Implementation & Deployment - Getting FIDO up & running
https://fidoalliance.org/category/implementation-deployment/
Thu, 03 Aug 2023 16:13:59 +0000

Webinar: Inside Intuit’s FIDO Journey
https://fidoalliance.org/webinar-inside-intuits-fido-journey/
Thu, 03 Aug 2023 15:31:59 +0000

Intuit is the global financial technology platform that powers prosperity for more than 100 million consumers and businesses around the world using TurboTax, Credit Karma, QuickBooks and Mailchimp. To execute on a user-centric focus, Intuit’s customer authentication products team, led by Rakan Khalid, Intuit Group Product Manager, Identity, justifies and prioritizes development of new authentication capabilities based on user research, security trends and technology advancements in the industry. This has led to an overarching strategy that emphasizes secure and convenient authentication experiences on its platform.

Intuit saw the potential of the FIDO Alliance early on and began a multi-year FIDO journey in 2018 to reduce customer friction and enhance security – all at lower operating costs. Join this webinar to learn why and how Intuit deployed FIDO, the challenges faced and benefits achieved, and get a sneak peek into how Intuit plans to leverage passkeys to further enhance its FIDO rollout!

Intuit’s ROI from Passwordless Customer Authentication
https://fidoalliance.org/case-study-intuits-roi-from-passwordless-customer-authentication/
Thu, 29 Jun 2023 14:18:45 +0000

Business Situation

Intuit is the global financial technology platform that powers prosperity for more than 100 million consumers and businesses around the world using TurboTax, Credit Karma, QuickBooks and Mailchimp. The company’s long-held commitment to Design for Delight principles has been a key ingredient of its success in fueling innovation across its products, services and customer touchpoints to create bold new AI and data-driven personalized experiences at scale.

To execute on a user-centric focus, Intuit’s customer authentication products team, led by Rakan Khalid, Intuit Group Product Manager, Identity, justifies and prioritizes development of new authentication capabilities based on user research, security trends and technology advancements in the industry. This has led to an overarching strategy that emphasizes secure and convenient authentication experiences on its platform.

Intuit saw the potential of the FIDO (Fast ID Online) Alliance early on and began a multi-year FIDO journey in 2018 to reduce customer friction and enhance security, at lower operating costs.

Business Challenges

Intuit set out to address several challenges when evolving its customer authentication strategy to serve a growing customer base across a diverse set of product offerings and user personas:

  • Customers experienced friction when logging on, which negatively impacted key business metrics.
  • Sign-in times (time to successful sign-in) were getting longer, and calls into customer care for account sign-in-related issues were increasing.
  • Product teams were challenged to balance ease-of-use and convenience for users with appropriate levels of security.

Business Objectives

The team set out to achieve the following business objectives for customer authentication across Intuit’s product portfolio:

  1. Deliver a delightful and seamless customer authentication experience that “just works” across multiple devices.
  2. Push the envelope on customer authentication technology to further enhance the security posture of Intuit.
  3. Build a resilient, scalable, durable customer authentication capability for its current and future business needs.

OVERVIEW

“As an early adopter of FIDO, we’ve seen significant business benefits and are completely on board with continuing to leverage the latest FIDO innovations with our partner, Nok Nok.”

Rakan Khalid, Intuit Group Product Manager, Identity

Results and Benefits

Intuit was able to reduce customer friction, resulting in authentication success rates of 95% to 97% and 70% faster sign-in speeds.

FIDO Authentication Deployment – Measured Steps

Intuit implemented a FIDO-based customer authentication solution in line with the FIDO Alliance’s founding members’ goals. FIDO protocols are based on an asymmetric cryptographic authentication framework designed to enhance security, provide a better user experience (compared to traditional passwords) and reduce cost and complexity.

Although FIDO is an open standard, the expertise required to code and deploy a scalable FIDO solution for millions of consumer and small business customers led Intuit to license a FIDO authentication platform.

Intuit selected the Nok Nok™ S3 Authentication Suite (S3 Suite) for its advanced FIDO features and capabilities; optional on-prem deployment model; and speed, scale, and resilience, which was validated by Nok Nok enterprise customers.

Intuit’s authentication team placed a high priority on working with a FIDO leader with deep and relevant experience in customer authentication, and therefore well equipped to keep pace with industry progress in this fast-evolving technology.

Build vs. Buy: Intuit recognized that the company would benefit from the expertise of a vendor with experience working with other major companies on its authentication journey, and enjoy access to innovative product enhancements along the way.

Progressive Deployment: Intuit opted to deploy Nok Nok’s customer authentication solution across multiple apps in a controlled and measurable manner:

  • Intuit’s authentication team initially tested Nok Nok’s FIDO passwordless customer authentication on the mobile iOS version of an Intuit product with a small customer base.
  • Over the next few months, the team rolled out Nok Nok’s FIDO passwordless solution on mobile iOS and Android platforms for a broader customer base on multiple Intuit products.
  • The team added FIDO as an option to Intuit’s passwordless customer onboarding flow, which improved onboarding conversion rates and reduced subsequent sign-in times.
  • Over the last 5 years, Intuit has grown its total FIDO registrations to over 77 million.

Authentication Solution Delivers on Business Objectives

Intuit has been able to achieve all of its business objectives, while simultaneously addressing new use cases for a growing customer base:

  1. Delightful Customer Sign-in – FIDO-based multi-factor authentication (MFA) for customer sign-in dramatically improves and simplifies the user sign-in experience because it’s completed in a single user step. This reduces the need for a multi-step authentication process (e.g., password, texting one-time passcodes). Using FIDO, Intuit users are presented with a seamless, passwordless flow using device-based platform authenticators, such as biometrics with which they’re already comfortable.

Today, more than 85% of all customer authentications on Intuit’s mobile apps are now done using FIDO.

  2. Enhanced Customer Security – When FIDO authentication is used, it eliminates the passing of passwords and one-time tokens between apps and services, which can reduce the risk of interception attacks.
  3. Global Scale – Since Nok Nok’s S3 platform is trusted by some of the largest banks, telcos and fintech brands across five continents and has been proven to scale across demanding customer environments, it’s given Intuit the confidence that it will continue to scale with the company’s future growth to match uptime and authentication speeds.

Business Results

By deploying a passwordless solution for customer authentication, Intuit was able to reduce customer friction, thereby reducing operating expenses. Users who adopted the FIDO passwordless authentication option experienced authentication success rates of 95% to 97% when compared to a baseline of 80% for legacy multi-factor authentication and 70% faster sign-in speeds over non-FIDO sign-ins.

Looking Ahead

Over the past several years, Intuit has experienced the power of FIDO customer authentication for its consumer and small business customers, and validated its benefits with its product, technology, security, user experience and customer care teams. Looking ahead, the company intends to explore multi-device passkey technology as the next frontier on its authentication journey.

White Paper: High Assurance Enterprise FIDO Authentication
https://fidoalliance.org/high-assurance-enterprise-fido-authentication/
Tue, 27 Jun 2023 13:11:14 +0000

This white paper addresses specific considerations for determining the appropriate type of passkey for enterprises that require high levels of identity assurance, have internal security policies, or need to meet regulatory requirements.

White Paper: FIDO Authentication for Moderate Assurance Use Cases
https://fidoalliance.org/fido-authentication-for-moderate-assurance-use-cases/
Tue, 27 Jun 2023 13:10:20 +0000

This white paper provides guidance for organizations as they analyze the abilities and features of both device-bound passkeys and synced passkeys to determine how both credential types can be utilized in a moderate assurance environment. The paper compares features and requirements that are supported by device-bound and synced passkeys, providing a vision of how both types of credentials can be utilized together in an organization that has moderate assurance needs.

White Paper: Replacing Password-Only Authentication with Passkeys in the Enterprise
https://fidoalliance.org/replacing-password-only-authentication-with-passkeys-in-the-enterprise/
Tue, 27 Jun 2023 13:09:30 +0000

This white paper describes the need for a more secure and convenient solution for authentication. Passwords have long been the standard for authentication, but the risks inherent to passwords reduce their efficacy as an authentication mechanism. Multi-factor authentication (MFA) solutions have been on market for some time, but their widespread adoption has been slow due to various barriers. Passkeys are an authentication solution that reduces the adoption barriers of traditional MFA mechanisms, while offering improved security, ease of use, and scalability over passwords and classic MFA solutions. Passkeys utilize on-device biometrics or PINs for authentication and provide a seamless user experience. This white paper outlines the benefits of passkeys, the user experience, and adoption considerations for enterprises.

White Paper: Introduction: Deploying Passkeys in the Enterprise
https://fidoalliance.org/introduction-deploying-passkeys-in-the-enterprise/
Tue, 27 Jun 2023 13:08:42 +0000

This introductory paper provides an overview of the benefits of passkeys in the enterprise and provides a glossary of common terms to be used in conjunction with the other papers in this series.

Toyota Motor Corporation turns to FIDO Authentication for Enhanced Login in Japan
https://fidoalliance.org/toyota-motor-corporation-turners-to-fido-authentication-for-enhanced-login-in-japan-2/
Mon, 26 Jun 2023 23:56:55 +0000

Corporate overview and challenge

As the “CASE” trend is gaining ground in the automotive industry, Toyota Motor Corporation, a leader and evolving company in the industry, is changing its model from a “car company” to a “mobility company”. In the area of “C: Connected,” Toyota is working to realize its vision of “Mobility for All – Freedom and Enjoyment of Mobility for All People,” and is developing a number of new services, including a “digital key” that allows the use of smartphones as keys, as well as a website and smartphone applications, for a wide range of users.

The “TOYOTA/LEXUS common ID” (“common ID”), a customer authentication service for safe and comfortable use of various services provided by Toyota, plays an important role in the provision of a series of services. The 5 million TOYOTA common IDs are linked to about 40 different services, and the multiple smartphone applications provided to customers required the input of IDs/passwords for each application.

FIDO 2 deployment

Toyota Motor Corporation has decided to deploy FIDO authentication as an optional authentication function for the “Common ID,” the major advantage of which is that by registering FIDO authentication credentials in advance, users will no longer need to go through the process of entering their ID/password each time they use each smartphone application.

Prior to deploying FIDO authentication, Toyota Motor Corporation had been using one-time password authentication and backup code authentication as a means of multi-factor authentication for common IDs. The main reason for choosing FIDO as one of the new options for multi-factor authentication this time was the consideration of the robust security and usability of FIDO authentication. By utilizing FIDO, which is a multi-factor authentication that involves possession using biometrics on the smartphone used in everyday life, a high level of security was ensured, and it also contributed to an improved user experience.

NRI Secure Technologies, Inc. (NRI Secure), which manages common IDs, has an authentication infrastructure called “Uni-ID Libra” that is compliant with FIDO authentication, and we requested their cooperation for implementation.

Until FIDO authentication was introduced for iOS and Android devices, the issue was the impact on the UX of the differences in behavior depending on the OS (whether or not Discoverable Credential (formerly known as Resident Key) is supported, explicit user interaction during key registration being required for Safari for iOS, etc.). In the end, we were able to absorb the differences in UX by modifying the authentication web screen, and this led to a solution.

With this implementation, Toyota Motor Corporation has also focused on the importance of designing the life cycle of FIDO authenticators together. In providing services, it is necessary to prepare not only for authentication, but also for registration, device switching, and account recovery in case of loss. If other companies that provide services to consumers consider FIDO authentication, they should have a method that can maintain security strength when switching devices or recovering accounts.

OVERVIEW
Toyota Motor Corporation, headquartered in Toyota City, Japan, is Japan’s largest automobile manufacturer.

  • C (Connected): IoT for automobiles
  • A (Autonomous): Automated driving
  • S (Shared & Services): From ownership to sharing
  • E (Electric): Electric vehicles

Finally, Masatoshi Hayashi, Toyota Motor Corporation’s Connected Company Value Chain Infrastructure Development Department, who spoke with us about this case study, made the following comments.

“With the expansion of the connected strategy, the number of operations that can be carried out on smartphone applications and websites has been increasing. While convenient, they can also lead to accidents if misused, so more security measures are required. We believe that FIDO authentication will contribute as one piece to continue providing convenient and safe mobility services to our customers.”

(*) To obtain a common ID and register FIDO credentials, please visit https://id.toyota

PNC Uses FIDO Authentication to Reduce Security Risks, Improve User Experience
https://fidoalliance.org/pnc-uses-fido-authentication-to-reduce-security-risks-improve-user-experience/
Wed, 14 Jun 2023 14:31:21 +0000

Why PNC Opted for FIDO

Security is of critical importance to PNC and its customers. PNC’s approach to provide digital services is founded on a strong commitment to privacy protection to those who use its services. Multi-factor authentication is a key component to protecting customer identities and data, and FIDO’s standard helped provide a roadmap to implementation. 

As a result, PNC has been able to provide customers authentication options that are easy to use but still afford consistency in terms of protection. This translates into high-quality identity assurance to verify and validate that the right customer is enrolled and minimize the risk of impersonation. 

“We needed to find a way to create a user-friendly mechanism to improve customer security without creating a burdensome process that required so many steps that it dissuaded customers from enrolling or engaging,” said Susan Koski, Chief Information Security Officer at PNC.

Benefits Realized

By using FIDO standards, PNC has been able to manage the authentication experience in such a way that it leverages the security features of a customer’s device, applying industry best practices for designing this identity protection mechanism. Ultimately, FIDO standards have been a core component to PNC’s cybersecurity strategy to minimize the risk of unauthorized access to customer credentials.

“We continue to identify ways to improve security for our customers; ultimately reducing the reliance on passwords and other phishable credentials from our ecosystem is a critical aspect to protecting our customers,” Koski said.

OVERVIEW


PNC Financial Services is a coast-to-coast franchise with an extensive retail branch network and a presence in the country’s 30 largest markets. As one of the largest diversified financial services institutions in the United States and across four strategic international offices, PNC provides retail banking, corporate and institutional banking, and asset management. In a rapidly changing financial industry, PNC is focused on providing control and functionality that customers want – in a secure environment. To advance this goal, PNC has implemented FIDO authentication in specific use cases to help reduce security risks and improve user experience.

PNC Bank, National Association, is a member of The PNC Financial Services Group, Inc. (NYSE: PNC). PNC is one of the largest diversified financial services institutions in the United States, organized around its customers and communities for strong relationships and local delivery of retail and business banking including a full range of lending products; specialized services for corporations and government entities, including corporate banking, real estate finance and asset-based lending; wealth management and asset management. For information about PNC, visit www.pnc.com.

White Paper: Using FIDO for the EUDI Wallet
https://fidoalliance.org/white-paper-using-fido-for-the-eudi-wallet/
Thu, 20 Apr 2023 14:43:14 +0000

This white paper describes the eIDAS2 ecosystem and how to use the FIDO standard with the EU Digital Identity (EUDI) Wallet.

This white paper is aimed at governmental agencies that are interested in using FIDO for the EUDI Wallet according to the eIDAS2 regulation. The intended readers are project managers, technical experts, and developers.

SK Telecom announces adoption of passkeys for online users in Korea
https://fidoalliance.org/sk-telecom-announces-adoption-of-passkeys-for-online-users-in-korea/
Sun, 26 Mar 2023 23:03:06 +0000

By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

SK Telecom, a leading mobile phone service provider in Korea, is taking a big step forward in terms of user authentication by adopting passkeys for their online users. 

Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing resistant. They eliminate the need for users to remember complex passwords and the authentication process is much faster. Passkeys are based on FIDO authentication, which is proven to be resistant to threats of phishing, credential stuffing and other remote attacks. 

SK Telecom has introduced passkeys as a means of user authentication to PASS, its identity verification service with over 18 million users. Customers using devices running iOS 16 or higher can use passkeys for PASS login, identity verification through PASS, and electronic signature. Depending on the device, user authentication is performed using Face ID or Touch ID. Android users can now use FIDO2-based authentication methods and perform authentication by utilizing the screen locks (biometrics, PINs, patterns, etc.) provided by their devices. In the future, SK Telecom plans to make sign-ins with passkeys available to Android users as well. SK Telecom will introduce new user scenarios in a variety of ways to better protect customers’ assets and identity through the introduction of passkeys.

[Passkey Registration Process on SK Telecom PASS]

SK Telecom developed support for passkeys through cooperation with platform operators, and the FIDO authentication server for processing sign-ins with passkeys was developed with SK Telecom’s own technology. By actively introducing passkeys not only to PASS but also to various other services provided by SK Telecom, the company hopes that many customers who use SK Telecom services will be able to use them more conveniently and without worrying about security.

This deployment represents a new milestone in SK Telecom’s journey with FIDO. In 2019, during the FIDO Alliance Public Seminar in Korea, SK Telecom reported zero credential stuffing once the company adopted FIDO Authentication for internal usage. They also claimed that their FIDO-based biometric authentication reduced the average authentication time to less than 5 seconds, which previously took more than 30 seconds on average, when the internal users tried logging in with ID and passwords. It is great to see that they continue to innovate and now provide the benefits of FIDO Authentication to the general public.

Through this milestone, many users in Korea will be safe from various threats stemming from passwords, and SK Telecom’s movement as an innovator will have a positive impact on spreading password-less authentication not only in Korea but also globally.

To learn more about SK Telecom, please visit their corporate website. You can also download the PASS apps by visiting the App Store or Google Play.

Yahoo! JAPAN announces support for passkeys across available platforms
https://fidoalliance.org/yahoo-japan-announces-support-for-passkeys-across-available-platforms/
Tue, 14 Mar 2023 15:02:42 +0000

By Andrew Shikiar, Executive Director and CMO, FIDO Alliance 

Yahoo! JAPAN is an industry pioneer known for being an early adopter of new technologies to improve the security and usability of its services for its customers. Today, the company is continuing that tradition with its adoption of passkeys across Apple’s iOS, iPadOS, and macOS, and Google’s Android operating systems.

“Yahoo! JAPAN is one of the first companies to support passkeys from Apple and Google,” said Yuya Ito, ID Division, Yahoo! JAPAN. “Passkeys solve the usability issues that FIDO authentication has traditionally faced and dramatically improve users’ difficulties in using FIDO authentication. Through these initiatives, Yahoo! JAPAN and the FIDO Alliance will promote the shift away from passwords and the spread of passkeys and contribute to providing more secure and simple authentication on the Web.”

Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant. Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.

Passkeys stand to fundamentally shift the way that consumers sign into apps and services across the web and across the world, moving away from the burden and vulnerabilities of passwords and OTPs to a fundamentally stronger and simpler approach that allows users to sign in by taking the same action they use to unlock their device dozens of times each day – typically a biometric or local PIN code.

According to Yahoo! JAPAN, more than 70% of its active users use either SMS or FIDO-based biometric passwordless authentication. With passkeys, Yahoo! JAPAN’s customers can access their FIDO sign-in credentials on many of their devices, even new ones, without having to re-enroll every device on every account. 

By enabling its users to sign in with passkeys, Yahoo! JAPAN continues to serve as a leading innovator in Japan and in the FIDO Alliance, where it has played a vital role on the Alliance’s Board of Directors, the FIDO Japan Working Group and other FIDO Alliance bodies.

Read Yahoo! JAPAN’s announcement here.

Cloudflare embraces FIDO to help its own security
https://fidoalliance.org/cloudflare-embraces-fido-to-help-its-own-security/
Thu, 02 Mar 2023 19:08:21 +0000

THE CHALLENGE:
Improving Employee Access with Zero Trust

When Cloudflare started, the company provided its employees with access to internal applications via a virtual private network (VPN). Access to some, but not all, applications behind the VPN required two-factor authentication, typically done with One Time Passcodes (OTP) generated by applications like Authy or Google Authenticator.

Cloudflare realized that it needed a more secure and scalable approach than VPN and started a process of moving toward a Zero Trust architecture utilizing Cloudflare Access.

From OTP to unphishable FIDO authentication

As part of its migration to a zero trust architecture, Cloudflare began using FIDO-based security keys in 2018.

The goal behind using FIDO2 was to provide strong authentication that would enable Cloudflare’s zero trust model.

“I wanted something that was unphishable,” said Derek Pitts, director of enterprise security at Cloudflare. “If we were going to go through all the trouble of redoing a lot of our identity and access management infrastructure, I wanted it to be future proof and resilient.”

Overcoming barriers to adoption with selective enforcement

Cloudflare’s path to adoption of FIDO security keys was not an entirely straight path. Initially there were concerns around account recovery and replacement of lost physical security keys.

Another challenge was the fact that Cloudflare’s users were used to using OTP technology with Google Authenticator, or Authy. Managing user change aversion and education were key components in the switch from OTP to FIDO security keys. This led Cloudflare to a selective enforcement approach, so as not to force change on users that could potentially lock them out.

What Cloudflare did was to integrate FIDO into its access identity aware proxy that internal users used to access internal sites. Instead of immediately requiring FIDO for all internal sites, Cloudflare initially only required the use of security keys on three of its sites. Selective enforcement for FIDO security keys were activated on July 20, 2020, which is the day Twitter fell victim to a social engineering attack.

“That day was mayhem and we wanted to ensure that didn’t happen to us,” Pitts said.

Pitts said that by requiring the use of FIDO2/WebAuthn for its three most sensitive internal apps, adoption grew as it gave employees a training ground to get familiar with the technology. In 2021, Cloudflare made the switch to requiring FIDO security keys across its network.

Overview

Founded in 2010, Cloudflare is one of the world’s leading internet content delivery and security platforms.

Cloudflare is one of the world’s most deployed security and content delivery platforms. Cloudflare’s products include a range of services including web performance, application network, zero trust and developer services.

Cloudflare’s network handles over 36 million HTTP requests per second and blocks over 124 billion cyber attacks a day. The Cloudflare network has over 200 points of presence around the globe.

“Selective enforcement ended up being a huge deal for us,” Pitts said. “That was one of the biggest forcing functions and things that made this project successful.”

Read Cloudflare’s blog, “How Cloudflare implemented hardware keys with FIDO2 and Zero Trust to prevent phishing,” to learn more about their FIDO Authentication implementation.

LESSONS LEARNED:
Take the small wins where you can

From the outset, the movement toward strong authentication had top-down support from Cloudflare’s CEO, CIO and CSO. Pitts said that having the executive buy-in was important as it helped his team to push through when it ran into issues.

Cloudflare has a large and complex network architecture and it didn’t move to WebAuthn/FIDO2 overnight. Pitts said that it was a multi-year effort that was successful on the foundation of a series of incremental small wins that helped to prove that the technology can work to improve security.

The small wins approach incorporated Cloudflare’s selective enforcement approach. Pitts said that it’s important to have a training ground that will allow users to try out security keys and get familiar with the approach.

The post Cloudflare embraces FIDO to help its own security appeared first on FIDO Alliance.

Webinar: Making FIDO Deployments Accessible to Users with Disabilities https://fidoalliance.org/webinar-making-fido-deployments-accessible-to-users-with-disabilities-2/ Mon, 19 Dec 2022 20:17:07 +0000 https://fidoalliance.org/?p=38996

The post Webinar: Making FIDO Deployments Accessible to Users with Disabilities appeared first on FIDO Alliance.

In achieving FIDO Alliance’s mission of more secure and password-free authentication, we must ensure the needs and preferences of people with disabilities – an estimated 15% of the world’s population – are taken into account. 

During this webinar accessibility experts from FIDO Alliance board member companies Meta and VMware discussed how to make your FIDO deployment accessible to users with a wide range of disabilities. 

View the presentation.

Speakers:

  • Yao Ding, Accessibility Research Lead, Meta
  • Joyce Oshita, Accessibility Test Engineer, VMware

Webinar: Making FIDO Deployments Accessible to Users with Disabilities https://fidoalliance.org/webinar-making-fido-deployments-accessible-to-users-with-disabilities/ Mon, 19 Dec 2022 20:11:45 +0000 https://fidoalliance.org/?p=38995

The post Webinar: Making FIDO Deployments Accessible to Users with Disabilities appeared first on FIDO Alliance.

In achieving FIDO Alliance’s mission of more secure and password-free authentication, we must ensure the needs and preferences of people with disabilities – an estimated 15% of the world’s population – are taken into account. 

During this webinar accessibility experts from FIDO Alliance board member companies Meta and VMware discussed how to make your FIDO deployment accessible to users with a wide range of disabilities. 

Watch the video.

Speakers:

  • Yao Ding, Accessibility Research Lead, Meta
  • Joyce Oshita, Accessibility Test Engineer, VMware

FIDO Alliance Provides Guidance on Making FIDO Deployments Accessible to People with Disabilities https://fidoalliance.org/fido-alliance-provides-guidance-on-making-fido-deployments-accessible-to-people-with-disabilities/ Thu, 08 Dec 2022 14:48:54 +0000 https://fidoalliance.org/?p=38819

The post FIDO Alliance Provides Guidance on Making FIDO Deployments Accessible to People with Disabilities appeared first on FIDO Alliance.

By Christina Hulka, executive director and COO of the FIDO Alliance

FIDO Authentication has reached broad support across the web – all major operating systems, browsers and billions of devices support FIDO Authentication today. Having reached such a milestone and the resulting FIDO roll outs from a broad array of service providers, the FIDO Alliance is increasingly focused on ways to make FIDO Authentication more usable and accessible for all. 

In achieving FIDO Alliance’s mission of more secure and password-free authentication, we must ensure that we meet the needs and preferences of people with disabilities. Today, we are pleased to announce the publication of “Guidance for Making FIDO Deployments Accessible to Users with Disabilities,” to provide guidance on planning FIDO deployments that are accessible to users with a wide range of disabilities. It also aims to help hardware manufacturers identify opportunities to deliver more accessible external authenticators.

An estimated 15% of the world’s population lives with some sort of disability today, and in many countries, laws prohibit discrimination to help ensure that these people can fully and equally participate in every aspect of society. Authentication is an important component of the ability to participate, as it provides digital access to many aspects of society including (but not limited to) education, employment, and entertainment. While legacy forms of multi-factor authentication (MFA) like SMS or email codes are technically “accessible,” they often require advanced skill, knowledge and/or assistive technology to enter the codes. FIDO, with its stronger and simpler authentication model, is well positioned to provide accessible authentication, as it supports a wide range of options that accommodate vastly diverse needs. The paper released today details why, and considerations for, deploying FIDO with the needs of people with disabilities in mind. We strongly encourage service providers to reference these guidelines in planning their FIDO deployments.

Much work and collaboration went into this paper. We would like to thank Yao Ming of Meta for his extensive work as lead author on this paper. We’d also like to thank Joyce Oshita of VMware for her contributions, including providing her own experiences leveraging various authentication methods, including FIDO, as a person who has lost her eyesight. 

In addition to the white paper, Yao and Joyce will be joining us on December 15, 2022 at 2pm ET for a webinar to discuss their perspectives on this topic. To attend the webinar, register here.

The paper is available here; feedback is always appreciated – please drop a line at info@fidoalliance.org.  

White Paper: Guidance for Making FIDO Deployments Accessible to Users with Disabilities https://fidoalliance.org/white-paper-guidance-for-making-fido-deployments-accessible-to-users-with-disabilities/ Thu, 13 Oct 2022 22:30:32 +0000 https://fidoalliance.org/?p=38090

The post White Paper: Guidance for Making FIDO Deployments Accessible to Users with Disabilities appeared first on FIDO Alliance.

In achieving FIDO Alliance’s mission of more secure and password-free authentication, we must ensure the needs and preferences of people with disabilities—an estimated 15% of the world’s population—are taken into account. This white paper is intended to provide guidance on planning FIDO deployments accessible to users with a wide range of disabilities. 

This white paper is intended for information security executives, product owners, identity and access management, attorneys, accessibility practitioners, and others who are considering deploying FIDO Authenticators across their enterprises. This white paper may also help hardware manufacturers identify opportunities to deliver more accessible external authenticators. 

Webinar: Optimizing User Experiences with FIDO Security Keys https://fidoalliance.org/webinar-optimizing-user-experiences-with-fido-security-keys-2/ Mon, 19 Sep 2022 23:27:32 +0000 https://fidoalliance.org/?p=37559

The post Webinar: Optimizing User Experiences with FIDO Security Keys appeared first on FIDO Alliance.

This webinar will provide essential education for any organization that wants to implement phishing-resistant authentication with FIDO security keys.

FIDO security keys have been deemed the “gold standard” for multi-factor authentication. With this in mind, the FIDO Alliance published user experience guidelines earlier this year to help online service providers design a better, more consistent user experience for the consumer security key audience and ultimately maximize adoption. View the slides.

Webinar: Optimizing User Experiences with FIDO Security Keys https://fidoalliance.org/webinar-optimizing-user-experiences-with-fido-security-keys/ Mon, 19 Sep 2022 18:51:30 +0000 https://fidoalliance.org/?p=37556

The post Webinar: Optimizing User Experiences with FIDO Security Keys appeared first on FIDO Alliance.

This webinar will provide essential education for any organization that wants to implement phishing-resistant authentication with FIDO security keys.

FIDO security keys have been deemed the “gold standard” for multi-factor authentication. With this in mind, the FIDO Alliance published user experience guidelines earlier this year to help online service providers design a better, more consistent user experience for the consumer security key audience and ultimately maximize adoption. View the video.

Yahoo! JAPAN’s password-free authentication reduced inquiries by 25%, sped up sign-in time by 2.6x https://fidoalliance.org/yahoo-japans-password-free-authentication-reduced-inquiries-by-25-sped-up-sign-in-time-by-2-6x/ Thu, 30 Jun 2022 17:05:42 +0000 https://fidoalliance.org/?p=37018

The post Yahoo! JAPAN’s password-free authentication reduced inquiries by 25%, sped up sign-in time by 2.6x appeared first on FIDO Alliance.

Why passwordless?

As Yahoo! JAPAN offers e-commerce and other money-related services, there’s a risk of significant damage to users in the event of unauthorized access or account loss.

The most common attacks related to passwords were password list attacks and phishing scams. One of the reasons why password list attacks are common and effective is many people’s habit of using the same password for multiple applications and websites.

The following figures are the results of a survey conducted by Yahoo! JAPAN.

Overview

Yahoo! JAPAN is one of the largest media companies in Japan, providing services such as search, news, e-commerce, and e-mail. Over 50 million users log in to Yahoo! JAPAN services every month. Over the years, there were many attacks on user accounts and issues that led to lost account access. Most of these issues were related to password usage for authentication. With recent advances in authentication technology, Yahoo! JAPAN has decided to move from password-based to passwordless authentication.

Yahoo! JAPAN’s passwordless initiatives

Yahoo! JAPAN is taking a number of steps to promote passwordless authentication, which can be broadly divided into three categories:

  1. Provide an alternative means of authentication to passwords.
  2. Password deactivation.
  3. Passwordless account registration.

The first two initiatives are aimed at existing users, while passwordless registration is aimed at new users.

1. Providing an alternative means of authentication to passwords

Yahoo! JAPAN offers the following alternatives to passwords.

  1. SMS authentication
  2. FIDO with WebAuthn

In addition, we also offer authentication methods such as e-mail authentication, password combined with SMS OTP (one time password), and password combined with email OTP.

Important

Yahoo! JAPAN restricts their service to phone carriers operating inside Japan and prohibits VoIP SMS.

SMS authentication

SMS authentication is a system which allows a registered user to receive a six-digit authentication code through SMS. Once the user receives the SMS, they can enter the authentication code in the app or website.

Apple has long allowed iOS to read SMS messages and suggest authentication codes from the text body. Recently, it’s become possible to use suggestions by specifying “one-time-code” in the autocomplete attribute of the input element. Chrome on Android, Windows, and Mac can provide the same experience using the WebOTP API.

For example:

<form>
  <input type="text" id="code" autocomplete="one-time-code"/>
  <button type="submit">sign in</button>
</form>

<script>
// Use the WebOTP API only where the browser supports it.
if ('OTPCredential' in window) {
  const input = document.getElementById('code');
  if (input) {
    const ac = new AbortController();
    const form = input.closest('form');
    if (form) {
      // Stop waiting for the SMS once the user submits the form manually.
      form.addEventListener('submit', () => {
        ac.abort();
      });
    }
    navigator.credentials.get({
      otp: { transport: ['sms'] },
      signal: ac.signal
    }).then(otp => {
      // Fill the field with the code read from the SMS.
      input.value = otp.code;
    }).catch(err => {
      console.log(err);
    });
  }
}
</script>

Both approaches are designed to prevent phishing by including the domain in the SMS body and providing suggestions only for the specified domain.

For more information about the WebOTP API and autocomplete="one-time-code", check out SMS OTP form best practices.

FIDO with WebAuthn

FIDO with WebAuthn uses a hardware authenticator to generate a public/private key pair and prove possession of the private key. When a smartphone is used as the authenticator, it can be combined with biometric authentication (such as fingerprint sensors or facial recognition) to perform one-step two-factor authentication. In this case, only the signature and the success indication from the biometric authentication are sent to the server, so there is no risk of biometric data theft.

The following diagram shows the server-client configuration for FIDO. The client authenticator authenticates the user with biometrics and signs the result using public key cryptography. The private key used to create the signature is securely stored in a TEE (Trusted Execution Environment) or similar location. A service provider that uses FIDO is called an RP (relying party).

Once the user performs the authentication (commonly with a biometric scan or PIN), the authenticator uses a private key to send a signed verification signal to the browser. The browser then shares that signal with the RP’s website. The RP website then sends the signed verification signal to the RP’s server, which verifies the signature against the public key to complete the authentication.

For more information, read authentication guidelines from the FIDO Alliance.
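
The server-side verification described above, as an added example that is not code from Yahoo! JAPAN or the FIDO Alliance: a simulated authenticator signs over the authenticator data and client data, and the RP checks challenge, origin, RP ID hash, flags, signature and counter. The host names and the makeAuthenticator, verifyAssertion and runScenarios helpers are assumptions made for the demo, which runs under Node.js.

```javascript
// Added example: relying-party (RP) checks on a WebAuthn assertion (Node.js).
// Host names and helper names are constructed for this demo.
const nodeCrypto = typeof require === 'function'   // CommonJS or ES module
  ? require('crypto') : process.getBuiltinModule('crypto');
const RP_ID = 'login.example.test';                     // constructed RP ID
const ORIGIN = 'https://login.example.test';            // constructed RP origin
const LOOKALIKE = 'https://login.example.test.invalid'; // constructed lookalike site

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();
const fail = (reason) => ({ ok: false, reason });

// Stand-in for the authenticator and browser: holds the private key and returns
// the three values an RP receives. It is a simulation, not authenticator firmware.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  function sign({ challenge, origin, rpId, userVerified = true }) {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get',
      challenge: challenge.toString('base64url'),
      origin, // the browser records the page the user is actually on
    }));
    const flags = 0x01 | (userVerified ? 0x04 : 0x00); // UP | UV bits
    const count = Buffer.alloc(4);
    count.writeUInt32BE(++counter);
    const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags]), count]);
    const signature = nodeCrypto.sign('sha256',
      Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authenticatorData, signature };
  }
  return { publicKey, sign };
}

// RP-side verification; `expected` is what the server stored or issued itself.
function verifyAssertion(assertion, expected) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  let client;
  try { client = JSON.parse(clientDataJSON.toString('utf8')); }
  catch (err) { return fail('clientDataJSON is not valid JSON'); }
  if (client.type !== 'webauthn.get') return fail('wrong ceremony type');
  // The challenge must be the one issued for this sign-in attempt.
  const got = Buffer.from(String(client.challenge), 'base64url');
  if (got.length !== expected.challenge.length ||
      !nodeCrypto.timingSafeEqual(got, expected.challenge)) {
    return fail('challenge mismatch');
  }
  // The browser reports the origin, so a lookalike site is visible here.
  if (client.origin !== expected.origin) return fail('origin mismatch');
  // authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian).
  if (authenticatorData.length < 37) return fail('authenticatorData too short');
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) {
    return fail('rpIdHash mismatch');
  }
  const flags = authenticatorData[32];
  if ((flags & 0x01) === 0) return fail('user not present');
  if (expected.requireUserVerification && (flags & 0x04) === 0) return fail('user not verified');
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  if (!nodeCrypto.verify('sha256', signed, expected.publicKey, signature)) {
    return fail('bad signature');
  }
  // A counter that fails to increase can indicate a cloned authenticator.
  const signCount = authenticatorData.readUInt32BE(33);
  if ((signCount !== 0 || expected.storedSignCount !== 0) &&
      signCount <= expected.storedSignCount) {
    return fail('signature counter did not increase');
  }
  return { ok: true, signCount };
}

// Four constructed sign-in attempts against one registered credential.
function runScenarios() {
  const auth = makeAuthenticator();
  const issue = () => nodeCrypto.randomBytes(32); // fresh server challenge
  const base = { origin: ORIGIN, rpId: RP_ID, publicKey: auth.publicKey,
                 storedSignCount: 0, requireUserVerification: true };
  const c1 = issue();
  const a1 = auth.sign({ challenge: c1, origin: ORIGIN, rpId: RP_ID });
  const genuine = verifyAssertion(a1, { ...base, challenge: c1 });
  // The same assertion presented again, against a newly issued challenge.
  const replayed = verifyAssertion(a1, { ...base, challenge: issue() });
  // An assertion made while the user was on the lookalike page.
  const c3 = issue();
  const a3 = auth.sign({ challenge: c3, origin: LOOKALIKE,
                         rpId: new URL(LOOKALIKE).hostname });
  const phished = verifyAssertion(a3, { ...base, challenge: c3 });
  // UV bit switched on after signing: the flag check passes, the signature fails.
  const c4 = issue();
  const a4 = auth.sign({ challenge: c4, origin: ORIGIN, rpId: RP_ID, userVerified: false });
  const forged = Buffer.from(a4.authenticatorData);
  forged[32] |= 0x04;
  const tampered = verifyAssertion({ ...a4, authenticatorData: forged },
                                   { ...base, challenge: c4 });
  return { genuine, replayed, phished, tampered };
}

console.log(runScenarios());
```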

Yahoo! JAPAN supports FIDO on Android (mobile app and web), iOS (mobile app and web), Windows (Edge, Chrome, Firefox), and macOS (Safari, Chrome). As a consumer service, FIDO can be used on almost any device, which makes it a good option for promoting passwordless authentication.

| Operating System | Support for FIDO |
|---|---|
| Android | Apps, Browser (Chrome) |
| iOS | Apps (iOS14 or later), Browser (Safari 14 or later) |
| Windows | Browser (Edge, Chrome, Firefox) |
| Mac (Big Sur or later) | Browser (Safari, Chrome) |

Sample Yahoo! JAPAN prompt to authenticate with FIDO.

Yahoo! JAPAN recommends that users register for FIDO with WebAuthn, if they’ve not already authenticated through other means. When a user needs to log in with the same device, they can quickly authenticate using a biometric sensor.

Users must set up FIDO authentication with all devices they use to log in to Yahoo! JAPAN.

To promote passwordless authentication and be considerate of users who are transitioning away from passwords, we provide multiple means of authentication. This means that different users can have different authentication method settings, and the authentication methods they can use may differ from browser to browser. We believe it’s a better experience if users log in using the same authentication method each time.

To meet these requirements, it’s necessary to track previous authentication methods and link this information to the client by storing it in the form of cookies, etc. We can then analyze how different browsers and applications are used for authentication. The user is asked to provide appropriate authentication based on the user’s settings, the previous authentication methods used, and the minimum level of authentication required.

2. Password deactivation

Yahoo! JAPAN asks users to set up an alternative authentication method and then disable their password so that it cannot be used. In addition to setting up alternative authentication, disabling password authentication (therefore making it impossible to sign in with only a password) helps protect users from list-based attacks.

We’ve taken the following steps to encourage users to disable their passwords.

  • Promoting alternative authentication methods when users reset their passwords.
  • Encouraging users to set up easy-to-use authentication methods (such as FIDO) and disable passwords for situations that require frequent authentication.
  • Urging users to disable their passwords before using high-risk services, such as e-commerce payments.

If a user forgets their password, they can run an account recovery. Previously this involved a password reset. Now, users can choose to set up a different authentication method, and we encourage them to do so.

3. Passwordless account registration

New users can create password-free Yahoo! JAPAN accounts. Users are first required to register with an SMS authentication. Once they’ve logged in, we encourage the user to set up FIDO authentication.

Since FIDO is a per-device setting, it can be difficult to recover an account, should the device become inoperable. Therefore, we require users to keep their phone number registered, even after they’ve set up additional authentication.

Key challenges for passwordless authentication

Passwords rely on human memory and are device-independent. On the other hand, the authentication methods introduced thus far in our passwordless initiative are device-dependent. This poses several challenges.

When multiple devices are used, there are some issues related to usability:

  • When using SMS authentication to log in from a PC, users must check their mobile phone for incoming SMS messages. This may be inconvenient, as it requires the user’s phone to be available and easy to access at any time.
  • With FIDO, especially with platform authenticators, a user with multiple devices will be unable to authenticate on unregistered devices. Registration must be completed for each device they intend to use.

FIDO authentication is tied to specific devices, which requires they remain in the user’s possession and active.

  • If the service contract is canceled, it will no longer be possible to send SMS messages to the registered phone number.
  • FIDO stores private keys on a specific device. If the device is lost, those keys are unusable.

Yahoo! JAPAN is taking various steps to address these problems.

The most important solution is to encourage users to set up multiple authentication methods. This provides alternative account access when devices are lost. Since FIDO keys are device-dependent, it is also good practice to register FIDO private keys on multiple devices.

Alternatively, users can use the WebOTP API to pass SMS verification codes from an Android phone to Chrome on a PC.

Apple recently announced the passkeys feature. Apple uses iCloud Keychain to share the private key (stored on the device) among devices that are signed in with the same Apple ID, which eliminates the need for registration for each device. The FIDO Alliance recognizes the importance of account recovery issues and has published a white paper.

We believe that addressing these issues will become even more important as passwordless authentication spreads.

Promoting passwordless authentication

Yahoo! JAPAN has been working on these passwordless initiatives since 2015. This began with the acquisition of FIDO server certification in May 2015, followed by the introduction of SMS authentication, a password deactivation feature, and FIDO support for each device.

Today, more than 30 million monthly active users have already disabled their passwords and are using non-password authentication methods. Yahoo! JAPAN’s support for FIDO started with Chrome on Android, and now more than 10 million users have set up FIDO authentication.

As a result of Yahoo! JAPAN’s initiatives, the percentage of inquiries involving forgotten login IDs or passwords has decreased by 25% compared to the period when the number of such inquiries was at its highest, and we have also been able to confirm that unauthorized access has declined as a result of the increase in the number of passwordless accounts.

Since FIDO is so easy to set up, it has a particularly high conversion rate. In fact, Yahoo! JAPAN has found that FIDO has a higher CVR than SMS authentication.

FIDO has a higher success rate than SMS authentication, and faster average and median authentication times. As for passwords, some groups have short authentication times, and we suspect that this is due to the browser’s autocomplete="current-password".

Graph comparison of authentication time for passwords, SMS, and FIDO.
On average, FIDO takes 8 seconds to authenticate, while passwords take 21 seconds, and SMS verification takes 27.

The greatest difficulty for offering passwordless accounts is not the addition of authentication methods, but popularizing the use of authenticators. If the experience of using a passwordless service is not user-friendly, the transition will not be easy.

We believe that to achieve improved security we must first improve usability, which will require unique innovations for each service.

Conclusion

Password authentication is risky in terms of security, and it also poses challenges in terms of usability. Now that technologies supporting non-password authentication, such as WebOTP API and FIDO, are more widely available, it’s time to start working toward passwordless authentication.

At Yahoo! JAPAN, taking this approach has had a definite effect on both usability and security. However, many users are still using passwords, so we will continue to encourage more users to switch to passwordless authentication methods. We will also continue improving our products to optimize the user experience for passwordless authentication methods.

View the Yahoo! JAPAN’s Case Study PDF document here.

Source: https://web.dev/yahoo-japan-identity-case-study

Cambridge Housing Authority’s Road to FIDO https://fidoalliance.org/cambridge-housing-authoritys-road-to-fido/ Fri, 20 May 2022 17:56:37 +0000 https://fidoalliance.org/?p=36693

The post Cambridge Housing Authority’s Road to FIDO appeared first on FIDO Alliance.

The Challenge:

At the Authenticate 2021 event, Jay Leslie, CIO of the Cambridge Housing Authority, recounted that his organization was the victim of a spear phishing attack and he was looking for a way to help provide a more secure approach to user account authentication.

To help improve its security posture, the CHA was initially looking for a method of multi-factor authentication (MFA) to better secure access to the agency’s information resources. 

CHA had a number of key requirements for its MFA adoption. One of the requirements was that the MFA method should not require a phone authenticator app, as the CHA doesn’t issue company mobile phones broadly. Additionally, there was some resistance to using personal devices for work by CHA staff. 

Another primary requirement was that the MFA could not require an additional object for users and IT to keep track of, such as hardware authenticator keys.

The Road to FIDO: Enabling a Better User Experience

CHA considered a number of different approaches before settling on FIDO Authentication.

CHA’s users have HID cards for physical access to CHA offices, and an initial idea was to use the smart cards for MFA. The specific HID cards used by CHA, however, are older and couldn’t be reused for access to computer resources.

While researching multi-factor authentication options, CHA came across the FIDO Alliance website. CHA realized that FIDO Authentication could be supported within its existing environment with a lot of the organization’s existing processes and infrastructure.

Further investigation led CHA to realize that simple convenient multi-factor authentication was too narrow a goal and that FIDO adoption offered the opportunity for something much greater.

FIDO offered CHA the chance to revolutionize the user experience for its staff. With FIDO, CHA could not only achieve secure Windows authentication but also, by leveraging WebAuthn and SAML single sign-on, enable secure, seamless passwordless authentication to every major system and application used at the agency.

Overview

The Cambridge Housing Authority (CHA) helps to provide rental assistance and affordable long-term rental housing to low income residents of Cambridge, Mass. The CHA uses IT throughout its organization to help onboard residents into public housing and has limited IT staff.

Convenient, Efficient and More Secure

“A 6-digit PIN that doesn’t need to be changed periodically is far more convenient to remember and type than a long password. I have found it very easy and efficient to use. The IT department assures me it’s more secure, too.” — John Filip, CFO, Cambridge Housing Authority

Why FIDO Standards Matter

For CHA, choosing a standards-based approach was a critical factor for multi-factor authentication.

With a small IT staff and limited resources, choosing a technology approach that will stand the test of time is an important factor.

A standards-based approach to strong authentication allows CHA to benefit from industry efforts to utilize a solution that has broad and growing support. A standards-based approach with FIDO can be supported for years to come and is a better option than CHA going it alone to cobble together a kludge that’s just good enough today, but that may be left behind in a year or two.

How CHA Uses FIDO with Windows Hello

CHA was already running Microsoft Windows on its systems, providing the organization with an easy entry point to the world of FIDO.

The organization implemented FIDO-compliant Windows Hello for Business using the key-based method. CHA’s IT team encouraged the use of device PINs for the initial rollout in an effort to support as many users as possible.

The initial Windows Hello for Business rollout was to a small pilot group of users. When the pilot was expanded to a larger group of users, CHA encountered problems due to the organization not fully understanding the infrastructure required to support the solution. After pausing to fully understand the requirements, CHA realized that its small technology team lacked the experience and the time to carry out a full-scale implementation effectively. As such, CHA then identified resources that could help.

From MFA to Organization-wide Passwordless

CHA didn’t just choose FIDO for MFA. 

The FIDO deployment at CHA is a larger effort to embrace a broader passwordless model throughout the organization. CHA’s passwordless project to implement FIDO-compliant Windows Hello for Business also included a SAML SSO component to make all possible systems and applications passwordless. 

CHA now has over 250 account holders with most of them using FIDO device-based PINs for authentication instead of passwords on a regular basis.

The Future of FIDO at CHA

FIDO Authentication is set to remain critical to CHA’s authentication strategy.  Looking forward, the organization is likely to move from device-based PIN authentication to fingerprint or HID card-and-PIN authentication, as acceptance of biometrics and the ubiquity of fingerprint readers and NFC-enabled endpoints grows.

For organizations considering rolling out FIDO Authentication, Jay Leslie, CIO of CHA has a few seasoned words of advice. Leslie suggests that IT teams should not be afraid to seek outside help and should not consider an extended pilot a failure. It can take third party expertise and time to get the implementation right, but it’s well worth it, in his view.

View the Cambridge Housing Authority (CHA) Case Study PDF document here.

White Paper: Multi-Device FIDO Credentials https://fidoalliance.org/white-paper-multi-device-fido-credentials/ Thu, 17 Mar 2022 12:13:23 +0000 https://fidoalliance.org/?p=36193

The post White Paper: Multi-Device FIDO Credentials appeared first on FIDO Alliance.

The FIDO standards, together with their companion WebAuthn specification, are on the cusp of an important new development: evolutionary changes to the standards proposed by the FIDO Alliance and the W3C WebAuthn community aim to markedly improve the usability and deployability of FIDO-based authentication mechanisms. As a result, FIDO-based secure authentication technology will for the first time be able to replace passwords as the dominant form of authentication on the Internet. 

In this paper, we explain how FIDO and WebAuthn standards previously enabled low-cost deployments of authentication mechanisms with very high assurance levels. While this has proved an attractive alternative to traditional smart card authentication, and even opened the door to high-assurance authentication in the consumer space, we haven’t attained large-scale adoption of FIDO-based authentication in the consumer space. We explain how the introduction of multi-device FIDO credentials will enable FIDO technology to supplant passwords for many consumer use cases as they make the FIDO credentials available to users whenever they need them—even if they replace their device.

White Paper: Choosing FIDO Authenticators for Enterprise Use Cases https://fidoalliance.org/white-paper-choosing-fido-authenticators-for-enterprise-use-cases-2/ Sat, 12 Mar 2022 14:15:46 +0000

The post White Paper: Choosing FIDO Authenticators for Enterprise Use Cases  appeared first on FIDO Alliance.

Secure access to online applications and services has evolved into a framework reliant on devices, public-key cryptography, and biometrics to replace the shared secrets of aging passwords. Since 2013, the FIDO Alliance has developed open and scalable advancements to eliminate phishing and other security attacks. To introduce these improvements and to educate employees throughout corporate management and IT security, the FIDO Alliance has established a series of best practices and how-to white papers that align the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within the enterprise. 

This white paper is intended for IT administrators and Enterprise Security Architects who are considering deploying FIDO Authenticators across their enterprise and defining life cycle management policies. In this paper, we provide an overview of the different use cases for multi-factor authentication and the FIDO Authenticator choices administrators have. The intent is to help and guide administrators in choosing the right authenticator types for their specific environment.

PLUSCARD uses FIDO as Innovative Alternative to App-based Payment Authentication https://fidoalliance.org/pluscard-uses-fido-as-innovative-alternative-to-app-based-payment-authentication/ Sat, 30 Oct 2021 00:29:20 +0000

The post PLUSCARD uses FIDO as Innovative Alternative to App-based Payment Authentication appeared first on FIDO Alliance.

Overview

PLUSCARD, a full-service processor for 140 financial institutions across Germany, worked with Entersekt and its partner Netcetera to launch the first FIDO Certified alternative to app-based authentication in Europe in June 2021. The solution gives customers the option to use FIDO2 Security Keys to authenticate themselves for payments with online merchants leveraging the latest EMV 3DS protocol. 

The Challenge: Authenticating without a mobile device

PLUSCARD needed a way to authenticate customers for online transactions that did not rely on a mobile device and that also aligned with PSD2 regulations for security and usability.

Every online payment that must be authenticated by PLUSCARD requires verification that the account or card data were entered by the legitimate cardholder. Various methods exist to prove the identity of shoppers online; however, most require the use of a mobile app. For customers who do not have a mobile device or prefer to make payments via a laptop or computer, there are very few secure alternatives available.

Company Profiles


PLUSCARD:
Full-service processor for 140 financial institutions across Germany

Netcetera:
Market leader for digital payment solutions

Entersekt:
Specialist in strong customer authentication

“You won’t necessarily attract customers with good authentication, but you definitely won’t lose any because of it.”

– Petra Silsbee, Head of Department, Prevention/Dispute Management, PLUSCARD

The Road to FIDO: Weighing PSD2-compliant options

Customer authentication procedures have become more complex in the EU due to the introduction of PSD2 and strong customer authentication (SCA). Under the regulation, processing via mobile devices guarantees compliance with the stricter requirements, while offering a better payment experience for consumers at the same time.

While many opted to use SMS OTPs, PLUSCARD prioritized security and usability from the beginning of their journey by initially opting for a proprietary mobile app in combination with biometrics. This met their needs for mobile-based users, but left a gap for customers who preferred or only had access to computers. To fill that gap, PLUSCARD concluded that FIDO2 Security Keys not only met regulations but also were not tied to possession of a mobile device and excelled in both security and usability.

PLUSCARD also saw an opportunity to provide its customers with a consistent authentication and payment journey with FIDO. Not only can customers use their FIDO Security Keys to log into other common services like Google, GitHub and Twitter, they can now also use them to log into their account and pay — all within one shopping experience.

FIDO2 Implementation: Today and in the future

PLUSCARD, with Entersekt and Netcetera, implemented the FIDO standard in their joint solution.

Entersekt provides the solution’s FIDO server, which is certified by the FIDO Alliance. PLUSCARD’s cardholders can register their FIDO Security Key with their bank. The security key is then linked to the customer’s credit card and can be used to authenticate their online transactions at online merchants that have implemented EMV 3DS.

This works at any online merchant that has implemented the latest version of EMV 3DS. However, there are challenges with those merchants that have not yet updated to the newest version.


FIDO2 is a set of strong authentication standards that enables users to leverage common devices like on-device biometrics and FIDO security keys to authenticate to online services with phishing-resistant cryptographic security. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

As more merchants are implementing the latest version of EMV 3DS, which supports FIDO authentication, they will be able to work FIDO into their checkout authentication process. With broader adoption on the horizon, PLUSCARD is looking to replace their proprietary mobile app with a FIDO-based on-device authentication option. 

A Valuable Lesson Learned

“Authentication is not a one-time investment — it’s a journey,” said Petra Silsbee, Head of Department, Dispute Management, at PLUSCARD. “The goal isn’t just to comply with regulations and requirements, but to provide the best service and experience for customers. Be curious about the solutions available, ask questions, and don’t be afraid to start fresh if a previous investment isn’t meeting your needs and expectations.”

Solving the IoT Onboarding Challenge https://fidoalliance.org/solving-the-iot-onboarding-challenge/ Tue, 26 Oct 2021 23:35:17 +0000

The post Solving the IoT Onboarding Challenge appeared first on FIDO Alliance.

Learn about FIDO’s track record of successful collaboration, the onboarding challenge (including hardware, devices, connectivity, and more), onboarding solutions for today, and much more.

White Paper: Choosing FIDO Authenticators for Enterprise Use Cases https://fidoalliance.org/white-paper-choosing-fido-authenticators-for-enterprise-use-cases/ Tue, 21 Sep 2021 23:02:25 +0000

The post White Paper: Choosing FIDO Authenticators for Enterprise Use Cases appeared first on FIDO Alliance.

Secure access to online applications and services has evolved into a framework reliant on devices, public-key cryptography, and biometrics to replace the shared secrets of aging passwords. Since 2013, the FIDO Alliance has developed open and scalable advancements to eliminate phishing and other security attacks. To introduce these improvements and to educate employees throughout corporate management and IT security, the FIDO Alliance has established a series of best practices and how-to white papers that align the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within the enterprise.

This white paper is intended for IT administrators and enterprise security architects who are considering deploying FIDO Authenticators across their enterprises and defining life cycle management policies. In this paper, we provide an overview of the different use cases for multi-factor authentication and the FIDO Authenticator choices administrators have. The intent is to help and guide administrators in choosing the right authenticator types for their specific environment.

Yahoo! JAPAN turns to FIDO Authentication for Enhanced Login https://fidoalliance.org/yahoo-japan-turns-to-fido-authentication-for-enhanced-login/ Wed, 08 Sep 2021 18:22:49 +0000

The post Yahoo! JAPAN turns to FIDO Authentication for Enhanced Login appeared first on FIDO Alliance.

Yahoo Japan Corporation is an internet company offering more than 100 services, including search engine, auction, news, weather, sport, email and shopping to the more than 51 million active users on its platform.

For Yahoo! JAPAN, the act of signing in is the entry point to all of its services. This makes it critical that the experience at that entry point is a positive one for all users. At the same time, it’s equally critical that every user’s personal information is well protected.

To find the right balance between convenience and security, Yahoo! JAPAN turned to FIDO Authentication.

From Early Member to Early Adopter

Yahoo! JAPAN was one of the earliest members of the FIDO Alliance, joining in April 2014. In its role as a member, executives from Yahoo! JAPAN participated in user authentication specifications development, particularly the FIDO2 standards, and best practices for FIDO adoption for consumers via the Alliance’s Consumer Deployment Working Group. Yahoo! JAPAN was appointed to the FIDO Alliance board of directors in 2019.

During this time of actively contributing to the FIDO Alliance, Yahoo! JAPAN was evaluating FIDO for its own services. Yahoo! JAPAN had been offering SMS one-time passcodes for two-factor authentication but they weren’t quick, secure or easy enough for their users. By taking a standards-based approach with FIDO, specifically the FIDO2 standards, Yahoo! JAPAN learned it could provide strong authentication in a very simple way via on-device biometrics on billions of supported mobile, desktop and laptop devices.

Yahoo! JAPAN’s journey with FIDO deployment began in 2018 when the company became the first in Japan to certify a FIDO2 server, a necessary component for delivering FIDO Authentication to its users. After extensive internal testing and piloting, Yahoo! JAPAN unveiled its first deployment on Android Chrome in October 2018, the first deployment by a relying party. Today, the company offers FIDO Authentication on Android and iOS both in the browser and for native applications (see figure 1 for the deployment journey). Next up, Yahoo! JAPAN plans to offer FIDO Authentication on desktop and laptop PCs.

Simultaneously with its FIDO deployment, Yahoo! JAPAN began offering its users the opportunity to disable passwords entirely, and register new accounts without having to establish a password.

For Yahoo! JAPAN users that have opted in to FIDO, sign in is very simple (see figure 2):

  1. The user inputs their user ID and clicks next
  2. Their device prompts them for their biometric, such as a fingerprint
  3. The user presents their biometric and is successfully signed in

OVERVIEW


The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy.

The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.


For its deployment, Yahoo! JAPAN leveraged FIDO2 standards with biometric authenticators.

“Password disablement is the end goal for us for the overall security and usability of our platform, and we see FIDO as a key factor in helping us get there faster,” — Yumi Ashida, product manager at Yahoo! JAPAN


Yahoo! JAPAN also values its membership in the FIDO Alliance for its role in helping to ease deployment and increase adoption. Membership provides a platform for the company to provide direct feedback to other stakeholders, including the operating system platform providers, and to work directly with them on overcoming the challenges it faces. It also allows the company to work with other service providers working on deployments to share experiences and best practices.

“For others deploying FIDO Authentication in the consumer environment, it’s important to understand the time and resources that it will require. But considering the meaningful impact that FIDO brings — it’s well worth it,” — Yumi Ashida, product manager at Yahoo! JAPAN

Realizing the Benefits of FIDO

For users who access Yahoo! JAPAN’s services with FIDO, sign-in time has decreased dramatically — by 37% compared to other login methods. “Because signing in is the entry point to all of our services, quicker and more successful sign ins mean our users can access our services that much more quickly — this makes a hugely positive impact on our users’ overall experience on our platform,” said Yumi Ashida, product manager at Yahoo! JAPAN.

To increase adoption and get more users to experience these benefits, Yahoo! JAPAN leverages many tactics, including email promotion and pop-up notifications at login to invite users to enroll with FIDO. Key to this strategy is conveying the benefits of FIDO Authentication, including faster sign ins, more security and the ability to remove the password from the login flow. At the same time, Yahoo! JAPAN is continuously working to ensure its user experience with FIDO is optimized.

Webinar: Considerations for Deploying FIDO in the Enterprise https://fidoalliance.org/webinar-considerations-for-deploying-fido-in-the-enterprise-2/ Mon, 14 Jun 2021 23:32:07 +0000

The post Webinar: Considerations for Deploying FIDO in the Enterprise appeared first on FIDO Alliance.

Passwords are archaic, and a danger to enterprise security. Now the accepted standard for multi-factor authentication (MFA), FIDO Authentication can be deployed in the enterprise for easier and secure access to corporate networks, applications, and workstations. Organizations that adopt FIDO will experience profound improvements in security, helpdesk costs, user experience, and productivity. But where to start? Attend this webinar to learn about considerations for deploying FIDO in the enterprise, including how to gradually roll out FIDO authentication and select the right authenticators and the right server policies for the right use cases. This webinar will provide essential education for any organization that wants to get started on eliminating passwords and securing the simple act of logging on within their company. View the video.

Webinar: Considerations for Deploying FIDO in the Enterprise https://fidoalliance.org/webinar-considerations-for-deploying-fido-in-the-enterprise/ Mon, 14 Jun 2021 23:28:15 +0000

The post Webinar: Considerations for Deploying FIDO in the Enterprise appeared first on FIDO Alliance.

Passwords are archaic, and a danger to enterprise security. Now the accepted standard for multi-factor authentication (MFA), FIDO Authentication can be deployed in the enterprise for easier and secure access to corporate networks, applications, and workstations. Organizations that adopt FIDO will experience profound improvements in security, helpdesk costs, user experience, and productivity. But where to start? Attend this webinar to learn about considerations for deploying FIDO in the enterprise, including how to gradually roll out FIDO authentication and select the right authenticators and the right server policies for the right use cases. This webinar will provide essential education for any organization that wants to get started on eliminating passwords and securing the simple act of logging on within their company. View the slides.

Speakers: 

Salah Machani, Director of Technology, RSA Security
Shane Weeden,  Senior Technical Staff Member, IBM
Moderator: John Fontana, Solutions Analyst, Yubico

Webinar: Ask FIDO Anything: All About Certification https://fidoalliance.org/webinar-ask-fido-anything-all-about-certification-2/ Mon, 14 Jun 2021 23:04:28 +0000

The post Webinar: Ask FIDO Anything: All About Certification appeared first on FIDO Alliance.

The FIDO Certified program is  a core activity of the FIDO Alliance that underpins the B2B FIDO ecosystem of interoperable products and services. A growing majority of service providers are specifying FIDO Certified products in their RFPs as they are seeking the benefits of having a standards-based and future-proof foundation for user authentication.  

Beyond those core benefits, we’re seeing growing use cases and demand for more advanced Certified Authenticators – as well as in FIDO’s biometric component certification program, which is a useful mechanism for assessing how well biometric products perform against industry standard metrics.

Are you thinking about developing FIDO products and getting certified? Are you a service provider wondering what FIDO Certified means for you? Are you just wondering what the different certification programs are and how they relate to each other? Watch the video.

Webinar: Ask FIDO Anything: All About Certification https://fidoalliance.org/webinar-ask-fido-anything-all-about-certification/ Mon, 14 Jun 2021 22:48:55 +0000

The post Webinar: Ask FIDO Anything: All About Certification appeared first on FIDO Alliance.

The FIDO Certified program is  a core activity of the FIDO Alliance that underpins the B2B FIDO ecosystem of interoperable products and services. A growing majority of service providers are specifying FIDO Certified products in their RFPs as they are seeking the benefits of having a standards-based and future-proof foundation for user authentication.  

Beyond those core benefits, we’re seeing growing use cases and demand for more advanced Certified Authenticators – as well as in FIDO’s biometric component certification program, which is a useful mechanism for assessing how well biometric products perform against industry standard metrics.  

Are you thinking about developing FIDO products and getting certified? Are you a service provider wondering what FIDO Certified means for you? Are you just wondering what the different certification programs are and how they relate to each other? View the presentation!

Announcing the New Streamlined and Simplified Metadata Service for Authenticator Vendors and Customers https://fidoalliance.org/announcing-the-new-streamlined-and-simplified-metadata-service-for-authenticator-vendors-and-customers/ Mon, 24 May 2021 16:54:24 +0000

The post Announcing the New Streamlined and Simplified Metadata Service for Authenticator Vendors and Customers appeared first on FIDO Alliance.

By Rae Rivera, Ph.D., Director of Certification, FIDO Alliance

The FIDO Alliance today  introduced a significant update to its Metadata Service (MDS). The service provides information about the certification status of authenticators, authenticator capabilities, and any known security issues. The FIDO MDS provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators. 

MDS is a web-based repository where vendors can publish metadata about their certified FIDO authenticators. Relying parties use this information  to validate authenticator attestation and prove the authenticity of the device model. 

With over 100 authenticator products on the market today, and demand for strong authentication on the rise, the need for an easy-to-use repository to load and view FIDO Certified authenticators has grown in importance. 

Just last week, the Biden administration mandated multi-factor authentication for all government agencies to thwart phishing attempts and protect against account takeover.  Governments and other regulated industries such as banking and healthcare especially need to know that authenticators being used to access their systems are genuine and meet certain requirements, including FIDO Certification status, compliance and other organizational requirements. The new features in the FIDO MDS allow organizations to more quickly and easily verify the attributes of the FIDO Authenticators being used to log in to their web services and applications. 

Today’s news is significant in several areas:

  1. The new MDS has a more efficient and effective user interface that greatly simplifies the uploading and publishing of metadata. 
  2. There is a simplified API for relying parties to download metadata.
  3. Metadata updates are now available daily instead of monthly, which ensures relying parties have access to the most up-to-date information.
  4. The new MDS data format is now a single JSON structure, making it more compatible with standard web development tools. The new MDS format uses human-readable strings instead of numerical values, making it easier to read and understand.
  5. The MDS data is now linked to the FIDO Certification program, which will ensure the reliability of the validity of metadata of FIDO Certified products. 
  6. The service now uses cloud caching to provide high availability and download performance. 

For more information visit https://fidoalliance.org/metadata/

White Paper: FIDO Authenticator Lifecycle Management for IT Administrators https://fidoalliance.org/fido-authenticator-lifecycle-management-for-it-administrators/ Thu, 22 Apr 2021 11:30:02 +0000

The post White Paper: FIDO Authenticator Lifecycle Management for IT Administrators appeared first on FIDO Alliance.

Secure access to online applications and services has evolved into a framework reliant on devices, public-key cryptography, and biometrics to replace the shared secrets of aging passwords. Since 2013, the FIDO Alliance has developed open and scalable advancements to eliminate phishing and other security attacks. To introduce these improvements and to educate employees throughout corporate management and IT security, the FIDO Alliance has established a series of best practices and how-to white papers that align the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within the enterprise.

This white paper targets IT administrators and Enterprise Security Architects considering deploying FIDO Authenticators across their enterprises and defining lifecycle management policies.

Authenticator Certification Hits a New Milestone with First L3+ https://fidoalliance.org/authenticator-certification-hits-a-new-milestone-with-first-l3/ Mon, 05 Apr 2021 16:02:52 +0000

The post Authenticator Certification Hits a New Milestone with First L3+ appeared first on FIDO Alliance.

By: FIDO Alliance staff

A major milestone has been realized, with the German Federal Office for Information Security (BSI-Bundesamt für Sicherheit in der Informationstechnik) becoming the first organization to achieve the Certified Authenticator Level 3+ level, which is the highest level of validation currently offered by the FIDO Alliance.

The path toward the Level 3+ designation has been several years in the making.

Dr. Rae Rivera, Certification Director for the FIDO Alliance, explained that the Certified Authenticator program was originally launched in August 2018 in a bid to define greater levels of assurance for FIDO authenticators. She noted that the FIDO Specifications include an inherent amount of security and privacy. The goal with the Certified Authenticator program is to provide additional security assurances for the authenticators themselves.

With the first Certified Authenticator Level 3+ designation now granted, Rivera expects other organizations will follow, helping to improve strong authentication for users and organizations around the world.

“We’re continuing to see more pickup and uptake in the Certified Authenticator program,” Rivera said. “At each higher level, there’s less risk of a vulnerability.”

Understanding the Different Certified Authenticator Levels

There are three core levels (L1, L2 and L3) in the Certified Authenticator program, with each level building on the requirements of the preceding level. Incremental additional assurance can be obtained to allow a vendor to achieve a “+” within each level (L1+, L2+, L3+).

The program evaluates authenticators to answer the question ‘how well does the authenticator protect the private key?’ The most basic entry level is L1, which Rivera said a vendor can achieve by supporting and implementing the FIDO specifications. An authenticator certified at L1 provides protection against phishing and credential abuse.

Moving up to L2, Rivera noted that restricted operating environments are required to protect against malware attacks. When you get to L3 and L3+, Rivera said that it’s all about looking at hardware authenticators, and how they provide protection against brute force attacks. 

“One of the core attributes of our higher level programs, specifically level three and three plus, is that they require the product to have what we call a companion program certification,” Rivera said. 

She noted that the companion program certification that has been defined for those higher levels is Common Criteria, which provides sets of evaluations and designations to help define the security posture for a given device or service.

“The higher level that you go, the less vulnerable the authenticator is to any kind of attack,” Rivera said.

Why the Level 3+ Certification is Significant

With BSI now certified at L3+, the door is open to others to follow the same path toward the highest level of security assurance.

“Personally I feel like this is a huge leap forward for the program,” Rivera said.

Rivera noted that to date there have been many products that have been certified at the lower levels of the Certified Authenticator program. Now that the first L3+ has been achieved, she anticipates that there will be more interest from organizations to go through the program to gain that additional higher level of assurance.

“This certification clearly demonstrates the value of our certified authenticator program – particularly at the higher levels,” she said. “Government and regulated industries such as finance, healthcare, energy and education often have more sensitive use cases that require specific types of authentication into their networks. Vendors and relying parties in these markets see this as a benefit because it meets the need for hardware protection and is also Common Criteria certified.” 

How Others Can Benefit from the First Level 3+ Certification

Now that BSI has hit the Level 3+ certification, there is quite literally a path for others to follow.

Rivera explained that with the L3+ certification there is a protection profile associated with it. The protection profile contains all the components that are used to achieve the L3+. As such, another vendor could utilize the protection profile to develop their product to get certified at the higher level.

“The protection profile serves as good guidance for those that are seeking the higher levels as to what they need to do and what modifications they need to make to their implementation,” Rivera said. “BSI getting certified at Level 3+ has made it a little easier for others to start achieving this level.”

eBay’s Journey to Passwordless with FIDO https://fidoalliance.org/ebays-journey-to-passwordless-with-fido/ Wed, 03 Mar 2021 12:09:30 +0000 https://fidoalliance.org/?p=32894

A global commerce leader connecting millions of buyers and sellers around the world, eBay Inc. enables economic opportunity for individuals, entrepreneurs, businesses and organizations of all sizes. Because its users are at the core of its success, eBay emphasizes providing a positive and secure experience for both buyers and sellers. 

As with most websites, every user’s interaction with eBay begins with logging onto the site and authenticating themselves, i.e., verifying that they are who they say they are. However, the typical authentication sequence using usernames and passwords impacted the user experience – and made eBay more vulnerable to bad actors at the same time. Users were constantly forgetting and resetting their passwords – a frustrating process. And with many buyers and sellers using the same password for multiple accounts on multiple sites, a breach on any of those sites could open eBay to a breach as well. eBay knew it needed to make the authentication process more secure, but not at the expense of the user experience.

INSIDE FIDO STANDARDS

The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

Prioritizing Security and the User Journey

To add an extra layer of security to the login process, eBay implemented SMS one-time passcodes (OTPs). Even though this helped provide a more secure option, the method added costs and user friction and was still vulnerable to certain security issues.

After reviewing a variety of other options to provide a simple, easy, and secure user authentication experience, eBay decided to roll out FIDO for strong authentication across both its native mobile app and browser-based mobile and web sites.

eBay decided to build its own open source FIDO server, which they felt gave them maximum control of the user experience and the end-to-end login flow. This approach also gives eBay better ability to manage its other login options, such as social logins. 

Realizing the Benefits of Standards

The strength of the FIDO Alliance and the FIDO standard, including the involvement of a wide range of major technology companies, was another significant factor in eBay’s selection of FIDO. 

“Choosing the FIDO standard for eBay user authentication was about more than simply adopting a secure protocol,” said Ashish Jain, head of Identity at eBay. “eBay operates in 190 markets and has a diverse set of users. We needed to make sure that any technology we choose can work consistently across various browsers and platforms.”

eBay’s Journey with FIDO: From Push to Passwordless

As a first step, eBay implemented FIDO for second factor authentication using the FIDO UAF protocol with a push notification flow. This meant that, when a user logged into eBay with a username and password, they would receive a notification from the mobile eBay app to confirm the login. Implemented as an opt-in feature, FIDO immediately garnered significantly higher opt-in rates than the previous SMS OTP solution, validating the FIDO standard’s ease of use.

Six months later, after seeing the already quick user adoption rate continue to rise, eBay decided to take the next step in passwordless authentication. In order to further simplify login flows, the company launched FIDO2 for primary authentication, no longer requiring users to take a second step to log in. Here’s how it works:

  • When the user logs in as normal, eBay detects whether the device supports FIDO2. If so, the user receives a pop-up box asking them if they would like to enroll in passwordless authentication;
  • If they opt in, the user is asked to enroll their facial or fingerprint biometric and is automatically enrolled;
  • The next time the user logs in, all they need to do is present their biometric. No username and no password required.

Realizing Benefits for Both eBay and Its Users

Less than one year into its implementation of FIDO, eBay is already realizing its benefits: not only are opt-in rates higher than for SMS OTPs, but login success and completion rates have also significantly improved, especially on mobile devices. eBay started to roll out FIDO2/WebAuthn on Android/Chrome and has since expanded to Mac and Windows as well as iOS. Recently, eBay has also added support for roaming authenticators, such as security keys, providing another secure way to access eBay.

Looking Forward to a Completely Passwordless Future

In order to implement completely passwordless authentication, eBay must have a process in place for recovering accounts if a FIDO authenticator is lost or when a user adds a new device. In typical password authentication, users can recover their accounts through the email/password reset process, but removing a password from the equation presents a new challenge.

According to Jain, solving this issue is a priority for his team in the next six months.

“Today, our users can experience much faster and convenient login experiences by opting in to FIDO,” observed Jain. “But to fully realize the security benefits of FIDO, we’re looking forward to disabling passwords entirely. By taking one step at a time and working as an industry to find solutions to issues like account recovery, we believe we will get there.”

National Health Service uses FIDO Authentication for Enhanced Login https://fidoalliance.org/national-health-service-uses-fido-authentication-for-enhanced-login/ Wed, 24 Feb 2021 16:27:08 +0000 https://fidoalliance.org/?p=32903

To make it easier and faster for patients throughout England to securely access multiple digital health and social care services, the National Health Service (NHS) created NHS login, an authentication and identity verification service based on OpenID Connect that allows the public to access NHS resources with a single login. NHS login can be used to securely access confidential health and care information through apps and websites that display the NHS login button.

The NHS App, which provides simple and secure access to a range of NHS services such as booking medical appointments and ordering repeat prescriptions on iOS and Android, was the first service to use NHS login to identify and verify users. NHS login and the NHS App were initially rolled out in tandem, which created a natural opportunity for the two programmes to work closely and gather initial user feedback.

With NHS login and the NHS App, the NHS was challenged with delivering secure, user-friendly multifactor authentication mechanisms that met the standards and guidelines set for public services in a short timeframe. The NHS turned to FIDO Authentication to solve the challenge.

CHALLENGE
Compliant, User-Friendly Login

Due to the sensitive nature of the information provided by the NHS App, security is of utmost importance. As such, users had to use a two-factor authentication (2FA) method when logging into the app, which required both a password and an SMS one-time passcode (OTP). It quickly became evident that this method of authentication was too cumbersome for users and became a real barrier to adoption. The NHS realized an alternative, password-free login method was needed to simplify everyday access for users.

This posed a challenge for the NHS Digital team that created NHS login and the NHS App: Not only did the new solution need to meet the security standards and guidelines set for public services, it had to be done on a very tight deadline due to a ministerial-level commitment.

THE ROAD TO FIDO:
The NHS’s Evaluation Process for NHS login & NHS App

A fundamental requirement of NHS login and NHS App is a nationally agreed-upon approach to identity management for health and care, conformant with identity assurance principles endorsed by the U.K. government. NHS Digital decided that to meet these standards, biometric login would be the alternative login method for the applications. Since NHS login was already using OpenID Connect Authorisation Code Flow protocol – an open standard and decentralized authentication protocol – for user authentication, any platform used to develop biometric login would need to place great emphasis on developing a platform with open and scalable standards.

The NHS login team looked at a number of platforms that could meet their needs, and measured each on six criteria including:

1. Open, scalable standards

2. Public key cryptography

3. Biometric information stored on the user’s device, not the NHS or medical provider’s servers

4. Support for Android and iOS mobile platforms

5. Market/sector agnostic

6. Used by well-established applications and organizations

The NHS login team’s research revealed that FIDO Authentication, specifically the FIDO UAF protocol from FIDO Alliance, met all of the above criteria. They found that using FIDO in combination with the OpenID Connect Authorisation Code Flow would help NHS login to enable their partners to offer an enhanced login experience to their patients through device-based biometric authentication.

OVERVIEW


The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

The Solution
NHS Digital decided that biometric authentication would best address its needs and, following a search of platforms that complied with their requirements, FIDO UAF from the FIDO Alliance was found to best fulfill the criteria, including open and scalable standards and support for mobile browsers.

The Results
NHS App with the option for biometric authentication login has a user base of approximately 1.2 million and is growing at an average rate of 32,000 new users per week. The number of SMS OTPs that NHS Digital has needed to send to users has dropped by nearly two-thirds, to about 1.5 per user per month down from about four per user per month, which represents a significant cost savings for the organisation.

Inside the FIDO protocols

The FIDO protocols, including FIDO UAF, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometric information never leaves the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at log in, such as fingerprint or facial biometrics.


“FIDO biometrics has enabled users to use device-based authentication making access to NHS services using an NHS login even easier. We continually receive positive feedback regarding the speed and straightforwardness of accessing health and care websites and apps using fingerprint and facial recognition.”

– Melissa Ruscoe, Programme Head at NHS login

FIDO UAF Development

The NHS used its in-house development team to integrate FIDO UAF, employing the Open Source UAF server from eBay. Also, since NHS login is a serverless architecture, NHS Digital needed to rewrite the FIDO server to run optimally on AWS Lambda, which they did in Python, backed by DynamoDB. The NHS App also used the eBay Open Source UAF client as a guide for the Android implementation. This required quite a few tweaks, including rewriting it in Kotlin, and packaging it as a client. The NHS App also created an iOS UAF client using the Swift programming language packaged using Cocoapods.

Deployment and user experience with FIDO UAF

After initially believing it needed to utilize FIDO UAF to build NHS App as a comprehensive gateway for patients, NHS Digital found it only had to include the basic information patients would normally seek online. By keeping the app “thin,” NHS Digital could allow those using the platform to build their own features on top of NHS App. To facilitate this development, NHS Digital exposed the APIs so others could develop their own unique apps to meet their own users’ specific needs, while still granting safe, secure access to their data.

As of October 2020, there are 20 live partners and services integrated with NHS login. NHS App—with the option for biometric authentication login—has a user base of approximately 1.2 million, with an average of 250,000 FIDO authorization requests made each week. Meanwhile, the user base continues to grow at a rate of 32,000 new users per week, of whom roughly 25,000 set up FIDO UAF biometric authentication. Biometric authentication has cut the number of SMS one-time passwords (OTPs) NHS Digital has had to send to users by nearly two-thirds, to 1.5 per user per month, down from about four per user per month. This also represents a significant cost savings for the organisation, since the average cost of each SMS OTP is 1.58p plus value-added tax.

FUTURE IMPROVEMENTS

NHS Digital is committed to open-sourcing the solution: FIDO client libraries are already available for both iOS and Android, and the team is working to make the FIDO server libraries open source.

For the future, NHS Digital is looking at employing FIDO2 WebAuthn to support a wider range of use cases and applications.

White Paper: Considerations for Deploying FIDO Servers in the Enterprise https://fidoalliance.org/white-paper-considerations-for-deploying-fido-servers-in-the-enterprise/ Wed, 21 Oct 2020 17:27:50 +0000 https://fidoalliance.org/?p=31848

Today, secure access to online applications and services has evolved into a model based on devices, public key cryptography and biometrics to replace the anachronistic use of passwords as shared secrets. Since 2013, the FIDO Alliance has developed open and scalable advancements to eliminate phishing and other security attacks. To introduce these improvements and to educate employees throughout corporate management and IT security, FIDO Alliance has developed a series of best practices and how-to white papers that match the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within all companies. 

A FIDO server is a necessary component in a FIDO implementation. The FIDO server stores the user’s public key credential and account information. During a FIDO Authentication or registration flow, the server generates a cryptographic challenge in response to a request from the application. The server then verifies the signature provided by the client using the corresponding public key it holds, and logs the user in.
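The challenge-and-verify loop described above, as an added example that is not taken from the white paper or from any FIDO server product. It is a simplified model rather than the UAF or WebAuthn message format: the class names, the origins, the one-minute challenge lifetime and the choice to sign the client-data JSON directly are all assumptions made for illustration.

```javascript
// Added illustration: simplified model of a FIDO server's challenge/verify loop.
// Not the UAF or WebAuthn wire format; every name here is hypothetical.
const nodeCrypto = require('node:crypto');

const CHALLENGE_TTL_MS = 60000; // assumed lifetime of a pending challenge

class SketchFidoServer {
  constructor(expectedOrigin) {
    this.expectedOrigin = expectedOrigin;
    this.credentials = new Map(); // userId -> public key (PEM); no shared secret is stored
    this.pending = new Map();     // userId -> { challenge, expiresAt }
  }

  register(userId, publicKeyPem) {
    this.credentials.set(userId, publicKeyPem);
  }

  // Step 1: issue a fresh random challenge for this login attempt.
  startAuthentication(userId, now = Date.now()) {
    const challenge = nodeCrypto.randomBytes(32).toString('base64url');
    this.pending.set(userId, { challenge, expiresAt: now + CHALLENGE_TTL_MS });
    return challenge;
  }

  // Step 2: check the signed response against the stored public key.
  finishAuthentication(userId, clientDataJSON, signature, now = Date.now()) {
    const publicKeyPem = this.credentials.get(userId);
    const pending = this.pending.get(userId);
    this.pending.delete(userId); // single use: a replayed response finds no challenge
    if (!publicKeyPem || !pending) return { ok: false, reason: 'no-pending-challenge' };
    if (now > pending.expiresAt) return { ok: false, reason: 'challenge-expired' };

    let clientData;
    try {
      clientData = JSON.parse(clientDataJSON);
    } catch {
      return { ok: false, reason: 'malformed-client-data' };
    }
    if (clientData.challenge !== pending.challenge) return { ok: false, reason: 'challenge-mismatch' };
    // The client records the origin it actually talked to; a look-alike site fails here.
    if (clientData.origin !== this.expectedOrigin) return { ok: false, reason: 'origin-mismatch' };

    const valid = nodeCrypto.verify('sha256', Buffer.from(clientDataJSON), publicKeyPem, signature);
    return valid ? { ok: true } : { ok: false, reason: 'bad-signature' };
  }
}

// Stand-in for the authenticator and client: the private key never leaves this object.
class SketchAuthenticator {
  constructor() {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }

  respond(challenge, origin) {
    const clientDataJSON = JSON.stringify({ challenge, origin });
    const signature = nodeCrypto.sign('sha256', Buffer.from(clientDataJSON), this.privateKey);
    return { clientDataJSON, signature };
  }
}

// Constructed scenarios: one valid login and four responses the server must refuse.
function runDemo() {
  const origin = 'https://app.example';
  const server = new SketchFidoServer(origin);
  const device = new SketchAuthenticator();
  server.register('alice', device.publicKeyPem);

  const first = device.respond(server.startAuthentication('alice'), origin);
  const legit = server.finishAuthentication('alice', first.clientDataJSON, first.signature);
  const replay = server.finishAuthentication('alice', first.clientDataJSON, first.signature);

  const lookalike = device.respond(server.startAuthentication('alice'), 'https://app-example.invalid');
  const phished = server.finishAuthentication('alice', lookalike.clientDataJSON, lookalike.signature);

  const other = new SketchAuthenticator().respond(server.startAuthentication('alice'), origin);
  const wrongKey = server.finishAuthentication('alice', other.clientDataJSON, other.signature);

  const t0 = Date.now();
  const late = device.respond(server.startAuthentication('alice', t0), origin);
  const expired = server.finishAuthentication(
    'alice', late.clientDataJSON, late.signature, t0 + CHALLENGE_TTL_MS + 1);

  return { legit, replay, phished, wrongKey, expired };
}
```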

This white paper is intended for IT professionals and identity architects to guide them in choosing the right FIDO server implementation and deployment architecture when integrating and enabling FIDO-based authentication in enterprise applications. Enterprises must consider several factors in their planning to select and deploy a FIDO server, including build vs. buy assessment (and the risks and benefits associated with each), the desired deployment model, the required server capabilities, and the security and privacy requirements. 

Deploying FIDO in Japan: An Interview with SBI Sumishin Net Bank https://fidoalliance.org/deploying-fido-in-japan-an-interview-with-sbi-sumishin-net-bank/ Sat, 10 Oct 2020 19:20:01 +0000 https://fidoalliance.org/?p=31771

SBI Sumishin Net Bank is an Internet-focused bank jointly established in 2007 by SBI Holdings and Sumitomo Mitsui Trust Bank. In keeping with their aim to be recognized for innovation, the bank deployed FIDO Authentication in July 2020. We had an interview with the bank about the details of their deployment.

Q. Describe your service and how it’s using FIDO Authentication.

We have incorporated FIDO-compliant authentication into our existing “SBI Sumishin Net Bank” mobile application. Now, a single application is available to provide both banking and authentication functions to our customers. This eliminates the need for our customers to enter passwords and verification codes for each transaction. Instead, they can simply log in to the SBI Sumishin Net Bank App with biometric authentication. Even when transactions are made from a PC or other non-mobile application environments, the application will confirm and approve the transaction details before they are executed, preventing unauthorized transfers. Furthermore, when using the login approval function, only the registered smartphone can remove any control, which prevents unauthorized logins.

Q. What FIDO specification(s) did you implement? 

We have deployed a solution based on FIDO UAF, which uses biometrics (fingerprint and facial recognition) and PIN as the authentication methods.

Q. What other approaches did you consider before choosing FIDO? 

We looked at continuing with the existing smartphone application “Smart Authentication,” which is a separate application the customer would have to authenticate logins and bank transactions. However, we saw it as difficult to operate two applications separately and saw it as a burden for our customers to have to use two separate applications just to bank with us.

Q. Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

Although there are various types of authentication methods available, the fact that FIDO Authentication is a global standard developed by a global consortium, the FIDO Alliance, and the fact that we have seen it increasingly being deployed in Japan and globally were two factors that made it very appealing to us.

Q. Why did you decide on a standards-based approach? 

There are two main reasons why we chose to take a FIDO standards-based approach.

First, FIDO Authentication provides stronger security. FIDO Authentication enables safe exchange of authentication results over the network, and the credential is stored only on the device that performs the authentication (in our case, the smartphone) and does not need to be transmitted over the network or stored on the server side. 

Second, FIDO improves convenience for our customers. By incorporating authentication into our existing banking app, we are making it possible to complete both banking and authentication functions in a single app, enabling smooth transactions without having to enter passwords or other information.

Q. What steps were involved in your roll out of FIDO Authentication? Did you work with a partner? 

We implemented the FIDO-compliant “SaAT Pokepass Authentication Service” provided by Net Move Corporation (“Net Move”), a wholly owned subsidiary of SBI Sumishin Net Bank. The new authentication function “Smart Authentication NEO” was deployed by incorporating the client SDK for this service into the bank application.

Q. What other data points can you share that show the impact FIDO authentication has had?

On July 31, 2020, we launched a new authentication feature, “Smart Authentication NEO.” On the quantitative side, the number of new registered customers has reached approximately 100,000 in just three weeks since its launch, and we expect this number to increase further in the future.

On the qualitative side, many customers have commented on the convenience of being able to use a single app for both banking and authentication functions.

Q. What advice would you give to other organizations considering rolling out FIDO authentication? 

Again, our company’s FIDO authentication uses Net Move’s “SaAT Pokepass Authentication Service.” By collaborating with Net Move, we were able to deploy the new authentication function “Smart Authentication NEO” in a short period of time.

In addition to FIDO authentication, Net Move already has an installed at more than 100 financial institutions, including “SaAT Netizen,” an anti-fraudulent remittance service, and we believe that Net Move can help to solve these issues.

Q. What role do you see FIDO Authentication playing for your company in the future?

The “Smart Authentication” service will be discontinued after January 2021, and we will move exclusively to the FIDO-enabled “Smart Authentication Neo” app. We see that moving to the FIDO-enabled app as the key authentication function will further allow us to provide secure and convenient experiences for our customers.

Q. If you are able, please provide a quote from an executive regarding this deployment and the impact FIDO has had for your organization.

Quote from the project manager of SBI Sumishin Net Bank:

“Our goal is to revolutionize financial services and make society more comfortable and convenient by utilizing the most advanced technology with a customer-centric approach. Security is an extremely important factor in achieving this goal, and we believe that the introduction of FIDO will make a significant contribution.”

Technical Note: FIDO Authentication and EMV 3-D Secure – Using FIDO for Payment Authentication https://fidoalliance.org/technical-note-fido-authentication-and-emv-3-d-secure-using-fido-for-payment-authentication/ Tue, 29 Sep 2020 15:17:54 +0000 https://fidoalliance.org/?p=31691

The FIDO Alliance defines standards that enable strong consumer authentication and seeks to use those standards to improve security on the internet. EMV 3-D Secure (EMV 3DS) is a payment industry standard for performing consumer verification and authentication within the context of online payments via credit cards. EMV 3DS also standardizes payment transaction information which is sent from a merchant to the issuing bank and includes data about the cardholder account, payment environment, and actions taken during payment. Using this data, the card issuing bank or a party operating on their behalf can perform transaction risk assessment and minimize the need to apply unnecessary friction to a payment transaction when it is deemed low risk. This is also known as “frictionless authentication” within the EMV 3DS standard. 

This document focuses on the role of the merchant as the FIDO or WebAuthn relying party and defines the methods for the merchant to leverage EMV 3DS as the conduit to report FIDO Authentication Data to the issuing bank. This data, along with the other transaction details sent using EMV 3DS messaging via the 3DS Authentication Request message, can help ensure minimized friction through risk-based authentication at the time of online payment. Although the resultant assurance level is reduced using this method, as opposed to an issuer-managed credential, and it will need to be viewed within the context of the entire EMV 3DS message, it can provide an approach that can be more easily deployed at scale than issuer-managed FIDO Authentication methods. 

First Citrus Bank Eliminates the Password for Employees https://fidoalliance.org/first-citrus-bank-eliminates-the-password-for-employees/ Fri, 14 Aug 2020 14:31:53 +0000 https://fidoalliance.org/?p=31380

Florida-based First Citrus Bank provides premier independent community banking services to individuals, professionals, executives and entrepreneurs. With 70 employees in five locations, First Citrus is ranked in the top five Tampa Bay community banks by asset size.

Struggling with costs, complexities and security issues with passwords, First Citrus sought to increase security and usability for its employees logging into its various systems on shared Windows workstations. After testing several alternative authentication methods, First Citrus turned to FIDO Authentication as the best option to provide strong cryptographic authentication with a much easier passwordless user experience.

Eliminating the password

First Citrus sought to move away from passwords as the primary form of authentication for its employees logging on to its systems on shared Windows workstations. Between costly resets and a negative impact on employee productivity, First Citrus’s main objective was to eliminate the need for its employees to have to enter a password while providing secure user authentication.

The bank evaluated several desktop authentication options including smart cards and time-based one-time passwords (TOTPs), but found that these options added friction for their employees’ logins, creating a poor user experience while not providing enough additional security. All of the options they reviewed also still required password entry.

Taking a standards-based approach to passwordless authentication

First Citrus then looked to FIDO Authentication, a standards-based approach to strong authentication. The interoperability that comes with taking a standards-based approach fit well into First Citrus’s broader security strategy.

FIDO standards use on-device public key cryptography techniques to provide stronger authentication over passwords and other forms of strong authentication; user credentials are never shared and never leave the user’s device. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometric information never leaves the user’s device. This is all balanced with a simple user experience that meets passwordless use cases with native biometrics on the user’s device.

It was important to First Citrus to choose an end-to-end FIDO Certified solution in order to roll out FIDO Authentication to all of its access points with assured security and interoperability. The bank chose to work with HYPR, which offers FIDO Certified platforms for FIDO UAF (mobile-based passwordless authentication) and FIDO2 (mobile and desktop passwordless and second-factor authentication) standards. The mixture of these FIDO specifications allows First Citrus to cover mobile and desktop requirements for user authentication.

Simpler, mobile-initiated authentication for all employees

First Citrus deployed HYPR’s FIDO platform to provide truly passwordless authentication for all of its employees logging into Windows 7 and 10 workstations. Deployment was straightforward: within an hour, the bank was able to have computers leveraging FIDO Authentication. After a several-month evaluation period, First Citrus rolled out the FIDO solution to all of its employees in February 2019.

For First Citrus employees, logging in is now mobile-initiated. They simply use the native biometrics on their mobile device (iOS or Android) to log in to any First Citrus desktop workstation, with far higher FIDO security and privacy over the old password model. Employee feedback has been positive; the chief financial officer has joked, “I’ve completely forgotten my password!” HYPR’s FIDO Certified platform has now become a core component of First Citrus’s internal authentication strategy, with the possibility of extending FIDO authentication options to its online banking customers in the future.

OVERVIEW

First Citrus is ranked in the top five Tampa Bay community banks by asset size, with 70 employees in five locations.

Objective
First Citrus sought to eliminate the need for employees to have to enter a password while providing secure user authentication.

Solution
First Citrus implemented HYPR’s FIDO Certified authentication platform, which provides simpler and secure mobile-initiated biometric logins for all employees to Windows workstations.

What’s Next
FIDO and HYPR have now become core components of First Citrus’s authentication strategy, with the possibility of extending FIDO authentication options to its online banking customers in the future.

White Paper: CXO Explanation: Why Use FIDO for Passwordless Employee Logins? https://fidoalliance.org/white-paper-cxo-explanation-why-use-fido-for-passwordless-employee-logins/ Wed, 22 Jul 2020 12:16:13 +0000 https://fidoalliance.org/?p=31205 Today, secure access to online applications and services has evolved into a framework reliant on devices, public key cryptography and biometrics to replace the shared secrets of aging passwords. Since […]

The post White Paper: CXO Explanation: Why Use FIDO for Passwordless Employee Logins? appeared first on FIDO Alliance.


Today, secure access to online applications and services has evolved into a framework reliant on devices, public key cryptography and biometrics to replace the shared secrets of aging passwords. Since 2013, the FIDO Alliance has developed open and scalable advancements to eliminate phishing and other security attacks. To introduce these improvements and to educate employees throughout corporate management and IT security, FIDO Alliance has developed a series of best practices and how-to white papers that match the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within all companies. 

This white paper answers the most common questions from CXOs about the value proposition of FIDO Authentication and how the FIDO2 passwordless framework addresses the authentication needs and challenges of companies for the modern workforce. The goal of this document is to guide executive leaders within an organization as to why they should invest in FIDO2 deployment for their employees. 

PSD2 Support: Why Change to FIDO https://fidoalliance.org/psd2-support-why-change-to-fido/ Wed, 01 Jul 2020 17:27:03 +0000 https://fidoalliance.org/?p=30966 Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In […]

The post PSD2 Support: Why Change to FIDO appeared first on FIDO Alliance.


Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In the world of e-commerce, these solutions, when used, have been successful in combating online payment fraud. 

The Second Payment Services Directive (PSD2) and its associated Regulatory Technical Standards (RTS) dramatically change the payment landscape, considering:

  • The mandate for strong, multi-factor authentication, 
  • The emergence of Third Party Providers (TPP) accessing accounts via open APIs

The success of PSD2 will ultimately be determined by how well banks can balance user convenience with security obligations, while maximizing reach. As such, they may want to evaluate how well their legacy authentication solutions meet this new need. 

FIDO authentication standards have been proposed as a way for banks to meet all requirements in a PSD2 world — but is the change from a legacy method to FIDO worthwhile? 

Join this webinar to learn more about FIDO Authentication standards and how they compare with legacy authentication methods used to access an account or secure an online payment. The methods compared are SMS OTPs, hardware OTP generators, CAP readers, and proprietary smartphone and biometrics-based solutions in terms of PSD2 compliance, security, usability and scalability. 

Join us to find out: Why change to FIDO?

Register for the webinar here.

July 16th at 3pm CET | July 16th at 9am EST

Speakers: Alain Martin, co-chair of the FIDO Europe Working Group and Head of Consulting and Industry Relations, Thales

Moderator: Andrew Shikiar, Executive Director and CMO, FIDO Alliance

2020 FIDO Hackathon in Korea: Learn & Implement Phase https://fidoalliance.org/2020-fido-hackathon-in-korea-learn-implement-phase/ Fri, 19 Jun 2020 19:42:54 +0000 https://fidoalliance.org/?p=30865 Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance Editor’s note: For background on the 2020 Hackathon in Korea, see the April blog post: “2020 FIDO Hackathon: Goodbye Password Challenge […]

The post 2020 FIDO Hackathon in Korea: Learn & Implement Phase appeared first on FIDO Alliance.


Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Editor’s note: For background on the 2020 Hackathon in Korea, see the April blog post: “2020 FIDO Hackathon: Goodbye Password Challenge in Korea.”

These are the faces of 2020 FIDO Hackathon – Goodbye Password Challenge participants, captured during online interviews which took place in the first two weeks of May.

A little over 40 applications were received by the proposal submission deadline, and 25 teams were given the opportunity to have online interviews, which helped them crystallize their ideas and understand the full details of the Goodbye Password Challenge Program. About 100 people from 22 teams are now in the Learn and Implement Phase, which is being delivered through a specially designated online communication platform.

We will not be sharing full details of the participating teams until they reach the final evaluation date in the first week of August, but we would like to share some examples of proposed development ideas:

| Type of Team | Development Ideas |
| --- | --- |
| Venture | The specialists from 5 university hospitals got together on a suicide prevention project. They are going to develop an application that would enable sharing of patients’ personal and medical information, with FIDO implemented as a means for strong and simpler authentication. The unique aspect about this team is that the leader of the team got to know about the FIDO Hackathon after receiving free FIDO Security Keys, which FKWG supported for those who were recently forced to work at home due to public health issues. |
| Students | Four students from different universities got together and aim to develop a FIDO protocol-based smart home environment. They plan to come up with a miniature model which can demonstrate control of home temperature, curtains, windows, appliances, etc. The leader of the team did participate in the 2019 FIDO Hackathon, yet was not able to reach the top 3. This year, he aims to reach the top 5. |
| Study Group | Four experts (entrepreneur, engineers, healthcare specialist) are aiming to develop a FIDO + DID-based electronic healthcare card system. There are reports of fraud use in local healthcare card systems, and the team wishes to eliminate it by implementing a FIDO protocol based biometric authentication system. |
| Students | Four university students work at their school’s IT helpdesk and they want to change how they work through developing a new application. As of today, they receive a phone call requesting a repair or replacement, and write down the log on paper. They plan to develop an application that can not only manage these helpdesk support requests but also verify the caller’s identity. |
| Students | Two teams submitted similar ideas on developing innovative door locks by implementing a FIDO authentication system. Most current smart door locks in Korea are password-based and cause lots of trouble because they are easy to forget, vulnerable to exposure, etc. It is also noted by these students that currently fingerprint smart door locks in Korea share the secrets to servers, which raises high risk for hacking. It would be quite interesting how these two teams would be able to differentiate themselves with final results. |
| Students | Three university students have an idea to develop an innovative voting system by implementing FIDO protocols. They hope this novel voting system will lower costs, bring up voting rates and verify actual voters in a speedy manner. |
| Students | These two university students are high school alumni and they have been working on various projects in the past. For 2020 FIDO Hackathon, they proposed an idea to manage different levels of security zones by implementing various levels of FIDO authentication. |
| Study Group | Five experts (university student, engineers, high school student) are committed to developing a FIDO protocol based Single Sign On System (SSO). They claim that they can differentiate themselves from existing SSOs, so let’s see how things unfold. This is the only team with a high school student. |
| Students | Six university students have an idea to prevent minors from purchasing alcohol and tobacco by developing a FIDO protocol based application. The local government is pushing the Mobile ID system, thus this would be an interesting proof of concept. |
| Students | Two students from two different universities have an idea to develop a Blockchain + FIDO based online ticket purchase application, so they can eliminate black-market activities. |
| Students | Four students from the same university have an idea to develop a FIDO-based kiosk that can provide school documents for students. The school they attend already has such a kiosk that can print out their records but the system requests too much personal information and they are based on IDs and passwords. |

On July 1, we will have the mid-term meet-up event to share each team’s current development status and plans for the rest of the implementation phase.

Please stay tuned and we will come back with more updates on 2020 FIDO Hackathon in Korea.

White Paper: Multiple Authenticators for Reducing Account-Recovery Needs for FIDO-Enabled Consumer Accounts https://fidoalliance.org/white-paper-multiple-authenticators-for-reducing-account-recovery-needs-for-fido-enabled-consumer-accounts/ Thu, 04 Jun 2020 20:24:16 +0000 https://fidoalliance.org/?p=30793 When a service deploys FIDO Authentication, it must have a secure account recovery process to address lost, damaged or stolen FIDO authenticators. A previous FIDO Alliance white paper, Recommended Account […]

The post White Paper: Multiple Authenticators for Reducing Account-Recovery Needs for FIDO-Enabled Consumer Accounts appeared first on FIDO Alliance.


When a service deploys FIDO Authentication, it must have a secure account recovery process to address lost, damaged or stolen FIDO authenticators. A previous FIDO Alliance white paper, Recommended Account Recovery Practices for FIDO Relying Parties, recommends two strategies:

  1. Require the user to register multiple authenticators, to reduce the need for account recovery;

if #1 is not feasible:

  2. Re-run the initial identity proofing or user onboarding process to recover the account.

The first strategy, to require multiple authenticators, plays a very important role for FIDO-enabled consumer-facing accounts where the number of account recovery options can be limited. This includes scenarios where the password has been disabled after FIDO credentials are registered, or where passwords and FIDO credentials are registered for two-step authentication. 

This paper focuses on the first strategy and provides guidance on how to deploy FIDO Authentication with multiple authenticators. It discusses how to register new authenticators bound to an already-registered authenticator, security considerations, coverage/authenticator options, usability, and policy, based on FIDO-enabled browsers and platforms. It provides recommendations for registration methods and policy examples for deploying the solution.

FIDO & eIDAS: Providing Secure and Seamless Electronic Services in the EU https://fidoalliance.org/fido-eidas-providing-secure-and-seamless-electronic-services-in-the-eu/ Fri, 15 May 2020 15:25:48 +0000 http://fidoalliance.org/?p=30549 Megan Shamas, Director of Marketing, FIDO Alliance Over the last several years, eIDAS regulation has been widely adopted by the EU member states, and several eIDAS-compliant services and eID schemes […]

The post FIDO & eIDAS: Providing Secure and Seamless Electronic Services in the EU appeared first on FIDO Alliance.


Megan Shamas, Director of Marketing, FIDO Alliance

Over the last several years, eIDAS regulation has been widely adopted by the EU member states, and several eIDAS-compliant services and eID schemes have been rolled out across Europe.

eIDAS stands for “electronic identification, authentication and trust services.” It builds the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States. eIDAS is meant to enable mutual recognition of eID and trust services across the EU in a regulated, secure and private manner. In a world where transactions are increasingly digital and without borders, this recognition and trust is essential.

FIDO Authentication is a natural fit for the delivery of services that meet eIDAS regulations, and many of our members are working with governments and service providers to enable secure and seamless electronic interactions throughout the EU. To give an overview and more in-depth details on how FIDO and eIDAS intersect, we’ve released two new white papers. The first, “Introduction of FIDO and eIDAS Services” serves as an introductory white paper describing the relationship between FIDO2 standards and eIDAS compliant schemes that can accommodate modern authentication protocols. The second, “Using FIDO with eIDAS Services” is a more detailed look at how FIDO can be used with eIDAS services, including architectural concepts for integration of FIDO2 into the eIDAS interoperability framework.

Sebastian Elfors, Solutions Architect at Yubico, the lead contributor for the new papers, had this to say about the intersection of FIDO and eIDAS:

“The modern FIDO standard, and its wide adoption by the largest IT-companies all over the globe, provides a viable framework for expanding and modernizing eIDAS services across Europe. In the intersection between eIDAS and FIDO, there are a number of emerging deployment scenarios that will benefit the public sector in the European Union. There are already several eID schemes being notified by the EU Commission this year, the number of Qualified Trust Service Providers is constantly growing, and more government services are enabling cross-border eID support.”

To expand on this topic and information in the new white papers, Sebastian will join our executive director and CMO Andrew Shikiar to lead a webinar on May 28 at 15:00 CEST. The webinar will include:

  • An introduction to eIDAS
  • An overview on how to use FIDO as part of an eID scheme
  • An overview on using FIDO2 for authentication to Qualified Trust Service Providers (QTSPs)

There will be time for Q&A, so please bring your questions! 

Register for the eIDAS webinar here.

Speakers: Sebastian Elfors, Senior Solutions Architect, Yubico and Andrew Shikiar, Executive Director and CMO, FIDO Alliance

Download the Introduction to FIDO & eIDAS Services white paper here.

For details, including architectural concepts for integration of FIDO2 into the eIDAS interoperability framework, please read the complementary white paper, “Using FIDO with eIDAS Services.”

White Paper: Introduction of FIDO & eIDAS Services https://fidoalliance.org/white-paper-introduction-of-fido-eidas-services/ Wed, 29 Apr 2020 00:59:30 +0000 http://fidoalliance.org/?p=30445 eIDAS stands for “electronic identification, authentication and trust services” It builds the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States. This introductory […]

The post White Paper: Introduction of FIDO & eIDAS Services appeared first on FIDO Alliance.


eIDAS stands for “electronic identification, authentication and trust services.” It builds the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States.

This introductory white paper describes the relationship between FIDO2 standards and eIDAS compliant schemes that can accommodate modern authentication protocols. The paper includes:

  • An introduction to eIDAS
  • An overview on how to use FIDO as part of an eID scheme
  • An overview on using FIDO2 for authentication to Qualified Trust Service Providers (QTSPs)

This paper is intended for governmental agencies that are interested in using FIDO2 as part of an eIDAS notified eID scheme, and QTSPs who are interested in deploying eIDAS remote signing services that leverage the FIDO2 standard.

For details, including architectural concepts for integration of FIDO2 into the eIDAS interoperability framework, please read the complementary white paper, “Using FIDO with eIDAS Services.”

White Paper: Using FIDO with eIDAS Services https://fidoalliance.org/white-paper-using-fido-with-eidas-services/ Wed, 29 Apr 2020 00:14:14 +0000 http://fidoalliance.org/?p=30435 eIDAS stands for “electronic identification, authentication and trust services” It builds the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States. This white […]

The post White Paper: Using FIDO with eIDAS Services appeared first on FIDO Alliance.


eIDAS stands for “electronic identification, authentication and trust services.” It builds the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States.

This white paper describes how to use FIDO2 standards with eIDAS compliant schemes and Qualified Trust Service Providers (QTSPs), including architectural concepts for integration of FIDO2 into the eIDAS interoperability framework. The paper includes: 

  • An introduction to eIDAS
  • Detailed information on how to use FIDO as part of an eID scheme
  • Detailed information on how to use FIDO2 for secured access to QTSPs

This paper is intended for governmental agencies that are interested in using FIDO2 as part of an eIDAS notified eID scheme, and QTSPs who are interested in deploying eIDAS remote signing services that leverage the FIDO2 standard.

For introductory level information on the relationship between FIDO and eIDAS, please read the complementary white paper, “Introduction to FIDO and eIDAS.”

Deploying FIDO in Japan: An Interview with KDDI https://fidoalliance.org/deploying-fido-in-japan-an-interview-with-kddi/ Tue, 14 Apr 2020 15:18:28 +0000 http://fidoalliance.org/?p=30397 KDDI recently deployed FIDO in Japan. We sat down for an interview with Yamada Yasuhisa, Executive Officer at KDDI to find out more about the KDDI deployment.  Can you tell […]

The post Deploying FIDO in Japan: An Interview with KDDI appeared first on FIDO Alliance.

KDDI recently deployed FIDO in Japan. We sat down for an interview with Yamada Yasuhisa, Executive Officer at KDDI to find out more about the KDDI deployment. 

Can you tell us about KDDI?

KDDI is a telecommunication service provider in Japan, offering both mobile and fixed-line communications. KDDI has a well-established base of over 40 million customers and offers mobile services and shopping through its “au” brand. KDDI is also expanding its services into the “Life Design” business, which includes e-commerce, fintech, nationwide electric power utility services, entertainment and education. With a 60-year history, KDDI is now focusing on creating smart infrastructure through IoT technologies and open innovation with partners and start-up companies in diverse industries. KDDI is accelerating the global growth of its telecommunications consumer business, with operations in Myanmar and Mongolia, and in the global ICT business with the “TELEHOUSE” brand. KDDI (TYO:9433) is listed on the Tokyo stock exchange. 

How are you using FIDO?

Today we are using FIDO authentication in a few different areas. The first, just launched on April 14, 2020, is our “au ID” platform, which is our service for our users to identify themselves and access our services; we have a huge number of active users. FIDO is one of the authentication methods available for “au ID.” We offer FIDO on web browsers and Android initially, and plan to support iOS in the future.

The other area where we offer FIDO is our Software-as-a-Service (SaaS) solution. This solution enables online service providers to deploy FIDO2 easily. As a network operator, we have experiences and the FIDO solution we offer is no exception.

It’s important that we can support online service providers along their customers’ entire authentication journey: onboarding, authentication and account recovery. So, we also offer customer identification services to fit in with our FIDO offering. There’s a gap in the customer journey with FIDO, which is account recovery. How do you recover your account if you lose your FIDO authenticator? We aim to fill this gap by providing identity verification of our large customer base. Thus, we’re supporting online service providers along the entire customer journey.

What specification(s) did you implement?

We implemented a FIDO2 server with biometric authentication.

Why did you choose FIDO standards? What were the challenges you were trying to overcome? 

There are several reasons why we chose FIDO. The first is security; FIDO is the best way to counter phishing attacks. The second is user experience; biometric authentication is much easier than passwords. The third is interoperability. With other approaches, developers have to implement authentication logic for each platform – iOS, Android and web. We wanted to design a “write once, work everywhere” system. FIDO helped us achieve that goal.   

Why did you choose FIDO authentication over other options? 

For us, the most important thing about adopting FIDO was that it was a web (W3C) standard. Again, this helped us to achieve our goal of “write once, work everywhere.”

What steps were involved in your roll out of FIDO authentication? Did you work with a partner?

We developed and implemented FIDO authenticator and server from scratch. We worked closely with the FIDO Japan Working Group through the development; I would like to thank them for their support. It was very exciting to work with them. 

What role do you see FIDO authentication playing for your company in the future?

We believe that FIDO will accelerate our identity business even further. It will also enhance the security of our internal systems.

What advice would you give to other organizations considering rolling out FIDO authentication?

Talk to other stakeholders; companies, such as KDDI, are offering turnkey solutions! 

Thank you for talking with us! Where can we learn more about KDDI?

You can find KDDI on the web at http://www.kddi.com/english/.

Webinar: Securing IoT with FIDO Authentication https://fidoalliance.org/securing-iot-with-fido-authentication/ Mon, 06 Apr 2020 16:57:12 +0000 http://fidoalliance.org/?p=30364 Last summer, the FIDO Alliance announced a new standards initiative to tackle these security issues in IoT. The Alliance’s IoT Technical Working Group aims to provide a comprehensive authentication framework […]

The post Webinar: Securing IoT with FIDO Authentication appeared first on FIDO Alliance.

Last summer, the FIDO Alliance announced a new standards initiative to tackle these security issues in IoT. The Alliance’s IoT Technical Working Group aims to provide a comprehensive authentication framework for IoT devices in keeping with the fundamental mission of the Alliance – passwordless authentication. Join this webinar to get an update on this new IoT work area.

U.S. General Services Administration’s Rollout of FIDO2 on login.gov https://fidoalliance.org/u-s-general-services-administrations-rollout-of-fido2-on-login-gov/ Thu, 19 Mar 2020 14:15:00 +0000 http://fidoalliance.org/?p=30254 The General Services Administration’s (GSA’s) login.gov provides single sign-on for the U.S. public and federal employees to interface and transact with federal agencies online. With one account, users can access […]

The post U.S. General Services Administration’s Rollout of FIDO2 on login.gov appeared first on FIDO Alliance.


The General Services Administration’s (GSA’s) login.gov provides single sign-on for the U.S. public and federal employees to interface and transact with federal agencies online. With one account, users can access services like the federal government’s job board, USAJOBS, and the Department of Homeland Security’s Trusted Traveler Programs, such as Global Entry. In addition to enabling users to access federal government services more easily, login.gov handles software development, security operations, and customer support. This allows agencies to focus on their core missions, while reducing costs and improving security. It also allows the login.gov team to focus on protecting one service instead of many, and to adopt best practices for security and account management.

THE CHALLENGE:
Balancing Security, Convenience, and Cost

As the U.S. government continues to modernize e-government services for both federal employees and the public, there is a challenge to provide these services in a manner that is secure, user-friendly, efficient, and cost-effective. With phishing attacks on the rise, it was imperative for the government to support “phish-proof” multi-factor authentication (MFA) technology.


THE ROAD TO FIDO:
GSA’s Evaluation Process for login.gov

The GSA evaluated several options for authentication for login.gov with three main priorities: security, cost, and compliance.

OVERVIEW

The Challenge
With phishing attacks on the rise, it was imperative for the government to support “phish-proof” multi-factor authentication (MFA) technology that was also user-friendly, efficient and cost-effective.

The Solution
After evaluating several options for authentication for login.gov, the government decided to support FIDO2 through the use of FIDO security keys and built-in FIDO authenticators like Windows Hello biometrics. Through comparison to other options, they found FIDO to check the box for security, usability, cost and compliance.

The Results
GSA rolled out authentication with FIDO2 in September 2018. With initial adoption equating to about 2,000, or 0.2%, of new users, GSA made it a requirement for users to register a second MFA option. As a result, the number of new FIDO2 security keys increased to 17,000 per month. In late June 2019, there were about 27,000 FIDO2 keys registered and the adoption rate has increased to about 3% of all new users, representing a significant increase from initial rollout.

Security

One of the options for MFA GSA examined was SMS one-time passwords (SMS OTPs).

They found that SMS OTPs were a popular MFA option for users. Although convenient, SMS OTPs introduce avoidable security risks to users; this includes malware inadvertently downloaded onto a mobile phone that could monitor the user’s text messages. Additionally, GSA experienced a lot of issues with phishing, especially targeting accounts that were controlling bank information and personally identifiable information, including the user’s date of birth and Social Security Number. For login.gov, GSA wanted to offer a secure alternative to SMS OTPs that could prevent phishing, and began evaluation of FIDO2 authentication standards.

FIDO2 is a set of strong authentication standards that enables users to leverage common devices like on-device biometrics and FIDO security keys to authenticate to online services with phishing-resistant cryptographic security. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

After reviewing the FIDO Alliance’s FIDO2 standards, GSA found that FIDO2’s phishing resistance made it the most appropriate approach to address its security challenges.

INSIDE FIDO STANDARDS

The FIDO protocols, including the FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks.

The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device.

This is all balanced with a user-friendly and secure user experience through a simple action at log in, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.


Reduce Costs

In addition to security concerns, GSA found SMS OTPs quite expensive to manage. Without alternatives, those expenses would continue to escalate as more and more users are onboarded to login.gov.

With FIDO2, GSA could leverage a “bring your own FIDO security key” approach, making it more cost effective. The federal government does not sell or provision authenticators, but enables the use of authenticators previously provisioned.


Compliance

NIST’s Digital Identity Guidelines – Authentication and Lifecycle Management (Special Publication 800-63B) is the guidance that federal agencies must adhere to as it pertains to authenticating users to its networks. The 2017 guidance reclassified SMS OTPs as a “restricted” authentication technology. This means that agencies need to offer users at least one alternate authenticator that is not restricted. They also must provide users with meaningful information on the security risks of the restricted authenticator (SMS OTP) and availability of alternatives. FIDO standards provide a secure alternative that meets NIST guidelines for high assurance strong authentication.


FIDO2 Development

Prior to development, GSA utilized a Google developer resource on enabling strong authentication with FIDO2 WebAuthn on developers.google.com. To assist with server-side processing, GSA leveraged a WebAuthn-ruby gem on GitHub. That greatly benefited and expedited development, including backend processing. In addition, GSA used the W3C reference material for further clarification on any issues encountered.

All of GSA’s code for login.gov is open source and is on GitHub in the repo 18F/identity-idp. Because FIDO2 is a standards-based authentication technology, implementing support for it was extremely fast. It took a small team of three developers just two weeks to develop and move into production.


Deployment and User Experience with FIDO2

GSA rolled out authentication with FIDO2 in September 2018. login.gov supports FIDO2 through the use of FIDO security keys and built-in FIDO authenticators like Windows Hello biometrics. For users, these are all referred to as “security keys” during user onboarding. The process for setting up FIDO2 at login.gov works like this:

  1. When a user is creating a login.gov account, they enter their email address and create a password. Login.gov will first send an auto-generated email for the new user to confirm their email address.
  2. Then, they are instructed to select and set up MFA from a menu of options, including SMS OTP, FIDO2 security keys, and backup codes.
  3. To set up FIDO2, the user will select the “Security Key” option.
  4. The user can create a nickname for their security key.
  5. They are prompted either to insert a hardware security key into their computer and touch it or, if their device has a supported built-in authenticator, to use it, for example by looking into the camera or touching a biometric sensor.
  6. The user is presented with a “success screen” and then they can access their login.gov account.

Many users take advantage of the “Remember Device” option when signing in. For example, if the user is using a laptop and checks “Remember Device,” they will not need MFA on that laptop again for another 30 days.


Support of Non-FIDO2 Security Keys

During testing, the development team discovered that several hardware security keys were failing. They found that the majority of the failures occurred because the keys were not FIDO2-compliant. After considering adding support for non-FIDO2 security keys, the team decided not to support them because it would have taken considerably more time and effort than simply implementing WebAuthn. GSA plans to revisit support for non-FIDO2 keys at a later date. A listing of FIDO2 Certified authenticators can be found on the FIDO Alliance website.


FIDO User Adoption: On the Upswing

Initially, users registered about 2,000 new FIDO2 keys per month, which equates to about 0.2% of new users. In analyzing authentication statistics, GSA found that users were choosing mobile/SMS OTP options for MFA more often. In May 2019, GSA began requiring new users to register a second MFA option to increase awareness and adoption of FIDO2. That change increased the number of new FIDO2 authenticators to 17,000 per month. This number increased to 27,000 in the month of June alone, and the adoption rate increased to about 3% of all new users, representing a significant increase from initial rollout. GSA is considering the same requirement for existing users, but is looking at doing so without hindering the user experience.

As of June 2019, login.gov onboards about one million new users per month and that is expected to grow as agencies continue to add additional services. GSA has high expectations for the use of built-in authenticators to increase adoption, because it does not require users to acquire a separate FIDO security key.


Future Improvements for Increased Adoption

One of the challenges login.gov has faced is user education: specifically, informing users that they have the option to enroll with FIDO2 and educating them about what FIDO is and how to set it up. It can be a challenge to accomplish this without confusing the set of users who are not able to set up FIDO, either because they don’t have a FIDO2 security key or don’t have a built-in authenticator.

Another area that GSA is working on is the onboarding process and the use of the term “security key” for all FIDO authenticators. User research is currently underway as of September 2019 around prompting users to set up whatever their device is named rather than using the security key language. Preliminary findings indicate that it would help adoption to keep the security key option for users who have the physical security key and then add options for users with built-in authenticators, e.g. “use your Android phone,” or “use your Windows Hello device,” etc. This will help give users clarity around their options so they will be more likely to set it up.

Another enhancement under consideration is a feature called “MFA Checkup.” This is to address the real-world problem that occurs when users change their smartphone and lose their backup codes. Login.gov would display a screen informing the user of the methods available or provide the user with the option to replace a method.

Ultimately, GSA sees these actions to streamline user communications and make user authentication options clearer as key to increasing user adoption and helping both GSA and end users realize the full security, usability and cost reduction benefits that FIDO Authentication provides. As one of the first governments to offer FIDO Authentication for login to e-government services, GSA strives to be a model for other governments to follow.

View the U.S. General Services Administration’s Rollout of FIDO2 on login.gov PDF here.

FIDO Deployment in Korea https://fidoalliance.org/fido-deployment-in-korea/ Tue, 10 Dec 2019 17:17:00 +0000 http://fidoalliance.org/?p=29829 The post FIDO Deployment in Korea appeared first on FIDO Alliance.

Developing FIDO2 in LINE Pay https://fidoalliance.org/developing-fido2-in-line-pay/ Tue, 10 Dec 2019 17:15:44 +0000 http://fidoalliance.org/?p=29828 The post Developing FIDO2 in LINE Pay appeared first on FIDO Alliance.

FIDO Alliance Webinar: Intuit’s Journey with FIDO Authentication https://fidoalliance.org/fido-alliance-webinar-intuits-journey-with-fido-authentication/ Thu, 07 Nov 2019 19:04:57 +0000 http://fidoalliance.org/?p=29216 Millions of customers trust Intuit with their most sensitive financial information. With that in mind, Intuit rolled out FIDO Authentication on its mobile apps to provide additional layers of security […]

The post FIDO Alliance Webinar: Intuit’s Journey with FIDO Authentication appeared first on FIDO Alliance.

Millions of customers trust Intuit with their most sensitive financial information. With that in mind, Intuit rolled out FIDO Authentication on its mobile apps to provide additional layers of security while simultaneously making the user experience more convenient. In this webinar, Marcio Mello, director & head of Product Management – Intuit Identity & Profile Platform, shared Intuit’s approach to enable FIDO Authentication. To watch the webinar recording, click here.

Webinar: The Right Mix Intuit’s Journey with FIDO Authentication https://fidoalliance.org/webinar-the-right-mix-intuits-journey-with-fido-authentication/ Thu, 07 Nov 2019 19:02:12 +0000 http://fidoalliance.org/?p=29215 Millions of customers trust Intuit with their most sensitive financial information. With that in mind, Intuit rolled out FIDO Authentication on its mobile apps to provide additional layers of security […]

The post Webinar: The Right Mix Intuit’s Journey with FIDO Authentication appeared first on FIDO Alliance.

Millions of customers trust Intuit with their most sensitive financial information. With that in mind, Intuit rolled out FIDO Authentication on its mobile apps to provide additional layers of security while simultaneously making the user experience more convenient. In this webinar, Marcio Mello, director & head of Product Management – Intuit Identity & Profile Platform, shared Intuit’s approach to enable FIDO Authentication. Find the slides here.

NTT DOCOMO Deployment Case Study: Your Security, More Simple https://fidoalliance.org/ntt-docomo-deployment-case-study-your-security-more-simple-2/ Tue, 08 Oct 2019 18:37:47 +0000 http://fidoalliance.org/?p=29035 The Challenge with Passwords NTT DOCOMO, INC. is Japan’s largest mobile network operator with over 78 million subscriptions — and is responsible for protecting the data of each one. To […]

The post NTT DOCOMO Deployment Case Study: Your Security, More Simple appeared first on FIDO Alliance.

The Challenge with Passwords


NTT DOCOMO, INC. is Japan’s largest mobile network operator with over 78 million subscriptions — and is responsible for protecting the data of each one.

To provide access to DOCOMO-branded services, partner services, and carrier billing payments, DOCOMO long allowed customers to log in and authenticate using passwords including a four-digit password. This created a number of challenges — particularly because passwords are frustrating to use, and it is difficult to have to remember multiple passwords.

DOCOMO needed to find a solution that would resolve its password-related issues.


The Best of Both Worlds with FIDO Authentication
After reviewing the different approaches to authentication available, DOCOMO settled on the FIDO authentication model as the best strategy for solving the current and future authentication needs of its customers. It found that by deploying cross-platform, FIDO-enabled, privacy-respecting biometric authentication, it could have a solution that is simultaneously more secure and more convenient. It is worth noting that, to protect users’ privacy, such biometric information never leaves their devices.

FIDO-based biometric authentication relies on FIDO standards that use public key cryptography to protect users against a variety of attacks including phishing, brute force and man-in-the-middle attacks. Users register their on-device biometric with any online service that supports the protocol.

When considering a new authentication approach, DOCOMO found FIDO to be the best option because it allowed them to:
• Implement in a straightforward manner that aligns with the FIDO ecosystem for long term sustainability and continuity of authentication as a service
• Utilize the standards in a way that allows different types of authenticators, such as fingerprint sensors and iris scanners
• Protect the security of users and ecosystem partners with FIDO’s privacy policy that states biometric data and private cryptographic keys will never leave the user’s device

NTT DOCOMO Overview

In May 2015, NTT DOCOMO began offering FIDO Authentication in four devices (including the world’s first iris-scanner-equipped smartphone) from multiple OEMs and a FIDO-enabled server. With this, DOCOMO became the world’s first mobile network operator to deploy FIDO Authentication throughout its network, delivering simple, strong authentication for DOCOMO’s millions of customers across multiple services with d ACCOUNT™, which is an OpenID-based account for customers nationwide.

By eliminating passwords with FIDO standards, DOCOMO is able to deliver a superior end-user experience that includes enhanced security features. It is also able to introduce innovative new services and product offerings that can utilize standards-based platforms and devices.

NTT DOCOMO’s FIDO-based Solutions in Practice

Today, DOCOMO has shipped an impressive suite of more than 60 FIDO-enabled d ACCOUNT Authentication compliant Android devices. Of these, DOCOMO has shipped 36 FIDO UAF 1.0 Certified Android devices, while newer devices have been shipped with a pre-installed FIDO UAF 1.1 application to utilize Android’s built-in FIDO capabilities.

In addition, all Touch ID/Face ID-equipped iOS devices are also available for d ACCOUNT Authentication.

Using FIDO specifications, DOCOMO is enabling its customers to securely authenticate themselves with fingerprint or iris biometrics instead of a password with the DOCOMO d ACCOUNT app that incorporates FIDO Authentication. From there, they have secure access to DOCOMO account details, billing and services, including mobile gaming and music platforms d game™ and d music™, and shopping sites such as d delivery™ and d shopping™. DOCOMO also replaced carrier billing password authentication, allowing customers to approve their payments via biometrics built into their device.

In addition to DOCOMO-branded services at d market™, various partner services are able to utilize FIDO Authentication through carrier billing payment and as a federated ID utilizing OpenID Connect without any modifications.

DOCOMO also provides FIDO Authentication at scale by allowing other relying parties to utilize its FIDO Certified on-device biometrics. For example, Mizuho Bank, a major bank in Japan, uses DOCOMO’s FIDO Certified authenticator to allow its own customers to access their mobile banking app.

Enabling a More Secure Future
As a market leader with a clear strategic investment in the FIDO ecosystem, DOCOMO joined the FIDO Alliance as a Board Director in 2015 and has been contributing to the development of FIDO standards and best practices.

DOCOMO is responsible for establishing and chairing the FIDO Deployment-at-Scale Working Group (D@SWG), which was formed to accelerate overall deployments of FIDO solutions by bringing together online service providers and device manufacturers to share lessons learned, produce case studies, and establish industry best practices for deploying FIDO Authentication at internet scale. This group has since spun off three Deployment Working Groups for consumer, enterprise, and government, with DOCOMO chairing the FIDO Consumer Deployment Working Group (CDWG).

In addition, DOCOMO drove the formation of the FIDO Japan Working Group (FJWG) in 2016 and has taken a leadership role as Chair. The FJWG has been driving FIDO adoption in Japan by facilitating communication, cooperation and improved awareness of FIDO Alliance and FIDO Authentication in Japan.

View the NTT DOCOMO Deployment Case Study PDF document here.

Deployment Snapshots from Japan https://fidoalliance.org/deployment-snapshots-from-japan/ Thu, 26 Sep 2019 15:51:31 +0000 http://fidoalliance.org/?p=28962 The post Deployment Snapshots from Japan appeared first on FIDO Alliance.

Moving Beyond Passwords https://fidoalliance.org/moving-beyond-passwords/ Thu, 26 Sep 2019 15:50:23 +0000 http://fidoalliance.org/?p=28960 The post Moving Beyond Passwords appeared first on FIDO Alliance.

Digital Authentication Roadmap https://fidoalliance.org/digital-authentication-roadmap/ Thu, 26 Sep 2019 15:46:41 +0000 http://fidoalliance.org/?p=28956 The post Digital Authentication Roadmap appeared first on FIDO Alliance.

Securing a Web App with Passwordless Web Authentication https://fidoalliance.org/securing-a-web-app-with-passwordless-web-authentication/ Thu, 26 Sep 2019 15:44:07 +0000 http://fidoalliance.org/?p=28954 The post Securing a Web App with Passwordless Web Authentication appeared first on FIDO Alliance.

Getting Started With WebAuthn https://fidoalliance.org/getting-started-with-webauthn/ Thu, 26 Sep 2019 15:42:57 +0000 http://fidoalliance.org/?p=28952 The post Getting Started With WebAuthn appeared first on FIDO Alliance.

Technical Principles of FIDO Authentication https://fidoalliance.org/technical-principles-of-fido-authentication-3/ Thu, 26 Sep 2019 15:41:31 +0000 http://fidoalliance.org/?p=28950 The post Technical Principles of FIDO Authentication appeared first on FIDO Alliance.

FIDO in Action: Real World Deployment Case Studies https://fidoalliance.org/fido-in-action-real-world-deployment-case-studies/ Thu, 26 Sep 2019 15:39:37 +0000 http://fidoalliance.org/?p=28948 The post FIDO in Action: Real World Deployment Case Studies appeared first on FIDO Alliance.

FIDO Authentication in Hong Kong https://fidoalliance.org/fido-authentication-in-hong-kong-2/ Thu, 26 Sep 2019 15:37:32 +0000 http://fidoalliance.org/?p=28945 The post FIDO Authentication in Hong Kong appeared first on FIDO Alliance.

Going Passwordless with Microsoft https://fidoalliance.org/going-passwordless-with-microsoft/ Thu, 26 Sep 2019 15:35:37 +0000 http://fidoalliance.org/?p=28943 The post Going Passwordless with Microsoft appeared first on FIDO Alliance.

A First Step to a World Without Passwords https://fidoalliance.org/a-first-step-to-a-world-without-passwords/ Thu, 26 Sep 2019 15:31:49 +0000 http://fidoalliance.org/?p=28940 The post A First Step to a World Without Passwords appeared first on FIDO Alliance.

FIDO Case Study: Performance Comparison of Multimodal Biometrics https://fidoalliance.org/fido-case-study-performance-comparison-of-multimodal-biometrics/ Thu, 26 Sep 2019 15:26:18 +0000 http://fidoalliance.org/?p=28938 The post FIDO Case Study: Performance Comparison of Multimodal Biometrics appeared first on FIDO Alliance.

Enterprise Deployment of FIDO in SKT https://fidoalliance.org/enterprise-deployment-of-fido-in-skt/ Thu, 26 Sep 2019 15:20:52 +0000 http://fidoalliance.org/?p=28936 The post Enterprise Deployment of FIDO in SKT appeared first on FIDO Alliance.

Enhancing Security with FIDO https://fidoalliance.org/enhancing-security-with-fido/ Thu, 26 Sep 2019 15:11:16 +0000 http://fidoalliance.org/?p=28928 The post Enhancing Security with FIDO appeared first on FIDO Alliance.

Webinar: Deployment Case Study: Login.gov & FIDO2 Presentation https://fidoalliance.org/webinar-deployment-case-study-login-gov-fido2-presentation/ Fri, 21 Jun 2019 15:48:14 +0000 http://fidoalliance.org/?p=27919 In September 2018, login.gov began supporting FIDO2 as an option for multi-factor authentication. The security experts at login.gov were seeking to reduce the volume of users opting for SMS for […]

The post Webinar: Deployment Case Study: Login.gov & FIDO2 Presentation appeared first on FIDO Alliance.

In September 2018, login.gov began supporting FIDO2 as an option for multi-factor authentication. The security experts at login.gov were seeking to reduce the volume of users opting for SMS for multi-factor authentication by offering a more secure option. The security team used an iterative approach to deploy FIDO2 authentication and are continuously making improvements based on user feedback and platform needs. This webinar tells the story of the login.gov implementation of FIDO2 and discusses their roadmap for future improvements.

Webinar: Deployment Case Study: Login.gov & FIDO2 https://fidoalliance.org/webinar-deployment-case-study-login-gov-fido2/ Fri, 21 Jun 2019 15:38:59 +0000 http://fidoalliance.org/?p=27918 In September 2018, login.gov began supporting FIDO2 as an option for multi-factor authentication. The security experts at login.gov were seeking to reduce the volume of users opting for SMS for […]

The post Webinar: Deployment Case Study: Login.gov & FIDO2 appeared first on FIDO Alliance.

In September 2018, login.gov began supporting FIDO2 as an option for multi-factor authentication. The security experts at login.gov were seeking to reduce the volume of users opting for SMS for multi-factor authentication by offering a more secure option. The security team used an iterative approach to deploy FIDO2 authentication and are continuously making improvements based on user feedback and platform needs. This webinar tells the story of the login.gov implementation of FIDO2 and discusses their roadmap for future improvements.

FIDO Technical Overview/ESPECIFICAÇÕES FIDO VISÃO GERAL https://fidoalliance.org/especificacoes-fido-visao-geral/ Thu, 20 Jun 2019 18:16:46 +0000 http://fidoalliance.org/?p=27891 The post FIDO Technical Overview/ESPECIFICAÇÕES FIDO VISÃO GERAL appeared first on FIDO Alliance.

Technical Principles of FIDO Authentication https://fidoalliance.org/technical-principles-of-fido-authentication-2/ Mon, 20 May 2019 20:05:51 +0000 http://fidoalliance.org/?p=27806 The post Technical Principles of FIDO Authentication appeared first on FIDO Alliance.

Developer Tutorial: WebAuthn for Web & FIDO2 for Android https://fidoalliance.org/developer-tutorial-webauthn-web-fido2-android/ Mon, 20 May 2019 19:17:07 +0000 http://fidoalliance.org/?p=27792 This developer tutorial covers two unique builds. The first is WebAuthn for websites and building upon that is a FIDO2 build for Android. This presentation is based on two interactive […]

The post Developer Tutorial: WebAuthn for Web & FIDO2 for Android appeared first on FIDO Alliance.

This developer tutorial covers two unique builds. The first is WebAuthn for websites and building upon that is a FIDO2 build for Android. This presentation is based on two interactive code labs from Google.

The web portion covers how to build a website with a simple re-authentication functionality using a fingerprint sensor. Re-authentication is a concept where a user signs into a website once, then authenticates again as they try to enter important sections of the website, or come back after a certain interval, etc., in order to protect the account. (Your First WebAuthn Codelab via Google)

The Android portion covers how to build an Android app with a simple re-authentication functionality using a fingerprint sensor. (Your First Android FIDO2 API Codelab via Google)

Developer Tutorial: Getting Started with WebAuthn https://fidoalliance.org/developer-tutorial-getting-started-with-webauthn/ Mon, 20 May 2019 14:39:04 +0000 http://fidoalliance.org/?p=27614 This developer tutorial was presented by Nick Steele, a researcher at Duo Labs and an invited expert on the W3C WebAuthn Working Group. Additional developer resources are available from Duo […]

The post Developer Tutorial: Getting Started with WebAuthn appeared first on FIDO Alliance.

This developer tutorial was presented by Nick Steele, a researcher at Duo Labs and an invited expert on the W3C WebAuthn Working Group. Additional developer resources are available from Duo Labs at WebAuthn.io.

Developer Tutorial: Securing a Web App with FIDO Security Keys https://fidoalliance.org/developer-tutorial-securing-a-web-app-with-fido-security-keys/ Mon, 20 May 2019 14:26:01 +0000 http://fidoalliance.org/?p=27605 This presentation was given by Luke Walker of Yubico at a FIDO Authentication Developer Workshop in May 2019. Additional resources from Yubico are available in their developer program.

The post Developer Tutorial: Securing a Web App with FIDO Security Keys appeared first on FIDO Alliance.

This presentation was given by Luke Walker of Yubico at a FIDO Authentication Developer Workshop in May 2019. Additional resources from Yubico are available in their developer program.

White Paper: FIDO and PKI Integration in the Enterprise https://fidoalliance.org/white-paper-fido-and-pki-integration-in-the-enterprise/ Tue, 30 Apr 2019 14:12:40 +0000 http://fidoalliance.org/?p=27534 FIDO Enterprise Adoption Best Practices This white paper is aimed at enterprises and government agencies looking to expand their authentication capabilities to include FIDO technology, and have FIDO work in […]

The post White Paper: FIDO and PKI Integration in the Enterprise appeared first on FIDO Alliance.

FIDO Enterprise Adoption Best Practices

This white paper is aimed at enterprises and government agencies looking to expand their authentication capabilities to include FIDO technology, and have FIDO work in conjunction with other authentication systems such as a Public Key Infrastructure (PKI), Kerberos, and Lightweight Directory Access Protocol (LDAP) that may be in place at the organization.  This document specifically focuses on the use and coexistence of FIDO with a PKI, and answers the following questions:

  • How can FIDO protocols deliver new and/or enhanced business benefits to the enterprise?
  • Which enterprise applications (and application layer protocols) can use PKI?
  • Can FIDO be used to provide similar services as PKI for applications that use or can use public key cryptography?
  • Which enterprise security needs and security threats are best addressed using FIDO?
  • How can an expanded public-key cryptographic system incorporating PKI and FIDO benefit an enterprise?
  • What are the business implications for adding FIDO technology within an enterprise that already operates other authentication systems?

This document covers enterprise and government use cases. Consumer use cases are not in the scope of the whitepaper.

Recommended Account Recovery Practices for FIDO Relying Parties https://fidoalliance.org/recommended-account-recovery-practices/ Wed, 06 Feb 2019 20:45:57 +0000 http://fidoalliance.org/?p=25422 In 2019, strong customer authentication is expected to ramp up rapidly, driven by support from regulatory initiatives such as Payment Services Directive 2 (PSD2), industry standards such as those from FIDO […]

The post Recommended Account Recovery Practices for FIDO Relying Parties appeared first on FIDO Alliance.

In 2019, strong customer authentication is expected to ramp up rapidly, driven by support from regulatory initiatives such as Payment Services Directive 2 (PSD2), industry standards such as those from FIDO Alliance and the World Wide Web Consortium (W3C) and also through platform vendors. But adoption will be limited without mechanisms to recover accounts when authenticators are lost. The entire ecosystem is only as strong as the weakest link, so account-recovery mechanisms and policies must be clearly defined. These approaches need to provide secure and acceptable user experiences. This document briefly summarizes recommended practices for all service providers (also referred to as Relying Parties or RPs), including banks and merchants.

Deployment Snapshot from Japan: NTT DOCOMO and Yahoo! Japan https://fidoalliance.org/deployment-snapshot-from-japan-ntt-docomo-and-yahoo-japan/ Mon, 28 Jan 2019 21:59:11 +0000 http://fidoalliance.org/?p=24941 The post Deployment Snapshot from Japan: NTT DOCOMO and Yahoo! Japan appeared first on FIDO Alliance.

Expected Use Cases of FIDO Authentication in Social Media Apps https://fidoalliance.org/expected-use-cases-of-fido-authentication-in-social-media-apps/ Mon, 28 Jan 2019 21:56:01 +0000 http://fidoalliance.org/?p=24940 The post Expected Use Cases of FIDO Authentication in Social Media Apps appeared first on FIDO Alliance.

Integrating FIDO and Federation Protocols https://fidoalliance.org/integrating-fido-and-federation-protocols/ Mon, 28 Jan 2019 21:51:47 +0000 http://fidoalliance.org/?p=24939 The post Integrating FIDO and Federation Protocols appeared first on FIDO Alliance.

Lifecycle Considerations for Security Key Deployments https://fidoalliance.org/lifecycle-considerations-for-security-key-deployments/ Mon, 28 Jan 2019 21:49:42 +0000 http://fidoalliance.org/?p=24938 The post Lifecycle Considerations for Security Key Deployments appeared first on FIDO Alliance.

Visa Case Study https://fidoalliance.org/visa-case-study/ Mon, 28 Jan 2019 20:24:25 +0000 http://fidoalliance.org/?p=24923 Visa recently released its ID Intelligence suite of services to help organizations better identify and authenticate users. Banks, card issuers, and even merchants are being confronted with the need to […]

The post Visa Case Study appeared first on FIDO Alliance.

Visa recently released its ID Intelligence suite of services to help organizations better identify and authenticate users. Banks, card issuers, and even merchants are being confronted with the need to strengthen their authentication capabilities to mitigate risks and meet compliance rules under directives such as PSD2. Through this suite of services, these organizations can easily obtain the different authentication capabilities they need from a trusted provider with a single point of integration. Visa has chosen to make a FIDO-based implementation of biometrics one of these offerings as it aligns with their strategic approach to authentication.

With ID Intelligence, organizations work through a single source to integrate a select set of identification and authentication solutions. These solutions fall into four categories:

  • Authenticate with biometrics
  • Authenticate with a photo ID and selfie
  • Authenticate the data provided by the user (PII validation)
  • Authenticate the device data (trusted vs. suspicious)

There is a wide variety of biometric platform providers in the market today. For ID Intelligence, Visa partnered with Daon to deliver FIDO-compliant biometrics capabilities. Daon offers both a FIDO-compliant and non-FIDO solution, but only the FIDO-compliant solution is part of the ID Intelligence suite. The appeal of the FIDO protocol came from its alignment with Visa’s approach to authentication, which prioritizes how best to protect user data, leverage available data to make better decisions, devalue data when it is compromised and empower the customer.

Implementation requires an integration of the SDK with the client’s mobile application, which is typically a six to twelve month process, along with on premises hosting of the FIDO server. And while Visa is looking to extend the range of authentication solutions it offers as part of the ID Intelligence suite, the FIDO-compliant biometrics capability is available today.

This case study originally appeared in Javelin Strategy & Research’s “The State of Strong Authentication 2019” Report

Tradelink Case Study https://fidoalliance.org/tradelink-case-study/ Mon, 28 Jan 2019 20:11:46 +0000 http://fidoalliance.org/?p=24922 Established in 1998, Tradelink is a publicly traded company that acts as a gateway between the Hong Kong government and commercial businesses. Since its inception, Tradelink has been at the […]

The post Tradelink Case Study appeared first on FIDO Alliance.

Established in 1998, Tradelink is a publicly traded company that acts as a gateway between the Hong Kong government and commercial businesses. Since its inception, Tradelink has been at the leading edge of online security – first in facilitating communications between the government and traders, and since then as a security provider for the HK banking industry. One aspect that has been central to delivering these secure interactions since late 2016 has been the FIDO protocol.

The organization decided the Internet was going to be how it managed communications. It made security a priority and leveraged public key infrastructure (PKI). Originally used for communications between the HK government and traders, the technology was eventually opened up to the banking industry.

Since that time, Tradelink’s approach to authentication has continued to evolve, leading the organization to FIDO. At first there was a trend to move away from digital certificates and towards one-time passwords. And approximately four years ago, they began to explore biometrics as a solution in partnership with the banking industry, which helped fund the effort. After examining different technologies and standards worldwide, Tradelink decided to use FIDO-based authentication starting in 2016.

In their estimation, adoption by banks has been strong because no information about the user is sent from mobile devices. And whoever the service provider is, whether the banks or Tradelink, it doesn’t need to transmit or store the biometric data, which is important given the stringent requirements on data privacy protection in Hong Kong. This, together with the adoption of public key cryptography as the backbone of the FIDO standard, was the other major factor driving banks to rapidly adopt the FIDO standard.

In fact, the appeal of this biometric approach has resonated extremely well in Hong Kong. As evidence, the Hong Kong Government will launch a new initiative for electronic ID in 2020 that will leverage FIDO to authenticate citizens online.

This case study originally appeared in Javelin Strategy & Research’s “The State of Strong Authentication 2019” Report

Microsoft’s FIDO2 Implementation Roadmap https://fidoalliance.org/microsofts-fido2-implementation-roadmap/ Mon, 28 Jan 2019 20:00:17 +0000 http://fidoalliance.org/?p=24953 The post Microsoft’s FIDO2 Implementation Roadmap appeared first on FIDO Alliance.

How FIDO Standards Meet PSD2’s Regulatory Technical Standards Requirements On Strong Customer Authentication https://fidoalliance.org/how_fido_meets_the_rts_requirements/ Thu, 20 Dec 2018 14:46:55 +0000 https://fidoalliance.org/?p=23614 This document provides a detailed review of the security requirements listed in the Regulatory Technical Standards For Strong Customer Authentication and Common and Secure Open Standards Of Communication under PSD2 […]

The post How FIDO Standards Meet PSD2’s Regulatory Technical Standards Requirements On Strong Customer Authentication appeared first on FIDO Alliance.

This document provides a detailed review of the security requirements listed in the Regulatory Technical Standards For Strong Customer Authentication and Common and Secure Open Standards Of Communication under PSD2 (the RTS) and describes how the FIDO standards meet such requirements.

The document analyses articles in the following relevant sections of the RTS:

  • [RTS Chapter I] General provisions
  • [RTS Chapter II] Security measures for the application of Strong Customer Authentication
  • [RTS Chapter IV] Confidentiality and integrity of the Payment Service User’s security credentials

White Paper: Enterprise Adoption Best Practices – Integrating FIDO & Federation Protocols https://fidoalliance.org/white-paper-enterprise-adoption-best-practices-integrating-fido-federation-protocols/ Wed, 28 Nov 2018 19:04:12 +0000 http://fidoalliance.wpengine.com/?p=20863 This white paper outlines how the FIDO standards complement federation protocols. It also provides guidelines on how to integrate the two in order to add support for FIDO-based MFA and […]

The post White Paper: Enterprise Adoption Best Practices – Integrating FIDO & Federation Protocols appeared first on FIDO Alliance.

This white paper outlines how the FIDO standards complement federation protocols. It also provides guidelines on how to integrate the two in order to add support for FIDO-based MFA and replace or supplement traditional authentication methods in federation environments.

This white paper is aimed at enterprises deploying FIDO for strong authentication. It is intended to provide guidance to architects and developers on how to integrate FIDO authentication and existing federation protocols, namely SAML and OpenID Connect.

It is assumed that the reader has an understanding of FIDO architecture and protocols.

FIDO Authentication Account Recovery Framework at Yahoo Japan https://fidoalliance.org/fido-authentication-account-recovery-framework-at-yahoo-japan/ Fri, 05 Oct 2018 18:41:00 +0000 http://fidoalliance.wpengine.com/?p=20664 The post FIDO Authentication Account Recovery Framework at Yahoo Japan appeared first on FIDO Alliance.

New GAO Report Recommends IRS Adopt FIDO to Strengthen Taxpayer Authentication https://fidoalliance.org/new-gao-report-recommends-irs-adopt-fido-to-strengthen-taxpayer-authentication/ Thu, 26 Jul 2018 18:49:00 +0000 http://fidoalliance.wpengine.com/?p=13097 By Brett McDowell, Executive Director, FIDO Alliance Thousands of people have lost millions of dollars and their personal information to tax scams, and the U.S. Government Accountability Office (GAO) is […]

The post New GAO Report Recommends IRS Adopt FIDO to Strengthen Taxpayer Authentication appeared first on FIDO Alliance.

GAO Recommends FIDO

By Brett McDowell, Executive Director, FIDO Alliance

Thousands of people have lost millions of dollars and their personal information to tax scams, and the U.S. Government Accountability Office (GAO) is now pointing to FIDO Authentication as a way to help.

One of the most common ways that criminals collect information for tax scams is through phishing and social engineering attacks – emails and phone calls aiming to trick citizens into handing over their personal information like passwords and social security numbers. These attacks show no signs of stopping; the IRS reports “a steady onslaught of new and evolving phishing schemes as scam artists work to victimize taxpayers during filing season.”

Given the persistence of taxpayer fraud, the GAO published a public report, “Identity Theft: IRS Needs to Strengthen Taxpayer Authentication Efforts,” to determine what the IRS can do to strengthen its authentication methods while improving services to taxpayers in the future.

FIDO Authentication is one of the authentication options that the GAO recommends the IRS consider. The report states that possession-based authentication, such as solutions using FIDO standards, offers users “a convenient, added layer of security when used as a second factor for accessing websites or systems that would otherwise rely on a username and password for single-factor authentication.” In other words, allowing citizens to use a FIDO-enabled device to log in to IRS services would give them additional protection without impacting convenience.

In addition, FIDO Authentication meets the National Institute of Standards and Technology’s (NIST) new guidance for secure digital authentication at the highest level of assurance, which the GAO recommends the IRS implement as a priority.

This is not the first time that a government agency has been urged to adopt FIDO Authentication. Last year, Sen. Ron Wyden (D-Ore.) wrote a letter to the Social Security Administration (SSA) asking the agency to support FIDO Security Keys because they are “resistant to all phishing.”

FIDO Authentication is proven to work against phishing and social engineering attacks. None of Google’s 85,000+ employees have been phished since early 2017, when the company began requiring all employees to use FIDO-based Security Keys. If the IRS follows the GAO recommendations and enables users to log in with FIDO Authentication, we can expect a drastic reduction in phishing-related tax scams – saving money, time and hassle for citizens and government.

Implementation Case Study: FIDO2 Authentication by SKT (Korean Language) https://fidoalliance.org/implementation-case-study-fido2-authentication-by-skt-korean-language/ Wed, 18 Jul 2018 18:53:10 +0000 http://fidoalliance.wpengine.com/?p=20675 The post Implementation Case Study: FIDO2 Authentication by SKT (Korean Language) appeared first on FIDO Alliance.

Implementation Case Study: Cloud Based FIDO2 Authentication by CrossCert https://fidoalliance.org/implementation-case-study-cloud-based-fido2-authentication-by-crosscert/ Wed, 18 Jul 2018 18:51:43 +0000 http://fidoalliance.wpengine.com/?p=20673 The post Implementation Case Study: Cloud Based FIDO2 Authentication by CrossCert appeared first on FIDO Alliance.

Implementation Case Study by eWBM https://fidoalliance.org/implementation-case-study-by-ewbm/ Wed, 18 Jul 2018 18:51:01 +0000 http://fidoalliance.wpengine.com/?p=20672 The post Implementation Case Study by eWBM appeared first on FIDO Alliance.

Three Lessons From the Timehop Data Breach https://fidoalliance.org/three-lessons-from-the-timehop-data-breach/ Mon, 16 Jul 2018 20:51:46 +0000 http://fidoalliance.wpengine.com/?p=12720 Brett McDowell, Executive Director, FIDO Alliance The Timehop data breach that affected 21 million users offers a teachable moment for the rest of the online services industry, especially in light […]

The post Three Lessons From the Timehop Data Breach appeared first on FIDO Alliance.

Brett McDowell, Executive Director, FIDO Alliance

The Timehop data breach that affected 21 million users offers a teachable moment for the rest of the online services industry, especially in light of new GDPR and PSD2 requirements taking hold in Europe.

As Timehop explained, “the breach occurred because an access credential to our cloud computing environment was compromised” and in an apparent effort to reassure their customers this won’t happen again, they quickly added “we have now taken steps that include multi-factor authentication to secure our authorization and access controls on all accounts.”

So far, this is all fairly standard for an all-too-common data breach notification. What caught my eye, however, was their emphasis in bold type that their users’ social media posts and photos were not breached while clarifying the data lost included “names, email addresses, and some phone numbers.” There are a few key takeaways from this incident I hope get noticed by online services security teams and the executives responsible for their budgets.  

First, why wait to be breached before you invest in multi-factor authentication (MFA)? Industry data begs service providers to protect their users. Not only did the industry see a 45% year-over-year increase in data breaches last year, we know over 80% of those incidents were the result of password compromise. Inexpensive remote attacks, such as password phishing, are increasingly the initial step to a breach. Your risk is increasing every day. An investment in MFA is all but inevitable. The only way to lower the cost to your enterprise is to make that investment before you get breached.

Second, if you have personal information on file from European customers, you are already held to a higher standard for data protection through the now fully-enforced General Data Protection Regulation (GDPR). That means what once may have been considered less important than social media posts, personal photos, or even financial data, is now critically important if you cannot demonstrate to regulators you had taken risk-appropriate measures ahead of any data breach incident. If you process payments and do business in Europe, you are also about to be required by PSD2 to provide Secure Customer Authentication for those transactions, which explicitly requires at least two of the three factors of authentication: something you know (like a password), something you are (like a biometric), and/or something you have (like a cryptographic signature from a trusted device).

While you consider your options, be mindful that GDPR also has special requirements about collecting and handling biometric data. You will save a lot of added costs and liability by using built-in, on-device biometric matching if that’s your chosen user experience.

Last, but not least, don’t waste your budget investing in yesterday’s MFA when the industry has just delivered a future-proof open standard for precisely this purpose. Too many professionals still assume MFA means a password and an SMS-delivered one-time passcode. Both of those solutions are “shared secrets,” which are inherently vulnerable to inexpensive phishing-style attacks, and we know these attacks are on the rise and highly effective.

This fact was further clarified last year by the analyst firm Javelin when it published a study on the state of strong authentication that recognized “high-assurance strong authentication” as a new category of MFA. Javelin cited updated guidance from the U.S. National Institute of Standards and Technology that now requires one of the factors to be a cryptographic proof-of-possession in order to achieve top marks for authentication assurance.

At FIDO Alliance, together with the W3C, we have developed an open industry standard for high-assurance strong authentication that is already being built into Windows 10, Android, the world’s most popular web browsers, as well as iOS SDKs and a variety of hardware security keys. With these native capabilities coming standard on most new devices, FIDO has become the best choice for businesses looking to invest in MFA capabilities. It is the only choice that: delivers the highest level of protection from the commercial and regulatory costs of data breaches; is standards-based, vendor agnostic and future-proof; and is compatible with best-of-breed user experiences by replacing typing passcodes with an easy touch of a button or a glance at a sensor. This is why leading service providers like Google, Facebook, Microsoft, PayPal, eBay, T-Mobile, ING, Mastercard, Intuit and many more have invested in FIDO Authentication to protect their businesses from the increasing cost of data breaches.

White Paper: Hardware-backed Keystore Authenticators (HKA) on Android 8.0 or Later Mobile Devices https://fidoalliance.org/white-paper-hardware-backed-keystore-authenticators-hka-on-android-8-0-or-later-mobile-devices/ Thu, 28 Jun 2018 17:18:37 +0000 http://fidoalliance.wpengine.com/?p=20822 Enabling Any Relying Parties to Create FIDO UAF (1.1 or later) Client Apps This paper introduces the details of a hardware-backed Keystore authenticators (HKA) implementation approach, based on the first […]

The post White Paper: Hardware-backed Keystore Authenticators (HKA) on Android 8.0 or Later Mobile Devices appeared first on FIDO Alliance.

Enabling Any Relying Parties to Create FIDO UAF (1.1 or later) Client Apps

This paper introduces the details of a hardware-backed Keystore authenticator (HKA) implementation approach, based on the first commercial deployment. It takes advantage of the secure Android Keystore with key attestation and hardware fingerprint sensors on standard off-the-shelf mobile devices running Android 8.0 or later. Since it is enabled only by Android applications, any RPs and application developers can develop their own secure FIDO UAF 1.1 authenticators.

EMVCo and the FIDO Alliance to Address FIDO Authentication in EMV® 3-D Secure Use Cases https://fidoalliance.org/emvco-and-the-fido-alliance-to-address-fido-authentication-inemv-3-d-secure-use-cases/ Mon, 04 Jun 2018 06:00:27 +0000 http://fidoalliance.wpengine.com/?p=12036 Amsterdam (Money 20/20 Europe), June 4, 2018 – EMVCo, the global technical body that manages the EMV® Specifications, and the FIDO Alliance, an industry consortium developing open, interoperable authentication standards, […]

The post EMVCo and the FIDO Alliance to Address FIDO Authentication in EMV® 3-D Secure Use Cases appeared first on FIDO Alliance.

Amsterdam (Money 20/20 Europe), June 4, 2018 – EMVCo, the global technical body that manages the EMV® Specifications, and the FIDO Alliance, an industry consortium developing open, interoperable authentication standards, have expanded their collaboration to include a work item to define in detail how EMV 3-D Secure (3DS) messages may be used to pass FIDO authenticator attestation data and signatures in a manner that is both scalable and interoperable across the EMV payments ecosystem. 

This work builds upon the pre-existing liaison relationship between the organizations. The initial collaboration focused on how FIDO’s authentication protocol can be used to support EMVCo’s cardholder verification technology, leading to User Verification Caching (UVC) extensions of the FIDO specifications. UVC allows an app to specify user caching time — i.e., how long a user who has already been verified by his/her authenticator can wait before being required to re-authenticate.  

“The EMV 3DS Specification promotes more secure, consistent consumer e-commerce transactions across browser and in-app channels, while optimizing the cardholder’s experience,” comments Cheryl Mish, EMVCo Board of Managers Chair. “Incorporating support for the FIDO Authentication protocol will provide stronger authentication, enhance transaction security and provide a more convenient and simpler authentication experience for cardholders. Our expanded collaboration with FIDO will support EMVCo’s efforts to deliver a consistent and more secure global solution that will be less likely to compromise user experience.”

“FIDO’s approach to modern authentication has taken root in devices around the world, and we’re happy to work with EMVCo to further expand this paradigm into the EMV payments arena,” said Brett McDowell, executive director of FIDO Alliance. “By ensuring interoperability of privacy-respecting authentication metadata between merchants, payment service providers, and banks in a 3DS transaction, fraud risk is reduced whenever FIDO Certified devices are used.”

– ENDS –

Notes to Editors
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

About EMVCo
EMVCo is the global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes. EMV is a technology toolbox that enables globally interoperable secure payments across face-to-face and remote environments. Adoption of EMV Specifications and associated approval and certification processes promotes a unified international payments framework, which supports an advancing range of payment methods, technologies and acceptance environments. The specifications are available royalty free, designed to be flexible, and can be adapted regionally to meet national payment requirements and accommodate local regulations.

EMVCo is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, and focuses on the technical advancement of the EMV Specifications. To provide all payment stakeholders with a platform to engage in its strategic and technical direction, EMVCo operates an Associates Programme and encourages all interested parties to get involved.

Visit www.emvco.com for further information and join EMVCo on LinkedIn.

About The FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact:
press@fidoalliance.org

White Paper: Enterprise Adoption Best Practices – Managing FIDO Credential Lifecycle for Enterprises https://fidoalliance.org/white-paper-enterprise-adoption-best-practices-managing-fido-credential-lifecycle-for-enterprises/ Sat, 28 Apr 2018 17:36:22 +0000 http://fidoalliance.wpengine.com/?p=20831 This white paper provides guidance to IT and Security professionals on how to manage FIDO authentication credentials throughout their full lifecycle.

The post White Paper: Enterprise Adoption Best Practices – Managing FIDO Credential Lifecycle for Enterprises appeared first on FIDO Alliance.

This white paper provides guidance to IT and Security professionals on how to manage FIDO authentication credentials throughout their full lifecycle.

Integrating FIDO Authentication & Federation Protocols https://fidoalliance.org/integrating-fido-authentication-federation-protocols-2/ Fri, 23 Mar 2018 20:00:11 +0000 http://fidoalliance.wpengine.com/?p=20686 The post Integrating FIDO Authentication & Federation Protocols appeared first on FIDO Alliance.

Integrating FIDO Authentication & Federation Protocols https://fidoalliance.org/integrating-fido-authentication-federation-protocols/ Fri, 23 Mar 2018 17:47:51 +0000 http://fidoalliance.wpengine.com/?p=20597 The post Integrating FIDO Authentication & Federation Protocols appeared first on FIDO Alliance.

FIDO Adoption and Innovation Continues to Accelerate in Korea   https://fidoalliance.org/fido-adoption-innovation-continues-accelerate-korea/ Mon, 12 Feb 2018 19:08:30 +0000 http://fidoalliance.wpengine.com/?p=10370 Dongpyo Hong, Global PD, Inc; Vice-Chair of FIDO Korea Working Group Last month at the FIDO Seminar in San Francisco, I had the pleasure of speaking to attendees about the […]

The post FIDO Adoption and Innovation Continues to Accelerate in Korea   appeared first on FIDO Alliance.

Dongpyo Hong, Global PD, Inc; Vice-Chair of FIDO Korea Working Group

Last month at the FIDO Seminar in San Francisco, I had the pleasure of speaking to attendees about the latest innovations and adoption trends for FIDO Authentication in Korea, and how Korea leads in the number of companies building FIDO Certified products. Looking forward, it is clear that Korea’s adoption of FIDO specifications will continue to expand and solidify in 2018 and beyond.

Added indicators of continued expansion in Korea can be found in the January 22nd proposal by Korea’s government to abolish the mandate to use public certificates as part of the regulatory reforms initiative driven by President Moon. Specifically, the most anticipated area of cybersecurity growth in Korea is on-device biometric authentication, and hence expanded deployment of the FIDO standard.

This builds upon Korea’s status as the country with the highest rate of FIDO adoption, evidenced by impressive statistics such as:  

  • 21 out of the 23 largest banks have adopted the FIDO solution, a 91% adoption rate
  • 7 out of 8 credit companies (88% adoption rate) leverage FIDO authentication
  • 22 out of 47 insurance and securities companies (47% adoption rate) have applied the FIDO solution to their business practices

These percentages (as independently researched by Global PD) are expected to grow along with a further push towards biometric authentication within the country.

With the introduction of FIDO specifications, and support from the FIDO Forum Korea and other organizations that have been sponsored by the Ministry of Science and Technology in Korea, the country has experienced steady adoption of the FIDO standard across multiple markets including: finance, telecommunications, portal/education, enterprise, public and government sectors. Previously, South Korea was at heightened risk due to a policy requiring any user of online financial services or payments to obtain a digital certificate tied specifically to the use of Internet Explorer and ActiveX controls.  

FIDO Alliance last month announced the formation of the FIDO Korea Working Group with a goal to accelerate awareness and increase momentum for FIDO authentication in Korea. With executive representation from leading Korea-based companies such as Samsung Electronics Co., Ltd., BC Card Co., Ltd. and Raonsecure comprising the working group’s leadership, deployment of FIDO standards is expected to resonate with even more companies within Korea in the coming year.

The FIDO Alliance vision and the resulting authentication platforms support Korea’s goal of providing a more secure cyber network. As the country takes note of the security advantages of on-device biometric authentication and the interoperable authentication of FIDO certified solutions, we can expect to see deployment of the FIDO standard by an even broader range of companies within Korea in 2018. With each application that adds support for the FIDO standard, users in the Korean market experience a simpler, more secure authentication platform and a greatly reduced risk of fraud.

FIDO Authentication in Korea: Early Adoption & Rapid Innovation https://fidoalliance.org/fido-authentication-in-korea-early-adoption-rapid-innovation/ Thu, 25 Jan 2018 21:06:33 +0000 http://fidoalliance.wpengine.com/?p=20694 The post FIDO Authentication in Korea: Early Adoption & Rapid Innovation appeared first on FIDO Alliance.

Google Case Study – Towards simpler, stronger authentication https://fidoalliance.org/google-case-study-towards-simpler-stronger-authentication/ Thu, 25 Jan 2018 21:05:00 +0000 http://fidoalliance.wpengine.com/?p=20692 The post Google Case Study – Towards simpler, stronger authentication appeared first on FIDO Alliance.
