Google Demonstrates Seamless Payments with W3C and FIDO Standards

There is no doubt that friction still exists in online and mobile payments, despite the industry’s best efforts to optimize the experience. Payment processes are inconsistent and filling in forms on small screens is a hassle, as is needing a separate, complex password across sites. Yesterday, Google’s Christiaan Brand took the stage with FIDO Alliance Executive Director Brett McDowell to demonstrate exciting upcoming Android capabilities utilizing World Wide Web Consortium (W3C) and FIDO standards to enable biometric-based payment and authentication on the web.

Brand’s demo illustrated how two soon-to-be-published standards, W3C’s Web Authentication and Web Payments (the former based on FIDO2 specifications), will be implemented on Android platforms. First, online shoppers can check out without having to fill in any forms: payment and shipping information is filled in automatically (Web Payments standard). Then, the shopper simply authenticates via fingerprint (Web Authentication standard) and the payment is authorized. The result is a significantly faster online payments experience with no passwords and no form filling. It is also a good example of how the two standards work well when implemented together, as Google plans for Android.

Want to see the demo in action? Check out this video!

Bank of America to use FIDO-Certified Intel Technology to Expand Biometric Authentication Offering

Bank of America announced that it will begin implementing Intel’s FIDO® Certified Online Connect technology in its online banking platform.

The solution combines Intel Online Connect and Intel Software Guard Extensions technology with Bank of America’s existing FIDO Certified authentication infrastructure to deliver an improved user experience with fingerprint biometrics that use public key cryptography instead of passwords. Because it follows the FIDO specifications, Intel’s technology stores biometric data only on the user’s device, never on a public server or in the cloud, which gives Bank of America customers an additional level of protection.

This news showcases Bank of America’s ongoing commitment to online banking security and convenience: it first adopted biometric-based FIDO authentication for mobile banking and is now expanding it to PCs using FIDO Certified Intel technology. Bank of America can be confident that its best-of-breed user experiences are backed by FIDO’s cryptographic security and that a customer’s biometric data never leaves their device.

Visit the FIDO Pavilion

If you’re attending Money20/20 2017, visit us on the show floor at Booth 1465. Our participating members – Aware, Inc.; FaceTec; Feitian; Nok Nok Labs; Raonsecure Co Ltd; StrongAuth; and TRUXTUN Capital – have some great demos and are ready to engage with you on how they’re changing the high-water mark for authentication in the payments ecosystem.

Javelin Study Finds Authentication at Crossroads as Password Reliance Persists, Availability for Stronger Options Increases https://fidoalliance.org/javelin-study-finds-authentication-crossroads-password-reliance-persists-availability-stronger-options-increases/ Tue, 24 Oct 2017 12:00:16 +0000

Research firm recommends organizations adopt high-assurance strong authentication in light of outdated online security practices and increasing breaches

MONEY20/20 LAS VEGAS, October 24, 2017 — Businesses are continuing to rely on passwords, and those that are implementing additional authentication factors are choosing outdated options like static questions and SMS one-time passwords (OTPs) that leave them vulnerable to data breaches, according to Javelin Strategy & Research’s new “2017 State of Authentication Report” released today. Javelin recommends businesses adopt readily available high-assurance strong authentication, which uses public key cryptography as one of multiple factors, to bolster security in light of increasingly effective attacks against traditional authentication methods.

The report, sponsored by the FIDO Alliance, analyzes the state of customer and enterprise (employee) authentication amongst U.S. businesses. It examines how strong authentication is evolving, and offers a detailed breakdown on the factors influencing industries’ adoption of authentication solutions. It is available for download at https://fidoalliance.org/2017-state-authentication-report/.

The report’s key findings show:

  • In most cases the only thing between company IP and hackers is a password: The mass compromise of passwords has contributed to increased risk of fraud on consumer accounts and network-level attacks from credential-stuffing botnet attacks, yet over half of all businesses still use only passwords to protect company IP and financial data.
  • Companies are more likely to offer strong authentication to their customers than their employees within the enterprise, but both segments are lagging in adopting high-assurance strong authentication: 50 percent of businesses offer at least two factors when authenticating their customers but only 35 percent of enterprises use two or more factors for authenticating their employees to data and systems. Amongst both, high-assurance strong authentication is rare — only five percent of businesses offer the capability to customers or leverage it within the enterprise.
  • Companies still rely upon knowledge and not possession: The weakest authentication factors remain the most popular and common, and they’re based on knowledge, not possession. Businesses are using passwords plus static questions (31 percent) or SMS OTPs (25 percent) as their additional factors for customer authentication online. In enterprise, the next most common authentication method to passwords is static questions (26 percent). Factors predicated on possession such as a security key or on-device biometrics remain the exception and not the norm.
  • Integration and user experience are the priority: Companies’ implementation of authentication solutions is mostly driven by a solution’s ease of integration, according to the report. Also, if a solution has a perceived negative impact on the user experience, companies will resort to the easier second factors like static security questions.

“Not all multi-factor authentication combinations are created equal, and it’s time to set a new yardstick with which to measure strong authentication methods, with the strongest deemed ‘high assurance’,” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “Many consumer devices are coming equipped with built-in capabilities that enable high-assurance strong authentication, reducing costs and complexity for all stakeholders. We believe that the adoption of high-assurance strong authentication will only increase in the months and years to come — and data breaches as the result of credential theft to decline.”

High-assurance strong authentication is not susceptible to phishing, man-in-the-middle and/or other attacks targeting credentials — which are known vulnerabilities with passwords, static questions and OTPs. Javelin recommends companies strongly consider high-assurance strong authentication:

  • To bolster authentication after a breach. Supplement, and possibly replace, knowledge-factor solutions. In the event of a breach, businesses would do well to layer additional, high-assurance authentication solutions simultaneously with their remediation plan.
  • As a differentiator when emphasizing the value proposition with prospective clients. Using high-assurance strong authentication is both an effective preventative measure and a message to prospects and clients that they are safe doing business with a vendor.
  • Where it counts within the enterprise. Anything internet-facing and internal systems that are attractive targets for insider threats should have high-assurance strong authentication.

“So many of our commercial transactions today take place over the internet, and we’ve seen time and again that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director, FIDO Alliance. “Stronger ‘high-assurance’ authentication options that bind credentials to the device so they cannot be stolen are now widely available and this report provides businesses a clear guide to make those options available to both customers and employees.”

Javelin’s Al Pascual and the FIDO Alliance’s Brett McDowell will discuss the “2017 State of Authentication Report” during a workshop, “Identity is Fundamental: What You Need to Know About Identity & The Future of Money” on Oct. 25 at Money20/20. For more details, visit: https://us.money2020.com/sessions/identity-is-fundamental-what-you-need-to-know-about-identity-the-future-of-money

Anyone interested in taking a deep dive into the 2017 State of Authentication Report should attend a free webinar on Thursday, Nov. 16 at 12:00pm ET. Register here for the Javelin Research 2017 State of Authentication Report Webinar.

Report methodology:

The “2017 State of Authentication Report” was developed by Javelin Strategy & Research and sponsored by the FIDO Alliance. The report findings are based on data and insights gathered from two online surveys: one of 200 businesses that operate authenticated customer online or mobile portals and one of 200 businesses that operate authenticated employee portals. Findings are also augmented by in-depth interviews conducted with industry executives in roles influencing enterprise authentication policies. The definition of High Assurance Strong Authentication is based on updated guidance from the National Institute of Standards and Technology (NIST SP 800-63-3).

About FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

FIDO and the Broader Identity Landscape https://fidoalliance.org/fido-and-the-broader-identity-landscape/ Thu, 05 Oct 2017 21:46:30 +0000

NIST 800-63 Guidance & FIDO Authentication https://fidoalliance.org/nist-800-63-guidance-fido-authentication-2/ Thu, 21 Sep 2017 21:57:19 +0000

NIST 800-63 Guidance & FIDO Authentication https://fidoalliance.org/nist-800-63-guidance-fido-authentication/ Thu, 21 Sep 2017 18:21:04 +0000

FIDO Standards Provide Easy, Secure Way for European Payments Industry to Meet PSD2 Strong Authentication Requirements https://fidoalliance.org/fido-standards-meet-psd2-sca-requirements/ Wed, 20 Sep 2017 07:00:08 +0000

The final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the revised Payment Services Directive (PSD2) mandates that financial institutions require multi-factor authentication for certain scenarios based on transaction amount and fraud level.

For an industry that had been bracing for “old school” multi-factor authentication requirements that would have introduced unwanted friction into the online payment process, there is good news: with FIDO standards, you have an easy-to-deploy way to meet PSD2 SCA requirements while also meeting organizational and user demand for transaction convenience. In a paper released today, we detail exactly why and how. Read the paper, “FIDO & PSD2: Meeting the Needs for Strong Consumer Authentication,” here.

The final language in the regulation reflects a modern understanding of multi-factor authentication, thanks in large part to the outreach by FIDO Alliance and several of its members. Here’s what is new and different in the final language and why payment service providers should be happy. While the final draft RTS requires two secure and distinct factors of authentication, it also recognizes that these factors can be housed in a single “multi-purpose” device – such as a mobile phone, tablet or PC – as long as “separate secure execution environments” are used (such as trusted execution environments (TEE), secure elements (SE) and trusted platform modules (TPM)).

Most consumer-grade devices, such as laptops and mobile phones, are shipping with these security capabilities already built in, as well as on-device biometric authenticators. Organizations can leverage these devices and capabilities to meet PSD2 SCA requirements simply by implementing support for FIDO authentication standards in their payment applications, such as card-on-file wallet services and merchant applications.

FIDO Authentication is available for any organization to implement freely, and once it is deployed, banks and PSPs may accept any of the FIDO-compliant authenticators on the market. FIDO Certified products are tested for interoperability, whether based on a mobile phone, a PC-based browser or an external hardware device such as a FIDO security key, regardless of operating system, which reduces costs and simplifies deployment.

The FIDO architecture offers a truly “best of both worlds” solution to the problems that drove the creation of multi-factor authentication requirements:

  • With asymmetric cryptography at the heart of the security model, FIDO addresses the security requirement designed to mitigate theft of payment service credentials by all known attacks that successfully harvest “shared secret” credentials like passwords, effectively mitigating the techniques that are behind 95 percent of all web app attacks that lead to data breaches.
  • With biometrics and security keys being used as convenient “something you are” and “something you have” authentication factors, respectively, FIDO is addressing increased market demand for greater usability than anything previously applied to online payments.
  • FIDO privacy requirements ensure biometric data, when used, is never shared, addressing requirements by data protection authorities and consumer concerns about sharing biometric information online.

The result is a single-gesture, multi-factor authentication event packaged for consumers in a very simple user experience.
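The security claims above, and the Javelin report’s point earlier on this page that device-bound credentials are not susceptible to phishing or credential replay, can be made concrete in code. The following Go program is an added example, not code from the FIDO Alliance or from the PSD2 paper; it models a cut-down FIDO2/WebAuthn-style login ceremony in which the private key is generated on the authenticator and never leaves it, the relying party stores only public keys, and every signed assertion covers the RP ID, a single-use random challenge and the origin the browser observed. The names bank.example and bank-login.example, the credential-ID derivation and the hashed message layout are constructed for illustration and simplify the real WebAuthn data formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Authenticator models the user's device: private keys are generated here and never leave it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // RP ID -> private key (one credential per RP, for brevity)
}
// RelyingParty models the service. It holds only public keys and outstanding challenges,
// so a breach of its database yields nothing an attacker could log in with.
type RelyingParty struct {
	ID         string                      // constructed RP ID, e.g. "bank.example"
	Origin     string                      // constructed origin the RP expects in clientData
	pubKeys    map[string]*ecdsa.PublicKey // credential ID -> public key
	challenges map[string]bool             // issued challenges, deleted once used
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

// Register creates a P-256 key pair scoped to the RP and gives the RP only the public half.
func Register(a *Authenticator, rp *RelyingParty) string {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rp.ID] = priv
	// Credential ID derived from the public point here; real authenticators use an opaque value.
	sum := sha256.Sum256(append(priv.PublicKey.X.Bytes(), priv.PublicKey.Y.Bytes()...))
	credID := fmt.Sprintf("%x", sum[:8])
	rp.pubKeys[credID] = &priv.PublicKey
	return credID
}

// NewChallenge issues a fresh 32-byte random challenge and records it as outstanding.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := fmt.Sprintf("%x", b)
	rp.challenges[c] = true
	return c
}

// signedMessage stands in for authenticatorData || SHA-256(clientDataJSON): the RP ID hash binds
// the assertion to the service, the clientData hash binds it to the challenge and the origin.
func signedMessage(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}

// Sign is the authenticator's side of a login. clientData carries the origin the browser (not
// the page) observed, so a look-alike site cannot claim the genuine one.
func (a *Authenticator) Sign(rpID, origin, challenge string) ([]byte, []byte, bool) {
	priv, found := a.keys[rpID]
	if !found {
		return nil, nil, false // no credential for this RP: nothing to sign
	}
	cdJSON, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, cdJSON))
	return cdJSON, sig, err == nil
}

// Verify is the RP's side: origin must match, the challenge must be fresh (single use, so a
// captured assertion cannot be replayed), and the signature must verify under the stored key.
func (rp *RelyingParty) Verify(credID string, cdJSON, sig []byte) bool {
	var cd map[string]string
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd["origin"] != rp.Origin {
		return false // malformed, or produced for a different site
	}
	if !rp.challenges[cd["challenge"]] {
		return false // unknown or already-consumed challenge
	}
	delete(rp.challenges, cd["challenge"])
	pub, found := rp.pubKeys[credID]
	return found && ecdsa.VerifyASN1(pub, signedMessage(rp.ID, cdJSON), sig)
}

// LoginFromOrigin runs one full ceremony with the browser reporting the given origin.
func LoginFromOrigin(a *Authenticator, rp *RelyingParty, credID, origin string) bool {
	cdJSON, sig, ok := a.Sign(rp.ID, origin, rp.NewChallenge())
	return ok && rp.Verify(credID, cdJSON, sig)
}

func main() {
	a, rp := NewAuthenticator(), NewRelyingParty("bank.example", "https://bank.example")
	cred := Register(a, rp)
	fmt.Println("genuine origin accepted:", LoginFromOrigin(a, rp, cred, "https://bank.example"))
	fmt.Println("look-alike origin accepted:", LoginFromOrigin(a, rp, cred, "https://bank-login.example"))
}
```

Running it with `go run` prints `true` for the genuine origin and `false` for the look-alike one. Three properties of the model carry the argument made in the bullets: nothing the relying party stores can be turned into a valid assertion, an assertion captured from a look-alike site names the wrong origin and is refused, and an assertion captured from the genuine site is refused on second use because its challenge has already been consumed. A real browser additionally refuses to invoke the authenticator at all when the RP ID does not match the page’s domain, which is a stronger check than the origin comparison modelled here.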

To learn more about how FIDO Authentication meets the PSD2 requirements for strong online authentication, visit our new landing page dedicated to the topic, read the new white paper, and/or request a briefing from the FIDO Alliance by filling out the form here.

Modern Authentication in Healthcare https://fidoalliance.org/modern-authentication-in-healthcare/ Fri, 15 Sep 2017 18:23:10 +0000

FIDO Alliance Addresses PSD2 Screen Scraping Debate in Letter to European Commission and European Parliament https://fidoalliance.org/fido-alliance-addresses-psd2-screen-scraping/ Thu, 07 Sep 2017 07:00:34 +0000

Brett McDowell, executive director, FIDO Alliance

Should screen scraping be allowed, even as a fallback option, under Payment Services Directive 2 (PSD2)? The FIDO Alliance has been closely observing the discussions on this topic between the European Commission (EC) and European Banking Authority (EBA) as it relates to the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA) under PSD2. I detailed the FIDO Alliance’s answer to that question in a letter to the European Commission and European Parliament last week, the key points of which are summarized below (you can read the full letter here).

“Screen scraping” is the practice where third-party Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) access bank accounts on the client’s behalf using the client’s username and password credentials. The practice was prohibited in the EBA’s final draft RTS. However, several FinTech firms are coming forward and reporting a general lack of readiness by banks to implement newer, safer methods of delegated access control. As a result, the EC is now urging the EBA to let companies use screen scraping as a “fallback option” to more secure methods, such as application programming interfaces (APIs).

Because it involves the sharing of and use of customer passwords, the FIDO Alliance sees three main problems with endorsing screen scraping:

  1. It doesn’t meet the security requirements called for in PSD2.
  2. It puts consumers at increased risk.
  3. Any approach where a third party can “log in as if they were a consumer” puts all parties at risk.

We do not see any way in which the screen scraping approach requested by the EC can be implemented to the level of enhanced security called for in PSD2. There are far more secure ways for consumers to delegate access to their bank accounts, involving APIs protected by strong customer authentication credentials. These API solutions, based around proven global standards such as OAuth 2.0 and OpenID Connect (OIDC), have the added benefit of providing not just better security but also better privacy. They let consumers grant access to their bank accounts and share some details but not others. When paired with FIDO standards for strong authentication, API-based solutions gain the benefits of device-based multi-factor authentication that is both safer and easier for consumers to use than typing codes into a form.

To the extent that the EC believes a “fallback option” such as screen scraping needs to be supported while banks come up to speed with PSD2, we suggest that this may be better addressed through a policy exemption to the RTS, rather than in the RTS itself. The RTS, by its nature, is an important technical standard that will guide the market for years to come. As such, the RTS should focus on setting a high mark for SCA and common and secure communication under PSD2 – not articulate methods for stakeholders to avoid their responsibilities under this historic advancement in consumer protection policy. Inclusion of the “fallback option” in the RTS itself would dilute its message, undermine the intent of PSD2 and its requirements for SCA, and place consumers at increased risk.

To read Brett’s full letter to the European Commission and European Parliament, click here.

Cloud Identity Summit Recap: FIDO Authentication is Critical to the Present and Future of Identity https://fidoalliance.org/cloud-identity-summit-recap/ Thu, 29 Jun 2017 18:27:10 +0000

Andrew Shikiar, Senior Director of Marketing, FIDO Alliance

The FIDO Alliance team is back from a productive week at Cloud Identity Summit (CIS), the event focused on the past, present and future of identity management and security. Given the sessions lineup and the chatter on the show floor, it was clear that FIDO is top of mind for all of the main players contributing to the future of identity. Here are our top three takeaways from the show:

  1. Identity leaders are recognizing that open FIDO standards are a key component for the future of identity. Many sessions at CIS focused on FIDO’s role in creating an intelligent identity ecosystem, including a keynote from Microsoft’s Alex Simons and Nitika Gupta that previewed FIDO-based passwordless login simply by touching a FIDO security key. This is just one example of the future of authentication with FIDO, which provides user-friendly, privacy-aware user experiences (spanning biometrics, security keys, wearables and more) across platforms to meet varying requirements.
  2. Executives in the identity space are eager to stay up to date on FIDO Authentication. This was apparent from the attendance at the FIDO workshop on the first day, which provided a number of updates and case studies from members and other key stakeholders in the FIDO ecosystem. It was also apparent from the heavy traffic and great conversations at the FIDO pavilion featuring FIDO members Feitian, Hypersecu, Gallagher and Nok Nok Labs, as well as at members’ own booths from companies including Yubico and Microsoft.
  3. Policy is evolving to keep up with the changing nature of authentication. In his session, FIDO Alliance Executive Director Brett McDowell talked about the changing nature of authentication and the ways that policy must evolve, and is evolving, to keep up. For example, “old” strong authentication required that authentication factors be sent over different channels and/or devices, while modern authentication takes advantage of new security properties in most consumer devices to create separation between “what you have” and “what you are” factors, allowing true strong authentication on a single device. McDowell pointed to several examples of policy recognizing this, including U.S. NIST/OMB guidance and the European Banking Authority’s PSD2.

At the show, we also learned that the conference will evolve and be rebranded as Identiverse for 2018. According to the event’s founder and Ping Identity CEO Andre Durand, “Our event’s name is changing, but the mission stays the same. Cloud Identity Summit served us well. But it’s time to embrace something bigger — a community, an Identiverse that lives year-round, and still summons the brightest minds in identity and security to gather once a year.”

The FIDO Alliance and FIDO Authentication are now clearly an integral part of this flourishing community, and we are happy to contribute our brightest minds to the collective Identiverse.

Modern Authentication for a Connected World https://fidoalliance.org/modern-authentication-for-a-connected-world/ Wed, 28 Jun 2017 22:01:51 +0000

Modern Authentication for Gaming https://fidoalliance.org/modern-authentication-for-gaming/ Wed, 28 Jun 2017 18:28:08 +0000

Strong Authentication and US Federal Digital Services https://fidoalliance.org/strong-authentication-and-us-federal-digital-services/ Fri, 12 May 2017 22:07:06 +0000

FIDO Authentication Opportunities in Healthcare https://fidoalliance.org/fido-authentication-opportunities-in-healthcare/ Fri, 12 May 2017 22:06:28 +0000

Authentication and ID Proofing in Education https://fidoalliance.org/authentication-and-id-proofing-in-education/ Fri, 12 May 2017 22:05:45 +0000

FIDO and Mobile Connect https://fidoalliance.org/fido-and-mobile-connect-2/ Thu, 11 May 2017 22:12:52 +0000

FIDO Authentication & Blockchain https://fidoalliance.org/fido-authentication-blockchain/ Wed, 10 May 2017 22:17:21 +0000

Why Strong Authentication is a Critical Requirement for Improving Critical Infrastructure Cybersecurity https://fidoalliance.org/why-strong-authentication-is-a-critical-requirement-for-improving-critical-infrastructure-cybersecurity/ Mon, 01 May 2017 14:01:24 +0000

Brett McDowell, executive director, FIDO Alliance

Many private and public sector organizations look to NIST’s Framework for Improving Critical Infrastructure Cybersecurity, first published in February 2014, as a guide to building a solid cybersecurity strategy. But one critical piece of any modern cybersecurity strategy is missing from the original Framework – recommendations for multi-factor authentication (MFA, aka strong authentication). This exclusion, according to NIST, was due to challenges associated with authentication in 2013-2014, including lack of standards to promote security and interoperability and inherent usability challenges with the solutions available.

Fast forward to today, and NIST has put forth draft updates to the Framework. The FIDO Alliance welcomed the opportunity to review and comment on the proposed updates. You can view the full comments we submitted on the FIDO Alliance website.

In its comments, the FIDO Alliance recommends that NIST clarify their language and explicitly require MFA in the next update to the Framework. We are urging NIST to add a new “authentication” sub-category to the Framework core with the recommendation that: “authentication of authorized users is protected by multiple factors.” Explicitly addressing MFA with this language is necessary to help government and industry address growing risks caused by weak authentication, and should be part of any proper update of the Framework.

While there are several positive identity-centric changes in the proposed update to the Framework that the FIDO Alliance strongly supports, MFA must be explicitly recommended. Two things have happened since the Framework was first published – one positive and one not-so-positive – that make strong authentication an essential requirement for any framework for improving cybersecurity today.

First, the good news. The challenges associated with implementing strong authentication back in 2014, which led to excluding MFA from the Framework, have been addressed by industry through public-private, multi-stakeholder collaboration with NIST and other standards bodies and policy makers worldwide. In particular, the FIDO Alliance has delivered a comprehensive framework of open industry standards for simpler, stronger authentication, fundamentally changing the landscape and closing the gaps originally observed by the authors of the Framework. These open industry standards, which have been broadly adopted by trusted brands and technology providers, improve online authentication by leveraging proven public key cryptography for stronger security and privacy-preserving on-device user verification for better usability.

The FIDO ecosystem now includes hundreds of millions of FIDO-compliant devices and billions of compliant accounts worldwide. That, however, is not the only advancement in strong authentication since 2014, but it is an important example of how a large-scale, industry-led, multi-stakeholder initiative has responded to market challenges and changed the landscape in a fundamental way that must be recognized when NIST updates the Framework.

Now, the bad news. The problems caused by single-factor password authentication have only gotten worse, even though the industry has made significant progress addressing the need for strong authentication standards that ensure user privacy and enable single-gesture usability innovation. Just last week, Verizon’s Data Breach Investigations Report found that 81 percent of hacking-related breaches last year were attributable to stolen or guessable/crackable passwords — up from 63 percent the year prior. This has resulted in an emerging consensus among cybersecurity thought leaders that “the password is by far the weakest link in cybersecurity today,” as noted recently by former DHS Secretary Michael Chertoff.

There is certainly no doubt that multi-factor authentication is a critical requirement for improving critical infrastructure cybersecurity, and that NIST should include it as a requirement in its next update to the Framework.

The Future of Authentication for IoT https://fidoalliance.org/the-future-of-authentication-for-iot/ Wed, 29 Mar 2017 18:37:51 +0000

Extending the PKI Security Model with FIDO Authentication Standards https://fidoalliance.org/extending-the-pki-security-model-with-fido-authentication-standards/ Tue, 14 Mar 2017 12:00:03 +0000 http://fidoalliance.wpengine.com/?p=6297 Last December, the U.S. Commission on Enhancing National Cybersecurity laid out “an ambitious but important goal” for the incoming presidential administration: “to see no major breaches by 2021 in which […]

Last December, the U.S. Commission on Enhancing National Cybersecurity laid out “an ambitious but important goal” for the incoming presidential administration: “to see no major breaches by 2021 in which identity—especially the use of passwords—is the primary vector of attack.”[1]

Pursuant to this effort, the Commission recommended that all agencies be required to use strong authentication across all government systems. Further, they pointed out that the tools used to fulfill this requirement should not be limited to the government’s PKI-based Personal Identity Verification (PIV) credentials. Instead, the Commission recommended that the requirements for authentication “should be made performance based (i.e., strong) so they include other (i.e., non-PIV) forms of authentication.”

The FIDO Alliance is pleased to release a new white paper in support of the Commission’s recommendations. Titled “Leveraging FIDO Standards to Extend the PKI Security Model in United States Government Agencies,” the paper discusses how FIDO solutions are used to enhance cybersecurity within the government environment and act as a complement to traditional PKI. The paper was developed by FIDO’s Public Policy and Privacy Working Group (P3WG).

As the paper details, a FIDO-inclusive approach offers additional authentication solutions that are easier to use and easier to integrate with legacy applications, while still retaining the core security associated with asymmetric public key cryptography:

  • For example, much as the Derived PIV Credential (DPC) program allows for a separate PKI certificate to be issued by proving possession of a PIV Card, the DPC workflow specified in NIST 800-157 can be used to issue a FIDO public/private key pair, linked to the same identity record associated with the PIV card. The primary difference is that the key pair is not part of a “full” public key infrastructure, but rather a “lightweight” key pair.
  • Moreover, for people in the government ecosystem who are not required to get a PIV, FIDO offers an alternative that is cheaper to issue and maintain and easy to use. This ensures that individuals have at least some sort of strong authentication based on public key cryptography.

The new paper makes clear that PIV remains the gold-standard for authentication in the U.S. government, and will remain a core component of the federal enterprise. But as agencies strive to achieve the Commission’s recommendations, an approach that augments PIV solutions with FIDO can improve cyber hygiene across the Federal enterprise and help the U.S. to more effectively secure digital assets.

Eliminating password-based breaches by 2021 is an ambitious goal, but it’s not one that is impossible. With more than 300 FIDO® Certified products, the United States and other governments around the world can look to the growing ecosystem of FIDO solutions to deliver simpler, stronger authentication.

>>Download the white paper


[1] See the Commission on Enhancing National Cybersecurity’s Report on Securing and Growing the Digital Economy, available at https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf

White Paper: Leveraging FIDO Standards to Extend the PKI Security Model in United States Government Agencies https://fidoalliance.org/white-paper-leveraging-fido-standards-to-extend-the-pki-security-model-in-united-states-government-agencies/ Thu, 02 Mar 2017 00:06:12 +0000 http://fidoalliance.wpengine.com/?p=20900 The post White Paper: Leveraging FIDO Standards to Extend the PKI Security Model in United States Government Agencies appeared first on FIDO Alliance.

FIDO Alliance Activity in Japan https://fidoalliance.org/fido-alliance-activity-in-japan/ Mon, 27 Feb 2017 23:20:38 +0000 http://fidoalliance.wpengine.com/?p=20782 The post FIDO Alliance Activity in Japan appeared first on FIDO Alliance.

Google Case Study: Strong Authentication for Employees and Consumers https://fidoalliance.org/google-case-study-strong-authentication-for-employees-and-consumers-2/ Fri, 24 Feb 2017 23:21:26 +0000 http://fidoalliance.wpengine.com/?p=20784 The post Google Case Study: Strong Authentication for Employees and Consumers appeared first on FIDO Alliance.

RSA Conference Wrap Up: FIDO Authentication Grabs the Attention of C-Suite Executives https://fidoalliance.org/rsa-conference-wrap-up-fido-authentication-grabs-the-attention-of-c-suite-executives/ Fri, 24 Feb 2017 19:04:32 +0000 http://fidoalliance.wpengine.com/?p=6262 Andrew Shikiar, Senior Director of Marketing, FIDO Alliance We are back from an educational and productive week at RSA Conference 2017 that saw over 40 FIDO members exhibiting an array […]

Andrew Shikiar, Senior Director of Marketing, FIDO Alliance

We are back from an educational and productive week at RSA Conference 2017 that saw over 40 FIDO members exhibiting an array of security solutions, including dozens of FIDO® Certified offerings. Despite the fact that RSAC is a large show with more than 40,000 attendees, we still heard many common themes in our travels around the sessions and the show floor. These are our top three takeaways from the event:

Authentication is a C-Suite Issue. There was a theme at the conference that CISOs need to “get back to basics” to defend against the growing list of cyberthreats. As Fahmida Rashid says in her kick-off for RSAC last week for InfoWorld, “Attacks succeed when enterprises fail to get the basics right.” Those “basics” include best practices for identity and access management, including FIDO Authentication to combat phishing and man-in-the-middle attacks. Judging from the attendance at the FIDO implementer session, the traffic on the show floor at the FIDO Alliance booth and the strong FIDO presence at our members’ booths, attendees agreed with this need and were clamoring for information on how to implement FIDO Authentication today.

Securing the Internet of Things (IoT) is a Top Concern. Amongst the steady stream of traffic at the FIDO Alliance booth were security executives with questions about how FIDO Authentication can secure the Internet of Things. Indeed, the growing number of connected devices and the corresponding growth of IoT-related breaches (e.g., Forrester has predicted that more than 500,000 IoT devices will be compromised in 2017) has highlighted the importance of strong, standards-based authentication over passwords to secure IoT. FIDO Authentication is ideally suited to provide simpler, stronger authentication for users to control their IoT-connected devices. In fact, we are already seeing organizations earn FIDO certification for IoT-specific devices and connected cars — most recently, Fujitsu announced its FIDO-based platform for IoT authentication.

Leading Security Practitioners Believe in FIDO Authentication. The panel of present and future FIDO implementers — Google’s Christiaan Brand, USAA’s Wil Bennett and Aetna’s Abbie Barbir, moderated by RSA’s Kayvan Alikhani — made the virtues of FIDO Authentication clear. Aetna’s Barbir said that “FIDO is a building block for simplicity, scale and security,” while USAA’s Bennett said that “FIDO gives USAA a way to implement standards-based authentication across heterogeneous architecture while navigating regulatory requirements.” With regard to user protection, Google’s Brand stated that “FIDO affords the highest level of protection against phishing and forms the basis for all authentication at Google.” FIDO Alliance Executive Director and fellow panelist Brett McDowell agreed, saying that “if the problem you are trying to address is phishing, then now is the time to deploy FIDO Authentication.” That’s just the tip of the iceberg of what the panelists shared; be sure to check out the recording to hear the full session.

Case Study: Google’s Strong Authentication for Employees and Consumers https://fidoalliance.org/google-case-study-strong-authentication-for-employees-and-consumers/ Tue, 21 Feb 2017 19:39:04 +0000 http://fidoalliance.wpengine.com/?p=20615 The post Case Study: Google’s Strong Authentication for Employees and Consumers appeared first on FIDO Alliance.

Strong Authentication Trends in Government https://fidoalliance.org/strong-authentication-trends-in-government-2/ Wed, 01 Feb 2017 23:22:23 +0000 http://fidoalliance.wpengine.com/?p=20785 The post Strong Authentication Trends in Government appeared first on FIDO Alliance.

Strong Authentication Trends in Government https://fidoalliance.org/strong-authentication-trends-in-government/ Tue, 31 Jan 2017 19:40:09 +0000 http://fidoalliance.wpengine.com/?p=20616 The post Strong Authentication Trends in Government appeared first on FIDO Alliance.

FIDO Certified Products Growth of 200% in 2016 Demonstrates Accelerating Global Support for FIDO Authentication https://fidoalliance.org/fido-certified-products-2016-growth/ Wed, 11 Jan 2017 18:00:49 +0000 http://fidoalliance.wpengine.com/?p=5746 Adam Powers, Technical Director, FIDO Alliance “Certification matters.” That is one of the biggest takeaways for FIDO authentication in 2016, as we achieved 200% market growth of FIDO® Certified products. […]

Adam Powers, Technical Director, FIDO Alliance

“Certification matters.” That is one of the biggest takeaways for FIDO authentication in 2016, as we achieved 200% market growth of FIDO® Certified products. Since its launch, the FIDO Certified program has been a central component of achieving the FIDO Alliance vision for universal and interoperable strong authentication. Certification lets organizations test and validate their FIDO implementations to prove that their products truly conform to the FIDO specifications and work together.

The 200% growth of FIDO Certified products in the past year demonstrates that, globally, technology providers, service providers and enterprises not only understand the importance of certification when implementing and/or deploying FIDO authentication, but require it. It’s also important to note that it’s not just technology vendors that achieve FIDO certification; service providers that have deployed FIDO authentication understand too that certification matters. Take a look at the FIDO Certified list and you’ll see familiar names (Bank of America, eBay and Google for a few examples) that attest to this. And, it’s not just FIDO Alliance members that are becoming certified; non-member organizations can, and do, participate in the program.

Adding to this growth are the organizations with new FIDO Certified products announced today, including: certSIGN; EyeVerify; Feitian Technologies Co., Ltd.; i-Sprint Innovations Pte Ltd; Intel; IRISYS Co., Ltd.; Jilin University Information Technologies CO., LTD.; NBREDS; openit Inc.; SK Telecom and ubivelox.

This round of certifications also marks an important first: the first certification for FIDO-enabled biometric authentication on the desktop, from Intel. This comes after the announcement last fall that Intel, Lenovo, PayPal and Synaptics, all FIDO Alliance board members, were collaborating to bring FIDO authentication to Lenovo laptops. This certification is likely just the start of FIDO authentication on desktops, and I’m looking forward to seeing more progress on this front from other organizations throughout 2017.

What else to know about the FIDO Certified program in 2017: getting started is as easy as signing up for the test tools. We are also looking forward to upcoming announcements about several new certification programs currently under development to accommodate new specifications and maturing requirements for organizations implementing and deploying FIDO-based solutions — 2017 should be a very busy year for FIDO certification!

Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authentication -FIDO Alliance -Tokyo Seminar -Brand https://fidoalliance.org/google-case-study-becoming-unphisable-towards-simpler-stronger-authentication-fido-alliance-tokyo-seminar-brand/ Wed, 04 Jan 2017 23:51:55 +0000 http://fidoalliance.wpengine.com/?p=20791 The post Google Case Study: Becoming Unphisable: Towards Simpler, Stronger Authentication -FIDO Alliance -Tokyo Seminar -Brand appeared first on FIDO Alliance.

KICA Case Study: Bio-Authentication and PKI Trends in Korea -FIDO Alliance -Tokyo Seminar -Kim https://fidoalliance.org/kica-case-study-bio-authentication-and-pki-trends-in-korea-fido-alliance-tokyo-seminar-kim/ Wed, 04 Jan 2017 23:50:48 +0000 http://fidoalliance.wpengine.com/?p=20790 The post KICA Case Study: Bio-Authentication and PKI Trends in Korea -FIDO Alliance -Tokyo Seminar -Kim appeared first on FIDO Alliance.

FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Alliance -Tokyo Seminar -Gomi https://fidoalliance.org/fido-authentication-its-evolution-and-opportunities-in-business-fido-alliance-tokyo-seminar-gomi/ Wed, 04 Jan 2017 23:24:00 +0000 http://fidoalliance.wpengine.com/?p=20787 The post FIDO Authentication: Its Evolution and Opportunities in Business -FIDO Alliance -Tokyo Seminar -Gomi appeared first on FIDO Alliance.

FIDO’s fit for Key Industries in Korea https://fidoalliance.org/fidos-fit-for-key-industries-in-korea/ Thu, 08 Dec 2016 18:35:05 +0000 http://fidoalliance.wpengine.com/?p=20830 The post FIDO’s fit for Key Industries in Korea appeared first on FIDO Alliance.

Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton https://fidoalliance.org/google-case-sudy-becoming-unphishable-towards-simpler-stronger-authenticaton/ Thu, 08 Dec 2016 18:33:28 +0000 http://fidoalliance.wpengine.com/?p=20828 The post Google Case Sudy: Becoming Unphishable: Towards Simpler, Stronger Authenticaton appeared first on FIDO Alliance.

Case Study: Google Security Keys Work https://fidoalliance.org/case-study-series-google-security-keys-work/ Wed, 07 Dec 2016 12:59:04 +0000 http://fidoalliance.wpengine.com/?p=5383 This addition to our case study series is a contributed post from Google, summarizing a recent paper and study by Google’s Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, Christiaan […]

This addition to our case study series is a contributed post from Google, summarizing a recent paper and study by Google’s Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, Christiaan Brand, and Sampath Srinivas.

At Google, we prefer to make data-driven decisions based on statistical and empirical verification. This is particularly true when the security and privacy of more than a billion users are at stake, so we applied this philosophy to verify the practical benefits of deploying FIDO-based Security Keys to our more than 50,000 employees.

Security Keys are devices that make 2-Step Verification for our users easier, and more secure. Our two-year deployment and its analysis provide clear confirmation of how well FIDO’s approach is suited to making strong authentication more usable. During this time, we also integrated support for Security Keys in Google’s Chrome browser and consumer-facing web applications.

The full results of our two-year research study are available in our paper Security Keys: Practical Cryptographic Second Factors for the Modern Web. Here’s a synopsis:

What We Set Out To Do

The goal for Security Keys is stronger security, high user satisfaction, and lower support costs. Our system design goals required Security Keys to be easy to use; easy for developers to integrate with a website via simple APIs; non-trackable, to ensure privacy; and able to protect users from password reuse, phishing, and man-in-the-middle attacks. The currently most common version of our Security Key is a tiny dongle that plugs into a computer’s USB port, although the Security Key’s underlying protocols are standardized and can also be used via NFC (contactless) and Bluetooth Low Energy.

Comparing Options

In our evaluation, we compared the standard baseline of password authentication, shown in Table 1, with Security Keys, smartphone-based one-time password (OTP) generators, and 2-Step Verification over Short Message Service (SMS). Benefits of each were noted for usability, deployability and security. Our evaluation of these technologies and criteria followed The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes by Joseph Bonneau et al.

While no option is perfect, we found that Security Keys provide the strongest security with the best mix of usability and deployability. See details of the comparison in Table 1 of our published study.

Performance Results

Some metrics of performance are pretty hard to quantify, such as ease of use. Our employees have been very happy with the switch to Security Keys and we have received many instances of unsolicited positive feedback. With Security Keys, Google employees (and external consumers using this supported option) now have stronger protection against phishing, including well-known campaigns that have elsewhere resulted in major breaches. However, since the impact of this benefit can only be measured in terms of what did not happen, it’s quite difficult to quantify the result.

We can, however, quantify other benefits: for time spent authenticating with security keys, total average time for the process dropped nearly two-thirds compared to an OTP with SMS (see “Fig. 6” below, from our study). Since an authentication executes in milliseconds, virtually all of this time savings directly benefits users, which may account for the overwhelmingly positive reaction.

With Security Keys, there were zero authentication failures. In our examination of the time period studied, the failure rate for OTP-based authentications was 3%.

Google’s support costs also dropped with Security Keys. Our support organization estimates that we save thousands of hours per year by using Security Keys instead of OTPs for authentication.

Google issued one Security Key per computer or about two Security Keys per employee. With the associated boost in user productivity and lower support cost, we felt this was worth the extra hardware cost. For consumers, multiple vendors provide Security Keys at different prices – some as low as $6 USD. Since consumers need only one device rather than one device per account or site, the resulting cost, in our opinion, approaches the “negligible cost per user” suggested by Bonneau et al.

Conclusion

Our study documents how Security Keys improve 2-SV on the web. They protect users against password reuse, phishing, and man-in-the-middle attacks by generating cryptographic assertions over the website’s URL and properties of the transport layer security (TLS) connection. Security Keys also score favorably in the usability framework established by Bonneau et al. Our analysis of performance benefits in the two-year deployment study measures a significant reduction of sign-in times experienced by users and a reduction in burden on a support organization. Our Security Key deployment is based on the open Security Key protocol as standardized in the FIDO Alliance as U2F. This standard is supported by major browsers and the login systems of large web service providers such as Google, GitHub and Dropbox. We hope our research serves as an academic foundation to study and improve Security Keys going forward.
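To make the origin binding described above concrete, here is an added Go example written for this page (not Google’s or the FIDO Alliance’s own code). It models a U2F Security Key and a relying party: the browser places the origin it actually observed into the client data, the key signs over the appID hash, a counter and the client-data hash, and the relying party rejects any assertion whose origin is not its own, so an assertion obtained at a look-alike site is useless against the real one. The origin, challenge and all names are constructed for the demo, and TLS channel binding is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Constructed relying-party origin for the demo; not a real deployment.
const rpOrigin = "https://accounts.example.test"

// clientData is what the browser assembles for the Security Key to sign over.
// The browser, not page script, fills in Origin, so a look-alike site cannot lie.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// securityKey models a U2F authenticator: one P-256 key per appID plus a counter.
type securityKey struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// register mints a key pair scoped to appID and returns the public half.
func (k *securityKey) register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedMessage lays out the U2F authentication message:
// SHA-256(appID) || user-presence byte || 4-byte counter || SHA-256(clientDataJSON).
func signedMessage(appID string, counter uint32, clientDataJSON []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientDataJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(appHash[:], 0x01) // 0x01: user presence (button touch) confirmed
	msg = append(msg, ctr[:]...)
	return append(msg, cdHash[:]...)
}

// sign produces an assertion for appID over the client data the browser supplied.
func (k *securityKey) sign(appID string, clientDataJSON []byte) (uint32, []byte, error) {
	priv, ok := k.keys[appID]
	if !ok {
		return 0, nil, errors.New("no key registered for this appID")
	}
	k.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(appID, k.counter, clientDataJSON))
	return k.counter, sig, err
}

// verifyAssertion is the relying-party check: the client data must carry our origin
// and challenge, the counter must advance, and the signature must verify.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, lastCounter uint32,
	clientDataJSON []byte, counter uint32, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != rpOrigin {
		return errors.New("origin mismatch: assertion was produced for " + cd.Origin)
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if counter <= lastCounter {
		return errors.New("counter did not advance: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(rpOrigin, counter, clientDataJSON), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// runLogin simulates one login with the browser at browserOrigin. The key signs
// regardless so the relying-party check alone decides; a real browser also refuses a foreign appID.
func runLogin(browserOrigin string) error {
	key := &securityKey{keys: map[string]*ecdsa.PrivateKey{}}
	pub, err := key.register(rpOrigin)
	if err != nil {
		return err
	}
	challenge := "constructed-challenge-0001" // a real RP issues fresh random bytes
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	counter, sig, err := key.sign(rpOrigin, cdJSON)
	if err != nil {
		return err
	}
	return verifyAssertion(pub, challenge, 0, cdJSON, counter, sig)
}
```

`runLogin(rpOrigin)` returns nil, while `runLogin("https://accounts-example.test")` returns the origin-mismatch error even though the signature itself is valid, which is the property that makes the phishing relay fail.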

US Commission on Enhancing National Cybersecurity Calls for an End to Password-based Breaches by 2021, Highlights the Importance of FIDO Standards https://fidoalliance.org/us-commission-on-enhancing-national-cybersecurity-calls-for-an-end-to-password-based-breaches-by-2021/ Mon, 05 Dec 2016 21:29:39 +0000 http://fidoalliance.wpengine.com/?p=5607 Brett McDowell, Executive Director, FIDO Alliance With a new President about to take office in the U.S., it is still unclear what specific actions his administration will take to improve […]

Brett McDowell, Executive Director, FIDO Alliance

With a new President about to take office in the U.S., it is still unclear what specific actions his administration will take to improve cybersecurity. According to a new report published late last week by a prestigious, non-partisan commission of experts, authentication needs to be at the top of his list.

The U.S. Commission on Enhancing National Cybersecurity – created by the White House in February 2016 to craft recommendations for the next President – issued its comprehensive Report on Securing and Growing the Digital Economy, which lays out 16 key recommendations for the incoming Trump administration. Among them: a recommendation that the government “should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.”

To that end, the Commission lays out an ambitious goal that will require the development and broad adoption of innovative identity authentication technologies:

“An ambitious but important goal for the next administration should be to see no major breaches by 2021 in which identity—especially the use of passwords—is the primary vector of attack.”

The Commission wisely noted that achieving this goal was not just about security, pointing out that success “…will require identity solutions that are secure, privacy-enhancing, efficient, usable, and interoperable. Ultimately, these solutions need to be easy to use by individuals who are accessing digital devices and networks; otherwise identity management will remain a vector for attack.”

The Commission not only knows what it needs to execute on this national priority, but also where to get it. It specifically noted the role the FIDO Alliance plays in achieving this goal, stating:

“Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance,” highlighting how FIDO enables “delivery [of] multifactor authentication to the masses, all based on industry standard public key cryptography.”

I am thrilled to see the Commission recognize the gravity of the password problem and the important role that the FIDO Alliance plays in addressing it. With more than 250 members from across the world – including technology companies, device manufacturers, major banks and health firms, all major payment card networks, several governments and dozens of security and biometrics vendors – the FIDO Alliance has emerged as the critical force for change in creating a foundation for simpler, stronger authentication.

As the Commission noted, “a review of the major breaches over the past six years reveals that compromised identity characteristics have consistently been the main point of entry.” They recognize, as we have since the FIDO Alliance was formed in 2012, that solving this issue and closing off identity as an easily exploited vector of attack is a clear priority.

The Commission called for several key action items around authentication, including:

  • Requiring that all citizen-facing digital government services require strong authentication – not only to protect citizens, but also because “the most important action that government can take to catalyze private-sector adoption of the right kind of solutions for consumers is to use these solutions in its own citizen-facing applications.”
  • Calling for “private-sector organizations, including top online retailers, large health insurers, social media companies, and major financial institutions, [to] use strong authentication solutions as the default for major online applications.”
  • Requiring all federal agencies to mandate the use of strong authentication by their employees and contractors, with a call for “updated policies and guidance that continue to focus on increased adoption of strong authentication solutions, including but, importantly, not limited to personal identity verification (PIV) credentials.” This last statement, if implemented as policy by the next administration, opens the door to a wider array of solutions to be used to protect government resources, with a focus on performance rather than form factor or legacy infrastructure.

Note that this is the second time in the last 30 days that FIDO has been called out by a government as being critical to solving national cybersecurity challenges – just a month ago, the U.K. government, in its new UK National Cyber Security Strategy, laid out its specific plans to invest in FIDO authentication to move their country beyond the password.

A common theme in both countries has been the need to balance security with usability, privacy and interoperability – both the U.S. and U.K. have made clear that solutions designed with nothing but security in mind may in fact fail due to lack of adoption.

It’s also worth noting that the Commission’s 90-page report contains several other important recommendations that have nothing to do with authentication. In addition to highly constructive recommendations on remote identity proofing and security for the Internet of Things (IoT), I was pleased to see the Commission highlight the value of partnerships between government and the private sector as “a powerful tool for encouraging the technology, policies and practices we need to secure and grow the digital economy.” The FIDO Alliance launched a government membership program last year to ensure leading governments from around the world were included in our multi-stakeholder collaborative development process. It is probably not a coincidence that our first two FIDO Alliance government members – the U.K. and U.S. – are also now the first two countries to publish significant cybersecurity strategies naming FIDO authentication standards as a key enabling technology.

There is a lot of work in the days ahead, as the new administration chooses people for key positions and lays out its cybersecurity agenda. As the Commission’s report makes clear, improving the reliability of online identity infrastructure is an essential component of improving cybersecurity, and starts with reducing the reliance on passwords with innovative technologies like FIDO authentication. Through continued partnership between industry and government – and by following the Commission’s recommendations around identity and authentication – I am confident the new U.S. administration, with the help of global consortia like the FIDO Alliance, can make meaningful progress toward that five-year goal of eliminating identity-related data breaches.

The Value of FIDO Alliance Membership https://fidoalliance.org/the-value-of-fido-alliance-membership-2/ Fri, 02 Dec 2016 19:41:03 +0000 http://fidoalliance.wpengine.com/?p=20617 The post The Value of FIDO Alliance Membership appeared first on FIDO Alliance.

New UK National Cyber Security Strategy Calls for FIDO Authentication https://fidoalliance.org/uk-national-cyber-security-strategy-calls-for-fido-authentication/ Mon, 07 Nov 2016 14:06:34 +0000 http://fidoalliance.wpengine.com/?p=5536 Brett McDowell, Executive Director, FIDO Alliance The U.K. government is taking cyber defense seriously, announcing last week that it will invest £1.9 billion ($2.3 billion) in cybersecurity over the next […]

Brett McDowell, Executive Director, FIDO Alliance

The U.K. government is taking cyber defense seriously, announcing last week that it will invest £1.9 billion ($2.3 billion) in cybersecurity over the next five years. In the 84-page UK National Cyber Security Strategy, the U.K. government lays out its plan, which is built on three core pillars: defend cyberspace, deter adversaries, and develop capabilities.

A critical component of the U.K.’s “defend” strategy is to better secure their internet-dependent systems and infrastructure by “ensuring that future online products and services coming into use are ‘secure by default’” and empowering consumers to “choose products and services that have built-in security as a default setting.” One of the ways the U.K. government plans to ensure this is by investing in FIDO authentication to move beyond passwords. Per the government’s strategy:

“[we will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.”

With this, the U.K. government is demonstrating leadership by acknowledging two critical aspects of improving authentication — both of which the FIDO authentication specifications were created to address.

One, that passwords are an unsustainable form of authentication, and we need to stop relying on them to secure internet-connected applications. The many recent data breaches and resulting password credential leaks make this extremely clear.

Two, that we need a positive user experience to go along with strong security. Users should no longer need to type in a one-time code and/or deal with extra screens; rather, modern authentication can leverage increasingly-available devices being shipped with built-in FIDO “single gesture, multi-factor” authentication technology, e.g., swipe a fingerprint, take a selfie, touch a security key. These new solutions are “secure by default” and provide a user experience that is highly secure and extremely easy to use.

This announcement expands the U.K. government’s investments in FIDO authentication — the U.K. government is a FIDO Alliance member and the GOV.UK Verify program focused on citizen services already supports FIDO authentication.

In addition to the U.K., there are signs that other governments are beginning to understand the importance of authentication reform in overall cybersecurity policy. The U.S., for example, has shown understanding of the need to move beyond passwords for years.

Former Secretary of Homeland Security Michael Chertoff said last month, “the password is by far the weakest link in cybersecurity today.” In terms of action, the White House Cybersecurity National Action Plan (CNAP) has a focus on securing accounts with strong authentication. And NIST – also a FIDO Alliance member – recently made updates to Special Publication (SP) 800-63-3 that recommend strong authentication for all assurance levels.

Although FIDO authentication already has significant support from large global organizations in the private sector, governments can and should play an important role in accelerating widespread adoption of FIDO authentication. They are in a unique position to provide guidance, update aging regulations, and lead by example in deploying emerging standards like the U.K. government is doing with FIDO specifications.

The U.K.’s updated strategy is part of a growing trend that started in the U.S. with the National Strategy for Trusted Identities in Cyberspace (NSTIC). Given the clear value, I believe that other governments around the world would benefit from following the U.K.’s lead by investing in initiatives that will accelerate the evolution of their internet-dependent economies from highly vulnerable password-based security to hardened FIDO-based security based on public key cryptography, often with on-device biometrics or convenient second factors that facilitate ease-of-use. I foresee a bright future that begins with the ubiquitous adoption of FIDO authentication by both developed and developing economies worldwide.

FIDO Authentication Takes Center Stage at Money20/20 https://fidoalliance.org/fido-authentication-takes-center-stage-at-money2020/ Fri, 28 Oct 2016 17:16:05 +0000

By Andrew Shikiar, Senior Director of Marketing at FIDO Alliance

FIDO Alliance is back from Money20/20 in Las Vegas, where we continued to spread the word about how we are enabling simpler, stronger authentication for payments over a busy (and productive!) four days.

On the agenda, discussions around mobile payments, the various “Pay” wallets, EMV migration, authentication and biometrics dominated. It was only fitting, then, that the show kicked off Monday morning with an announcement from the FIDO Alliance, covering all of these hot topics. 

FIDO News @ Money20/20

FIDO Alliance Executive Director Brett McDowell was joined on stage by EMVCo’s Director of Operations Brian Byrne to announce that the FIDO Alliance will work with EMVCo to develop a new technical specification for mobile wallet providers and payment application developers to support Consumer Device Cardholder Verification Method (CDCVM). This will enable consumers to conveniently use on-device FIDO® Certified authenticators – such as a fingerprint or “selfie” biometrics – to securely verify their presence when making in-store or in-app mobile payments. The specification will be developed as an extension to the Web Authentication specification already in development by the World Wide Web Consortium (W3C).

This specification will greatly simplify the development and support for CDCVM across mobile devices and other platforms. Watch this space as we announce updates on the development of the W3C Web Authentication specification and this extension specification in the coming months.

The FIDO Ecosystem Pavilion

For those less familiar with FIDO authentication, the announcement drew a lot of attendees to the FIDO Ecosystem Pavilion to learn more. At the pavilion, members AustriaCard, Aware, Inc., Egis Technology, Inc., Excelsecu, Feitian, Infineon, Nok Nok Labs, and TRUXTUN Capital showed off their innovative FIDO® Certified products for the financial services and payments sectors. Inside the pavilion, we also featured 40 of the hardware-, mobile- and biometrics-based devices from throughout the FIDO ecosystem providing simpler, stronger authentication.

Moving Forward

Overall, the feedback from attendees that toured the pavilion was agreement that the payments industry as a whole needs to move beyond passwords, and excitement over how strong authentication can be super simple. We want to give a big thanks to all of our members that took part in the pavilion and/or the FIDO Device Showcase — and also to the hundreds of visitors who took time to learn more about FIDO and our members throughout the show floor.  We hope to have an even larger presence next year in order to support the rapidly growing and evolving FIDO ecosystem!

FIDO Alliance Supports White House Initiative to Move Beyond Passwords https://fidoalliance.org/fido-alliance-supports-white-house-initiative-to-move-beyond-passwords/ Wed, 28 Sep 2016 19:07:23 +0000

By Brett McDowell, Executive Director, FIDO Alliance

The disclosure last week of the Yahoo data breach, executed in 2014, is the largest single breach of user account data ever reported. The frequency and severity of these data breaches – and the resulting password theft – is increasing year-over-year. The only way to stop this trend is to end our dependency on password security and adopt unphishable strong authentication.

At a time when this problem is more serious than ever, we’re excited to partner in the development and launch of the new “Lock Down Your Login” public awareness campaign led by the National Cyber Security Alliance (NCSA), with support and backing from the White House and many other institutions. The campaign is focused on raising awareness among all Americans about the importance of strong authentication, with a call “for all Americans to fortify their online accounts by enabling the strongest authentication tools available so everyone can enjoy a greater peace of mind knowing their online accounts are more secure.” This is the latest in a series of collaborations between the FIDO Alliance and NCSA in support of National Cyber Security Awareness Month.

The FIDO Alliance was launched in 2013 around a simple premise: that authentication should not only be more secure, but also easier to use. Three years later, the Alliance has more than 250 member organizations who have worked together to create open industry standards that can enable online service providers to replace passwords with something better: better security as well as a much better customer experience.

The idea of building authentication that consumers actually want to use is not a novel one, but is something that has eluded the security industry for years. First-generation strong authentication solutions, such as short-lived codes sent to your mobile phone or read from a dedicated security token, did improve security but degraded the user experience. This prompted consumers to reject these solutions rather than embrace them. Worse yet, the security of these solutions has degraded over time because they share too many of the same vulnerabilities that plague passwords, primarily phishing.

Thankfully, the industry has responded; next-generation solutions built upon the FIDO standards deliver authentication that is not only more secure – through use of public key cryptography – but also easy to use thanks to FIDO’s on-device approach that leverages sensors you need only touch, look at, or talk to. So as consumers are urged to lock down their logins, we’re excited that the more than 250 FIDO Certified solutions in the market today make it easier than ever to deliver unphishable strong authentication that consumers actually want to use. And consumers can use FIDO today – Bank of America, Dropbox, GitHub, Google, Microsoft, and PayPal have already begun to incorporate FIDO authentication into their services.

In support of this new campaign, we’ll be partnering with the NCSA and the Electronic Transactions Association (ETA) to host a Future of Authentication Policy Day in Washington, D.C. on October 27th. Featuring an array of speakers from both government and industry, the event will highlight advances in strong authentication being driven by next-generation efforts like the FIDO Alliance, exploring how the authentication market has evolved, and how policy must evolve with it.

We hope to see you at the event, and in the meantime: take a moment to Lock Down Your Login!

How FIDO Standardization Enables Innovation https://fidoalliance.org/how-fido-standardization-enables-innovation/ Thu, 15 Sep 2016 21:55:57 +0000

This is a guest post contributed by Shankar Saibabu, who is a Solutions Architecture Director and FIDO Standard Specialist at Samsung SDS America.

Industry standards have always provided a foundation upon which developers can build proprietary value. Rather than having to reinvent the wheel, standards enable developers to leverage common underlying technologies so they can spend more time concentrating on and creating differentiating value for their offerings. Standards also make it easy for individual products to interoperate with other products in the ecosystem. From the customer’s perspective, standards guard against vendor lock-in and maximize the opportunity to take advantage of industry innovations.

The FIDO (Fast Identity Online) Alliance has developed technical specifications that define an open, scalable, interoperable set of mechanisms that make strong biometric authentication easy to deploy and use.  The nature of FIDO’s remit requires broad participation and collaboration — channeling authentication requirements from banks, telcos and a variety of service providers into FIDO’s specifications.

Since the FIDO Alliance standards were finalized and published in December of 2014, more than 200 FIDO® Certified products have become available on the market. In addition, many leading banks, telcos, governments and other service providers in Europe, North America and Asia have created or deployed a variety of solutions that take advantage of FIDO authentication.

Two of the key areas where the industry has seen third-party innovations around FIDO have been in second factor/biometric authentication methods, the form factors of which the FIDO specifications do not define, and in the user experience (UX).

Innovative Biometric or Second Factor Authentication Types
Many companies in the FIDO ecosystem have leveraged the FIDO Universal Authentication Framework (UAF) specifications to introduce new biometric authentication solutions. These solutions incorporate palm and thumbprint recognition, voice and face, retinal scan, and even unique pulse.  These are typically available as SDKs from companies such as Daon, Nok Nok Labs, Qualcomm and Samsung SDS or as sensor packages from companies such as CrucialTec, Egis, IDEX, Sensory, or Synaptics.  Ultimately these FIDO biometric authentication capabilities are realized in dozens of consumer handset models from manufacturers such as Samsung (across their range of Galaxy devices), LG, Sony, Huawei, Fujitsu, and Lenovo.

Additionally, we’ve seen a variety of implementations on top of the FIDO Universal 2nd Factor (U2F) open authentication standard, which allows internet users to securely access any number of online services with a single device instantly and without special drivers or client software.  These implementations include new form factors that are leveraging new Bluetooth Low Energy (BLE) and NFC capabilities – enabling second factor authentication without leveraging a USB port, which is handy for tablets and other mobile hardware.

Freedom of User Experience
Similarly, because FIDO doesn’t define the user experience, service providers are stepping in to implement the most suitable UXs for their customers. For example, in Korea and Japan, banks and network operators are deploying FIDO-enabled services that allow users to authenticate through a variety of mechanisms depending on their device and preference.

Looking Forward
Today, we’re seeing a surge of innovation in biometrics and second factor authentication types.  By providing standards, FIDO fosters that innovation and lays the groundwork for widespread adoption of these new technologies.  Similar to how Bluetooth enabled a thriving ecosystem of devices, apps and value-added services that couldn’t have been envisioned when the standard was established, it makes sense to anticipate a fascinating future with a wide array of FIDO Certified products that will only be possible due to industry-wide collaboration and standardization.

FIDO: Kryptonite for Banking Malware https://fidoalliance.org/fido-kryptonite-for-banking-malware/ Thu, 08 Sep 2016 16:18:03 +0000

This is a guest post contributed by Todd Thiemann, VP of Marketing at Nok Nok Labs.

A recent feature story in The Wall Street Journal brought mobile banking malware back to light as a renewed consumer scourge.  Under names including Acecard, GM Bot and Spy.Agent, a variety of malware variants harvest consumer banking information and pass it to the bad guys.  The approaches run the gamut from simple (grabbing the login credentials with a simulated bank login page) to sophisticated (simulating the bank login page and also grabbing the SMS One Time Passcodes (OTPs)).

A common theme in the attack vector is the use of a shared secret. In the context of a mobile banking application, the secret is shared between the consumer and the financial institution and can come in forms including a password or an OTP that’s shared via SMS.   

So what does the FIDO protocol do to counter such threats? You can review the FIDO Security Reference (the threat model for FIDO) to understand the variety of threats that FIDO mitigates against. Long story short: the FIDO approach to strong authentication avoids shared secrets and is not prone to the existing malware attack vectors compromising those secrets.  Why is it better?

  • FIDO uses a challenge/response approach where the private key used to sign the challenge resides on the device and is unlocked with multi-factor authentication that includes something the user has (e.g., a mobile device) and something they are (e.g., a biometric) or something they know (e.g., a PIN).  
  • The challenge gets sent to the device and the user unlocks the private key to sign the challenge. The signed challenge is verified on the server using the corresponding public key.  
  • The public/private keypair approach mitigates against scalable malware attacks since there is no shared secret that resides on the device and on the server.  
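
The challenge/response flow in the bullets above, as an added illustrative model in Go (not the FIDO Alliance's code and not the actual UAF or U2F message format): the device holds a per-origin private key, the server stores only the public key plus single-use challenges, and the signed data binds the challenge to the origin the client was talking to. The origins https://bank.example and https://bank-login.example are constructed for the example, and the user gesture that unlocks the key is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is the bank's server: it stores only the user's public key and the challenges it has issued.
type RelyingParty struct {
	Origin     string
	pubKey     *ecdsa.PublicKey
	challenges map[string]bool // challenge bytes -> still outstanding
}

// Authenticator is the user's device: one private key per relying-party origin, never exported.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // origin -> private key
}

// Assertion is the device's reply: the challenge, the origin the client connected to, and a signature over both.
type Assertion struct {
	Challenge, Signature []byte
	Origin               string
}

// signedData binds the challenge to the origin so a signature cannot be moved to another site.
func signedData(challenge []byte, origin string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return sum[:]
}

// Register creates a key pair for this origin and hands back only the public half.
func (a *Authenticator) Register(origin string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no usable entropy: an authenticator cannot continue
	}
	a.keys[origin] = priv
	return &priv.PublicKey
}

// Sign answers a challenge for the origin the client is connected to; a look-alike site has no credential here.
func (a *Authenticator) Sign(origin string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return Assertion{}, errors.New("no credential registered for this origin")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(challenge, origin))
	return Assertion{Challenge: challenge, Signature: sig, Origin: origin}, err
}

// NewChallenge issues 32 fresh random bytes and records them as outstanding.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[string(c)] = true
	return c
}

// Verify consumes the challenge first (so a captured assertion cannot be replayed), then checks origin and signature.
func (rp *RelyingParty) Verify(as Assertion) error {
	if !rp.challenges[string(as.Challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.challenges, string(as.Challenge))
	if as.Origin != rp.Origin {
		return errors.New("assertion was signed for a different origin")
	}
	if !ecdsa.VerifyASN1(rp.pubKey, signedData(as.Challenge, as.Origin), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// RunScenarios plays a genuine login, a replay of the captured assertion, and a look-alike page relaying a real challenge.
func RunScenarios() (loginOK, replayAccepted, phishSigned bool) {
	bank := &RelyingParty{Origin: "https://bank.example", challenges: map[string]bool{}} // constructed origin
	device := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank.pubKey = device.Register(bank.Origin) // registration: the server keeps the public key only
	as, err := device.Sign(bank.Origin, bank.NewChallenge())
	if err != nil {
		panic(err)
	}
	loginOK = bank.Verify(as) == nil        // 1. genuine login
	replayAccepted = bank.Verify(as) == nil // 2. malware replays the captured assertion
	_, err = device.Sign("https://bank-login.example", bank.NewChallenge()) // 3. constructed phishing origin
	return loginOK, replayAccepted, err == nil
}

func main() {
	fmt.Println(RunScenarios()) // prints: true false false
}
```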

In the context of biometrics, the FIDO UAF protocol uses client-side matching rather than server-side matching, so there is no biometric repository that can be compromised. You can see some of the trade-offs in client vs server-side biometric matching at a Nok Nok Labs blog published following the US Federal Government Office of Personnel Management breach.

As you work on your strategy to avoid mobile malware, the FIDO protocols can help you down the path to combining a great user experience with exceptional security.

Q&A with FIDO Alliance’s Latest Board Company, Feitian Technologies https://fidoalliance.org/qa-with-fido-alliances-latest-board-company-feitian-technologies/ Fri, 26 Aug 2016 21:54:17 +0000

Today, the FIDO Alliance is pleased to welcome Feitian Technologies to its Board of Directors. In this Q&A with the company’s board representative, Tibi Zhang, Managing Director of International Business, the FIDO Alliance learns how Feitian plans to drive FIDO authentication forward in China and the rest of the world.

Why did Feitian decide to upgrade its membership from Sponsor to join the FIDO Board of Directors? What benefits will this bring to Feitian?
Feitian is excited to ascend to the FIDO Board of Directors in order to not only demonstrate our commitment to the organization, but also to help accelerate the deployment of FIDO-based solutions to new regions in the world. As a board member, Feitian aims to organize some FIDO-related events in these target areas. Also, we will be able to use our deep understanding of the Chinese security industry to help set the strategic direction of FIDO in China.

What products does Feitian have today that support FIDO specifications? Are there plans for future products?
Feitian is an innovative technology company, and we have been committed to sustaining innovations and developing various new security hardware. We’ve been closely following key trends in the security market and are constantly trying to put emerging new technologies into products that support the FIDO specifications. In a recent example, we combined the BLE smart card technology and the latest FIDO U2F specification to produce a powerful BLE FIDO U2F authenticator featuring both token and card form factors.

We also think that biometric authentication that uses the smartphone touch sensor and camera is important for the future of authentication, and Feitian has already developed software products based on the FIDO UAF standard for a passwordless experience.

Could Feitian share its perspectives on how the authentication market has evolved? What kind of role do you think FIDO standards will play in the future?
Feitian has been focused on global markets for several years now and has witnessed how the authentication landscape has developed and evolved.  People no longer believe that passwords alone are enough to protect data from the threats of phishing, man-in-the-middle attacks, malware, etc. As a result, Public Key Infrastructure, One Time Password and other multi-factor authentication products emerged to combat these threats. But companies and consumers are now tired of the complexities associated with using these “traditional” approaches. Feitian needed to find a new solution to fulfill these market requirements, and the FIDO specifications meet this need. We think that FIDO standards are the technical foundation that the authentication market needs because it balances security and usability.

What will Feitian do to promote FIDO adoption worldwide and in China?
Feitian has over a decade of experience providing security-related services, especially in banking, e-commerce, and government. We are very happy to share the experiences that we have accumulated in banking and e-commerce areas with all of the FIDO Alliance members in order to speed up the use of FIDO in global e-commerce applications. As a Board member of the FIDO Alliance, Feitian can bring the latest standards, applications and methods to the Chinese market and continue to be a powerful force in helping spread FIDO-based authentication worldwide.  Feitian will also actively participate in the FIDO China Working Group and work together with other Chinese FIDO Alliance members.

In what ways do you believe your company can help FIDO Alliance successfully fulfill its mission?
Feitian has a deep understanding of the security and usability requirements for strong authentication in APAC and beyond. There is a very strong consistency between Feitian’s market strategy and the FIDO Alliance mission.

Feitian has many valuable customers in banking, enterprise, government and other fields. The leading market share and high brand trust of Feitian provide solid bases, strong support, and great opportunity for spreading the FIDO standard into our pre-existing and rapidly developing customer base.

Authentication Tools Are Getting Better; Don’t Get Stuck in the Past https://fidoalliance.org/authentication-tools-are-getting-better-dont-get-stuck-in-the-past/ Thu, 11 Aug 2016 14:23:49 +0000

This is a guest post by Jeremy Grant, Managing Director at The Chertoff Group. Grant leads The Chertoff Group’s identity practice and is an advisor to the FIDO Alliance.

From the buzz in the technology press over the last two weeks, one might think that end times are nigh in the world of authentication. Several media outlets wrote stories discussing NIST’s recent proposal around use of SMS-based solutions for digital authentication in the U.S. government, with headlines like “NIST axes SMS-based two factor authentication” and “U.S. government says SMS codes aren’t safe – so now what?”

While NIST weighed in with a blog of its own clarifying its intent – including making clear that it was not yet banning use of SMS, only discouraging its use – the notion that a commonly-used authentication technology is facing its end-of-life ought to be cause for celebration, not dismay.

Technology constantly evolves – and as it does, security evolves with it. NIST, for example, withdrew support for the Data Encryption Standard (DES) in 2004, after it became clear that DES was increasingly vulnerable, and steered agencies toward use of the faster, stronger Advanced Encryption Standard (AES). Likewise, NIST guided agencies to stop using the SHA-1 family of hash functions in 2006, instead recommending the more secure SHA-2 algorithms.

As technology continues to change, the obsolescence of some solutions shouldn’t be feared, it should be welcomed. Particularly when the reason the obsolescence is happening is because old technologies are being replaced with ones that are more secure and easier to use.

We’ve seen this with clunky single-use cell phones being replaced by sophisticated smartphones designed to make every interaction easy and natural. And we’ve seen it with the emergence of new operating systems and computing platforms that build security in from the start, rather than require end-users to struggle with managing an array of different security controls on their own.

This same evolution is happening in authentication, and not a moment too soon. We’re coming off yet another year where the password was the vector of attack in the majority of breaches. The need for authentication solutions that go beyond passwords is stronger than ever.

But with this need in mind, the reality is that the first generation of “multi-factor” authentication solutions the market produced – tools like SMS and One Time Passwords (OTP) – might have improved security, but they degraded the user experience. Consumers do not want – and have demonstrated they are not willing – to use security technologies that create extra burdens for them.

The good news is that the market is responding – and innovating to create a new set of next generation authentication tools that can address the old “security vs usability” tradeoff that plagued the first set of technologies. New industry efforts like the FIDO Alliance have brought together not just security vendors, but also banks, online retailers, payment card networks, mobile network operators (MNOs), handset manufacturers, health insurers and others to collaborate to create new standards that enable not only great security, but also a terrific user experience.

The cycle has been logical – the security tools we use follow advances in technology:

  • The creation of SMS and widespread penetration of first-generation cell phones created an out-of-band channel for organizations to text out an OTP.
  • The move to smartphones enabled firms like RSA, Google, and Authy to create OTP apps that were more secure than SMS and offered the ability to function even in cellular “dead zones.” But while offering security advantages, these apps have not caught on due to 1) the need for consumers to actively download a dedicated app for strong authentication and 2) a mediocre user experience requiring consumers to stop what they are doing, launch an app and then enter a code.
  • Today we’re seeing a third evolution, driven by the fact that most mobile devices and computers are shipping with a secure, embedded hardware root of trust such as a Trusted Execution Environment (TEE), Trusted Platform Module (TPM) or Secure Enclave (SE), as well as multiple biometric sensors. This is a remarkably significant development in the market — it means that the “primitives” are in place for stronger authentication solutions that blow away legacy SMS and OTP in both security and usability. The FIDO Alliance specifications are specifically designed to take advantage of these primitives, enabling stronger authentication solutions that are also simpler to use.

Next generation solutions like FIDO are coming not a moment too soon. NIST’s warnings about the risks of SMS are hardly the first; Google publicly flagged the issues they were seeing with SMS and other one-time password approaches in June 2015, specifically noting the problems with increased phishing of OTPs. Gartner likewise raised this issue last November, and the U.S. Federal Trade Commission (FTC) issued a warning in June.

FIDO addresses phishing vulnerabilities that have plagued old authentication technologies through a novel approach that uses public key cryptography – replacing the old “shared secrets” model of SMS and OTP with an asymmetric cryptographic key pair. This key pair means there are no “shared secrets” such as passcodes that hackers can intercept; FIDO authentication is unphishable.

Authentication is an important enough issue that the White House made it a centerpiece of its Cybersecurity National Action Plan (CNAP) earlier this year, launching an effort in partnership with the private sector to promote the use of strong, multi-factor authentication for all Americans.

As that effort spurs a new, public-facing campaign around authentication this fall, it will be important for companies to note what NIST, Google and Gartner have stated – that all authentication technologies are not created equal. Next generation authentication solutions are here today that address the weaknesses of SMS and other “shared secrets” technology, providing tools that are not only more secure, but also easier to use.

FIDO Authentication in India https://fidoalliance.org/fido-authentication-in-india/ Mon, 25 Jul 2016 18:24:04 +0000

By Andrew Shikiar, Senior Director of Marketing, FIDO Alliance

Last month FIDO held our first events in India – half-day seminars in Mumbai and Bangalore.  It was an eye-opening experience in many ways, and it’s clear that the desire for simpler, stronger authentication spans borders and use cases.  The audiences were very savvy and engaged in both sessions – asking pointed questions and sparking fresh ideas that will be brought back into FIDO’s working groups. The Tour was generously sponsored by Persistent Systems and the Data Security Council of India (DSCI), with additional support from Egis Technologies, Feitian, Nok Nok Labs and NXP.

India is home to a bustling economy that is driven by a technology sector providing product development and integration services on a global scale. This economy serves a population that is more connected by the day.  In fact, India has passed the United States and is now the second biggest consumer of the Internet (behind China).  This latter trend in connecting the previously unconnected is where the Indian government has been very proactive in creating relevant technology policies and initiatives – and also is where FIDO stands to have the greatest impact.

For starters, some key numbers give you a feel for the types of transformations that are possible in India.  In telecommunications – just 20 years ago it could take even city-dwellers weeks or longer to get landline service due to the vastness and complexity of the infrastructure.  As a result, in 2001 there were fewer than 37 million fixed and mobile subscribers. Today, however, there are over a billion mobile subscribers and still only 25 million fixed line subscribers – which enables the next frontier for Indian transformation:  payments.

While Indian society is clearly becoming increasingly connected, it is still a cash-driven economy with less than 5% of transactions happening electronically as recently as 2014. The country’s goal is to bring this ratio more in line with countries like the United States or United Kingdom, where the majority of transactions are handled electronically. But as more and more people leverage electronic or mobile transactions, opportunities increase for hacking and fraud.

Fortunately, the Indian government is well ahead of the curve on this matter, and has mandated second-factor authentication for all online and mobile transactions. This currently manifests itself via one-time passcodes delivered over SMS, which, while certainly better than a single factor, do have their usability and security challenges. As part of FIDO’s efforts in India, we will be engaging with leaders in policy and commerce to introduce the added security benefits that FIDO authentication brings to the table versus one-time passcodes (OTPs). In addition, much of India uses PKI and digital certificates to secure online transactions – a bulky and time-consuming process that stands to be vastly improved through FIDO authentication.

Successive generations of technology have required users to become more and more savvy. In the context of India and other emerging populations, however, the challenge is to simplify the usage of technology. FIDO, with its option for biometric-based strong authentication, is ideally suited to offer a viable solution.  In fact, one of the founding visions for FIDO was to have a solution protecting the next billion users who don’t know what a password is, and who shouldn’t have the pain of passwords inflicted upon them.

These ideals also pertain to the “newly banked” in India – where there are now tens of millions of people using mobile devices to make purchases and small peer-to-peer transactions. This demographic will be conducting mobile transactions before they’ve ever seen a web page or received an email, which makes them particularly susceptible to phishing attacks. Eventually they will receive email – and as 12% of links in phishing emails are opened today, there’s a good chance that less experienced users will take the bait. As such, it’s critical that their service providers deploy FIDO authentication solutions, which are architected to prevent phishing and man-in-the-middle attacks.

We’re excited to build on this initial foray into India, and in the near future will be launching a dedicated effort in the region in order to support and grow the local FIDO community.  Stay tuned for more details!

Case Study: Korea’s Shinhan Bank Deploys FIDO Authentication https://fidoalliance.org/case-study-shinhan-bank/ Mon, 27 Jun 2016 11:24:07 +0000

In this series of case studies, the FIDO Alliance talks to organizations that have deployed FIDO strong authentication. In this edition, we spoke with Hyoung Woo Kim who represents the ‘Sunny Bank Business’ department at Shinhan Bank in Korea, which is now offering FIDO-based fingerprint authentication to its Sunny Bank mobile application.


FIDO Alliance: Why did Shinhan Bank decide to offer fingerprint authentication to the Sunny Bank application? What problem were you trying to solve?
Hyoung Woo Kim: Shinhan Bank was looking for a trusted biometric solution to add value for their customers using the Sunny Bank app. We chose this because FIDO has been developed as a biometric standard specifically for the mobile online environment, and biometric-based identity authentication systems through FIDO have been proven to be a secure infrastructure to provide a convenient and strong authentication service. It is used as a second-factor authentication or an easy alternative login of the app (ID/password) in conjunction with the existing banking app.

FIDO Alliance: Please tell us more about Shinhan Bank.
Hyoung Woo Kim: Shinhan Bank was founded in 1897 and operates banking, foreign exchange operations, and trust-services businesses. Its capitalization is 8 trillion KRW ($6.7 billion USD), and the corporation has a turnover of 14.8 trillion KRW ($12.3 billion USD). It has roughly 15,000 employees.

FIDO Alliance: Please describe the new service.
Hyoung Woo Kim: Shinhan Bank has introduced the first FIDO-based biometric authentication technology in the domestic banking services market. This service is a specialized mobile banking platform for Shinhan Bank called ‘Sunny Bank’. By introducing the first non-face-to-face personal identity authentication system, it makes possible a variety of traditional banking services such as opening a new account, deposit and withdrawal inquiry, currency exchange services, MyCar loan applications, and so forth without visiting a bank branch.

FIDO-based fingerprint authentication services with OnePass replace the existing certificate verification system so that the Shinhan Bank app service increases security as well as convenience for its customers in the financial services sector.

FIDO Alliance: Why did Shinhan Bank choose to use FIDO standards for this service?
Hyoung Woo Kim: With the explosive growth in mobile and online banking services, coupled with mandatory regulations changes related to banking and finance security, the need for a new secure authentication method that is also convenient for mobile users was very pressing.

Furthermore, the FIDO protocol is built around the secure storage of biometric information on the local device, with no transmission of the information necessary for authentication. The FIDO system locally verifies the user on his or her own device and then authorizes an encrypted authentication response to the server.

In order to satisfy both security concerns as well as customers’ requirements, building a convenient and secure authentication service that combines identity services with secure authentication is a real challenge. For Shinhan, the FIDO-based OnePass system was a clear choice to answer that challenge.

FIDO Alliance: What partners worked with you to enable FIDO authentication for the service?
Hyoung Woo Kim: FIDO authentication for the service has been built with Raonsecure, which is a leading FIDO-based biometric solution, mobile security, and PKI security technology provider. Raonsecure was one of the first companies to earn FIDO certification and is a leading FIDO authentication technology provider in Korea. Based on strong financial services management know-how, Raonsecure offers a range of technologies for clear understanding and meeting the requirements of Shinhan Bank.

FIDO Alliance: How many customers are now using the Shinhan Bank service and has Shinhan Bank seen any other positive results?
Hyoung Woo Kim: Shinhan Bank serves approximately 23 million customer accounts, which is roughly half the total population of the Republic of Korea (excluding duplicate customers in 2014).

FIDO Alliance: What role do you see FIDO-based authentication playing for Shinhan Bank in the future?
Hyoung Woo Kim: We are currently providing FIDO-based fingerprint authentication login services with enhanced security to an existing simple login method for customers using the Sunny Bank app, and as an additional authentication method. Currently, it is provided for Android and iOS smartphone devices with the fingerprint authentication function.

Login, signup products, and funds transaction services provided with existing certificate verification will be gradually changed to the FIDO-based biometric solution, such as fingerprint authentication services via the smartphone application. It will maximize security in financial services and customer convenience simultaneously. Other means of authentication are also being planned in order to expand the variety of other authenticator types, such as iris scan and facial recognition-based authentication.
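Two passages in these posts describe the FIDO model without showing it: the India post's point that FIDO solutions are architected to prevent phishing and man-in-the-middle attacks, and Hyoung Woo Kim's description of the device verifying the user locally and then sending a signed response to the server. The Go program below is an added illustration of that challenge-response flow written for this page; it is not FIDO Alliance, Shinhan Bank or Raonsecure code, and the relying-party identifiers, the look-alike origin, and the simplified authenticator-data layout are assumptions. It registers a key pair, has the device sign a server nonce together with the origin the client actually reached, and shows the server rejecting a response produced on a different origin or for a stale nonce.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying-party identifiers for this constructed example; they are not taken from the page.
const rpID, rpOrigin = "bank.example", "https://bank.example"
type clientData struct { // built by the client, signed by the device: the nonce plus the origin really in use
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
type Credential struct { // all the server keeps from registration: the public key
	PublicKey *ecdsa.PublicKey
}
type Authenticator struct { // the user's device: the private key never leaves it
	priv *ecdsa.PrivateKey
}
type Assertion struct { // the response that travels to the server
	ClientDataJSON []byte
	AuthData       []byte // sha256(rpID) || flags
	Signature      []byte // ECDSA over sha256(AuthData || sha256(ClientDataJSON))
}

// Register creates a key pair on the device and hands only the public half to the server.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Credential{PublicKey: &priv.PublicKey}, nil
}

// signedDigest is computed by both sides: the device signs it, the server verifies it.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign runs on the device after the local biometric check (userVerified stands in for it).
// origin is whatever site the client is actually connected to; the device records it, it does not judge it.
func (a *Authenticator) Sign(challenge []byte, origin string, userVerified bool) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; nothing is signed")
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05) // flags 0x05: user present + user verified
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// Verify runs on the server. Each check compares against a value the server issued or stored,
// so a response signed on a look-alike site, or one signed for a stale nonce, is rejected.
func Verify(cred *Credential, challenge []byte, asrt *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(asrt.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case !bytes.Equal(cd.Challenge, challenge):
		return errors.New("challenge mismatch: not the nonce issued for this login")
	case cd.Origin != rpOrigin:
		return fmt.Errorf("origin %q is not %q: the user signed in on another site", cd.Origin, rpOrigin)
	case len(asrt.AuthData) != 33 || !bytes.Equal(asrt.AuthData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch: credential is scoped to a different relying party")
	case !ecdsa.VerifyASN1(cred.PublicKey, signedDigest(asrt.AuthData, asrt.ClientDataJSON), asrt.Signature):
		return errors.New("signature does not verify against the registered public key")
	}
	return nil
}

// Demo: a genuine login, a response signed on a constructed look-alike origin, and an old response reused.
func Demo() (genuine, lookalike, stale error) {
	auth, cred, err := Register()
	if err != nil {
		return err, err, err
	}
	nonce := func() []byte { b := make([]byte, 32); rand.Read(b); return b } // fresh server challenge
	ch1, ch2, ch3 := nonce(), nonce(), nonce()
	good, _ := auth.Sign(ch1, rpOrigin, true)
	genuine = Verify(cred, ch1, good)
	bad, _ := auth.Sign(ch2, "https://bank-example.test", true) // constructed look-alike origin
	lookalike = Verify(cred, ch2, bad)
	stale = Verify(cred, ch3, good) // earlier response presented against a new login's nonce
	return
}
```

Note that the device never judges the origin; it only records the one it was handed, and the server compares that against its own. That is what makes a convincing copy of the login page useless even when the user completes the fingerprint step, and it is the property SMS OTPs lack. A production relying party additionally consumes each challenge after a single use and tracks the authenticator's signature counter; this illustration does not model either.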

Enterprise Adoption of FIDO Authentication https://fidoalliance.org/enterprise-adoption-of-fido-authentication/ Wed, 08 Jun 2016 17:45:33 +0000
Advancement of FIDO Technology https://fidoalliance.org/advancement-of-fido-technology/ Thu, 24 Mar 2016 22:07:16 +0000
Why FIDO Matters: Healthcare Services https://fidoalliance.org/why-fido-matters-healthcare-services/ Thu, 24 Mar 2016 22:03:17 +0000
U2F Case Study: Examining the U2F Paradox https://fidoalliance.org/u2f-case-study-examining-the-u2f-paradox/ Thu, 24 Mar 2016 21:58:20 +0000
FIDO Privacy Principles and Approach https://fidoalliance.org/fido-privacy-principles-and-approach/ Thu, 24 Mar 2016 18:21:23 +0000
Why FIDO Matters: Digital Government Services https://fidoalliance.org/why-fido-matters-digital-government-services/ Thu, 24 Mar 2016 18:20:07 +0000
Information Security Development in Ireland https://fidoalliance.org/information-security-development-in-ireland/ Thu, 24 Mar 2016 18:00:22 +0000
Government Views on the Future of Authentication – Bartels https://fidoalliance.org/government-views-on-the-future-of-authentication-bartels/ Thu, 24 Mar 2016 17:59:31 +0000
Government Views on the Future of Authentication – Cabinet Office https://fidoalliance.org/government-views-on-the-future-of-authentication-cabinet-office/ Thu, 24 Mar 2016 17:58:24 +0000
FIDO, PKI & beyond: Where Authentication Meets Identification https://fidoalliance.org/fido-pki-beyond-where-authentication-meets-identification/ Thu, 24 Mar 2016 17:57:34 +0000
Critical Care: The Importance of Stronger Authentication in Health Care https://fidoalliance.org/critical-care-the-importance-of-stronger-authentication-in-health-care-3/ Mon, 29 Feb 2016 23:16:08 +0000
Critical Care: The Importance of Stronger Authentication in Health Care https://fidoalliance.org/critical-care-the-importance-of-stronger-authentication-in-health-care-2/ Fri, 26 Feb 2016 19:54:44 +0000