FIDO Alliance Blog - Articles & updates from FIDO Alliance
https://fidoalliance.org/content/fido-news-center/
Thu, 03 Aug 2023 11:59:55 +0000

FIDO Alliance Details Agenda for Authenticate 2023, Featuring Keynote from Rachel Tobac, Noted White Hat Hacker & SocialProof Security CEO
https://fidoalliance.org/fido-alliance-details-agenda-for-authenticate-2023-featuring-keynote-from-rachel-tobac-noted-white-hat-hacker-socialproof-security-ceo/
Thu, 03 Aug 2023 11:56:37 +0000

3-day program for FIDO Alliance’s flagship event on the future of user authentication
includes 90+ sessions; Early Bird registration available through August 18  

Carlsbad, Calif., August 3, 2023 – The FIDO Alliance announced its keynote speakers and full agenda for Authenticate 2023, the only industry conference dedicated to all aspects of user authentication.

This year’s featured keynote will be presented by Rachel Tobac, white hat hacker and social engineering expert whose exploits have been featured on CNN, 60 Minutes and more. Additional keynote presentations providing diverse and global perspectives on modern authentication will be delivered by speakers from 1Password, Amazon, Google, Microsoft, Yubico and others.

Authenticate 2023 will be held at the Omni La Costa Resort and Spa from October 16-18, 2023 – with virtual attendance options for those unable to be there in person. Now in its fourth year, the event is focused on providing education, tools and best practices for modern authentication across web, enterprise and government applications. CISOs, security strategists, enterprise architects and product and business leaders are invited to register at https://authenticatecon.com/event/authenticate-2023/.

In response to its rising popularity, the conference now includes 90+ sessions from 125 speakers spread across three content tracks — as well as interactive half-day workshops for developers and user experience leads. Speakers from Alibaba Group, Fox Corporation, GitHub, Intuit, Mercari, Pinterest, Salesforce, Starbucks, Shopify, Target and others will deliver a diverse set of sessions, detailed case studies, technical tutorials and expert panels. Attendees will also benefit from a dynamic expo hall and networking opportunities whether attending in-person or virtually. 

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is also accepting applications for sponsorship, offering opportunities for companies to put their brand and products front and center with brand exposure, lead generation capabilities and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/sponsors/

There are a limited number of opportunities remaining. Requests for sponsorship should be sent to authenticate@fidoalliance.org. 

About Authenticate 

Authenticate is the only conference dedicated to all aspects of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

In 2023, Authenticate will be held October 16-18 at the Omni La Costa Resort and Spa in Carlsbad, CA and virtually. Early bird registration discounts are available through August 18, 2023. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. 

Signature sponsors for Authenticate 2023 are 1Password, Google, Microsoft and Yubico.

Authenticate Contact 
authenticate@fidoalliance.org  

PR Contact 
press@fidoalliance.org

FIDO APAC Summit Keynotes and Sponsors Announced
https://fidoalliance.org/fido-apac-summit-keynotes-and-sponsors-announced/
Thu, 03 Aug 2023 10:08:20 +0000

The exclusive event on 28-30 August in Vietnam will feature content and insights, provided by cybersecurity experts—including a former convicted hacker—that focus on best practices for passwordless authentication implementations. 

Singapore, August 1, 2023 — The FIDO Alliance today provided an updated list of speakers and sponsors for its first-ever FIDO APAC Summit, the premier event dedicated to advancing and promoting phishing-resistant FIDO authentication in the region. Co-hosted by the Ministry of Information and Communications (Vietnam), the summit will take place in Vinpearl Nha Trang, Vietnam, on 28 – 30 August 2023, and centers on the theme of “Connecting for a Safer Digital Future”.

With hundreds of attendees expected, the summit will feature more than 25 VIP guests and speakers from the APAC region. Hieu Minh Ngo, a former hacker turned cybersecurity specialist, will be joining these prominent industry leaders to discuss the latest developments and share best practices. Drawing on his insider knowledge of cybercriminal tactics, Hieu offers insights into common cybersecurity traps and vulnerabilities, and how passwordless authentication technologies can boost organizations’ defenses against hackers.

“As a former hacker turned cybersecurity specialist, I know firsthand how cybercriminals are always looking for loopholes to exploit for their gain. That is why it is imperative for organizations to ensure a robust cybersecurity strategy to safeguard users online,” said Hieu. “Embracing passwordless authentication can offer the highest levels of security and mitigate potential cyber threats from malicious hackers. I am excited to be part of the FIDO APAC Summit 2023 to share my experiences on how going passwordless can thwart phishing attacks and impart valuable lessons to attendees.”

Regional Cybersecurity Thought Leaders

The keynote speakers at the FIDO APAC Summit include:

  • Nguyen Huy Dung, Deputy Minister of Information and Communications (Vietnam)
  • Andrew Shikiar, Executive Director of FIDO Alliance
  • Do Ngoc Duy Trac (Simon), CEO of VinCSS

The summit will also feature case studies and tutorials delivered by industry experts from government organizations and leading technology companies, including:

  • Hieu Minh Ngo, Threat Hunter, NCSC Viet Nam & Co-founder of Chongluadao.vn
  • Khanit Phatong, Senior Management Officer, Thailand Electronic Transactions Development Agency 
  • Teresa Wu, Vice President, Smart Credentials – Civil Identity IDEMIA Identity & Security North America 
  • Paul Heim, Director, FIDO Alliance
  • Sea Chong Seak, CTO of SecureMetric
  • Alex Wilson, Director Engineering, Yubico
  • Dovlet Tekeyev (Dave), Director, AirCuve
  • Hyung Chul Jung, Head of Security Engineering Group, Samsung Electronics
  • Eiji Kitamura, Developer Advocate, Google
  • Gautam Pande, Vice President, Identity Solutions, Asia Pacific, Mastercard
  • Masao Kubo, Manager, Product Design Department, Smart Life Business Company, NTT DOCOMO
  • Henry (Haixin) Chai, CEO of GMRZ Technology, Lenovo
  • Cuong Tran, CTO, Pavana
  • Thang Phan, Passwordless Transformation Lead, VNPAY
  • Truong Nguyen, Back End Developer, PayPay Corporation
  • Naohisa Ichihara, CISO, Mercari
  • Jaebeom Kim, Principal Researcher, Telecommunications Technology Association


The updated list of speakers can be found here.

In addition, the APAC Summit will feature a busy expo hall, with demo booths from VinCSS, Securemetric Technology, Yubico, AirCuve, CyStack, iProov, Thales, ISR, SMARTdisplayer Technology, and TrustKey.

Event Registration and Sponsorship Opportunities

Attendance is free of charge. For more information and to register your interest in the summit, please visit the website here.

“The FIDO Alliance is excited to host its first Asia-Pacific Summit 2023 in Vietnam, which will feature content presented by some of the brightest minds in authentication from around the world,” said Andrew Shikiar, executive director & CMO of the FIDO Alliance. “As cyber attacks continue to grow in volume and sophistication, it is more important than ever for companies to put passwords in the rear view mirror in favor of passkeys — which present a user-friendly alternative based upon FIDO standards.”

At the initial announcement of the event, Deputy Minister of Information and Communications (Vietnam), Nguyen Huy Dung said, “We are delighted to take part in organizing this event. We fully endorse the adoption of passwordless authentication technology to secure Vietnam’s digital economy. Our aspiration is to foster connections and collaborations with the FIDO Alliance and other APAC region countries for a safer digital future.”

Registrations are now open to the public. While the event is offered free of charge, all delegates are required to book a minimum of three nights at the event venue, Vinpearl Resort Nha Trang. For more information and to register your interest in the summit, please visit the website here.

For companies interested in sponsorship opportunities, please contact events@fidoalliance.org

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact 
press@fidoalliance.org

APAC Media Contact
Evelyn Owen & Farah Aqilah
FINN Partners on behalf of FIDO Alliance
yingFIDO@finnpartners.com 
+65 9109 6954

FIDO Alliance Publishes Guidance for Deploying Passkeys in the Enterprise
https://fidoalliance.org/fido-alliance-publishes-guidance-for-deploying-passkeys-in-the-enterprise/
Tue, 27 Jun 2023 11:56:36 +0000

Half-day virtual Authenticate Summit to educate on how passkeys can fit into a variety of enterprise environments

MOUNTAIN VIEW, Calif., June 27, 2023 – Passkeys are a gamechanger for signing in to online services and apps, providing phishing-resistant security and an easy user experience far superior to passwords and other phishable forms of authentication. Enterprises globally are interested in passkeys but may be wondering: “how do I start?” and “what type of passkey is right for my environment?”

The FIDO Alliance addresses these questions in a new series of papers providing considerations for leveraging passkeys across different enterprise use cases. The series was developed by the FIDO Alliance’s Enterprise Deployment Working Group (EDWG) and can be found at https://fidoalliance.org/fido-in-the-enterprise/.  

The papers in the series are:

  • FIDO Deploying Passkeys in the Enterprise – Introduction
  • Replacing Password-Only Authentication with Passkeys in the Enterprise
  • FIDO Authentication for Moderate Assurance Use Cases 
  • High Assurance Enterprise FIDO Authentication 

A fifth paper in the series, “Displacing Password + SMS OTP Authentication with Passkeys,” is expected to publish later this summer.

“Passkeys are a new concept to many enterprise organizations, in terms of both terminology and FIDO authentication capabilities,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “These papers demystify synced and device-bound passkeys and provide the decision points for how to leverage them across a variety of use cases, whether they are using passwords alone, legacy MFA or FIDO-based solutions today. These papers provide a great foundation for anyone looking to understand how passkeys can increase their organization’s security posture, meet legal and regulatory requirements and decrease support and other costs associated with authentication.” 

Get an Overview Live at Authenticate Virtual Summit: Considerations for Passkeys in the Enterprise

Those interested in this topic are encouraged to join the FIDO Alliance and members of its Enterprise Deployment Working Group on June 29, 2023 at 9:00 am PT / 12:00 pm ET for the free Authenticate Virtual Summit: Considerations for Passkeys in the Enterprise to learn how passkeys can fit into a variety of enterprise environments.

Sessions will cover introductory material, considerations across various use cases, and criteria to evaluate how synced passkeys and device-bound passkeys can meet varying legal, regulatory, and security requirements across enterprise environments.

Learn more and register for the free virtual summit at https://authenticatecon.com/event/passkeys-in-the-enterprise/.

About the Enterprise Deployment Working Group (EDWG)

The FIDO Alliance’s Enterprise Deployment Working Group (EDWG) aims to accelerate enterprise deployments of FIDO solutions and advance the FIDO Alliance’s vision for a strong, interoperable modern authentication ecosystem. The EDWG acts as a group of subject matter experts and internal advisors within the FIDO Alliance on issues affecting the deployment of FIDO solutions at the enterprise level. FIDO Alliance members interested in joining the EDWG can contact info@fidoalliance.org for information on how to participate.


Contact
press@fidoalliance.org

FIDO Alliance Opens Registration for Its First-Ever Asia-Pacific Summit 2023 in Vietnam
https://fidoalliance.org/fido-alliance-opens-registration-for-its-first-ever-asia-pacific-summit-2023-in-vietnam/
Mon, 26 Jun 2023 00:01:07 +0000

The event will gather industry leaders, cybersecurity experts, and government representatives across the region to explore the latest developments in authentication technologies.

Singapore, June 26, 2023 — The FIDO Alliance announced today its first-ever FIDO APAC Summit 2023, the premier event dedicated to advancing and promoting phishing-resistant FIDO authentication in the region. The summit, co-hosted by Vietnam Ministry of Information and Communications, will take place in Vinpearl Nha Trang, Vietnam, on August 28 – 30, 2023.

For more information and to register your interest in the summit, please visit the website here.

The cybersecurity landscape in Asia-Pacific has undergone significant growth and transformation in recent years, driven by rapid digitalization, increased internet penetration, and the rapid adoption of advanced technologies such as cloud computing, AI, and the Internet of Things (IoT). As businesses and governments become more reliant on digital infrastructure, cyber threats have grown increasingly sophisticated and widespread, resulting in a surge in prominent cyberattacks and data breaches. With Asia-Pacific accounting for 31% of all incidents globally in 2022, there is a crucial need for more robust authentication methods — and there is no better time than now for organizations to take the necessary steps forward.

The theme for this year’s event is “Connecting for a Safer Digital Future” which aims to highlight the importance of secure, phishing-resistant authentication methods, specifically focusing on FIDO standards and passkeys. The summit will bring together various industry leaders, cybersecurity experts, and government representatives from the region to discuss the latest developments and share best practices and success stories. Attendees can expect insightful keynote presentations, engaging panel discussions, comprehensive technical workshops, and ample networking opportunities. 

“The FIDO Alliance is excited to host its first Asia-Pacific Summit 2023 in Vietnam. Around the globe, we are witnessing an increasing number of cyberattacks and scams stemming from weak or stolen credentials — and this is no different in the APAC region. Fortunately, there has been a steady momentum toward adopting passkeys based on phishing-resistant, FIDO authentication by organizations here to combat these threats,” said Andrew Shikiar, executive director of the FIDO Alliance. “Through this summit, we hope to facilitate knowledge sharing in the various areas of authentication, and we encourage anyone interested to learn more to join us.”

Deputy Minister of Vietnam’s Ministry of Information and Communications, Nguyen Huy Dung, said, “We are delighted to take part in organizing this event.” He emphasized, “We fully endorse the adoption of passwordless authentication technology to secure Vietnam’s digital economy.” He continued, “Our aspiration is to foster connections and collaborations with the FIDO Alliance and other APAC region countries for a safer digital future.”

The conference will feature more than 25 VIP guests and speakers from the APAC region, with over 300 attendees expected. Key summit speakers this year include member companies from the FIDO Alliance, such as VinCSS, Google, Mastercard, Samsung Electronics, NTT Docomo, SK Telecom, SecureMetric, AirCuve, ETDA and Thales, among many others.

Registrations are now open to the public. While the event is offered free of charge, all delegates are required to book a minimum of three nights at the event venue, Vinpearl Resort Nha Trang. For more information and to register your interest in the summit, please visit the website here.


PR Contact 

press@fidoalliance.org 

APAC Media Contact

Evelyn Owen & Farah Aqilah

FINN Partners on behalf of FIDO Alliance

yingFIDO@finnpartners.com 

+65 9109 6954

Updated FIDO Alliance Specifications Adopted as ITU International Standards
https://fidoalliance.org/updated-fido-alliance-specifications-adopted-as-itu-international-standards/
Fri, 16 Jun 2023 12:43:19 +0000

MOUNTAIN VIEW, Calif., June 16, 2023 –  The FIDO Alliance announced today that two of its specifications, FIDO UAF 1.2 and CTAP 2.1, are recognized as international standards by the International Telecommunication Union’s Telecommunication Standardization Sector (ITU-T). This milestone establishes these standards as official ITU standards (ITU-T Recommendations) for the global infrastructure of information and communication technologies (ICT).

ITU-T is the standardization arm of ITU, the United Nations specialized agency for ICT. The FIDO Alliance specifications were approved as official ITU-T Recommendations by ITU members including national administrations and the world’s front-running ICT companies. The new ITU-T Recommendations are under the responsibility of ITU’s standardization expert group for security, ITU-T Study Group 17.

“The FIDO Alliance is improving online authentication through open standards based on public key cryptography that make authentication stronger and easier to use than passwords or one-time passcodes. One of the ways that we fulfill this mission is by submitting our mature technical specifications to internationally recognized standards groups like ITU-T for formal standardization,” said David Turner, senior director of standards development at the FIDO Alliance. “This recognition from ITU-T illustrates the maturity of FIDO authentication technology and complements our web standardization work with the World Wide Web Consortium (W3C).”

“Predecessors of these FIDO UAF and CTAP specifications were first adopted as ITU standards in 2018. ITU-T Study Group 17 will continue to strengthen its collaboration with the FIDO Alliance. These two FIDO Alliance specifications, adopted as ITU standards recently, are being widely used in various industries such as the financial sector to provide strong online authentication based on public key cryptography and various user verification methods,” said Heung Youl Youm, Chairman of ITU-T Study Group 17. “These new ITU standards will provide a concrete basis for the two FIDO specifications to be adopted across the 193 ITU Member States.”

“Our working group within ITU-T Study Group 17 was pleased to be able to collaborate with the FIDO Alliance to promote the standardization of state-of-the-art security technologies,” said Abbie Barbir, Rapporteur for ITU-T’s working group on ‘Identity management and telebiometrics architecture and mechanisms’ (Q10/17). “This work will help address and solve the security limitations of passwords and move the world closer to passwordless solutions.” 

The specifications that are now ITU-T Recommendations are:

  • FIDO UAF 1.2 (Recommendation ITU-T X.1277.2). A mobile standard providing authentication without passwords by using biometrics and other modalities to authenticate users to their local device.
  • CTAP 2.1 (Recommendation ITU-T X.1278.2). Part of the FIDO2 specifications along with the W3C Web Authentication standard, it allows the use of external authenticators (FIDO Security Keys, mobile devices) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a passwordless, second-factor or multi-factor authentication experience.

For more information on the FIDO Alliance and FIDO authentication, visit http://www.fidoalliance.org.

For more information on ITU-T SG 17 visit https://www.itu.int/en/ITU-T/studygroups/2022-2024/17/Pages/default.aspx.


About ITU-T SG 17

The ITU Telecommunication Standardization Sector (ITU-T) is one of the three Sectors (branches) of the International Telecommunication Union (ITU). It is responsible for coordinating standards for telecommunications and Information Communication Technology such as X.509 for cybersecurity, Y.3172 and Y.3173 for machine learning, and H.264/MPEG-4 AVC for video compression, between its Member States, Private Sector Members, and Academia Members.

FIDO Alliance Contact
press@fidoalliance.org 

ITU Contact
tsbsg17@itu.int

FIDO Alliance Opens Registration for Authenticate 2023
https://fidoalliance.org/fido-alliance-opens-registration-for-authenticate-2023/
Tue, 06 Jun 2023 11:59:13 +0000

Conference to feature expert-driven content on replacing passwords with passkeys; early bird discounts available through August 18

CARLSBAD, Calif., June 6, 2023  —  The FIDO Alliance is pleased to announce registration is now open for Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on passkeys and related FIDO-based solutions. Authenticate will be held October 16-18, 2023 at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego – with virtual attendance options also available.

To register, visit https://authenticatecon.com/event/authenticate-2023/. Early bird registration discounts are available through August 18.

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fourth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

“Passkeys are the hottest topic in digital identity and authentication as the world accelerates its efforts to put passwords in the rear-view mirror,” said Andrew Shikiar, executive director and CMO of FIDO Alliance. “Authenticate has rapidly established itself as a must-attend event for those interested in learning about how to apply passkeys and other cutting-edge authentication solutions to their business. Between the dozens of sessions and countless networking opportunities, Authenticate attendees will come away from this year’s conference with actionable insights to help accelerate their companies’ transition to a password-free future.”

Last year’s conference sold out for in-person attendance, welcoming over 950 total attendees in Seattle and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 30 industry-leading exhibitors and sponsors.

Authenticate 2023 will build upon this strong foundation and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. The full 2023 agenda will be published later this month. Attendees will again benefit from a dynamic expo hall and engaging networking opportunities.

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please view the prospectus.

Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to authenticate@fidoalliance.org.

Signature sponsors for the 2023 event are 1Password, Google, Microsoft, and Yubico.

About Authenticate

Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on passkeys and FIDO-based solutions. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2023 will be held October 16-18, 2023 and will be co-located with the FIDO Alliance’s member plenary (running October 17-19) at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego, with a bigger footprint for more attendees, sessions for all levels, a larger expo hall for companies bringing passwordless to fruition, and added opportunities for networking with your peers. 

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2023 will have the right content – and community – for you. 

Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, sign up for the newsletter.

Authenticate Contact

authenticate@fidoalliance.org

PR Contact 

press@fidoalliance.org

FIDO Alliance Publishes Research-backed Guidelines for Optimizing User Sign-in Experience with Passkeys
https://fidoalliance.org/fido-alliance-publishes-research-backed-guidelines-for-optimizing-user-sign-in-experience-with-passkeys/
Tue, 30 May 2023 22:24:52 +0000

LAS VEGAS, Nev., May 31, 2023 – The FIDO Alliance today released new user experience (UX) guidelines to help accelerate deployment and adoption of passkeys.

The FIDO Alliance UX Guidelines for Passkey Creation and Sign-ins aim to help online service providers design a better, more consistent user experience when signing in with passkeys. The guidelines are available at https://fidoalliance.org/ux-guidelines/

Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. While passkeys are far easier and more secure than passwords and legacy forms of 2FA, the research performed for these guidelines found that passkey sign-ins present a distinct user journey that service providers need to consider before providing passkey support. The FIDO Alliance UX Guidelines provide evidence-based best practices for key steps in the user journey for passkey creation and sign-in.

“As companies around the world accelerate their move toward passwordless authentication based on FIDO standards, the topic of user experience has risen to the forefront,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Passkeys uniquely can provide a phishing-resistant sign-in as well as a superior user experience which can drive top-line growth by enabling more seamless access to online services and engendering stronger brand affinity. We encourage online service providers to use these guidelines in their journey to rolling out passkeys to ensure a consistent, thoughtful, and simple user experience for their users.”

Passkeys are supported in the vast majority of consumer devices: Apple and Google have readied their operating systems for service providers to enable sign-ins with passkeys that sync across devices; Windows 10 and 11 have long supported device-bound passkeys in Windows Hello – and passkeys from iOS or Android devices can also be used to sign into sites in Chrome or Edge on Windows. 

Many leading service providers including Google, PayPal, Yahoo! Japan, NTT DOCOMO, CVS Health, Shopify, Hyatt, Instacart, Robinhood, Mercari and Kayak are providing their customers with passkey sign-ins. 

“When it comes to providing passkeys to consumers, technical implementation is only one piece of the puzzle,” said Kevin Goldman, chair of the FIDO Alliance UX Working Group and Chief Experience Officer at Trusona. “Simply put, the UX is a critical component in helping consumers adopt passkeys as a password replacement. These guidelines are a carefully researched set of best practices that will help online service providers design a better, more consistent user experience when signing in with passkeys and ultimately maximize adoption.”

The guidelines were created by the FIDO Alliance UX Working Group in partnership with usability research firm Blink UX – with added underwriting support from 1Password, Google, Trusona and US Bank. This group collectively conducted formal research of FIDO user journeys and actively engaged with FIDO Alliance stakeholders to establish these UX best practices. 

Learn more about the FIDO UX Guidelines for Passkeys at Identiverse 2023

Attending Identiverse? Learn more about the guidelines today, May 31, during the session “Optimizing UX for Passkeys” at 2:00 pm PDT.

Attend the Webinar Series

The FIDO Alliance is hosting a three-part webinar series to educate on the findings and best practices developed through the intensive research for the UX guidelines for passkeys. Attendees will get actionable tools to accelerate and optimize deployments of passkeys for consumer sign-ins. 

Webinars include:

  • 10 UX Guidelines for Passkeys (June 13, 2023 at 10am PDT / 1pm EDT)
  • Driving Adoption of Passkeys with UX (June 20, 2023 at 10am PDT / 1pm EDT)
  • UX and Content Strategy Workshop for Passkeys (June 27, 2023 at 10am PDT / 1pm EDT)

Register for the webinar series here.

About the FIDO UX Working Group

In order to accelerate adoption of FIDO solutions and achieve the FIDO Alliance’s vision of helping reduce the world’s overreliance on passwords, the UX Working Group (UXWG) serves as subject matter experts and internal advisors within the FIDO Alliance on issues related to usability and UX. The FIDO Alliance UXWG is composed of 79 product, design, accessibility, marketing and technical leaders from 31 diverse companies. A full list of members who contributed to this project can be found in the guidelines.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Contact
press@fidoalliance.org 

An Inflection Point in the Journey to Passwordless https://fidoalliance.org/an-inflection-point-in-the-journey-to-passwordless/ Thu, 04 May 2023 11:53:31 +0000 https://fidoalliance.org/?p=40612 Andrew Shikiar, FIDO Alliance Executive Director & CMO Yesterday, Google announced support for simple and secure sign-ins with passkeys for all Google Account users. This is a huge milestone in […]

The post An Inflection Point in the Journey to Passwordless appeared first on FIDO Alliance.

Andrew Shikiar, FIDO Alliance Executive Director & CMO

Yesterday, Google announced support for simple and secure sign-ins with passkeys for all Google Account users. This is a huge milestone in our journey towards a passwordless future. Why?

It’s been only a year since Apple, Google and Microsoft announced their commitment to passkeys with plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. Since then, Apple and Google have readied their operating systems for service providers to enable sign-ins with passkeys that sync across devices; Windows 10 and 11 have long supported device-bound passkeys in Windows Hello – and passkeys from iOS or Android devices can also be used to sign into sites in Chrome or Edge on Windows.

Additionally, service providers like PayPal, Yahoo! Japan, NTT DOCOMO, CVS Health, Shopify, Mercari, Kayak, SK Telecom and more are committed to or already providing passkey sign-ins. Google now joins them, and will serve as a great way for large swathes of consumers to become familiar with passkeys, while also helping accelerate deployments from other service providers.

Consumer Readiness On the Rise
The growing number of service providers supporting passkeys matches a growth in consumer awareness and readiness.

According to a new survey released today by FIDO Alliance, over 57% of U.S. consumers said they are interested in using passkeys to replace passwords, compared with 39% who said they were familiar with the concept of passkeys in FIDO’s 2022 Online Authentication Barometer, released in October 2022.

Recovering or resetting passwords is one of the many hassles that consumers face. Only 9% of those surveyed report that they never need to recover their password – with 13% having to recover passwords daily or several times per week and nearly 60% reporting several password resets per quarter.  It is little wonder then that 29% of consumers prefer signing in with biometrics (e.g. fingerprint or face scan) versus 19% who prefer to enter a password manually.

Passkeys are resistant to threats of phishing, credential stuffing and other remote attacks often used to take over online accounts. Based on the survey, approximately 65% of people who prefer to use biometrics to sign in would be interested in using a passkey and nearly half (45%) of people who prefer to use passwords to sign in would be interested in using a passkey. This is another clear signal telling us that consumers want less friction and greater ease of signing into their online accounts.

Passwords Create More Friction for Online Transactions

Consumers are tired of the hassle and complexity of passwords and are ready to embrace passkey sign-ins, which enable them to access online services simply and securely. Passkeys can help reduce shopping cart abandonment and turn the tide against the ongoing plague of data breaches and identity theft.

In addition to security implications, passwords continue to be costly for online retailers – according to the survey, nearly 60% of consumers said they have abandoned their carts due to a forgotten password in the past six months. 

Simply put, passkeys stand to dramatically improve consumers’ online shopping experiences – as well as their service providers’ bottom lines.

Perceived Password Risk
Despite the large number of breaches and warnings, many consumers maintain poor password hygiene, unmoved by the risks passwords pose to their digital lives. According to the survey, 70% of people use passwords that are at least one year old. Despite the known risks of phishing attacks and other security breaches, the survey shows that 21% of respondents believe entering their password manually is the most secure authentication method. 

Nearly 60% said they would not pay for increased security measures or official verification on social media platforms. Earlier this year, Twitter warned users they would lose the ability to secure access to their account via text message two-factor authentication unless they pay to subscribe to Twitter Blue. It seems clear from this data that consumers would naturally look to passkeys as a seamless and secure alternative.

To review the FIDO Alliance’s full survey results, click here.

What’s next?
Both the data and the increasing number of organizations rolling out passkeys show that the future of authentication is here. But this does not mean the work is done. The FIDO Alliance and its members continue to iterate to improve the experience of passkeys. Be on the lookout for upcoming UX research and guidelines to further increase the adoption and usability of passkeys. The FIDO Alliance is also continuing to provide education, UX guidance, adoption perspectives and more through upcoming industry events. Attend our sessions at Identiverse and be sure to attend the FIDO Alliance’s conference, Authenticate, in Carlsbad, CA (or virtually) on October 16-18, 2023.

Recap: Authenticate Virtual Summit: Authentication in Financial Services and Commerce https://fidoalliance.org/recap-authenticate-virtual-summit-authentication-in-financial-services-and-commerce/ Tue, 04 Apr 2023 14:31:24 +0000 https://fidoalliance.org/?p=40262 By: FIDO Staff Passwords are everywhere with both enterprises and e-commerce organizations feeling the pain as much, if not more, than most. At the Authenticate Virtual Summit: Authentication in Financial […]

The post Recap: Authenticate Virtual Summit: Authentication in Financial Services and Commerce appeared first on FIDO Alliance.

By: FIDO Staff

Passwords are everywhere, with both enterprises and e-commerce organizations feeling the pain as much as, if not more than, most.

At the Authenticate Virtual Summit: Authentication in Financial Services and Commerce on March 29, industry experts and practitioners outlined The FIDO Fit for Enterprise and Customer Sign-ins. Throughout the half-day event, the topic of passkeys was a primary theme, with speakers outlining how they work, where they fit in and why they are essential to helping the world move away from legacy passwords and less secure multi-factor authentication.

Andrew Shikiar, executive director and CMO of the FIDO Alliance, opened the event with some insights on the many benefits that passkeys can bring to enterprise and commerce users. Those benefits include helping users to get online faster with higher levels of satisfaction. Passkeys may also be able to help improve the bottom line for e-commerce vendors.

“If you’re an e-commerce vendor, imagine reducing the shopping cart abandonment rate by even 10%,” Shikiar said. “Our data shows that 50% of consumers that had to abandon a purchase in the past six months did so because they forgot your password and that’s a huge opportunity cost.”

While FIDO authentication has been available for anyone to use for over a decade, Shikiar noted that there have been some adoption challenges. Passkeys are, in part, a solution to some of those adoption challenges. With passkeys, there is a more recognizable set of common terminology and the technology also provides a familiar flow for users that aims to reduce friction.

In the enterprise, Shikiar said that passkeys are a very natural fit for things like BYOD [Bring Your Own Device] authentication, allowing employees to sign in with apps on their phones.

“This is becoming more the norm than the exception, and passkeys are just a very natural fit for that environment,” Shikiar said.

The State of Authentication 2023 

Make no mistake about it, there are a lot of problems with passwords. To add some metrics to the argument against passwords, Jay Roxe, CMO at HYPR, provided some insights from his firm’s State of Passwordless Security 2023 report.

Roxe noted that one of the things that really jumped out to him was that three out of five of the organizations that HYPR talked to for the report had an authentication-related breach over the past year. He added that each of those organizations had nearly $3 million in costs associated with those breaches on a 12-month basis. Financial services was the most highly attacked industry vertical, with 81% of financial services organizations having recorded some type of attack or breach related to authentication.

The HYPR report also attempted to discover why organizations will move to deploy strong passwordless authentication approaches. Roxe emphasized that it’s critical to have a good user interface and flow; otherwise the technology won’t get adopted. In fact, the report found the top reason why organizations are looking to adopt passwordless is to improve the user experience.

“Until we nail that user experience, we’re fundamentally not going to be any better off than we are today,” Roxe said.

Passkeys 101

Among the most interactive sessions of the event was one on the basics of how passkeys work, which kept moderator Megan Shamas, senior director of marketing at the FIDO Alliance, very busy handling questions from the engaged audience at the end of the session.

The session got started with Tim Cappalli, identity standards architect at Microsoft, outlining the historical path of FIDO standards. The big milestones along the path include the debut of the U2F specifications in 2014, FIDO2 in 2017, WebAuthn in 2019 and just last year the emergence of passkeys.

“It has been a journey,” Cappalli said. “We think that in the last two to three years, we really have been moving towards the last step to moving people beyond passwords.”

Cappalli outlined how passkeys work and what the primary advantages of the approach are. He explained that a passkey is fundamentally a FIDO credential with some new properties. Among the properties highlighted by Cappalli are:

  • Autofill. With Autofill, much like the experience users have today with a password manager, a passkey can be automatically injected into an authentication flow on existing websites.
  • Cross Device Authentication. Instead of a credential being tethered strictly to a single device, passkeys enable a credential to be durable across environments, enabling a phone for example to be able to bootstrap another device or ecosystem.

Championing FIDO adoption at scale

Few professionals have had as much experience deploying FIDO at scale as Marcio Mello, who has led efforts at PayPal, Intuit and eBay.

Mello outlined in great detail the steps that organizations can and should take to support FIDO strong authentication. In his view, the benefits are obvious.

“As soon as we could, we started doing WebAuthn deployment at eBay and saw the benefits almost immediately,” Mello said.

For Mello, passkeys are the next massive step forward as it’s an approach that will reduce consumer friction and hopefully enable adoption at scale. It is fundamentally the ease of use that passkeys promise that is literally the key.

“Consumers expect to see and use a password,” he said. “Yes, everybody’s tired of them, but it’s like smoking, most smokers would like to stop but they can’t, sure they know it’s bad, but you need to have the motivation and a very low bar of ability to be able to drive a habit change.”

FIDO and Zero Trust

In the security world, zero trust is an increasingly common concept that advocates an approach where users and entities need to be constantly validated to limit risks.

For Kurt Johnson, chief strategy officer at Beyond Identity, there is a clear intersection between FIDO authentication and zero trust. After all, a core foundation of zero trust is the need to constantly authenticate users, and if organizations aren’t using strong authentication, that’s a weak link.

Johnson said that with zero trust there is a need to assess and establish a high level of trust in the user identity. That just can’t be done effectively through passwords, and that’s where there is a need for FIDO Certified authentication that’s unphishable.

Helping Amazon’s drive to be customer-obsessed

Amazon operates one of the world’s largest e-commerce sites and it’s also a strong advocate and supporter of the FIDO Alliance.

Yash Patodia, principal product manager, tech, world wide consumer at Amazon, said that his team is always looking to improve usability. One of the efforts to improve has been a move to remove passwords wherever possible. Patodia said that Amazon uses FIDO security keys for its own internal security, which has worked well.

While security keys have worked for Amazon’s own internal needs, he noted that they can be difficult for consumers to adopt. That’s one of the many reasons why he’s particularly excited about passkeys.

“I think it’s a great leap forward from the password, OTP (one time passwords) and the security keys world,” Patodia said. “Some of the benefits I can see for passkey is that it really makes it very easy for the customer to use.”

Making it easier for consumers is critical for Amazon overall as it’s core to the company’s mission.

“We have this term at Amazon we use a lot called customer obsession,” Patodia said. “And this fits perfectly for us in that this is actually a customer obsessed product where we are making it very easy for the customer to do what they want to do.”

PNC Bank looks to protect its users with FIDO

Susan Koski, CISO of PNC Bank, knows all too well the challenges of passwords; that’s why she’s such a strong advocate and supporter of FIDO.

She noted that criminals are going after user passwords in a bid to take over accounts. Among the risks that she is trying to help limit is that of phishable credentials, such as passwords.

“We really do want to reduce those phishable credentials but we do it in a way that a customer wants to use the service,” Koski said. “Balancing security and the customer experience. I think that’s just been a mantra for us in information security in cyberspace for a while.”

Koski said that PNC Bank has embraced FIDO as a way to help move towards passwordless over time. The importance of taking a standardized approach that benefits from the support and participation of a broad array of participants is critical as well.

“Passwords have been around for 50 plus years and it’s time, it’s beyond time for us to move past passwords,” Koski said.

Enterprise guidance for passkeys is on the way

Looking forward, Megan Shamas of FIDO Alliance outlined a series of efforts that are underway to help provide more enterprise guidance for passkeys.

“We will be publishing a group of five papers that address what we hope to be the majority of the use cases that are out there on the enterprise,” Shamas said.

The five papers include:

  • Introduction to passkeys in the enterprise
  • How to replace password-only authentication with passkeys
  • How to displace password + SMS OTP authentication with passkeys
  • FIDO authentication for moderate assurance use
  • High Assurance Enterprise FIDO Authentication

“If you would like to be part of the conversation around enterprise requirements, please do get in touch with us,” Shamas said. “This is the time now really to give your input on how we’re looking at passkeys from an enterprise perspective.”

Registrants can now view the event recording online. If you missed the event and would like to view the recording, visit the event website to register for access.

SK Telecom announces adoption of passkeys for online users in Korea https://fidoalliance.org/sk-telecom-announces-adoption-of-passkeys-for-online-users-in-korea/ Sun, 26 Mar 2023 23:03:06 +0000 https://fidoalliance.org/?p=40156 By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance SK Telecom, a leading mobile phone service provider in Korea, is taking a big step forward in terms of user […]

The post SK Telecom announces adoption of passkeys for online users in Korea appeared first on FIDO Alliance.
By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

SK Telecom, a leading mobile phone service provider in Korea, is taking a big step forward in terms of user authentication by adopting passkeys for their online users. 

Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing resistant. They eliminate the need for users to remember complex passwords and the authentication process is much faster. Passkeys are based on FIDO authentication, which is proven to be resistant to threats of phishing, credential stuffing and other remote attacks. 

SK Telecom has introduced passkeys as a means of user authentication to PASS, their identity verification service with over 18 million users. Customers using devices running iOS 16 or higher can use passkeys for PASS login, identity verification through PASS, and electronic signature. Depending on the device, user authentication is performed using Face ID or Touch ID. Android users can now use FIDO2-based authentication methods and perform authentication by utilizing screen locks (biometrics, PINs, patterns, etc.) provided by their devices. In the future, SK Telecom plans to make sign-ins with passkeys available to Android users as well. SK Telecom will introduce new user scenarios in a variety of ways to better protect customers’ assets and identity through the introduction of passkeys.

[Passkey Registration Process on SK Telecom PASS]

SK Telecom developed support for passkeys through cooperation with platform operators, and the FIDO authentication server for processing sign-ins with passkeys was developed with SK Telecom’s own technology. By actively introducing passkeys not only in PASS but also in various services provided by SK Telecom, they hope that many customers who use SK Telecom services will be able to use the service more conveniently and without worrying about security.

This deployment represents a new milestone in SK Telecom’s journey with FIDO. In 2019, during the FIDO Alliance Public Seminar in Korea, SK Telecom reported zero credential stuffing once the company adopted FIDO Authentication for internal usage. They also claimed that their FIDO-based biometric authentication reduced the average authentication time to less than 5 seconds, down from more than 30 seconds on average when internal users logged in with ID and passwords. It is great to see that they continue to innovate and now provide the benefits of FIDO Authentication to the general public.

Through this milestone, many users in Korea will be safe from various threats stemming from passwords, and SK Telecom’s movement as an innovator will have a positive impact on spreading password-less authentication not only in Korea but also globally.

To learn more about SK Telecom, please visit their corporate website. You can also download the PASS apps by visiting the App Store or Google Play.

Yahoo! JAPAN announces support for passkeys across available platforms https://fidoalliance.org/yahoo-japan-announces-support-for-passkeys-across-available-platforms/ Tue, 14 Mar 2023 15:02:42 +0000 https://fidoalliance.org/?p=39946 By Andrew Shikiar, Executive Director and CMO, FIDO Alliance  Yahoo! JAPAN is an industry pioneer known for being an early adopter of new technologies to improve the security and usability […]

The post Yahoo! JAPAN announces support for passkeys across available platforms appeared first on FIDO Alliance.
By Andrew Shikiar, Executive Director and CMO, FIDO Alliance 

Yahoo! JAPAN is an industry pioneer known for being an early adopter of new technologies to improve the security and usability of its services for its customers. Today, the company is continuing that tradition with its adoption of passkeys across Apple’s iOS, iPadOS and macOS, and Google’s Android operating systems.

“Yahoo! JAPAN is one of the first companies to support passkeys from Apple and Google,” said Yuya Ito, ID Division, Yahoo! JAPAN. “Passkeys solve the usability issues that FIDO authentication has traditionally faced and dramatically improve users’ difficulties in using FIDO authentication. Through these initiatives, Yahoo! JAPAN and the FIDO Alliance will promote the shift away from passwords and the spread of passkeys and contribute to providing more secure and simple authentication on the Web.”

Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant. Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.

Passkeys stand to fundamentally shift the way that consumers sign into apps and services across the web and across the world, moving away from the burden and vulnerabilities of passwords and OTPs to a fundamentally stronger and simpler approach that allows users to sign in by taking the same action they use to unlock their device dozens of times each day – typically a biometric or local PIN code.

According to Yahoo! JAPAN, more than 70% of its active users use either SMS or FIDO-based biometric passwordless authentication. With passkeys, Yahoo! JAPAN’s customers can access their FIDO sign-in credentials on many of their devices, even new ones, without having to re-enroll every device on every account. 

By enabling its users to sign in with passkeys, Yahoo! JAPAN continues to serve as a leading innovator in Japan and in the FIDO Alliance, where it has played a vital role on the Alliance’s Board of Directors, the FIDO Japan Working Group and other FIDO Alliance bodies.

Read Yahoo! JAPAN’s announcement here.

FIDO Alliance Announces Authenticate 2023 Conference https://fidoalliance.org/fido-alliance-announces-authenticate-2023-conference/ Thu, 23 Feb 2023 12:59:33 +0000 https://fidoalliance.org/?p=39803 Premier authentication conference returns for fourth year; call-for-speakers open CARLSBAD, CALIF, February 23, 2023  —  The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference […]

The post FIDO Alliance Announces Authenticate 2023 Conference appeared first on FIDO Alliance.

Premier authentication conference returns for fourth year; call-for-speakers open

CARLSBAD, CALIF, February 23, 2023  —  The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins. 

Authenticate 2023, featuring signature sponsors Google, Microsoft, and Yubico, will be held October 16-18, 2023 at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego. Visit our website for information on submitting a speaking proposal and becoming a sponsor.

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fourth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

Last year’s conference sold out for in-person attendance, welcoming over 950 total attendees in Seattle and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 30 industry-leading exhibitors and sponsors.

Authenticate 2023 will build upon this strong foundation and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and engaging networking opportunities. 

Authenticate Call For Speakers

The Authenticate 2023 conference program committee has opened its call for speakers. Authenticate provides speakers with an opportunity to increase their industry reach and visibility by educating attendees on in-market approaches for deploying modern authentication solutions.  

The committee is looking for vendor-neutral, educational presentations that focus on authentication strategies and best practices. Submissions can span all aspects of authentication implementations from initial research and business case development through piloting to rollout and beyond. Perspectives on global trends and considerations for user authentication should also be submitted. The committee is looking for a variety of session types and formats including main stage storytelling, introductory “101’s”, detailed case studies, technical tutorials, hands-on labs, and thought-provoking panels.

Diverse, global perspectives and presentations that focus on the following topic areas are welcome: 

  • Authentication trends & insights 
  • Modern authentication case studies & implementation strategy
  • Hands-on implementation guidance and best practices 
  • Government impact on authentication

Other topic areas related to authentication will also be considered. Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. Product and sales pitches will not be accepted.

The Authenticate Call for Speakers closes on March 31, 2023. To submit an application, please visit https://authenticatecon.com/authenticate-2023-call-for-speakers/.

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is also now accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please view the prospectus.

Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to authenticate@fidoalliance.org.

Signature sponsors for the 2023 event are Google, Microsoft, and Yubico.

About Authenticate

Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2023 will be held October 16-18, 2023 and will be co-located with the FIDO Alliance’s member plenary (running October 17-19) at the Omni La Costa Resort in Carlsbad, CA, just north of San Diego, with a bigger footprint for more attendees, sessions for all levels, a larger expo hall for companies bringing passwordless to fruition, and added opportunities for networking with your peers.

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2023 will have the right content – and community – for you. 

Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, sign up for the newsletter.

Authenticate Contact

authenticate@fidoalliance.org   

PR Contact 

press@fidoalliance.org

FIDO Alliance Awards Winner and Top Finalists of Developer Challenge – India
https://fidoalliance.org/fido-alliance-awards-winner-and-top-finalists-of-developer-challenge-india/
Mon, 06 Feb 2023 20:08:17 +0000

By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

The FIDO Developer Challenge 2022 – India has come to a successful close with the award ceremony held on January 20th, 2023, at the Samsung R&D Institute in Noida. The challenge aimed to educate and support local adoption of FIDO technology.

First place was awarded to MonitorExam for their innovative FIDO-based online exam proctoring system. AyanWorks, with their FIDO-based SSI wallet, and AllSafe, a team of students with a FIDO-based SSO service, were also recognized as the other two top finalists.  For the full details of ideas presented by the top three finalists, please view the recorded sessions:

We would like to extend our gratitude to our sponsors, including Visa, Samsung, Infineon, Ensurity, TrustKey, and Octatco, for their support in making this event a success.

Departing Thoughts

The Indian government agencies, including Data Security Council India (DSCI), our local liaison partner, and the Controller of Certifying Authorities (CCA), which officially endorses FIDO as the 2nd factor authentication, are dedicated to promoting robust and user-friendly cybersecurity measures. We are confident that the India-focused FIDO Developer Challenge has made a positive impact by empowering local developers to rapidly deploy FIDO-based services, which provide enhanced protection against phishing-related cyber-attacks while maintaining ease of use for all online users.

Editor’s Note: This is the final blog posting covering the 2022 FIDO Developer Challenge – India. We invite you to read the announcement message to learn more about the background and processes.

Recap: 2023 Identity, Authentication and the Road Ahead #IDPolicyForum
https://fidoalliance.org/recap-2023-identity-authentication-and-the-road-ahead-idpolicyforum/
Mon, 30 Jan 2023 15:46:18 +0000

By: FIDO staff

The identity landscape is set to undergo tremendous transformation in 2023 as lawmakers and regulators alike struggle to help protect individual privacy and improve access to services and the digital economy. A primary underpinning for what will enable the new identity landscape is strong authentication.

On Jan. 25, the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC) co-hosted the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum in Washington, D.C. to discuss the challenges and opportunities of identity and authentication. 

The full-day event included sessions loaded with data on the current state of data breaches, presentations by government leaders, panels on the state of passkeys and the path toward better identity in 2023 and beyond. A key theme that was often repeated throughout the day, by experts from government and industry alike, was the complexity of the identity landscape and the need for more collaboration and interoperable standards.

“A lot of our ability to make progress on the set of problems starts with a bigger issue, the recognition that identity is critical infrastructure and needs to be treated as such,” Jeremy Grant, Managing Director, Technology Business Strategy at Venable LLP and Coordinator, Better Identity Coalition said during his opening remarks for the event.

“Until we start to think about identity that way we’re going to continue to struggle to address challenges in this space.”

Identity risk continues to grow

In the opening keynote session, Jimmy Kirby, Acting Deputy Director of FinCEN (Financial Crimes Enforcement Network), outlined the identity-related issues his agency has seen in recent years.

Kirby said that in recent years financial services have been increasingly migrating towards a primarily online environment. It’s a trend that creates new opportunities for abuse. As a result, FinCEN has been thinking about how it can leverage all of the data that financial institutions send to it to help stem the tide of abuse. He noted that identity-related suspicious activity reports (SARs) submitted to FinCEN grew more than 15% from 2021 to 2022.

According to Kirby, reports of threats at each stage of the customer identification process continue to grow from the proofing and enrollment stage to the authentication stage, including the use of compromised credentials, impersonation and artificial intelligence to conduct illicit finance.

While there are challenges, there are also opportunities.

“We see opportunities for digital identity to address customer identification breakdowns in customer onboarding, account logins, transaction monitoring, as well as in investigations,” Kirby said. “There are a number of features of a digital identity framework that, taken together, have the potential to address threats and spur innovation across all types of financial services.”

FinCEN isn’t the only organization seeing a spike in cybercrime. James Lee, COO of the ITRC (Identity Theft Resource Center) presented data from his organization’s annual data breach report. Among the top line highlights of the report is that there were 1,802 data breaches during the year impacting over 422 million victims.

Lee commented that a prevailing trend was an increase in supply chain attacks as a preferred attack vector over just malware. He also emphatically complained about the lack of information present in many data breach disclosures. Lee said that 66% of data breaches did not include information about the root cause of the attack which led to the breach or any victim details.

In a panel session, titled “Data Breach Notices Suck,” John Breyault, Vice President, Public Policy, Telecommunications and Fraud at National Consumers League (NCL) lamented the current state of password usage, which inevitably is a root cause for many data breaches.

“I have been doing consumer education work for 15 years now at NCL, and not a day goes by it seems that I don’t tell consumers to not use the same password across multiple accounts,” Breyault said.

Towards the U.S. Government plan on secure digital identity

In a lunchtime keynote, Congressman Bill Foster (IL-11), outlined his view on Congressional efforts to introduce a secure digital identity policy for the U.S. 

Foster emphasized time and again during his keynote that secure digital identity needs to be a bipartisan effort in the U.S. Congress as it’s an issue that impacts all Americans. While he noted that there might be some concerns about the U.S. government having a database of user identities that it issues, he argued that to most people, the real life threat to their privacy comes more from having someone impersonate them online.

The lack of secure digital identity may have also been a factor in the massive volume of fraud experienced by the U.S. government over COVID benefits. Conversely, the fact there wasn’t a secure digital identity scheme in place may have made it more difficult than necessary for some to be able to get benefits. Overall, Foster said that he’s hopeful Congress can put something together.

“It can serve as a gentle reminder that the government does some good in your life,” Foster said. “One of the things that we could do a much better job with is preventing identity fraud, because that’s a real life pain for tens of millions of Americans every year.”

Bias and diversity is a requirement of digital identity

In multiple sessions over the course of the event, the topic of fairness, bias and diversity in relation to digital identity was discussed.

Jordan Burris, VP and Head of Public Sector Strategy at Socure commented that in his view, bias a lot of times comes down to the reality that an identity approach is taken that is solving for the majority of the population, and as such, the minority or those who operate on the fringes are being left out of the ecosystem.

Andrew Stettner, Deputy Director for Policy at the Office of Unemployment Insurance Modernization at the U.S. Department of Labor argued that his agency and the entire administration are taking equity in identity very seriously.

“We’re looking at equity in a much more conscious way, for us is a very key element of identification going forward,” Stettner said.

Why FIDO is critical for better identity

A critical element of secure identity is having strong authentication.

In a keynote session, Andrew Shikiar, Executive Director and CMO of FIDO Alliance, outlined the ways that FIDO is playing a role in helping to improve the state of identity today across multiple efforts. He also predicted that FIDO will become increasingly relevant in the year ahead.

“The average person on the street will start to understand what identity verification means, and actually start to understand what digital identity means,” Shikiar said. “That’s a net benefit because the more people understand what their identity means, and the importance of it, the more steps they’ll take to actually protect it.”

Among the FIDO efforts to help improve identity outlined by Shikiar are:

  • Biometric performance criteria. This is a biometric certification program, where FIDO helps to assess the performance of different biometric components that are critical to identity verification.
  • Remote Identity Verification. This includes the Document Authenticity (DocAuth) Certification for mobile document verification, with ongoing work into face verification for liveness and selfie-match.

Shikiar also talked at length about passkeys, which bring added usability to FIDO-based strong authentication.

“FIDO Alliance’s mission is to reduce the industry reliance on passwords,” Shikiar said. “Simply put, passkeys stand to take passwords out of play for the vast majority of consumer use cases.”

The passkey future for authentication

In a panel session on passkeys, panelists discussed the benefits and opportunities that passkeys will bring.

Tim Cappalli, Identity Standards Architect at Microsoft detailed what passkeys enable, including the ability to take a FIDO credential and use it in a similar way to how password managers work today. Passkeys can also be synchronized with a cloud provider and are interoperable across platform vendors enabling better usability overall.

Panelists emphasized that the promise of passkeys is to more easily enable users to benefit from strong authentication. Christiaan Brand, Product Manager, Identity and Security at Google explained that Google has been supporting FIDO for years, including supporting security key based approaches. In his view, passkeys represent the usability necessary to actually make strong authentication with un-phishable credentials a reality for Google’s users.

Usability was also a theme that Paul Grassi, Principal Product Manager – Identity Services at Amazon, emphasized, since in his view, past efforts to get strong authentication adoption haven’t been entirely successful.

“It breaks my heart to say it but consumers are not adopting security keys, they’re not adopting Google Authenticator they’re not adopting two-factor,” Grassi said. “We’re excited to see passkeys as that replacement, and to see the adoption numbers skyrocket, reducing friction while increasing security, which is, I think, the goal of any security practitioner.”

The recording of the full event is available here.

Momentum for FIDO in Japan Grows as Major Companies Commit to Passwordless Sign-ins with Passkeys
https://fidoalliance.org/momentum-for-fido-in-japan-grows-as-major-companies-commit-to-passwordless-sign-ins-with-passkeys/
Fri, 09 Dec 2022 03:28:06 +0000

Yahoo! JAPAN, KDDI and NTT DOCOMO have adopted or committed to passkeys

TOKYO, December 9, 2022 – Global, industry-wide commitment is bringing the passwordless future closer to reality, FIDO Alliance members shared today at the first in-person FIDO seminar in Japan since December 2019. During the seminar, leading organizations shared major updates that will further the Alliance’s mission to replace passwords with simpler and stronger authentication. 

A significant milestone came last May when Apple, Google and Microsoft announced plans to expand support for FIDO with passkeys, a phishing-resistant replacement for passwords that provides faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Passkeys can be leveraged across devices and platforms to offer an end-to-end passwordless sign-in option, or bound to a particular device such as a FIDO security key for high-assurance use cases. Passkeys are supported today in iOS 16, macOS Ventura, Android and ChromeOS, with Windows coming soon.

Notably, global service providers such as PayPal have expanded their FIDO support and are offering passkey sign-ins, while early FIDO adopters in Japan have announced passkey commitments or adoption as their next steps towards passwordless:

  • Yahoo! JAPAN has been working on passwordless initiatives with FIDO since 2015, and more than 38 million active users in 2022 are signing in without passwords. Yahoo! JAPAN now supports passkeys on iOS, iPadOS and macOS.
  • KDDI first launched FIDO in 2020 for its au ID platform with more than 30 million customers. Now au ID is accessible with passkeys on iOS and FIDO2 on Android.
  • NTT DOCOMO has been a leader both within and outside FIDO Alliance beginning with its Board appointment in 2015 and is the first mobile operator to deploy FIDO authentication at scale. DOCOMO has announced its intention to support passkeys for its more than 50 million d ACCOUNT users beginning in early 2023.

“From the very beginning of the FIDO Alliance, Japan has been a global hub of innovation, support and deployments of FIDO authentication. It is not a surprise that several leading organizations in the region will be some of the first globally to offer their customers FIDO sign-ins with passkeys,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This is illustrative of our global membership’s commitment to the passwordless future, and their collaboration to maximize the reach, usability and security of FIDO authentication.” 

Within the FIDO Alliance’s 250+ members, 58 actively take part in the FIDO Japan Working Group, now beginning its 7th year working together to spread awareness and adoption of FIDO in the region. 

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Authenticate Summit Recap: The FIDO Fit in IoT
https://fidoalliance.org/authenticate-summit-recap-the-fido-fit-in-iot/
Thu, 08 Dec 2022 19:57:32 +0000

By: FIDO Staff

The Internet of Things (IoT) is an increasingly critical and difficult area of IT to secure.

At the Authenticate Virtual Summit: The FIDO Fit in IoT, held on Dec. 7, a series of experts outlined FIDO Alliance efforts to help device manufacturers and developers better secure IoT. A key theme of the event was understanding how the FIDO Device Onboarding (FDO) specifications can help improve IoT security.

David Turner, director of standards development at FIDO Alliance, kicked off the event by noting that passwords remain a large problem across the IT industry. The challenge of passwords is compounded with IoT devices, which scale into the millions and potentially billions of devices. Password re-use is one such challenge and can be a huge problem with IoT. If a system ships with a default password, it can be trivially easy for attackers to exploit.

“Hackers don’t break into IoT, they log into it,” Turner said.

One way to help secure IoT is with the FIDO Alliance’s FDO standard. Turner explained that FDO is an open standard that allows organizations to quickly and securely onboard IoT devices.

Small things, big impact: The path to FDO

Rolf Lindemann, director of product at Nok Nok and one of the leaders of the FIDO Alliance IoT Technical Working Group, explained that FIDO authentication standards are applicable to users as well as device authentication.

Lindemann said that there is a clear need for a strong foundation to help secure IoT. The first step is to have hardened hardware elements at the CPU level, including things like TPMs, TrustZone and SGX, which are provided by the silicon vendors. The next critical step is to add device-level attestation to help with supply chain integrity, which also helps to reduce the complexity of device onboarding. The third step is to have strong authentication that ensures only legitimate entities get access.

“To make the IoT ecosystem more secure, you need strong authentication that’s the front door providing phishing resistance and being still practical for daily large scale use,” Lindemann said.

How FDO tackles the onboarding challenge

The challenge of onboarding is where the FDO specifications come into play.

Richard Kerslake, general manager of industrial controls and robotics, IoT business unit at Intel, explained that onboarding is the process by which a device can establish a trusted connection with a service or platform.

“We have an IoT device, it’s going to connect to a platform or service and we just need to be sure that everyone in that equation is who they say they are,” Kerslake explained. “Is the device talking to the platform that it thinks it is talking to, and is the platform talking to the device that it thinks it is talking to. So we really need to make sure that both sides of that equation are true.”

Onboarding today is often a very manual process. The promise of FDO is an automated approach that benefits from strong authentication. Kerslake explained that in December 2019 the decision was made to base the FDO specification on Intel’s Secure Device Onboard technology. The FDO 1.0 specification was released in March 2021 and updated to version 1.1 in April 2022.

Going a step beyond just the specifications, FIDO has worked with the Linux Foundation’s LF Edge project, which has an open source implementation of FDO.

Going for a deep dive with FDO

There is a fair amount of nuance and details that go into the FDO specification.

In a deep dive session, Geoffrey Cooper, principal engineer, IoTG at Intel, explained the workflow, technical specification and procedures that enable FDO implementations.

Cooper explained that, for example, if a device is drop-shipped to a location and the device gets powered up and connected to the network, the goal with FDO is to enable that device to figure out who it’s supposed to connect to with proper authentication, set everything up, and then go right into service.

“The idea is we’re taking something that was a very heavy touch kind of operation that we’re turning it into a zero touch operation,” Cooper said.

Enabling that zero-touch approach with FDO involves a series of protocols that are part of the specification. The protocols include device initialization and onboarding components. There is also a concept known as the FDO Service Info Module (FSIM) that provides an extension mechanism to help support devices.

In a robust Q&A session during the Authenticate virtual event, attendees asked a wide variety of questions.

Among the questions was one about what’s needed to help spur adoption for FDO.  Kerslake said there are companies today in different industry verticals including the energy sector, where operators are saying they will not proceed with bringing in new devices without an automated secure onboarding solution.

There are also a growing number of industry solutions that support FDO. Megan Shamas, senior director of marketing at the FIDO Alliance, said that by developing FDO in an industry standards body there are lots of opportunities for collaboration and promotion as well.

“We are in the midst of creating an implementer showcase, which should be live on the website soon,” Shamas said.

The path toward FDO certification

Looking beyond just the FDO specification there is also a need for certification, which is something the FIDO Alliance is now working on.

Paul Heim, director of certification at FIDO Alliance, said that product certification ensures standardization and interoperability of products within an industry. He added that one of the most important factors about certification is that it helps to ensure consumer, enterprise, and industrial protection. The lifecycle for FDO certification includes both functional and security certification.

“The FIDO device onboard certification program is intended to certify IoT devices and onboarding services certification that will be available for both FIDO members, and non-members,” Heim said.

The certification effort is still in development with a program launch set for the first quarter of 2023.

FIDO Alliance Provides Guidance on Making FIDO Deployments Accessible to People with Disabilities
https://fidoalliance.org/fido-alliance-provides-guidance-on-making-fido-deployments-accessible-to-people-with-disabilities/
Thu, 08 Dec 2022 14:48:54 +0000

By Christina Hulka, executive director and COO of the FIDO Alliance

FIDO Authentication has reached broad support across the web – all major operating systems, browsers and billions of devices support FIDO Authentication today. Having reached such a milestone and the resulting FIDO roll outs from a broad array of service providers, the FIDO Alliance is increasingly focused on ways to make FIDO Authentication more usable and accessible for all. 

In achieving FIDO Alliance’s mission of more secure and password-free authentication, we must ensure that we meet the needs and preferences of people with disabilities. Today, we are pleased to announce the publication of “Guidance for Making FIDO Deployments Accessible to Users with Disabilities,” to provide guidance on planning FIDO deployments that are accessible to users with a wide range of disabilities. It also aims to help hardware manufacturers identify opportunities to deliver more accessible external authenticators.

An estimated 15% of the world’s population lives with some sort of disability today, and in many countries, laws prohibit discrimination to help ensure that these people can fully and equally participate in every aspect of society. Authentication is an important component of the ability to participate, as it provides digital access to many aspects of society including (but not limited to) education, employment, and entertainment. While legacy forms of multi-factor authentication (MFA) like SMS or email codes are technically “accessible,” they often require advanced skill, knowledge and/or assistive technology to enter the codes. FIDO, with its stronger and simpler authentication model, is well positioned to provide accessible authentication, as it supports a wide range of options that accommodate vastly diverse needs. The paper released today details why, and considerations for, deploying FIDO with the needs of people with disabilities in mind. We strongly encourage service providers to reference these guidelines in planning their FIDO deployments.

Much work and collaboration went into this paper. We would like to thank Yao Ming of Meta for his extensive work as lead author on this paper. We’d also like to thank Joyce Oshita of VMware for her contributions, including providing her own experiences leveraging various authentication methods, including FIDO, as a person who has lost her eyesight. 

In addition to the white paper, Yao and Joyce will be joining us on December 15, 2022 at 2pm ET for a webinar to discuss their perspectives on this topic. To attend the webinar, register here.

The paper is available here; feedback is always appreciated – please drop a line at info@fidoalliance.org.  

Raconteur 2022 Report: Authentication & Digital Identity
https://fidoalliance.org/raconteur-authentication-digital-identity/
Wed, 30 Nov 2022 15:41:11 +0000

Insight: Sharing cybersecurity successes and failures leads to improvement – Andrew Shikiar, executive director and CMO at the FIDO Alliance, explains why a culture of secrecy surrounding cybersecurity is holding back progress

If your organisation were hit by a cyber attack, would you tell anyone?

Historically, the answer would be an unequivocal no. Many believe that sharing that you were a target exposes your company’s (or your personal) vulnerabilities, making you more susceptible to further attack or ridicule. But this ‘security by obscurity’ mindset is not only outdated, it hinders the industry’s ability to harden our collective defences, most notably by eliminating our dependence on passwords and other knowledge-based credentials. 

While this year saw a 5%-7% drop globally in the use of passwords for entry, it is still by far the most popular online authentication method, which is a big problem. Passwords are not only highly insecure, but they also cause major consumer headaches and are costing businesses; 59% of consumers gave up on accessing an online service and 43% abandoned a purchase when asked for a password in the past month. More than 82% of data breaches are caused by weak or stolen login credentials. 

The benefits of multi-factor authentication (MFA) are widely reported but many firms have been sheepish about sharing their adoption figures. 

This may be because the figures weren’t great. Twitter revealed its two-factor-authentication adoption figures last summer, revealing that just 2.3% of accounts had it enabled. Of those, 80% relied on SMS-based backup, the least secure mode. Communicating this doesn’t make Twitter any less secure. Instead, it sets a powerful benchmark for improvement, and gives the industry a reality check that considerable work remains to get more customers using MFA. 

Other organisations to be applauded are Cloudflare and Twilio. The two cloud computing giants recently reported that they were targeted by a near-exact phishing attack. Employees were targeted with a text message from a supposed IT department, directing them to a fake website requesting a password change. Neither Twilio nor Cloudflare’s monitoring systems detected the attack, and, as you’d expect, some employees were caught off-guard and shared credentials. 

While Twilio fell victim to the attack (along with dozens of other companies), Cloudflare’s employees were protected because they use Fast IDentity Online (FIDO) security keys which are tied to users. Origin binding also prevented any credentials from being shared. Since the incident, Twilio has followed Cloudflare’s lead, as it shared in its updated incident report. This is a great example of how sharing successes and failures alike leads to improvement on the whole.

At the FIDO Alliance, we’re working with the world’s leading tech companies and consumer service providers to solve this challenge. Together, we’ve created technology that’s increasingly cited as a ‘gold standard’ by governments, including the US’s cybersecurity body, CISA, and the UK’s National Cyber Security Centre. 

To best defend against cyber attacks, organisations should take inspiration from the Twilio and Cloudflare story and build in security protocols that are phishing-resistant. These protocols are often implemented with USB keys or built-in biometric authentication on devices, and can be added as a critical layer of security to both an organisation’s own network and information, and for customers accessing its services. 

Of course, the work we do at the FIDO Alliance, creating and implementing new technology, is an important part of moving the world away from passwords and other weak forms of legacy authentication – but it isn’t the most critical piece. Industry-wide commitment to creating intuitive and common user journeys, underpinned by architectural best practices, will enable the kind of cultural shift and mass adoption of this technology that will be required if we want to remove passwords from our daily lives. 

Collaboration and transparency are key ingredients that raise the bar for all involved – including for hackers, who need to have a far harder time executing remote attacks.

FIDO Alliance Announces Authenticate Virtual Summit focused on Securing IoT https://fidoalliance.org/fido-alliance-announces-authenticate-virtual-summit-focused-on-securing-iot/ Tue, 22 Nov 2022 14:24:35 +0000 https://fidoalliance.org/?p=38669 Industry experts to share insights into how FIDO and related technologies can bring passwordless authentication to IoT Mountain View, Calif., November 22, 2022 – The FIDO Alliance today announces its […]

The post FIDO Alliance Announces Authenticate Virtual Summit focused on Securing IoT appeared first on FIDO Alliance.

Industry experts to share insights into how FIDO and related technologies can bring passwordless authentication to IoT

Mountain View, Calif., November 22, 2022 – The FIDO Alliance today announces its latest Authenticate Virtual Summit: Securely Onboarding All the Things: The FIDO Fit in IoT, sponsored by Daon and Nok Nok. Responding to rising industry demand for more insight into the role of FIDO and passwordless technology in IoT, the free event will offer attendees expert perspectives and education from leading industry organizations and solution providers on strengthening authentication in IoT. The program will take place virtually on December 7, 2022, from 8:00am – 12:00pm PT, and will be made available to registrants on-demand following the event.

Lack of IoT security standards and outdated processes, such as shipping with default password credentials and manual onboarding, leave devices and the networks they operate on open to large-scale attacks. As the IoT market continues to grow, projected to surpass the $1 trillion mark in 2022, the FIDO Alliance formed the IoT Technical Working Group to address these challenges – aiming to provide a comprehensive authentication framework for IoT devices relying on passwordless authentication. 

Launched in 2021, the FIDO Device Onboard (FDO) specification is the working group’s first output: an open IoT standard which enables devices to simply and securely onboard to cloud and on-premise management platforms. The upcoming virtual summit will delve into this specification and FIDO’s role in IoT with speakers from Intel, Qualcomm, FIDO Alliance and more:

  • Introduction: The FIDO Fit in IoT
  • Introduction to FIDO Device Onboard
  • FIDO Device Onboard: Technical Deep Dive
  • FDO Demo
  • FDO Case Study
  • FDO Certification 101

Register for the event here

Sponsorship Opportunities 

The Authenticate 2022 Virtual Summit series is accepting applications for sponsorship, offering a number of lead generation and brand visibility opportunities. Visit the Authenticate sponsorship page for more information or contact authenticate@fidoalliance.org.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact
press@fidoalliance.org

Authenticate 2022: Day 3 Recap https://fidoalliance.org/authenticate-2022-day-3-recap/ Fri, 21 Oct 2022 00:44:13 +0000 https://fidoalliance.org/?p=38228 By: FIDO Staff The final day of the Authenticate 2022 conference was packed with user stories, thought leadership and panel discussions about the challenges and opportunities for FIDO strong authentication […]

The post Authenticate 2022: Day 3 Recap appeared first on FIDO Alliance.

By: FIDO Staff

The final day of the Authenticate 2022 conference was packed with user stories, thought leadership and panel discussions about the challenges and opportunities for FIDO strong authentication today and in the years to come.

The first user story of the day was from global science and technology company EMD Group / Merck KGaA, which is now using FIDO to help improve its own authentication system. Dennis Kniep, domain architect for identity and access management at the company, explained that his team’s mission is to help secure the company, an effort in which he sees FIDO as playing a major role.

A challenge that EMD Group / Merck KGaA faced with its implementation of FIDO is that there were a number of legacy applications and services that did not support modern web standards.

“We developed the detach authentication mechanism,” Kniep explained. “With that mechanism the users are able to authenticate with FIDO in a phishing resistant way, even if the user needs access to apps with legacy backends, meaning we can enforce FIDO.”

Equity and inclusion matter

A recurring theme through the Authenticate 2022 conference is the need for equity and inclusion.

One panel on the topic looked specifically at the issue of inclusiveness in authentication and identity systems. Jamie Danker, senior director of cybersecurity services at Venable LLP, commented that when solving a problem, the makeup of the group trying to solve it will have an impact on the solution.

Danker noted that a recent equity and inclusion study completed by the U.S. government’s General Services Administration (GSA) provides some real empirical data on how remote identity proofing solutions will actually operate.

Danker also mentioned the NIST digital identity guidelines, which are currently being updated to revision 4. She noted that NIST has been very clear that equity considerations are going to be part of that.

Security is more than just the web interface

FIDO strong authentication helps to provide authentication into many different types of systems, but it’s not a ubiquitous option for all types of access.

“Everybody’s talking about web and mobile, and nobody’s talking about the contact center,” John Poirier, Lead Director – EIS at CVS Health said.

Poirier explained that when a password doesn’t work, or a user can’t get access, they will call into a contact center for help. He emphasized that there is a need to make sure there are security policies, procedures and technology in place at contact centers that secure access without introducing too much friction.

The idea of extending strong authentication to all types of devices was also discussed by Chad Spensky, CEO of Allthenticate and his co-founder and COO, Rita Mounir.

“The FIDO protocol right now only talks to websites and computers,” Spensky said.

Spensky wants to help bring strong authentication to all types of devices and access ranging from cars, to office doors and everything in between.

Navigating the authentication landscape

In a thematic presentation, Pamela Dingle, director of identity standards at Microsoft, spoke like a pirate and warned about passengers falling off the boat. 

The analogy of the boat is that of helping passengers safely get to their destination, which isn’t always an easy task. Dingle said that Microsoft blocks more than 1,000 password attacks every second, and outlined the multiple reasons why passwords are a weak link. She emphasized that users should wear a life jacket, which in the real world translates into using multi-factor authentication (MFA).

While there are risks with MFA, Dingle said it’s the right first step for many, until they are able to move to phishing resistant strong authentication with FIDO.

“Out of 10,000 compromised accounts, only one will be an MFA credential attack,” she said. “It’s really important to understand the difference in risk between being vulnerable to a password attack, and being vulnerable to an MFA bypass attack.”

That said, she noted that what makes phishing-resistant credentials so great is that they are not susceptible to the same predictable behaviors that make MFA vulnerable. Dingle also noted that she’s very optimistic about the potential for passkeys.

“If we get it right, passkeys become the seat cushion that becomes a flotation device for our passengers,” she said.

Earning Trust in Identity at Scale

With one of the largest ecommerce and cloud platforms in existence, Amazon has a real need for strong authentication, and it is increasingly relying on FIDO for those needs.

Sarah Cecchetti, head of product for Amazon Cognito, explained that identity is handled by the platform team within Amazon Web Services. She noted that identity needs to have a consistent security and usability bar for every service at AWS. To that end, AWS has built out a modular, but centralized approach that uses FIDO.

Arynn Crow, Senior Manager, User Authentication Product at AWS, said that her company has invested really heavily into FIDO2.

“We continue to invest because fundamentally we believe that FIDO supports greater flexibility,” Crow said. “We have fewer trade-offs between our user’s experience and their security.”

Usability is the key to strong authentication adoption

In a panel session on usability, a key theme that emerged is the foundational need for good usability in order for FIDO adoption to grow.

Judy Clare, vice president, product manager, digital authentication at JP Morgan Chase commented that it’s critical to put strong authentication messages and workflow in the right tone. 

“The right wording and to make it clear, simple and understandable for the average user is very important so that you’re not ostracizing anybody by using all technical jargon,” Clare said.

The need for clear language was echoed by Sierre Wolfkostin, senior product designer at Duo Security. Wolfkostin said that it’s hard to adopt what you can’t understand. 

“Getting to simple human language is really important,” Wolfkostin said.

Usability is also about making sure there is a vibrant ecosystem of vendors and technologies that can help businesses small and large to actually implement FIDO strong authentication in the first place. 

In the closing panel of the event, Christiaan Brand, product manager at Google, commented that while well-staffed organizations might be able to implement strong authentication and passkey options on their own, many other organizations will need help. It’s a situation much like any other enterprise technology where organizations make use of consultants and service providers to implement complex technology.

Bob Lord, senior technical advisor at CISA, argued that the best thing to do is to just start with FIDO. He emphasized that organizations should focus on what they can do, not what they can’t.

“I think there’s a lot of hesitation at starting,” Lord said. “I think a lot of misconceptions out there would go away if they were to just start the journey, they would find their misconceptions are wrong.”

Next year in San Diego

In the closing session, Andrew Shikiar, executive director of the FIDO Alliance highlighted the key themes of the event.

Those themes are that deployments are real and organizations can and should start today. Usability was another strong recurring theme, as a key to helping to ensure adoption. The concept of security by community also resonated at the conference, with users sharing lessons learned with each other.

In the final analysis, Authenticate 2022 was a stellar success with 90 sessions, spread across three tracks and three days of content.

For next year’s event, Authenticate 2023 will be moving to San Diego.

Authenticate 2022: Day 1 Recap https://fidoalliance.org/authenticate-2022-day-1-recap/ Wed, 19 Oct 2022 17:25:33 +0000 https://fidoalliance.org/?p=38213 By: FIDO Staff The Authenticate 2022 conference got underway on Oct. 17 with a stellar lineup of speakers that included enterprises, service providers and government agencies, all gathered to talk about the […]

The post Authenticate 2022: Day 1 Recap appeared first on FIDO Alliance.

By: FIDO Staff

The Authenticate 2022 conference got underway on Oct. 17 with a stellar lineup of speakers that included enterprises, service providers and government agencies, all gathered to talk about the current and future state of strong authentication.

The opening session was led by FIDO Alliance Executive Director and CMO Andrew Shikiar, who detailed the progress that has been made this past year. Among the highlights mentioned by Shikiar was the launch of passkeys.

The FIDO Certified Professional program also got underway in 2022 providing a way for professionals to validate skills. There has also been work done to help with usability as well as adoption with initiatives designed to help accelerate broad deployment of FIDO strong authentication.

“Our mission is to reduce industry’s reliance on passwords and legacy multi factor authentication,” Shikiar said. “From day-one we’ve had this audacious goal of shifting away from centrally stored shared secrets to a model that is more possession based in nature and relies on common end user devices, that has been our guiding principle.”

Marcio Mello, head of product, PayPal identity platform, talked about how the online payment company plans to leverage passkeys as a way to realize the promise of passwordless. Mello demonstrated workflows using passkeys, showing how easy it is for a user to authenticate.

“I would say this is an inflection point in our decade-long commitment as an industry, to a passwordless world,” Mello said about passkeys.

NTT DOCOMO has been a leader both within and outside FIDO Alliance beginning with its Board appointment in 2015. DOCOMO has helped shape FIDO specifications and is the first mobile operator to deploy FIDO authentication at scale. Shikiar welcomed Koichi Moriyama, a Chief Security Architect at NTT DOCOMO, to the keynote stage where he announced DOCOMO’s intention to support passkeys for its millions of d ACCOUNT users. Moriyama said support would begin in early 2023.

U.S. Government sees FIDO as the gold standard for MFA

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) is taking a very active interest in strong authentication.

“We’ve known for decades that passwords are a weak link in cybersecurity and that the extra layer of protection provided by multi factor authentication prevents cyber attacks,” CISA Director, Jen Easterly said. “Yet only a small percentage of people are using it.”

Easterly emphasized that CISA is aggressively pursuing multiple initiatives to help spur adoption of multi-factor authentication (MFA) and more specifically FIDO standards-based strong authentication.

“We’re using this opportunity to shine the spotlight on FIDO as the gold standard for MFA and the only widely available phishing resistant authentication method.”

Bob Lord, senior technical advisor, cybersecurity division at CISA, told the Authenticate 2022 audience that it is a weird thing that the technology industry has normalized the idea that the burden of staying safe is placed on those organizations that are least able to understand things like threat landscapes.

“We see far too many organizations failing in part because they have no idea they need to do this,” Lord said about strong authentication and FIDO adoption. “And that’s because they don’t have something that is nudging them in the right direction.”

Both Lord and Easterly advocated for technology vendors to make it easier for users to have strong authentication and provide security by default.

“Security features are customer rights, they’re not luxury goods,” Lord said.

FIDO Authentication has social impact

Jonathan Bellack, senior director, identity and counter-abuse technology at Google outlined some of the challenges that Google has seen for users adopting MFA and passwordless security.

“Our user research has shown at least from a consumer point of view, users don’t draw a distinction between any of the words we use in the industry like security, privacy, abuse as it all just kind of fits into this great amorphous blob of safety,” Bellack said.

He noted that consumers have very little time and they just want to know if they can do whatever task they want or need to complete online. To that end, Bellack detailed multiple efforts that Google has underway to embed security in a way that doesn’t introduce friction.

Christopher Harrell, CTO at Yubico, explained during his session how FIDO authentication is being used by organizations around the world to help protect freedom and privacy. Yubico is working with the Freedom of the Press Foundation and Operation Safe Escape among other organizations. The company has donated over 20,000 keys to support many different government agencies in Ukraine.

“We do hope that the war ends soon but in the interim, we hope that we can help protect infrastructure from cyber attacks,” Harrell said.

FIDO users detail adoption challenges and opportunities

User stories are a key part of the program for Authenticate 2022, and there were plenty to be told on the first day of the conference.

Ian Glazer, SVP product management at Salesforce, described the highs and the lows of his company’s MFA adoption efforts. Salesforce decided in the fall of 2019 that it wanted to achieve 100% adoption of MFA across its services and it’s a journey the company has been on ever since.

Salesforce’s path toward 100% MFA adoption involved both technical considerations as well as a massive effort to engage with users, which led to solid results. Glazer noted that at the end of Salesforce’s fiscal year approximately 80% of its monthly active users were using MFA or SSO. While 80% is a noticeable achievement, it’s not the 100% goal that Salesforce has set. Glazer emphasized that the pursuit of the 100% adoption figure forces his team to continue to innovate and find ways to push adoption.

Salesforce has noticed multiple benefits from MFA adoption so far, including cost reduction and security improvements.

“Because we adopted MFA, we have seen a dramatic reduction in account takeovers,” Glazer said.

Microsoft is also pushing hard for broad adoption as it aims to enable a passwordless experience for its users. Scott Bingham, Senior Program Manager in Identity, and Emily Houlihan, Senior Product Manager at Microsoft, explained in their session what lessons they have learned so far on their passwordless journey.

Bingham said that Microsoft has spent years rolling out support for temporary one time passwords, security keys, authenticator apps and Windows Hello as different password replacement offerings. Microsoft is increasingly moving toward eliminating passwords entirely.

“People want passwordless,” Bingham said. “Security is important, but user experience is critical and helps to drive demand.”

USAA, which provides financial services to members of the U.S. military and veterans, is also adopting FIDO and MFA to help secure its users. Dereck Henson, technical security architect at USAA, provided a series of key lessons learned during his session.

His first lesson learned is that it’s a good idea to default to strong authentication from the start. 

“We found that it’s a whole lot easier to start someone in an MFA, highly secured program, rather than to convince them to change their mind later,” Henson said.

Another key lesson that USAA has learned is that when it comes to a passwordless approach, being entirely passive and not showing users that authentication is in place is not a winning scenario. Henson said that USAA members were calling in saying they had been members for decades and couldn’t believe they could just log in with a fingerprint. To that end, USAA has had to add some interstitial screens to its authentication workflow that tell users their access is being secured.

“So not only do you have to be secure, you have to actually look secure,” he said.

Financial service giant Citi has also embraced the FIDO strong authentication approach. Matthew Nunn, Director, Secure Authentication Architecture & Technology Engineering at Citi, did not mince words in his session about why there is a need to move away from passwords.

Nunn said that there really isn’t a meaningful way to make passwords more secure.

“The reason you’re doing passwords and we’ve been doing it for so long is because we are held hostage to the keyboard being the interface to use in order to interact with the system,” Nunn said.

He added that with passwordless, users are no longer held hostage and there is the ability to take advantage of capabilities in devices to authenticate, instead of users needing to regurgitate a password.

Day 2 of Authenticate 2022 is looking to be another packed day full of insightful content and discussion, with sessions on biometrics, consumer authentication habits, FIDO initiatives and more user sessions.

Want to attend the next two days of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.

Authenticate 2022: Day 2 Recap https://fidoalliance.org/authenticate-2022-day-2-recap/ Wed, 19 Oct 2022 17:14:52 +0000 https://fidoalliance.org/?p=38210 By: FIDO Staff The second day of the Authenticate 2022 conference had a mix of topics and speakers that spanned multiple facets of the authentication world including payment security, biometrics, national identity […]

The post Authenticate 2022: Day 2 Recap appeared first on FIDO Alliance.


By: FIDO Staff

The second day of the Authenticate 2022 conference had a mix of topics and speakers that spanned multiple facets of the authentication world including payment security, biometrics, national identity and design systems.

The day got started with a keynote from Doug Fisher, senior director at Visa, who discussed the current state of the global payments system and the challenges it faces. Fisher noted that while ecommerce fraud remains a pervasive risk, strong online authentication can help reduce that fraud.

A challenge for stronger forms of authentication for ecommerce is often that it introduces more friction into the consumer buying process, which can lead to shopping cart abandonment. To help solve that issue, Fisher explained that the FIDO Alliance, EMVCo and the W3C have been working together to help improve interoperability in a bid to reduce payment authentication friction. The joint effort has led to the Secure Payment Confirmation (SPC) standard that is currently in development.

“SPC is a web standard currently in development that is built on WebAuthn to support streamlined authentication during a payment transaction,” Fisher said. “SPC and FIDO go together like peanut butter and jelly.”

The perils of MFA

Not all multi-factor authentication (MFA) technologies are equal was the primary message in a session led by Roger Grimes, data-driven defense evangelist at KnowBe4.

Grimes outlined a litany of MFA bypass techniques that could potentially enable attackers to exploit vulnerable users. He emphasized, however, that FIDO-based strong authentication is unlike MFA in that it can help to eliminate many of the man-in-the-middle attacks that enable bypassing techniques.

“MFA attacks have been around for decades but it certainly is going mainstream this year,” Grimes said.

The risks of non-FIDO MFA are top of mind for Heikki Palm Henriksen, CTO of BankID.

Henriksen’s organization provides a digital identification that is widely used in Norway. BankID started to look at FIDO in 2020 and discovered the insightful white papers produced by the alliance which helped Henriksen and his team to choose FIDO and begin implementation.

“We realized that FIDO2 was the best solution to modernize BankID to reach our goals,” Henriksen said.

Biometric considerations for FIDO

Strong authentication can make use of biometrics such as a fingerprint reader or facial recognition system, as an authenticator.

Biometric systems however are not universally without fault or bias, which is an issue that was discussed by Stephanie Schuckers, director, Center for Identification Technology Research (CITeR) at Clarkson University.

“When we talk about bias related to biometrics, what we’re really talking about is variability in performance due to demographics or demographic differentials,” she said.

Schuckers emphasized that bias relates to the specific technology implementation being used, not the whole field of biometric recognition. Through testing and certification, it is possible to better understand and reduce the risk of potential bias.

Greg Cannon, principal AI/ML standards at Amazon, joined Schuckers for a panel session, emphasizing that the goal is to help eliminate passwords and that biometrics is a great technology for doing that.

To help illustrate the point that biometrics spoofing is a concern that testing can help to solve, Schuckers brought some props on stage, including a mask of her own face, which apparently did not fool the facial detection system on her phone.

Consumer authentication habits

Understanding how users view authentication is an important aspect of understanding what needs to be done to help improve adoption.

The FIDO Alliance conducts an annual survey that looks at consumer habits for trends and adoption of authentication technologies. Megan Shamas, senior director of marketing at FIDO Alliance, said that the 2022 survey shows users are in some respects entering their passwords less than prior years, though the data is far from being definitive.

Perception of biometrics is also reassuring as a potential way to help eliminate the use of passwords.

“We have actually been very pleased with consumer sentiment towards biometrics,” Shamas said. “In fact, a lot of consumers that we surveyed find it to be the most secure way to log in.”

Helping to reduce remote authentication fraud

Marianne Crowe, vice president, secure payments innovation and research at Federal Reserve Bank of Boston, used her time on stage to ask for more cooperation across the authentication ecosystem to help secure against fraud.

Crowe noted that there is consumer fatigue with passwords and many users will just reuse the same passwords on multiple sites which is an unsafe practice. MFA is helpful, but she noted that it is often inconsistent today in how it is presented to consumers.

“We’ve got to try to increase implementation and adoption of MFA even in industries and businesses that aren’t required to do it,” Crowe said.

Design system comes to FIDO

One of the ways consistency can come to authentication and specifically to FIDO based strong authentication is with the use of a design system. 

Organizations can now benefit from the FIDO design system at fidoalliance.org/design-system that provides principles, patterns and reusable components.

“Our intention for putting all this together is to make FIDO deployments simpler and faster for product designers, for project managers, product managers and engineers,” Kevin Goldman, chief experience officer at Trusona, said. “Our intention is to fill the gaps that they might have around authentication in their own design systems.”

The final day of Authenticate 2022 is looking to be another day loaded with useful content, thoughtful discussion, more user stories and best practices to help organizations move to the passwordless future.

Want to attend the final day of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.

FIDO Alliance study reveals global password usage is down – yet its continued dominance is proving costly https://fidoalliance.org/barometer-2022-2/ Tue, 18 Oct 2022 20:30:11 +0000 https://fidoalliance.org/?p=38173 FIDO Alliance’s second annual Online Authentication Barometer reveals the habits, trends and adoption of authentication technologies Summary of key findings: Entering passwords has dropped globally – by 5% – 9% across […]

The post FIDO Alliance study reveals global password usage is down – yet its continued dominance is proving costly appeared first on FIDO Alliance.


FIDO Alliance’s second annual Online Authentication Barometer reveals the habits, trends and adoption of authentication technologies

Summary of key findings:

  • Entering passwords has dropped globally – by 5% – 9% across all use-cases tracked, as people adopt more convenient ways of logging in.
  • Yet passwords are still the most-used authentication method and they are proving costly to service providers – 59% of people gave up on accessing online services and 43% abandoned purchases in a given month.
  • The use of SMS OTPs has increased globally by 1% – 4% as it is increasingly offered by service providers as a multi-factor authentication method.
  • Businesses need a way to offer people the convenience they want without sacrificing security – passkeys are one new approach and are on the radars of 48% of 18-34 year-olds.
  • The metaverse has gained traction yet phishable authentication dominates despite security concerns – 61% of metaverse users are concerned over their security and privacy yet 38% use a password.

SEATTLE, WA, October 18, 2022 — The FIDO Alliance today published its second annual Online Authentication Barometer, which gathers insights into the state of online authentication in 10 countries across the globe. New to the Barometer this year, the FIDO Alliance has begun tracking authentication in the metaverse, and plans to incorporate utilization of technologies like passkeys in future editions of the report.

Key findings

The 2022 Online Authentication Barometer has identified that entering passwords online has dropped by 5% – 9% across all five major use-cases that it tracks – including accessing financial services, work computers and accounts, social media, streaming services, and smart home devices – compared to last year.

Despite this, passwords remain the dominant form of online authentication and cause major issues for people and businesses. For example, 70% of people had to recover a password at least once in a given month. Service providers and retailers also were impacted, with 59% of people giving up on accessing online services in a given month and 43% abandoning purchases because they couldn’t remember their password.

Data from the Barometer also suggests these issues with remembering and entering passwords are leading more people to stay logged into accounts, rising by 5% – 11% across all use-cases, as people opt for greater convenience. Other notable trends include multi-factor authentication through SMS One-Time Passcodes (OTPs) rising between 1% – 4% across all use-cases, as this legacy form of second-factor authentication is increasingly offered by service providers to rapidly improve consumer security and to meet regulatory requirements.

“This year’s Barometer data reveals that people see entering passwords as a pain and avoid it when they can,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Service providers realize the inconvenience and security issues with passwords and are offering more ways to authenticate such as cookies to stay logged in and/or legacy MFA like SMS OTPs.” 

Shikiar added: “However, these attempts at convenience and security are still based on outdated and phishable authentication technologies that everyone needs to move away from if we are ever going to stop the constant onslaught of data breaches. Organizations should all have implementation of modern, phishing-resistant authentication on their roadmaps, whether it is via on-device biometrics, FIDO security keys or passkeys.” 

Tracking emerging technologies

The FIDO Alliance’s Online Authentication Barometer is designed to track habits, trends and adoption across key use-cases, including new technologies and use-cases as they are adopted. This year, it began tracking the metaverse as one of its key online use-cases. The Barometer also sampled early insights into passkeys, which are FIDO credentials designed to replace passwords that provide faster, easier, and more secure sign-ins to websites and apps.

Almost a third of people (31%) have logged into the metaverse recently, with 61% concerned over their security and privacy. Despite this, phishable authentication methods dominate with 38% of people logging in with passwords, 24% using password plus OTPs, and 21% remaining logged in. Other, more secure, possession-based methods like biometrics (26%) and physical security keys (16%) are also prevalent.

Passkeys, which provide secure and convenient passwordless sign-ins to online services, appear to have a high level of awareness, despite only being announced this year. The data shows that 39% of people are familiar with the concept of passkeys – and this is especially high among 18-34 year-olds at 48%. FIDO’s Online Authentication Barometer will track the adoption of passkeys in next year’s report and determine how far this early awareness translates into usage.

Ends

Notes to editors:

  • Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,044 consumers across the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India and China.

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact 

press@fidoalliance.org 

FIDO Alliance study reveals global password usage is down – yet its continued dominance is proving costly https://fidoalliance.org/barometer-2022/ Tue, 18 Oct 2022 15:28:03 +0000 https://fidoalliance.org/?p=38165 FIDO Alliance’s second annual Online Authentication Barometer reveals the habits, trends and adoption of authentication technologies Summary of key findings: Entering passwords has dropped globally – by 5% – 9% […]


FIDO Alliance’s second annual Online Authentication Barometer reveals the habits, trends and adoption of authentication technologies

Summary of key findings:

  • Entering passwords has dropped globally – by 5% – 9% across all use-cases tracked, as people adopt more convenient ways of logging in.
  • Yet passwords are still the most-used authentication method and they are proving costly to service providers – 59% of people gave up on accessing online services and 43% abandoned purchases in a given month.
  • The use of SMS OTPs has increased globally by 1% – 4% as it is increasingly offered by service providers as a multi-factor authentication method.
  • Businesses need a way to offer people the convenience they want without sacrificing security – passkeys are one new approach and are on the radar of 48% of 18-34 year-olds.
  • The metaverse has gained traction yet phishable authentication dominates despite security concerns – 61% of metaverse users are concerned over their security and privacy yet 38% use a password.

SEATTLE, WA, October 18, 2022 — The FIDO Alliance today published its second annual Online Authentication Barometer, which gathers insights into the state of online authentication in 10 countries across the globe. New to the Barometer this year, the FIDO Alliance has begun tracking authentication in the metaverse, and plans to incorporate utilization of technologies like passkeys in future editions of the report.

Key findings

The 2022 Online Authentication Barometer has identified that entering passwords online has dropped by 5% – 9% across all five major use-cases that it tracks – including accessing financial services, work computers and accounts, social media, streaming services, and smart home devices – compared to last year.

Despite this, passwords remain the dominant form of online authentication and cause major issues for people and businesses. For example, 70% of people had to recover a password at least once in a given month. Service providers and retailers also were impacted, with 59% of people giving up on accessing online services in a given month and 43% abandoning purchases because they couldn’t remember their password.

Data from the Barometer also suggests these issues with remembering and entering passwords are leading more people to stay logged into accounts, rising by 5% – 11% across all use-cases, as people opt for greater convenience. Other notable trends include multi-factor authentication through SMS One-Time Passcodes (OTPs) rising between 1% – 4% across all use-cases, as this legacy form of second-factor authentication is increasingly offered by service providers to rapidly improve consumer security and to meet regulatory requirements.

“This year’s Barometer data reveals that people see entering passwords as a pain and avoid it when they can,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Service providers realize the inconvenience and security issues with passwords and are offering more ways to authenticate such as cookies to stay logged in and/or legacy MFA like SMS OTPs.” 

Shikiar added: “However, these attempts at convenience and security are still based on outdated and phishable authentication technologies that everyone needs to move away from if we are ever going to stop the constant onslaught of data breaches. Organizations should all have implementation of modern, phishing-resistant authentication on their roadmaps, whether it is via on-device biometrics, FIDO security keys or passkeys.” 

Tracking emerging technologies

The FIDO Alliance’s Online Authentication Barometer is designed to track habits, trends and adoption across key use-cases, including new technologies and use-cases as they are adopted. This year, it began tracking the metaverse as one of its key online use-cases. The Barometer also sampled early insights into passkeys, which are FIDO credentials designed to replace passwords that provide faster, easier, and more secure sign-ins to websites and apps.

Almost a third of people (31%) have logged into the metaverse recently, with 61% concerned over their security and privacy. Despite this, phishable authentication methods dominate with 38% of people logging in with passwords, 24% using password plus OTPs, and 21% remaining logged in. Other, more secure, possession-based methods like biometrics (26%) and physical security keys (16%) are also prevalent.

Passkeys, which provide secure and convenient passwordless sign-ins to online services, appear to have a high level of awareness, despite only being announced this year. The data shows that 39% of people are familiar with the concept of passkeys – and this is especially high among 18-34 year-olds at 48%. FIDO’s Online Authentication Barometer will track the adoption of passkeys in next year’s report and determine how far this early awareness translates into usage.

Ends

Notes to editors:

  • Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,044 consumers across the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India and China.

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact 

press@fidoalliance.org 

FIDO Alliance Announces Document Authenticity Certification Program for Remote Verification https://fidoalliance.org/fido-alliance-announces-document-authenticity-certification-program-for-remote-verification/ Thu, 13 Oct 2022 11:58:07 +0000 https://fidoalliance.org/?p=38035 Mountain View, Calif., October 13, 2022- The FIDO Alliance today announced the latest addition to its range of certification programs to address the rising need for stronger, simpler online identity […]

Mountain View, Calif., October 13, 2022 – The FIDO Alliance today announced the latest addition to its range of certification programs to address the rising need for stronger, simpler online identity verification: the Document Authenticity (DocAuth) Certification Program. The program allows vendors to certify that their mobile document verification solutions accurately determine if a government-issued identity document is authentic, matches the presented user, and complies with the performance criteria set forth in FIDO Alliance’s Document Authenticity (DocAuth) Requirements. Multiple vendors have started the certification process and the first FIDO DocAuth Certified products are anticipated to be available in early 2023.

As high-value services increasingly move online – from banking applications to government services – demand is rising for more robust verification solutions to validate user identities remotely by leveraging trusted government-issued ID documents. Accurate remote identity verification is also critical at the point of account creation, prior to FIDO authentication, and during the account recovery process. 

The DocAuth Certification Program provides a standard testing process for organizations to prove their products can validate different government-issued ID document types across multiple geographies, and that they are fit for commercial use. For service providers, the program provides a benchmark when evaluating multiple vendors to ensure they meet global performance standards and can assist in stopping bad actors from creating accounts using fake or stolen documentation. 

“FIDO Alliance was pleased to collaborate with our FIDO Accredited laboratory partners on this important program, as accurately verifying a user’s identity during initial account creation is a critical step in the overall integrity of the account – and also strengthens the security of subsequent FIDO-based sign-ins,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “The launch of FIDO’s Document Authenticity Certification Program gives service providers a FIDO Certified mark to ensure the mobile document verification solutions they choose have met globally-recognized standards and can assist them in providing greater security across the entire account lifecycle. We look forward to seeing the first FIDO DocAuth Certified products early next year.” 

Program Details 

The DocAuth Certification Program provides certification performance criteria for vendors, and sets test procedures that FIDO Accredited Laboratories use for evaluating mobile document verification solution capabilities. A full list of FIDO Accredited Document Authenticity Laboratories can be found here.

The program is open to vendors seeking certification for their mobile document verification solutions. Vendors who achieve certification receive a Document Authenticity Certificate, as well as permission to use the FIDO Certified mark, to demonstrate they have passed the well-defined testing administered by the FIDO Alliance and Accredited Laboratories.

FIDO Document Authenticity Certification is independent of other FIDO certification programs. There are no FIDO Certification prerequisites to apply for Document Authenticity Certification. 

The FIDO Alliance plans to expand its identity verification program in 2023 with the launch of a face verification certification, including performance criteria requirements that address liveness and selfie-match.

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. 

PR Contact 
press@fidoalliance.org

The Top Cyber Attacks Still Scaring us this Halloween – and How to Stop Them https://fidoalliance.org/the-top-cyber-attacks-still-scaring-us-this-halloween-and-how-to-stop-them/ Wed, 12 Oct 2022 19:36:52 +0000 https://fidoalliance.org/?p=38026 This Cybersecurity Awareness Month, we’re raising awareness of the most frightening social engineering attacks and how we can banish these monsters to the past… Megan Shamas, senior director of marketing, […]

This Cybersecurity Awareness Month, we’re raising awareness of the most frightening social engineering attacks and how we can banish these monsters to the past…

Megan Shamas, senior director of marketing, FIDO Alliance

Cybercriminals are like trick or treaters – knocking on doors and helping themselves to your freely-given credentials. Whether traditional phishing emails or more sophisticated deepfake-bolstered attacks, our digital lives and the proliferation of passwords are making us increasingly vulnerable to the cyber threat.

Awareness is a core part of FIDO Alliance’s mission to move the world away from passwords to simpler, stronger authentication. Standards and technology are just one half of solving cybersecurity challenges – we have a duty to educate and provide the best information and resources to help everyone make smart decisions in whatever online environment they’re in – whether you’re at work, studying, or in your personal life.

That’s why we love working with CISA and NCSAM and their efforts around Cybersecurity Awareness Month, as it gets to the ‘people’ part of cybersecurity. And undoubtedly, when we think of that ‘people’ part, phishing and social engineering attacks are top of the list.

To promote this year’s Cybersecurity Awareness Month, we’ve taken inspiration from the impending spooky season to unmask the scariest techniques and technologies criminals are using to steal your sweet candy credentials – and, how to stop them.

The Wolf in Sheep’s Clothing 

The online world can be a great space for finding friends, work, and romance. But wolves can be lurking behind friendly chats and interactions. These types of attacks are quite sophisticated, and usually take place over an extended period while the attacker wins the trust of their unsuspecting victims.  

Plenty of Fish can quickly become Plenty of Phish, catching consumers when they have their guard down and least expect anything. The recent Netflix documentary ‘Tinder Swindler’ is a great example of how convincing and persistent these fraudsters can be. When forming relationships online, remember that those on the other end of apps might not always be who they seem, and keep that in mind before sharing any sensitive information that could help them take over your online accounts.

The Ghosts of Phishmas Past 

An email from the bank wanting to confirm your details. A text from couriers asking you to reschedule your delivery. The cheery retailer message to say you’ve won $100 to spend if you register a new account.

You might think you’ve seen and heard it all before, but these older, tried and tested phishing techniques are haunting us and are still by far the most effective. Take the Royal Mail SMS scam that blew up last Christmas time in the UK, or the recent global attack on Facebook Business/ad users. An estimated three in five were targeted by fake delivery text messages in 2021. As both the volume and quality of attacks continue to rise, the simplest of phishing and smishing could catch any of us out.

The Shapeshifter

You’ve no doubt seen funny viral videos of deepfakes, like Tom Cruise singing, or heard of the fake videos created of Ukrainian President Zelensky earlier this year. But deepfake technology isn’t just limited to comedy and political attacks – this technology is becoming both more readily available and more convincing, bringing to the fore even more effective attacks on everyday consumers. Back in June, the FBI even issued a warning to employers about fake employees using the technology to apply for jobs under false pretences to defraud organisations.

Deepfake video and audio are now being used to bolster more standard phishing attacks and convince victims they’re engaging with those closest to them, pressuring them into giving away sensitive information and details.

The Terminator

This is one type of social engineering attack that should send shivers down your spine. Recent advances in AI and machine learning are enabling attackers to automate highly targeted attacks – known as spear-phishing – by data scraping and integrating convincing details like name, date of birth and employer details, into attacks. 

By revealing just enough legitimate information, consumers are lured into a false sense of security and even more likely to share credentials. Now automated at an alarming rate and level of sophistication, this is one attack that will keep coming back… that is, if we don’t find a strong enough defence. 

Boo, Passwords!

The only way we can truly protect ourselves from sharing our most precious credentials online is to not have credentials we can share in the first place. If passwords are like Halloween candy at our doors, moving to something we simply can’t share, like FIDO cryptographic-based sign-ins and on-device biometrics, means that even if you fall for the trick, fraudsters are going hungry.

FIDO authentication, created by a global collaboration of the world’s biggest tech companies, numerous service providers and security stakeholders, is the only widely available phishing-resistant authentication method. Increasingly, governments like the US and the UK are citing FIDO as the ‘gold standard’ for organisations to implement and access robust cybersecurity. FIDO technology is readily available for companies big and small to implement and, as Cloudflare’s recent thwarted cyberattacks show, it’s effective.

FIDO technology is about to become more readily available and ubiquitous among consumers too. Earlier this year, the world’s biggest platforms – Apple, Google and Microsoft – committed to supporting our new security key standards, FIDO multi-device credentials, also known as ‘passkeys’. This means, across our most favoured browsers and devices, we’ll soon be able to access FIDO-based passwordless sign-in technology with the same gestures we use every day on mobile devices, using biometrics or PIN. 

This Cybersecurity Awareness Month, we’re urging service providers to get phishing-resistant passwordless authentication on their roadmap so consumers can make the move to passwordless – or at the very least, using passwords less – so we can leave these social engineering monsters toothless.

Momentum in APAC:  FIDO Tech Seminar in Korea and Passwordless Roundtable in Vietnam Recaps https://fidoalliance.org/momentum-in-apac-fido-tech-seminar-in-korea-and-passwordless-roundtable-in-vietnam-recaps/ Thu, 11 Aug 2022 18:05:14 +0000 https://fidoalliance.org/?p=37352 By Andrew Shikiar, Executive Director and CMO, FIDO Alliance July 2022 was a busy month for FIDO members in APAC, particularly with the events that took place in Korea and […]

By Andrew Shikiar, Executive Director and CMO, FIDO Alliance

July 2022 was a busy month for FIDO members in APAC, particularly with the events that took place in Korea and Vietnam:

FIDO Tech Seminar in Korea

On July 13th, the FIDO Korea Working Group held a half-day virtual tech seminar with 250+ attendees. The sessions included updates on the state of the FIDO Alliance and its certification programs, an introduction to FIDO Device Onboard (FDO), a FIDO Authentication 101, an introduction to multi-device FIDO credentials (also known as “passkeys”), and a presentation on understanding Korean laws mandating the use of passwords.

[Pic 1: Snapshot of FIDO Tech Seminar Platform][Pic 2: Samples of Virtual Sessions]

This tech seminar covered topics such as FDO and passkeys, and provided a forum for industry experts to learn about phishing-resistant online authentication.

Based on the post-event survey, over 30% of attendees reported they were victims of credential thefts, even though they are online security industry experts or are studying in related fields. Mr. Hyeong Won Pyo at Chosun Media thoughtfully summarized what he learned from the seminar while sharing with his colleagues and friends: “Our journalists are under attack by online phishing campaigns, and it was great to learn how to protect them with FIDO Authentication.”

Those who missed the live streaming sessions can watch the recordings here.

Vietnam Goes Passwordless Roundtable

On the same afternoon, FIDO Alliance participated in another hybrid event, the Vietnam Goes Passwordless Roundtable, organized by VinCSS and the Vietnamese Ministry of Information and Communication.

It was the first forum on passwordless authentication in Vietnam, and the cyber security industry leaders in the region gathered representatives from the state banks and local journalists.

[Pic 3: FIDO Update by Andrew Shikiar][Pic 4: Panel Discussion Session]

During the event, local cyber security leaders discussed and shared best practices on digital authentication, disruptive technologies, and mega trends of passwordless authentication. The experts recognized the recent increase of cyber-attacks in Vietnam as a risk factor for further developing digital applications, which is one of the top strategic activities of the Vietnamese National Digital Transformation Program.

Mr. Do Ngoc Duy Tranc, CEO of VinCSS, said, “VinCSS is ready to sponsor and support the nation by integrating strong FIDO-based passwordless authentication technology by building broader cooperation mechanisms with multi-sectors.”

To learn more about the event and exciting passwordless activities in Vietnam, please visit the event platform.

CISA Director Jen Easterly to Deliver Signature Keynote at FIDO Alliance’s Authenticate 2022 Conference  https://fidoalliance.org/cisa-director-jen-easterly-to-deliver-signature-keynote-at-fido-alliances-authenticate-2022-conference/ Tue, 02 Aug 2022 11:54:58 +0000 https://fidoalliance.org/?p=37266 FIDO Alliance announces agenda for its flagship event on the future of user authentication    Seattle, Washington, August 2, 2022 – The FIDO Alliance announced its keynote speakers and full […]

FIDO Alliance announces agenda for its flagship event on the future of user authentication   

Seattle, Washington, August 2, 2022 – The FIDO Alliance announced its keynote speakers and full agenda for Authenticate 2022, the only industry conference dedicated to the who, what, and where of user authentication. 

This year’s featured keynote will be presented by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and Senior Technical Advisor Bob Lord. Additional speakers including Jonathan Bellack, Senior Director, Identity & Counter-Abuse Technology at Google; Pamela Dingle, Director of Identity Standards, Microsoft; Luis G. DaSilva, Head of Digital Identity Products at Visa; and Christopher Harrell, Chief Technology Officer at Yubico will deliver keynote presentations exploring the theme of “taking modern authentication to the next level” from a variety of diverse, global perspectives.

Authenticate 2022 is a hybrid event, held at the Sheraton Grand in Seattle, Washington and virtually on October 17-19, 2022. Now in its third year, the event is focused on providing education, tools, and best practices for modern authentication across web, enterprise, and government applications. CISOs, security strategists, enterprise architects, and product and business leaders are invited to register at https://authenticatecon.com/event/authenticate-2022-conference/

In response to its rising popularity, the conference now features a third content track and offers more than 80 sessions. Speakers from ADP, Amazon, Citi, CVS Health, Salesforce, Target, USAA and others will deliver a diverse set of sessions, detailed case studies, technical tutorials, and expert panels. Attendees will also benefit from a dynamic expo hall and networking opportunities whether attending in-person or virtually. 

Sponsorship Opportunities at Authenticate 2022 

Authenticate 2022 is also accepting applications for sponsorship, offering opportunities for companies to put their brand and products front and center with brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/event/authenticate-2022-conference/

There are a limited number of opportunities remaining. Requests for sponsorship should be sent to authenticate@fidoalliance.org. 

About Authenticate 

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

In 2022, Authenticate will be held October 17-19 at the Sheraton Grand in Seattle, Washington and virtually. Early-bird registration discounts are available through September 2, 2022. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. 

Signature sponsors for Authenticate 2022 are Google, Microsoft, Visa, and Yubico.

Authenticate Contact 
authenticate@fidoalliance.org  

PR Contact 
press@fidoalliance.org  
SOURCE FIDO Alliance, Inc.

FIDO Alliance Announces the FIDO Developer Challenge – India https://fidoalliance.org/fido-alliance-announces-the-fido-developer-challenge-india/ Wed, 29 Jun 2022 01:24:36 +0000 https://fidoalliance.org/?p=36994 India-focused Developer Challenge Program Invites Local Teams to Leverage Public FIDO2 WebAuthn API to Showcase Creative Ideas Leveraging FIDO Authentication – Application Submission Deadline August 12, 2022 New Delhi, India, […]

India-focused Developer Challenge Program Invites Local Teams to Leverage Public FIDO2 WebAuthn API to Showcase Creative Ideas Leveraging FIDO Authentication – Application Submission Deadline August 12, 2022

New Delhi, India, June 28th, 2022 – The FIDO Alliance today announced the FIDO Developer Challenge – India. Building on the success of the FIDO Developer Challenges over the past three years, the FIDO Alliance is focusing the program on the Indian market, encouraging local developer teams to create and present compelling and innovative applications leveraging FIDO standards and technologies.

In India, cyber-attacks have doubled in the past three years, according to University of Surrey research, with enterprises the most common target of these attacks. Knowledge-based authentication, such as passwords, is no longer fit for the rapidly developing and connected Indian market. The FIDO Alliance is bringing its Developer Challenge to India to empower local developers to explore new options for moving beyond passwords with simpler, stronger FIDO Authentication.

“Educating and supporting the developer community is a priority for the FIDO Alliance, and is one of the key elements to driving market adoption of FIDO Authentication standards,” said Andrew Shikiar, executive director and CMO at the FIDO Alliance. “Over the years, the FIDO Developer Challenge programs have been a major component in successfully engaging local developers. India has a rich history of developer talent and innovation – we are looking forward to seeing how these bright minds leverage FIDO standards to bring simpler, stronger authentication capabilities to web applications and services.”

Participating teams will use public web frameworks and/or SDKs from FIDO Alliance’s members and sponsors of the Developer Challenge. Sponsors currently include Visa, Infineon, Samsung Electronics, Trustkey, Ensurity, and Octatco.

The Challenge is open to students, individual developers, and pre-seed-stage companies residing in India. Projects should apply FIDO Authentication protocols to address modern technical or social challenges within various fields such as fintech, ecommerce, IoT, retail, blockchain, healthcare, public service, gaming, education, AI and the Metaverse.

In addition to receiving goods and prizes from FIDO Alliance and the Challenge sponsors, the winning team will be invited by the FIDO India Working Group to make their final presentations to FIDO Alliance global stakeholders.

The deadline to submit an application is August 12, 2022. Registration to participate can be found here: https://forms.gle/infm9319Ph8HwbJv8

(*The application submission deadline has been extended from August 12th to September 12th.)

Additional resources for the event can be found on the FIDO Developer Challenge India homepage: https://fidoalliance.org/fido-developer-challenge-2022-india/

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. By harnessing the collective expertise of hundreds of leading technology, consumer services and government organizations, the FIDO Alliance is enabling simpler and stronger online experiences and more secure online identities and devices. The FIDO Alliance creates and publishes specifications, executes rigorous certification programs and educates consumers in order to build confidence and trust in FIDO Certified products and services.

FIDO Alliance Releases Guidelines for Optimizing User Experiences with FIDO Security Keys https://fidoalliance.org/fido-alliance-releases-guidelines-for-optimizing-user-experiences-with-fido-security-keys/ Wed, 22 Jun 2022 14:07:53 +0000

New guidelines aim to accelerate multi-factor authentication deployment and adoption with FIDO security keys

Identiverse, Denver, CO June 22, 2022 – The FIDO Alliance today released new user experience (UX) guidelines to help accelerate deployment and adoption of multi-factor authentication (MFA) with FIDO security keys. 

The FIDO Security Key UX Guidelines are available at https://fidoalliance.org/ux-guidelines/

FIDO security keys – small, portable high-security devices that connect to a phone or computer via USB, Bluetooth or NFC – are considered by many to be the “gold standard” for multi-factor authentication. Simply touching this device during sign-in protects accounts from a targeted attack 100% of the time. Many services, including Twitter and Facebook, now offer the option to enable FIDO security keys for mobile and desktop access. 

The aim of the FIDO Security Key UX Guidelines is to help online service providers design a better, more consistent user experience for the consumer security key audience and ultimately maximize adoption. The document provides UX guidelines for all major steps of a consumer’s journey with FIDO security keys: awareness; consideration; enrollment; management; and authentication. 

“Having reached widespread support for FIDO Authentication across the web, the FIDO Alliance is increasingly focused on ways to grow and ultimately reach mass adoption. One of our primary areas of focus towards this objective is making FIDO more usable and accessible,”  said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We’ve established a FIDO UX Task Force consisting of UX experts from around the globe to conduct research and provide guidance on how to optimize user journeys as users enroll in, and subsequently sign in, with FIDO in various use cases. Today’s guidelines follow our first set of UX guidelines focused on the desktop authenticator user experience, with more to follow. I strongly encourage service providers to leverage these best practices when rolling out FIDO Authentication.” 

The guidelines were created by the FIDO Alliance UX Task Force in partnership with usability research firm Blink UX. They conducted formal research of FIDO user journeys and actively engaged with FIDO Alliance stakeholders to establish these FIDO security key UX best practices. The guidelines were developed following multiple sessions of moderated and unmoderated consumer research conducted by Blink UX, in collaboration with FIDO UX Task Force members.

Learn more about the FIDO Security Key UX Guidelines at Identiverse 2022

Attending Identiverse? Learn more about the guidelines today, June 22, during the session “Optimizing UX for FIDO Security Keys” at 12:00 pm MDT. 

About the FIDO UX Task Force

The FIDO UX Task Force for this project was established to develop best UX practices for implementing MFA with FIDO security keys for consumer web-based sites on desktops/laptops across platforms. Member volunteers for this project included product and design leaders from Feitian, Google, IBM, Idemia, JP Morgan Chase Bank, Meta, Microsoft, NIST, OneSpan North America, Onfido, Trusona, Trustkey, Visa, VMware, and Yubico. 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. By harnessing the collective expertise of hundreds of leading technology, consumer services and government organizations, the FIDO Alliance is enabling simpler and stronger online experiences and more secure online identities and devices. The FIDO Alliance creates and publishes specifications, executes rigorous certification programs and educates consumers in order to build confidence and trust in FIDO Certified products and services.

Contact

press@fidoalliance.org

World Password Day Had a Good Run. Now We’re Celebrating A Future with Less Passwords https://fidoalliance.org/world-password-day-had-a-good-run-now-were-celebrating-a-future-with-less-passwords/ Thu, 05 May 2022 11:58:16 +0000

Andrew Shikiar, executive director and CMO, FIDO Alliance

World Password Day was created in 2013 to help people better secure their accounts by providing tips for better password hygiene: don’t reuse passwords; use a complex, random string of letters, numbers and characters; use a password manager. At the time of its inception the intentions of this day were positive and necessary as we didn’t have more secure consumer-friendly alternatives readily available. 

Technology and best practices have changed over the years and many now use World Password Day to encourage users to level-up their account security by enabling multi-factor authentication. This is certainly a best practice for password-based logins, but falls short of addressing the evolving threat landscape which has commercialized the ability for hackers to bypass legacy forms of MFA. 

What we ultimately need is widespread availability of passwordless sign-in technology that is more convenient and more secure – and we have that today with FIDO Authentication, which is already supported in over 90% of web browsers and virtually every modern handset and computing device. 

In March of this year the FIDO Alliance shared its vision to make FIDO Authentication even more widely available and consumer-ready through the advent of multi-device FIDO credentials (referred to by some as “passkeys”). 

Today, as an evolution of this announcement, FIDO Alliance is excited to share that Apple, Google and Microsoft are aligned with this vision and will be implementing multi-device FIDO credentials in their respective platforms. Read the press release for more details.

From a user experience standpoint, this will be very similar to how one interacts with a password manager today to help them securely enroll and sign into websites – only it will be far more secure as the process will issue a FIDO keypair instead of a password. 

From a service provider perspective, the availability of multi-device FIDO credentials will join the ongoing and growing utilization of security keys to allow for a full range of options for deploying modern, phishing-resistant authentication.

In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. This is a critical step in helping the industry at large break its dependence on the passwords and other knowledge-based credentials which to this day are the cause of over 80% of data breaches.

I am often asked when the industry will be able to get rid of passwords – to which I respond that the path towards passwordless is a journey and not a sprint. That being said, the first step on the password-less journey is to use less passwords – which is embodied by the commitment made today by the world’s largest platform providers.  While “Less Passwords Day” doesn’t roll off the tongue as well as “World Password Day,” it certainly is a day worth celebrating!

Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/ Thu, 05 May 2022 11:58:11 +0000

Faster, easier and more secure sign-ins will be available to consumers across leading devices and platforms 

Mountain View, California, MAY 5, 2022  – In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.  

Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.  

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS. 

An Expansion of Passwordless Standard Support 

Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms. 

These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality. Today’s announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins: 

  1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account. 
  2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. 

These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year. 

“‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines. Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”

“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency. “At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”

“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.” 

“This milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management, Google. “For Google, it represents nearly a decade of work we’ve done alongside FIDO, as part of our continued innovation towards a passwordless future. We look forward to making FIDO-based technology available across Chrome, ChromeOS, Android and other platforms, and encourage app and website developers to adopt it, so people around the world can safely move away from the risk and hassle of passwords.”

“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President, Identity Program Management at Microsoft. “By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”

Available Resources:

White Paper: Multi-Device FIDO Credentials

Blog: Charting an Accelerated Path Forward for Passwordless Authentication Adoption

Webpage

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

About Apple

Apple revolutionized personal technology with the introduction of the Macintosh in 1984. Today, Apple leads the world in innovation with iPhone, iPad, Mac, Apple Watch, and Apple TV. Apple’s five software platforms — iOS, iPadOS, macOS, watchOS, and tvOS — provide seamless experiences across all Apple devices and empower people with breakthrough services including the App Store, Apple Music, Apple Pay, and iCloud. Apple’s more than 100,000 employees are dedicated to making the best products on earth, and to leaving the world better than we found it.

About Google

Google’s mission is to organize the world’s information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Google Cloud, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely-known companies in the world. Google is a subsidiary of Alphabet Inc.

About Microsoft

Microsoft enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

FIDO Alliance Empowers New Wave of Authentication Experts with FIDO Certified Professional Testing Program https://fidoalliance.org/fido-alliance-empowers-new-wave-of-authentication-experts-%ef%bf%bcwith-fido-certified-professional-testing-program/ Tue, 12 Apr 2022 11:57:06 +0000

Experts in FIDO Authentication can now enroll to be certified, creating a new breed of professionals to help organizations move beyond passwords 

MOUNTAIN VIEW, CA, April 12, 2022 – FIDO Alliance today announced that testing is now available for individuals seeking to become FIDO Certified Professionals. Experts in online security and authentication are invited to apply and demonstrate their ability to support businesses designing their authentication strategy and migration away from outdated techniques like passwords.

FIDO is increasingly recognized by global enterprises, governments and consumers as the gold standard for phishing-resistant multi-factor authentication; just recently, it was cited as ‘best practice’ in the U.S. Zero Trust Strategy. This program meets the corresponding demand for trusted professionals with FIDO expertise to support the implementation of FIDO authentication into organizations’ identity architectures. 

“Organizations of all sizes and across all industries are increasingly aware that passwords are no longer fit for purpose, but very few know what the other options are, and even fewer know how to get there,” said Andrew Shikiar, Executive Director and CMO of the FIDO Alliance. “The FIDO Certified Professional Program stands to be a powerful tool in orchestrating the next phase of mass migration to more robust, modern authentication infrastructures. With more experts on the ground, we can keep empowering businesses all over the world to break their dependence on passwords – enabling greater security and enhanced user experience.”

Aspiring FIDO Certified Professionals must be equipped with advanced technical knowledge to help organizations define a robust FIDO architecture that meets their business needs. Individuals are assessed on their skills and knowledge in relation to the FIDO standards and architecture, as well as the identity and authentication space more broadly. 

Achieving FIDO certification provides an array of benefits for professionals including:

  • Competitive advantage in a highly-skilled industry
  • Ability to execute projects with increased efficiency
  • Increased earning potential 
  • Professional credibility and validation of expertise
  • Networking and business opportunities as part of the Alliance  

Participants are assessed via an exam curated by industry peers and FIDO partner, Professional Testing. The program is recommended for professions including technology architects, systems and operations engineers, security professionals and identity and access management professionals. 

Among the first group to receive their FIDO certification are professionals who aided in the development of the exam: Eldan Haim, Apiiro; Shane Weeden, IBM; David Turner, FIDO Alliance; Susana Rodriguez, HYPR; Khedron de León, HYPR; Baljeet Sandhu, HYPR; Pasha Benenson, HYPR; Manish Khedawat, Target; and Aleksey Kravtsov, Warby Parker.

Individuals seeking certification should visit https://fidoalliance.org/fido-certified-professional-program/ to register with FIDO Alliance to take the exam. 

For more information, please contact certification@fidoalliance.org

PR Contact
press@fidoalliance.org 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Latest updates from FIDO APAC Marketing Forum: FIDO Members from the Region Get Together to Learn from Each Other and Stay Alert https://fidoalliance.org/latest-updates-from-fido-apac-marketing-forum-%ef%bf%bcfido-members-from-the-region-get-together-to-learn-from-each-other-and-stay-alert/ Mon, 28 Mar 2022 18:10:00 +0000

By Joon Hyuk Lee, APAC Market Development Director

According to recent research reports and news, Asia Pacific regions are witnessing a surge in cyber-attacks – and the highly publicized online attacks all start with compromised passwords. 

In December 2021, nearly 470 customers of a Singapore bank fell victim to SMS phishing attacks, with total losses amounting to at least $8.5 million. In New Zealand, the Department of Internal Affairs (DIA) received over 114,000 SMS scam reports between September and October 2021, the highest in the Department’s history. In India, cyber-attacks have doubled in the past three years, according to University of Surrey research, with enterprises the most common target of these attacks. In January, a local payment provider experienced a data breach, with 35 million customers having their data, including card information and fingerprint scans, released on the dark web for anyone to buy. These are just a few examples on a list that continues to grow.

The Industry Is Uniting to End the Password Problem

On February 15th, the FIDO APAC Marketing Forum (AMF) brought together FIDO members from 12 countries in APAC to share insights, lessons learned and best practices to mitigate the surge of cyber-attacks that have taken hold of the region. 

Here are the highlights of the sessions:

  • The agenda started with a welcome message from Andrew Shikiar, Executive Director and CMO of the FIDO Alliance. Shikiar said, “2022 is the year of FIDO adoption and this time we mean it. FIDO adoption is truly happening now at scale. Asia has always been at the forefront with early FIDO adoptions, and it is wonderful to see a new momentum in Taiwan and ASEAN.”
  • Megan Shamas, Senior Director of Marketing at the FIDO Alliance, reviewed 2021 highlights and shared the 2022 global marketing programs that are being prepared. She detailed FIDO’s new-year marketing programs, which are divided into many different areas, such as PR, digital, content, industry events, seminars, and research, while seeking member feedback.
  • The group heard from Karen Chang of Egis Technology, who is also Chair of the FIDO Taiwan Engagement Forum and serves as a member of the SEMI E187 Standard Committee. Chang pointed out that SEMICON Taiwan released SEMI E187, the first ever semiconductor standard. FIDO is listed as a reference for ‘Authentication Technologies’ in the document.
  • Le Tuan Khoi from MK Group in Vietnam shared their FIDO deployment case study. The insightful local trends on cybersecurity and cybercrime statistics were highly appreciated by the members. It was very helpful for us to understand the local markets and how FIDO can be accepted there.
  • Keiko Itakura from Rakuten Group shared Rakuten’s FIDO implementation case study. Itakura, who also serves as Co-Vice Chair of the FIDO Japan Working Group, said, “FIDO has great availability to unify authentication methods and phishing resistance by utilizing standard technology.” At the end of her presentation, the members congratulated Rakuten on its 25th anniversary.
  • Special guest Yusuf Khan from Digital Dubai joined us to share digital ID trends and related activities in Dubai. He emphasized that the balance between usability and security is very important, and that FIDO Authentication sits in that sweet spot. It was also exciting to learn that Dubai is exploring passwordless and secure mobile-based digital identity.
  • Finally, Young Lee from DEFEND in New Zealand joined us as a special speaker. Lee gave us a bird’s-eye view of New Zealand’s 2021 Cybersecurity Landscape. He said, “thousands of phishing and credential harvesting attacks were recorded in Q2 2021, and it was a 73% increase from the previous quarter.”

A Call to Participate

The FIDO APAC Marketing Forum (AMF), under the FIDO Marketing and Communications Board Committee, was inaugurated on November 28th, 2020, to provide a platform for regional members to connect, learn from each other and share best practices. Although it was established during the worst period of the global pandemic, the forum has now grown to 98 members from Australia, China, Japan, Korea, Hong Kong, Indonesia, India, Malaysia, Saudi Arabia, Taiwan, and Vietnam. Members in the APAC region are encouraged to participate in this forum and can get involved by contacting info@fidoalliance.org.

We look forward to hosting yet another exciting AMF meeting in Q2 2022!

Charting an Accelerated Path Forward for Passwordless Authentication Adoption https://fidoalliance.org/charting-an-accelerated-path-forward-for-passwordless-authentication-adoption/ Thu, 17 Mar 2022 12:14:14 +0000

Andrew Shikiar, executive director and CMO, FIDO Alliance

FIDO Alliance released a paper today that outlines the next steps in the evolution of FIDO and passwordless authentication adoption. Specifically, we are introducing the concept of multi-device FIDO credentials to address current challenges with account recovery for consumer deployments at scale.

FIDO Alliance has really been successful in changing the nature of authentication – FIDO Authentication is now built into every leading device and browser and many major brands have made FIDO logins available to their users. 

However, a challenge that persists is the requirement that users enroll their FIDO credentials for each service on each new device, which typically requires a password for that first sign-in. So what happens to your FIDO login credentials and how do you recover your account if you change your phone or laptop? They are not recoverable in today’s FIDO model. This presents issues for deploying FIDO at scale to consumers who are constantly moving between devices and updating to new ones. This is less of a challenge in the enterprise, where companies can solve this issue by deploying internal management tools used to support passwordless authentication, and for employees to recover accounts and credentials.

So while FIDO is available to deploy at scale today, a feature has been missing to make it as fully ubiquitous and available as passwords: the ability to have your FIDO credentials available to you across all of your devices, even a new one, without having to re-enroll for every account. 

Introducing multi-device FIDO credentials

The new paper released today outlines the next steps for the evolution of FIDO to address this limitation. The paper introduces multi-device FIDO credentials, also informally referred to by the industry as “passkeys,” which enable users to have their FIDO login credentials readily available across all of the user’s devices. This will help service providers bring passwordless sign-in to consumers at scale by addressing the issue of account recovery – the key barrier to mass adoption of cryptographically secure, passwordless authentication. 

The paper outlines how the FIDO Alliance and the W3C WebAuthn working group propose to achieve this, which includes two key updates:

  • The ability to use a phone as a roaming authenticator through a defined protocol to communicate between the user’s phone (which becomes the FIDO authenticator) and the device from which the user is trying to authenticate.
  • Making FIDO credentials universally available on all the user’s devices to ensure they can survive device loss and sync across different devices

By introducing these new capabilities, we hope to empower websites and apps to offer an end-to-end truly passwordless option; no passwords or one-time passcodes (OTP) required. The user experience of sign-in becomes a simple verification of a user’s biometric or a device PIN – the same consistent and simple action that consumers take multiple times each day to unlock their devices. The vision is that these experiences will be available across all our devices, operating systems and browsers.

FIDO Alliance sees the introduction of multi-device FIDO credentials to be an important step towards deployment of phishing-resistant FIDO authentication at a broader scale in many use cases that today are totally reliant on passwords or legacy forms of MFA such as SMS OTPs that are under increasing attack. 

We’re looking forward to hearing from industry stakeholders about this development and will be sharing more details on a webinar in April.

FIDO Alliance Announces Commerce Virtual Summit Amid Rising Online Payment Fraud and Authentication Challenges
https://fidoalliance.org/fido-alliance-announces-commerce-virtual-summit-amid-rising-online-payment-fraud-and-authentication-challenges/
Wed, 09 Mar 2022 22:06:44 +0000

Players from across banking, retail, crypto and blockchain can gain expert insight into addressing authentication challenges with FIDO – from regulation and UX, to fraud and privacy

MOUNTAIN VIEW, CA – March 10, 2022 – The FIDO Alliance is pleased to announce its first Authenticate Virtual Summit of 2022: The FIDO Fit in Commerce: Examining the Present and Future of Authentication in Banking, Retail, Crypto and Blockchain. The summit features Signature Sponsors Daon, Keyless and Nok Nok. 

Attendees will hear from industry experts on the authentication challenges facing all commerce stakeholders today, and learn about FIDO’s invaluable role in the industry. The program provides market-specific insights, and will air March 30 in the U.S. (2:00 – 5:30pm Eastern) and March 31 in Europe (2:00 – 5:30pm CET).

Online payment fraud is rising globally, totalling an estimated $20bn USD in losses last year. Meanwhile, Forrester research suggests poor online checkout experiences are costing brands over $18bn a year in cart abandonment. This event invites players across banking, retail, crypto and blockchain to learn how they can meet the urgent need to deliver simpler, stronger user authentication, and why FIDO has quickly become a key cornerstone in the future of commerce.

The agenda features presentations from leading financial institutions, solution providers and industry analysts to explore: 

  • Commerce authentication today and its challenges
  • The benefits and risks of different authentication methods
  • Key privacy and regulatory requirements – and how they’re evolving
  • The imperative for modern strong authentication in commerce
  • Use cases and practical insights into deploying FIDO 
  • The future of authentication in commerce

Speakers include executives from RH-ISAC, eBay, Gemini, Goode Intelligence, PLUSCARD, Entersekt, LoginID, the Greensheet, IDnow and more.

Register for free and view the agenda for the event here. All sessions will also be available on-demand after the second airing.

Sponsorship Opportunities

The Authenticate 2022 Virtual Summit series is accepting applications for sponsorship, offering a number of lead generation and brand visibility opportunities for interested organizations. Visit the Authenticate sponsorship page for more information or contact authenticate@fidoalliance.org.

About FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

FIDO Alliance Announces Authenticate Conference 2022
https://fidoalliance.org/fido-alliance-announces-authenticate-conference-2022/
Tue, 15 Feb 2022 13:00:03 +0000

Premier authentication conference returns for third year; call-for-speakers open

SEATTLE, February 15, 2022  —  The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to the who, what, and where of user authentication. Authenticate, featuring Signature Sponsors Google, Microsoft, Visa and Yubico, will take place at the Sheraton Grand in Seattle, Washington and virtually on October 17-19, 2022. 

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the third consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

Last year’s conference featured more than 70 sessions and welcomed over 650 attendees, 97% of whom agreed that the content was exactly what they were looking for. The exhibit area included 25 industry-leading exhibitors and sponsors.

Authenticate 2022 will build upon this strong foundation and feature detailed case studies, technical tutorials, and expert panels aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and networking opportunities. 

Authenticate Call For Speakers

The Authenticate 2022 conference program committee is currently holding an open call for speakers. Authenticate provides speakers with an opportunity to increase visibility, educate on in-market solutions, and allow for networking between those involved in modern authentication. 

The committee is looking for vendor-neutral, educational presentations that focus on modern authentication implementations and best practices. For this year’s event, the focus will be on “taking modern authentication to the next level.” Diverse, global perspectives and presentations that focus on the following topic areas are welcome: 

  • Authentication trends & insights 
  • Modern authentication case studies & implementation strategy
  • Regulatory impact on authentication 
  • Technical & developer tutorials

Other topic areas related to authentication will also be considered. Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. 

The Authenticate Call for Speakers closes on March 15, 2022. To submit an application, please visit https://authenticatecon.com/event/authenticate-2022-conference/

Sponsorship Opportunities at Authenticate 2022 

Authenticate 2022 is also now accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/event/authenticate-2022-conference/.

Sponsorship requests will be filled on a first-come, first-served basis. Requests for sponsorship should be sent to authenticate@fidoalliance.org.

About Authenticate

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

In 2022, Authenticate will be held October 17-19 at the Sheraton Grand in Seattle, Washington and virtually. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org  

PR Contact 
press@fidoalliance.org

Media Alert: The FIDO Alliance Endorses The Office of Management and Budget’s Finalized Zero Trust Strategy
https://fidoalliance.org/media-alert-the-fido-alliance-endorses-the-office-of-management-and-budgets-finalized-zero-trust-strategy/
Thu, 27 Jan 2022 13:00:05 +0000

FIDO Authentication highlighted for updated phishing-resistant authentication requirements 

The FIDO Alliance endorses The U.S. Office of Management and Budget’s finalized Federal Zero Trust Strategy, supporting their efforts to implement stronger cybersecurity methods across government agencies. The Federal Zero Trust Strategy now requires agencies to use phishing-resistant multi-factor authentication (MFA) to access agency-hosted accounts, highlighting FIDO Authentication as a quality option to ensure user security. Notably, the OMB also recommends this approach in environments where the use of Personal Identity Verification (PIV) isn’t feasible. 

“The Federal Zero Trust Strategy provides a robust roadmap for agencies to follow to ensure best practices in creating a zero trust environment. The FIDO Alliance commends the Office of Management and Budget for requiring phishing-resistant authentication to protect agencies as phishing attacks become significantly more sophisticated – including the increasingly common ability to bypass legacy MFA approaches such as OTPs,” said Andrew Shikiar, executive director of the FIDO Alliance. “Authentication is a critical component of any zero trust architecture. As cited by OMB, FIDO Security Keys and authenticators present a practical alternative to PIV and can provide agencies with a rapidly deployable solution to harden their defenses against hackers armed with increasingly sophisticated and persistent threat campaigns.”

WHO: The FIDO Alliance

WHAT: The OMB’s Federal Zero Trust Strategy, which aims to accelerate the migration of U.S. Government agencies towards zero trust cybersecurity principles, mandates the use of phishing-resistant authentication, such as FIDO Authentication. This serves as yet another example of the government recognizing the importance of not only MFA, but phishing-resistant MFA to secure accounts.

As the OMB initiates this paradigm shift in how Federal agencies approach cybersecurity, the broader adoption of FIDO Authentication will provide simpler and more secure authentication for agencies, especially as enterprise users continue to be the most valuable targets for phishing.

WHEN: The OMB released its final Federal Zero Trust Strategy on January 26, 2022. As detailed in the strategy, agencies are required to achieve the zero trust security goals outlined in the strategy by the end of 2024.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact
press@fidoalliance.org

Recap: Identity, Authentication, and the Road Ahead #IDPolicyForum
https://fidoalliance.org/recap-identity-authentication-and-the-road-ahead-idpolicyforum/
Wed, 26 Jan 2022 15:56:59 +0000

The intersection of identity and authentication is set to be very busy in 2022.

Over the course of two days from Jan. 24 – 25, the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC) co-hosted the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum with representatives from government and industry providing insight into the policies, challenges and opportunities for identity and authentication in 2022 and beyond.

Identity has always been important, and during the pandemic the gaps in identity verification capabilities were dramatically exposed in a number of ways. The challenges of identity in the pandemic were detailed in a keynote fireside chat with Susan Gibson, chair of the U.S. Pandemic Response Accountability Committee (PRAC) Identity Fraud Reduction & Redress Working Group, and Jeremy Grant, coordinator of the Better Identity Coalition. Gibson explained that the PRAC was formed by the U.S. Government with the goal of promoting transparency and facilitating coordinated oversight of the federal government’s pandemic response, which totaled some $5 trillion in aid.

Gibson noted that there have been many instances of pandemic aid fraud, due in no small part to weaknesses in identity verification and coordination. For example, she noted that a single social security number was used to claim unemployment insurance in 29 different states. 

While identity fraud, with social security numbers and other means, is common, Gibson emphasized that trying to stop identity thieves isn’t the only answer to the problem, as the volume of personally identifiable information that is already out in the public domain is large.

“Really, we need to focus less on trying to fix the problem by stopping identity theft and focus more on: how do you get to the strong authentication, with a realization that the identity theft has already happened,” Gibson said.

Data breaches continue to happen

Identities are often at the root of data breaches, both as a root cause and as a consequence.

In a morning session, James Lee, Chief Operating Officer of the ID Theft Resource Center (ITRC), outlined some of the key data points from his organization’s 2021 End-of-Year Data Breach Report. Among the highlights is the fact that 2021 was the worst year ever for data breaches, with 1,862 incidents impacting 294 million victims.

Lee said that the top data attribute stolen in data breaches is the names of users, followed by social security numbers. That said, he noted that in fraud forums, stolen social security numbers are sold for $2 each. In contrast, logins and passwords associated with email accounts, and in particular Gmail accounts, are worth $80 each.

The first day of the event concluded with a pair of panels on different aspects of identities and authentication. In a panel on things the government is doing to coordinate and improve identity, Jason Lim, Branch Manager for Screening Technology Integration Program (STIP), TSA; Phil Lam, Executive Director for Identity, U.S. General Services Administration; Tim Weiler, Economic Policy Advisor & Legislative Counsel, U.S. Rep. Bill Foster; and Kate Wechsler, Executive Director, Consumer First Coalition, each detailed their views on what different agencies are doing.

Identity is also about access, which isn’t the same for all members of society. That was a key theme in the final panel of the day, hosted by Eva Velasquez, President and CEO, Identity Theft Resource Center (ITRC), alongside panelists Birdell Lewis, Senior Vice President, Centralized Shared Services, Synchrony; Pastor Ben Roberts, Foundry United Methodist Church; and Chris Peterson, Penny Forward and Community Member.

Day Two: The Future of Strong Authentication

In the opening keynote on the second day of the event, Eric Mill, Senior Advisor, White House Office of Management and Budget (OMB), outlined the direction of strong authentication in the government.

Mill noted that in the fall of 2021, the OMB published a draft of its federal zero trust strategy, which defines having a defense against phishing as a key priority. Mill said that phishing is one of the most common ways that adversaries gain a foothold in an enterprise and the government wants to focus on having an order of magnitude better defense against that kind of attack.

“We are trying to create a clear baseline for civilian federal agencies around not using multifactor authentication methods that don’t resist phishing,” Mill said.

Mill noted that PIV, or Personal Identity Verification, cards are commonly used in the government and they can be an effective phishing deterrent. He added that there is a need to have a broader approach with FIDO WebAuthn platform authenticators as well.

“We really expect to see PIV, FIDO and web based authenticators in commingled use throughout the federal government and other weaker methods in the context of phishing, discontinued,” Mill said.

The zero trust strategy was officially published the day following the conference and requires the use of phishing-resistant MFA, like FIDO Authentication.

FIDO Alliance’s efforts for strong authentication and identity

In a keynote, Andrew Shikiar, Executive Director of the FIDO Alliance, outlined the progress and initiatives that his organization has underway to help improve the state of strong authentication.

Shikiar emphasized that the imperative that FIDO is seeking to address is not just to be a checkbox item for multi-factor authentication (MFA), but rather to truly be a foundation to secure connected services that are critical to today’s networked society. 

Shikiar predicted that 2022 will be the year that MFA attacks become mainstream. Having a phishing-resistant approach, which is what FIDO provides, is critical. The need for phishing-resistant MFA and strong authentication has been cited by multiple governments as a best practice. 

“Passwords are part of our lives because they’re ubiquitous and they’re part of the web’s DNA,” Shikiar said. “Simply put, we need to supplant them, keep them out of that role and take their place.” 

Barriers to MFA and the need for improved identity proofing

In a panel on how the government and industry are rethinking authentication, panelists provided insight into what holds adoption back and what needs to happen next.

Pam Dingle, Director of Identity Standards at Microsoft, commented that while there is awareness about the need for strong authentication and MFA, there are several reasons why it isn’t always implemented. One type of organization that doesn’t deploy it is one that faces some sort of organizational barrier to MFA.

“So customers come to us and say they know they need to do it right, but they have legacy technology or they have other reasons why they can’t adopt,” Dingle said. “For everyone else, I believe it’s on people’s lists.”

Christine Owen, Director, Advanced Solutions, Cybersecurity at Guidehouse, commented that a challenge she sees with MFA deployment is on service accounts. Owen noted that adding MFA to those types of accounts is not always as easy as it should be. Grant Dasher from CISA noted that in his organization’s view, identity is clearly the foundation of a zero trust architecture. Dasher added that the President’s Executive Order has committed the government on both civilian and national security sides to go in that direction. In fact, CISA has referred to FIDO as the gold standard for authentication in its recent guidance.

Helping to ensure that a given identity is in fact authentic is the domain of identity proofing, which also helps with the initial verification of identity documentation and attributes. In an afternoon panel, Rae Rivera, Director of Certification Programs at the FIDO Alliance, outlined the ongoing efforts to create certification programs for identity proofing.

Brighton Haslett, Counsel in the U.S. House of Representatives, Committee on Financial Services, noted that it’s important that any new regulations in the identity proofing space be based on real information.

“I think the biggest threat in this space is any kind of legislation or regulation born out of misunderstanding and fear,” Haslett said. “I think when we see a rush to regulate a new technology, it’s usually an attempt to mitigate bad outcomes whether those are real or not.”

Strong Authentication, Identity and the Banking System

The need for strong authentication to help secure identity is of critical importance to the financial sector and its government regulators.

“If you look at so many of the things that bring risk to the financial sector in the United States they are all anchored on identity,” commented Sultan Meghji, Chief Innovation Officer, FDIC.

Meghji’s views were echoed by Kay Turner, Senior Counselor to the Director, FinCEN Digital Identity, Inclusion, and Digital Payment Infrastructure. She noted that FinCEN’s role in the financial sector as the primary administrator of the Bank Secrecy Act and the U.S. financial intelligence unit, is to help prevent illicit finance, money laundering and related crimes like countering the financing of terrorism.

“Identity is at the heart of all financial services, and it’s core to trust,” Turner said. “So we recognize that the ability to assess risk is only as good as your ability to figure out with whom you’re engaging.”

Much of Turner’s sentiment was echoed in a keynote by Elizabeth Rosenberg, Assistant Secretary for Terrorist Financing and Financial Crimes at the U.S. Treasury.

Rosenberg said that many of the critical problems plaguing the financial system stem from an inability to readily and reliably know who is dealing with whom.

“As a policy matter, digital ID has the potential to immediately and dramatically improve how we protect our national security and financial security,” Rosenberg said. 

Looking beyond just being aware of the importance of strong authentication for identity, Rosenberg said that the U.S. Treasury is approaching 2022 as a year of action for digital ID.

“I don’t want us to be addressing the same problems when next year’s identity forum convenes,” Rosenberg said. “At least I don’t want to see the same problems happening as frequently to the same degree as they are right now and the Treasury is committed to making that happen.”

In the closing keynote, Carole House, Director for Cybersecurity and Secure Digital Innovation, White House National Security Council (NSC), also noted that she sees identity as being critical to national security.

“Many cyber incidents that we’ve seen involve vectors of compromise that could have been thwarted through stronger identity and access management solutions, including implementation of multifactor authentication solutions,” House said.

Recordings of Day 1 and Day 2 are now available.

2021 FIDO Developer Challenge: Outcomes and Winners
https://fidoalliance.org/2021-fido-developer-challenge-outcomes-and-winners/
Mon, 08 Nov 2021 23:57:04 +0000

By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Editor’s Note: This is the final blog posting covering the 2021 FIDO Developer Challenge. We invite you to read the previous blog posts to learn more about past stories:

This year’s FIDO Developer Challenge reached a successful conclusion, with a ceremonial event during Authenticate 2021 in Seattle. The recorded video of the ceremony is available now, and we’re pleased to share more detailed stories of the three finalists as well as the rest of the teams that made it to the final stage.

Leaders of the Top Three Teams.

Gold Winner – Lockdrop

Lockdrop, a company based in Toronto, Canada, strengthened their document transfer service using end-to-end encryption with WebAuthn as an MFA authentication option. The team wants to help businesses and people exchange larger datasets easily and securely, a problem that is prevalent across most industries and results in people falling back to insecure and/or archaic forms of data transfer such as email, fax, CD-ROMs (yes, CD-ROMs!), and USB sticks.

Silver Winner – Shaxware

Shaxware is a company located in Tokyo, Japan. They created a Proof of Concept, fashioning the Japanese National ID Card (My Number Card) into a FIDO roaming authenticator. They proposed to extend WebAuthn by using the external IC card as a primary digital certificate.

Bronze Winner – SoundAuth

SoundAuth is the team name for a company (Trillbit) based in Boston with R&D staff stationed in India. This team built a FIDO MFA solution that leverages data over sound technology to provide a seamless user experience while eliminating the need to rely on an additional hardware token or internet connectivity.

From the initial pool of applicants, fourteen teams from eight different countries (Canada, France, India, Japan, Malaysia, South Korea, USA, Vietnam) competed throughout the FIDO implementation stage – including the three finalists detailed above. There were also many concepts that did not make the top three yet have shown compelling ways to leverage the strength and usability of FIDO Authentication. Examples include:

  • FIDO and AI-based remote test proctoring system (India)
  • Web payment system, leveraging FIDO-based digital wallet (France)
  • FIDO-based online note-taking apps for developers (Vietnam)
  • FIDO-based VPN access (South Korea)
  • FIDO and AI-based assisted technology for visually impaired people (South Korea)

Thanks and final thoughts

The 2021 FIDO Developer Challenge was made possible by the support and active engagement from the event sponsors – who not only helped fund the event operations and prizes, but gave hands-on feedback and guidance as judges. Thanks also to the W3C and WebAuthn community for guidance and support through the FDC Discord Channel – it was great to see so many people weighing in to help these development teams.

We were very pleased to have built off of our prior developer hackathon efforts in Korea, to have brought the challenge global, and to have added a focus on public APIs. The Challenge demonstrated that the combination of open technology coupled with the entrepreneurial vision of a developer will result in inspiring outcomes and innovation. We look forward to expanding this effort in 2022. Please don’t hesitate to reach out (https://fidoalliance.org/contact/) should you have any feedback or suggestions on the program.

FIDO Alliance Announces Asia Pacific Authenticate Virtual Summit to Drive Further Adoption of Modern User Authentication
https://fidoalliance.org/fido-alliance-announces-asia-pacific-authenticate-virtual-summit-to-drive-further-adoption-of-modern-user-authentication/
Fri, 05 Nov 2021 11:01:07 +0000

Three-day event to provide global updates and local insights for multiple countries across Asia Pacific

SINGAPORE, November 5, 2021 — The FIDO Alliance announced the agenda and speaker lineup for its free Virtual Authenticate Summit: APAC Innovation, the quarterly series of virtual seminars that delve into the FIDO approach to modern user authentication. This three-day event, being held December 8-10, 2021, features expert speakers from around the globe, with regionally specific tracks focused on strong authentication trends in China, India, the ASEAN region, Korea, Japan and Taiwan.  

“Asia has long been a hub of innovation for FIDO Authentication – with some of the earliest and most noteworthy implementations having taken place throughout the region,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We are pleased to build upon FIDO’s Authenticate Virtual Summit series to allow local participants to gain insights into the latest trends and technologies from FIDO Alliance and its global stakeholders.”

Fraud and identity theft continue to grow throughout APAC as a result of lingering reliance on weak authentication methods such as passwords, as witnessed by the recent FIDO Alliance Online Authentication Barometer survey. The survey shows that while security is a priority with 84% of respondents having taken steps they believe will better protect their accounts from compromise, 43% did so by strengthening their passwords.

This Virtual Summit will give attendees the necessary tools to start their companies on a journey towards a passwordless future – as regional stalwarts such as NTT DOCOMO, Samsung, LINE and many more have done already.

Participants will also gain insights from subject matter experts in identity and authentication, with case studies including:

  • Asia Pacific — Electronic Transactions Development Agency (ETDA), Malaysian Ministry of Finance, SecureMetric
  • China — FIME, Lenovo
  • India — Ensurity, RBL Bank, Reserve Bank of India
  • Japan — AXELL, Digital Agency of Japan Government, Josai University, OpenID Foundation Japan, NTT DOCOMO, Rakuten, Yahoo! Japan
  • Korea — AWS/AirCuve, LINE, SK Telecom/Octaco, TrustKey, Telecommunications Technology Association of Korea 
  • Taiwan — AuthenTrend/NEC, FIME, Financial Supervisory Commission, PUFsecurity

Authenticate Virtual Summit: APAC Innovation is free to attend for anyone interested in learning more about and/or deploying FIDO Authentication. Most sessions will also be available on-demand after they air, and translated subtitles for global content will be available in Chinese, Japanese or Korean (as well as for the event platform). Attendees and sponsors will also have the ability to engage and network, as well as visit sponsor booths via the virtual platform.

Visit the 2021 Authenticate Virtual Summit: APAC Innovation event page to find out more and register for the event.

For more information about the Authenticate Virtual Summit Series: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Authenticate Contact
authenticate@fidoalliance.org

PR Contact
press@fidoalliance.org 

Megan Shamas, Director of Marketing
FIDO Alliance
+1 (203) 231-9280
megan@fidoalliance.org

Jareth Cheng
FINN Partners for FIDO Alliance
+65 3157 5619
yingFIDO@finnpartners.com

FIDO Alliance Launches FIDO Certified Professional Program https://fidoalliance.org/fido-alliance-launches-fido-certified-professional-program/ Mon, 18 Oct 2021 16:25:41 +0000

As FIDO adoption gathers momentum globally, the program aims to help more organizations expedite roll-out with support from FIDO Certified professionals 

SEATTLE, WA, October 18, 2021 – FIDO Alliance today announced a new addition to its range of certification programs: the FIDO™ Certified Professional Program. Designed to formally recognize the knowledge of online security and authentication professionals, the program aims to grow the number of experts available to support businesses implementing stronger FIDO authentication solutions.

The FIDO Certified Professional Program complements FIDO Alliance’s portfolio of FIDO certification programs including functional, security and Biometric Component Certification. The certification programs are a well-established pillar of the FIDO ecosystem, promoting trust and ensuring products and services are high quality and interoperate seamlessly together. 

The FIDO Certified Professional Program assesses and validates an individual’s skills and expertise in relation to the FIDO standards and architecture, as well as the identity and authentication space more broadly. FIDO Certified professionals will be equipped with the advanced technical knowledge to analyze business requirements and help organizations define a robust FIDO architecture tailored to their needs.  

“There is a large global appetite for authentication solutions beyond outdated and insecure passwords,” said Dr. Rae Rivera, Certification Director of FIDO Alliance. “But with passwords so embedded in the digital security world, many organizations struggle to know where to start. Growing the global pool of authentication experts with this certified program is key to guiding more companies quickly and confidently in the right direction, while ensuring talented professionals have a means to demonstrate their market expertise.” 

The program is recommended for a variety of job functions, including technology architects; systems and operations engineers; security professionals; and identity and access management professionals.  

“Establishing and sharing industry best practices is at the heart of FIDO Alliance’s mission to reduce the world’s reliance on passwords in favor of modern, possession-based approaches to user authentication,” said Andrew Shikiar, Executive Director and CMO of FIDO Alliance. “The FIDO Certified Professional Program builds upon our deep expertise in running industry-driven certification efforts and stands to raise the bar and authentication implementation capabilities of developers, architects and other professionals around the world.”

To be the first to hear when program enrollment opens, please register your interest here.  

Learn More at the Authenticate 2021 Conference

To learn more about the FIDO Certified Professional Program and other trends in modern authentication, attend the FIDO Alliance’s Authenticate 2021 conference this week, October 18-20, to hear from Certification Director, Dr. Rae Rivera, who will present two certification-focused sessions: 

  • Advancing Your Professional Development in Identity and Authentication with IDPRO and FIDO Alliance 
  • FIDO: The Value of Certification

All Authenticate 2021 attendees, remote and in person, will have access to live, on-demand and post-session recordings. Register now to participate virtually!


FIDO Alliance Research Tracks Passwordless Authentication as It Moves Mainstream https://fidoalliance.org/fido-alliance-research-tracks-passwordless-authentication-as-it-moves-mainstream/ Mon, 18 Oct 2021 16:25:16 +0000

New Online Authentication Barometer from the FIDO Alliance reveals consumer habits, trends and adoption of authentication technologies

Summary of key findings:

  • Passwords still prevail over other, more secure authentication methods — 56% of people used them to log into financial services accounts in the last 60 days
  • Biometrics are gaining traction, both in perception of security and usage — 32% of people think it is the most secure authentication method, and it is the preferred method for 28%
  • Many consumers still don’t know what action to take to secure their accounts — stated by 37% of people that didn’t take any steps to improve their online security
  • Many consumers wrongly believe that taking action to strengthen a password is the best way to secure their account — 19% of people believe this
  • Consumers need to be educated on the risks and implications of poor account security and the solutions available 

SEATTLE, WA, October 18, 2021 — The FIDO Alliance today launched its Online Authentication Barometer to track the uptake of secure authentication technologies among the general public. The Online Authentication Barometer provides baseline insights into the state of online authentication in 10 countries across the globe, with future releases of the barometer able to compare changes in behaviors and attitudes over time. 

It reveals that biometrics, such as using fingerprints and face scans, are being used by at least 35% of people and are by far the most popular form of online authentication behind passwords. The barometer highlights how adoption of biometrics for online authentication varies widely internationally, yet all countries surveyed reported at least 25% of the population are using biometrics in some capacity. 

Passwords and other knowledge-based approaches such as OTPs have historically dominated online authentication and the barometer confirms this is still the case. However, major platform and device manufacturers including Apple, Google and Microsoft have begun adopting possession-based, passwordless alternatives into their core product offerings to improve security and convenience. As these and other initiatives gain traction, the world’s reliance upon passwords and other server-side “secrets” is expected to decrease in favor of modern solutions including biometrics, security keys and other on-device approaches for user authentication.

Biometrics are the most popular of these possession-based and password-free authentication options, and data from the barometer reveals why. Biometrics are perceived to be the most secure way for people to verify their identity online – 32% of people believe this, a trend that holds true in all 10 countries the Online Authentication Barometer explored. Biometrics are also the most preferred method of logging in for 28% of people surveyed. 

“Time and time again we see data breaches, ransomware and other attacks that leverage vulnerabilities associated with passwords and other ‘what you know’ forms of authentication — including OTPs as a second factor,” said Andrew Shikiar, Executive Director & CMO of the FIDO Alliance. “The industry at large must shift towards possession-based factors such as biometrics and security keys that are not susceptible to remote attacks such as phishing, credential stuffing and various forms of social engineering that frankly are difficult if not impossible for the average user to detect.  We are pleased to establish and share the Online Authentication Barometer as a mechanism to track our collective progress towards a safer and more secure networked economy.” 

The Online Authentication Barometer also found encouraging data on people actively taking steps to protect their accounts from being hacked or compromised. The vast majority of people (84%) took action, suggesting high levels of awareness on the security issues passwords have. However, despite biometrics being recognized for better security, 19% of people still consider passwords to be the most secure way to authenticate themselves online, and 11% of people think SMS OTPs are the most secure. This was ahead of some of the strongest methods available today, including authentication software (6%) and physical security keys (4%). 

Of the 16% who didn’t take any steps to improve their online security, the majority said they didn’t know how (37%), with 26% saying it’s too complicated and 16% believing a data breach or hack would not happen to them.

The full Online Authentication Barometer from the FIDO Alliance can be found here.

Notes to editors

  • Major organizations that have begun adopting possession-based, passwordless alternatives to improve security and convenience include:
    • Apple announcing its intent for iCloud Keychain users to secure accounts with cryptographic keypairs (“passkeys”) instead of passwords
    • Google announcing plans to enable multi-factor authentication by default
    • Microsoft enabling its users to completely remove the password from their Microsoft account
  • The FIDO Alliance Online Authentication Barometer research was conducted among 10,000 consumers across the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India and China. The interviews were conducted online by Sapio Research in September 2021 using an email invitation and an online survey. 


Authenticate Virtual Summit: The Imperative for Strong Authentication for Government Services https://fidoalliance.org/authenticate-virtual-summit-the-imperative-for-strong-authentication-for-government-services/ Fri, 24 Sep 2021 19:28:16 +0000

Authentication plays an increasingly important role in how governments are providing services around the world.

At the Authenticate Virtual Summit on Sept. 23, 2021, users, experts and vendors from around the world detailed how strong authentication helps to enable government services and new efforts to secure online identities. Users including the U.K. National Health Service (NHS), as well as the U.S. Government’s login.gov and Internal Revenue Service (IRS) provided insights into the present and future of online authentication and digital identities.

In the opening session of the event, Andrew Shikiar, executive director and CMO of the FIDO Alliance, outlined the strategic imperative for FIDO in government services around the world.

“COVID-19 created an imperative to really accelerate digital transformation activities,” Shikiar said. “When the pandemic hit all of a sudden, everyone was at home and all activity brought requirements for modern authentication schemes that go far beyond passwords, even beyond traditional multi-factor authentication.”

Shikiar noted that the FIDO Alliance standards align very well with global regulations and policies and there is a growing trend of government guidance for authentication that cites the use of FIDO.

“It’s important to enable trust in the government ecosystem,” Shikiar said. “This comes through the engagement FIDO does with different regulators and government bodies and ultimately will be manifested through the secure implementation of digital identity services to citizens worldwide.” 

Technology Helping to Push FIDO Strong Authentication Forward

A key path for enabling FIDO specifications is through vendors that support government efforts.

Patrick Sullivan, CTO of security strategy at Akamai, commented that password credential stuffing attacks are very common. He noted that Akamai’s platform sees as many as a billion password attacks per day. That’s where multi-factor authentication and more specifically strong authentication based on FIDO Alliance standards play a strong role. Sullivan noted that there is a clear need to provide multi-factor authentication in a low friction environment where it’s delivered in the form factor of an app on a smartphone.

“We’re not asking users to carry around a hardware token to accomplish FIDO2 as we move in that direction, and by introducing less friction, there’s less risk of our users doing something anomalous,” Sullivan said.

Jeff Frederick, manager of solutions engineering at Yubico, noted during his session that in government, many agencies in the U.S. use Common Access Card (CAC)/Personal Identity Verification (PIV) credentials that go beyond basic passwords. Frederick noted that FIDO2 standards, which are supported on his company’s YubiKey device, provide a strong, impersonation-resistant authentication protocol that uses public-private key cryptography.

“It’s very similar to PIV/CAC and FIDO2 is an open standard that’s managed by the FIDO Alliance, so that any vendor can support this and use it today,” Frederick said. “It’s built into all major operating systems and all major browsers so there’s no middleware that you need to install to make this work and it’s just an easy to implement solution that will modernize the federal authentication infrastructure across the board.”

Making Identity and Authentication Less Taxing at the IRS

The IRS proofs and authorizes tens of millions of taxpayers every year, across both digital and non-digital channels, according to Courtney Rasey, assistant to the director, Identity Assurance, Privacy Governmental Liaison, & Disclosure (PGLD) at the IRS.

“None of those tens of millions of taxpayers who are calling the IRS are doing so just because they want to, it’s not really a fun weeknight activity,” she said. “They need to resolve an issue to meet their tax obligation and we know that, so we’re always striving to provide better service to taxpayers, to help them get the service that they need in the most convenient and efficient way possible.”

One way the IRS is looking to be more convenient to taxpayers is with its Secure Access Digital Identity (SADI) platform that was launched in June of 2021. Rasey explained that SADI leverages a Credential Service Provider (CSP) that identity proofs the taxpayer and then provides the IRS with a digital identity credential.

“Users are eventually going to be able to access all IRS online applications utilizing that single digital identity credential,” Rasey said. “The IRS is moving more and more applications behind SADI throughout fiscal year 2022 and as we do move more applications taxpayers are going to be able to do so many things with just one credential.”

Moving Toward Zero Trust with Strong Authentication

In May, President Biden signed Executive Order 1402, which directs U.S. government agencies to improve cybersecurity. One of the primary provisions of the executive order is to move the federal government toward a zero trust architecture.

“When we talk about zero trust, we’re talking about an architecture where people and their devices aren’t trusted just by virtue of being inside an organization’s enterprise network,” explained Eric Mill, senior advisor, Office of Management and Budget (OMB).

Mill noted that in a zero trust model, people and devices are validated at each step and authentication is context-aware. The OMB is strongly encouraging the adoption of phishing-resistant multi-factor authentication, with FIDO WebAuthn as a good alternative option in environments where CAC/PIV isn’t feasible.

“We’re pushing very hard on multi-factor authentication and we really view reliable authentication as a critical foundation of zero trust architecture,” Mill said.

In a Policy Deep Dive session, Jeremy Grant, managing director, technology business strategy at Venable, noted that there are a number of reasons why authentication is important to governments. 

Grant said that FIDO specifications can help governments to protect access to their own assets and can help to enable more high-value citizen-facing services to the public.

“I think what we’re seeing in 2021, is a really different environment across the globe, where FIDO authentication is emerging, not just as another permitted option, but in many cases as a preferred choice of governments across the world,” Grant said.

How the National Health Service (NHS) uses FIDO

Among the areas in the world where FIDO is finding a home is in the U.K. 

The National Health Service (NHS) is the publicly funded medical and healthcare system in the U.K. and it has embraced FIDO standards to help improve human health.  With the NHS Login service, citizens get a centralized identity for health services while the NHS app provides a simplified application for accessing and managing an individual’s access to health services.

Priyanka Mittal, technical architect for the NHS Login and NHS app, said that over the past 18 months there has been a 10-fold increase in the user base for NHS login as demand has grown during the pandemic.

Sean Devlin, tech lead for the NHS App, explained that initially the services started out using an SMS based two-factor authentication approach, but wanted to find a more seamless approach. NHS decided to use FIDO UAF and built out its own implementation, using eBay’s open source FIDO implementation as a starting point.

Devlin said that before using FIDO, users had to navigate as many as five different screens to get through a multi-factor authentication flow. With FIDO, it’s a single screen.

The NHS has also saved a lot of money by moving to FIDO. With over 500,000 FIDO logins per day, Devlin estimates that the NHS is saving on the order of £8,000 per day on SMS messaging costs.

Bringing FIDO Strong Authentication to Login.gov

FIDO specifications also play a pivotal role at login.gov, which is a single sign-on platform for U.S. government services.

Jonathan Hooper, login.gov Engineering Lead at the General Services Administration (GSA), explained that the authentication portal fronts over 200 sites across the U.S. government,  spread across 27 different agencies. Hooper explained that starting in 2018, login.gov began expanding the use of multi-factor authentication, including the WebAuthn specification.

“We don’t want to be ‘big brother,’ we want to make sure that we can protect users’ privacy and the things built into the protocol that helped to do that were very attractive to us,” Hooper said. “WebAuthn is also very cheap, it is much cheaper to do a WebAuthn authentication event than it is to do SMS by several orders of magnitude.”

Improving Digital Identity with FIDO

A FIDO-based approach for digital identity could soon be finding its way to Canada as well, according to Joni Brennan, president, Digital ID & Authentication Council of Canada (DIACC). An effort currently underway is the Pan-Canadian Trust Framework (PCTF), which is an information assurance framework.

“We think that there’s a great opportunity here to leverage an information assurance framework, coupled with FIDO Alliance driven specifications, to create and to verify that end to end experience that’s needed for digital ID adoption,” she said.

The need for secured digital identities was also highlighted by Amit Mital, special assistant to the President and senior director, National Security Council at the White House.

“Today, when we authenticate ourselves and identify ourselves, we might use one of dozens of popular systems,” Mital said. “So the ecosystem itself is very decentralized, and it’s very unharmonized. It is also fundamentally unsecure.”

Mital said that there is a clear need for strong remote identity solutions that can provide easy, secure, affordable and reliable ways to identify consumers across digital systems. 

“It’s clear that there are a diverse and large number of scenarios that need digital identity and there is no single entity that can solve all these scenarios,” Mital said. “We need an ecosystem that brings together the best ideas and innovation from the private sector, both large companies and startups, as well as the government at both the federal and the state, the local, tribal and territorial lands.”

Wrapping up the day’s event, Andrew Shikiar, executive director of the FIDO Alliance, observed that there are a lot of conversations ongoing about different types of government services and their dependency on secure digital identity.

“Ultimately, identity and authentication are core to deploy new services at scale, in a way that meets the requirements for government agencies, and for citizens alike,” Shikiar said.

The webcast is now available on demand. To watch the recording, visit the event page.

For more discussions on moving past passwords to modern strong authentication, attend Authenticate 2021 on October 18-20, 2021 in Seattle or virtually. The full agenda and details to register are available at authenticatecon.com

FIDO Alliance Announces Speakers for Authenticate Virtual Summit, “The Imperative for Strong Authentication for Government Services” https://fidoalliance.org/fido-alliance-announces-speakers-for-authenticate-virtual-summit-the-imperative-for-strong-authentication-for-government-services/ Tue, 31 Aug 2021 13:11:30 +0000

September 23 event features executives from Akamai, GSA, IRS, NHS, OneSpan, Yubico and more

MOUNTAIN VIEW, CA, AUGUST 31, 2021 — The FIDO Alliance has announced the agenda and speaker lineup for its next Virtual Authenticate Summit, “The Imperative for Strong Authentication for Government Services,” taking place September 23, 2021 from 11:00 am – 2:30 pm EDT. Authenticate Virtual Summits are a quarterly series of virtual seminars that delve into the FIDO approach to modern user authentication across various markets and geographies.

Register for free and view the agenda on the Authenticate Virtual Summit event page.

“Government agencies around the world are rolling out more robust digital services for employees and citizens — and the COVID-19 pandemic has only accelerated this imperative,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Global standards and best practices are key to success in this digital transformation of e-government services — particularly in the areas of strong user authentication and identity verification. We’ve been happy to see the growing trend of governments referencing and leveraging FIDO’s outputs and look forward to sharing their insights with the broader Authenticate community.”

This government-focused Authenticate Virtual Summit brings together leaders from the public and private sector to examine strong authentication for government services, including considerations for implementing modern authentication systems for e-citizen services and remote government workforces, government agency case studies, the intersection with global policy and more.

This Authenticate Virtual Summit agenda includes:

  • Keynotes from Akamai, FIDO Alliance, IRS, and Yubico
  • A look at how the IRS is leveraging new digital identity proofing procedures for non-digital authentication
  • Case studies from GSA and NHS on how they are leveraging FIDO to streamline and secure logins
  • Discussions on the state of strong authentication in government and how policies and directives are changing how governments authenticate
  • Considerations and best practices for optimizing the strong authentication for government experience 

Akamai and Yubico are Signature sponsors for this Authenticate Virtual Summit. To participate as a sponsor, visit https://authenticatecon.com/sponsors/

For more information about the Authenticate Virtual Summit Series: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/.


Amazon is Giving Free FIDO Security Keys to AWS Customers to Encourage Better Account Security https://fidoalliance.org/amazon-is-giving-free-fido-security-keys-to-aws-customers-to-encourage-better-account-security/ Mon, 30 Aug 2021 20:10:05 +0000

By Andrew Shikiar, Executive Director & CMO, FIDO Alliance

Leaders from Amazon, Apple, Google, Microsoft and IBM met with President Joe Biden at the White House last week to discuss strategies the government and private sector can use together to improve the nation’s cybersecurity. 

Following the meeting, Amazon announced that it will provide eligible AWS customers with access to free FIDO Security Keys. Not only will this protect the burgeoning number of businesses that run on AWS, but it will help instill better authentication practices as these keys can be used across many other business (e.g., G Suite, Github, Dropbox, Stripe) and consumer (Facebook, Twitter, Coinbase, Bank of America) services.

Amazon has been a leading stakeholder in FIDO Alliance for several years now – it is wonderful to see their leadership extended to the market at large. As more businesses move to the cloud, it is absolutely critical that cloud service providers follow suit to protect this critical infrastructure. Threats and attackers are growing in sophistication, and the impacts are non-trivial. Hundreds of millions of personal records are being stolen and resold on the dark web on an alarmingly regular basis. This is a clear and present threat to our economy, our national security and our society.

It’s difficult to name a breach from the past five years that wasn’t tied to stolen credentials. 

The latest prominent attack, which was carried out on Colonial Pipeline, used a single stolen password to essentially cripple the U.S. eastern seaboard.

It is important that all businesses take steps to educate and protect their employees and customers from such threats. “Traditional” means of multi-factor authentication (such as OTPs) simply aren’t fit-for-purpose to protect against these attacks, which can financially cripple a company or organization. 

Ultimately, credential-based breaches (like Colonial Pipeline’s) wouldn’t be possible if accounts were protected with FIDO Authentication, which requires local possession of a device with no knowledge-based authentication credentials passed over the network. 

The FIDO Alliance has come a long way since our inception. What started as a whiteboard concept has evolved into technology that is becoming part of the web’s DNA. Virtually every platform and device can now support FIDO Authentication, and there are public SDKs and tools, plus a rich ecosystem of FIDO Certified vendor products and services that can help companies implement FIDO for their sites and apps. 

Amazon’s move to provide free FIDO Security Keys sets a strong – and important – example. We encourage all other cloud service providers to urgently consider following suit by, at a minimum, enabling FIDO authenticators for admin access to networks.

FIDO Alliance Announces Authenticate 2021 Agenda https://fidoalliance.org/fido-alliance-announces-authenticate-2021-agenda/ Tue, 17 Aug 2021 13:00:08 +0000 https://fidoalliance.org/?p=34985 Agenda features practical sessions to move past passwords and towards modern authentication SEATTLE, August 17, 2021 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and […]

The post FIDO Alliance Announces Authenticate 2021 Agenda appeared first on FIDO Alliance.

Agenda features practical sessions to move past passwords and towards modern authentication

SEATTLE, August 17, 2021 – Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, today announced its full 2021 agenda. This three-day event, which takes place October 18-20 in Seattle with remote attendance options, will help educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems.

The Authenticate 2021 agenda features:

  • Deployment case studies from enterprises and service providers including Capital One, eBay, Facebook, Google, Morgan Stanley, Target, Verizon, Wayfair and more 
  • Technical deep dives on FIDO’s authentication specifications: IoT, biometrics and identity verification
  • Vertical perspectives from leaders and practitioners in financial services, eGovernment, retail and communications
  • In-depth discussions on the evolving policy landscape and deployment considerations therein 

“Relying on passwords is passé. Modern authentication systems and standards have emerged to provide more efficient ways for organizations to provide strong security and better interactions with their brands,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “The FIDO Alliance encourages organizations of all sizes to prioritize stronger security, and it is our mission to share the tools and resources to help them get there. This year’s agenda delivers on that mission, providing attendees with a strong foundation for deploying simpler, stronger authentication.”

This year’s headlining keynote speakers are: Bob Lord, former CSO of the Democratic National Committee; Joy Chik, corporate vice president of identity at Microsoft; Stina Ehrensvard, CEO and founder of Yubico; David Henstock, head of identity and authentication products, Visa; and Dave Kleidermacher, vice president for engineering, Android security and privacy, Google. A full list of speakers is available on the Authenticate conference website.

The conference agenda features 45+ in-person sessions and 20+ sessions on-demand, all of which will be available to all attendees. Authenticate also features an expo hall with product and service offerings with 20+ sponsors, as well as various networking and social events built into the three-day schedule – all while adhering to all CDC and local health/distancing requirements. 

Register Today!
Take advantage of early-bird pricing by registering by September 3. To register, visit https://authenticatecon.com/event/authenticate-2021-conference/. Authenticate will be held in conjunction with the FIDO Alliance member plenary, scheduled for October 20-22. FIDO Alliance members have exclusive access to discounted rates to attend both events.

Get involved at Authenticate

There are still select sponsorship opportunities available for Authenticate 2021; companies interested can learn more at https://authenticatecon.com/sponsors/.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

TWEET THIS: The @AuthenticateCon agenda is here! Visit the event website to take a look at this year’s speakers and session topics for the latest in user #authentication. www.authenticatecon.com

About Authenticate

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2021, Authenticate will be held October 18-20 at the Motif hotel in Seattle, Washington with the option to participate remotely via live stream and on-demand sessions. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact

authenticate@fidoalliance.org  

PR Contact

Morgan Mason
Aircover PR
408-612-9889
press@fidoalliance.org

FIDO Developer Challenge: Welcoming Teams to the Implementation Stage https://fidoalliance.org/fido-developer-challenge-welcoming-teams-to-the-implementation-stage/ Tue, 10 Aug 2021 20:18:22 +0000 https://fidoalliance.org/?p=34930 By Joon Hyuk Lee, APAC Market Development Director Editor’s Note: This is the second blog covering the FIDO Developer Challenge.  To learn more about the background and process, please read […]

The post FIDO Developer Challenge: Welcoming Teams to the Implementation Stage appeared first on FIDO Alliance.


By Joon Hyuk Lee, APAC Market Development Director

Editor’s Note: This is the second blog covering the FIDO Developer Challenge.  To learn more about the background and process, please read the earlier blog post, Announcing the FIDO Developer Challenge for Developers Across the Globe.

We are happy to announce that 14 teams from eight different countries (the U.S., Japan, Canada, France, India, Malaysia, Vietnam, and South Korea) have been invited to participate in the implementation stage of the 2021 FIDO Developer Challenge. Six of the teams are early-stage ventures and an equal number hail from academia; the other two are individual developers.

[Faces of participants, captured during online interviews in late July]

All of the teams share a commitment to using FIDO authentication to provide a smoother and more secure user experience across a variety of application areas. As was the case in our earlier Hackathons, we are seeing yet again that the mix of entrepreneurial vision coupled with the capabilities of FIDO Authentication can be realized in a wide array of use cases and industries. We will share more details on each of the submissions as the review process carries forward.

The teams are now engaged in designated virtual lounges for possible Q&As and support from the Developer Challenge sponsors and broader FIDO development community.  To that end, we would like to recognize and give special thanks to the W3C WebAuthn Adoption Community Group for managing the private Discord Channel to provide technical support for participating teams.

Implementations will be done by the end of August and the judges will evaluate the teams’ final presentations and demos by early September.  Please stay tuned for our announcement of the Top 3 by the middle of September – with the winner being announced at the Authenticate conference in Seattle on October 20.

FIDO Alliance’s Authenticate Conference Announces 2021 Keynote Speakers and Open Registration https://fidoalliance.org/fido-alliances-authenticate-conference-announces-2021-keynote-speakers-and-open-registration/ Wed, 30 Jun 2021 23:28:16 +0000 https://fidoalliance.org/?p=34765 Keynote speakers to include executives from Google, Microsoft, Visa and Yubico SEATTLE, June 30, 2021 — Authenticate, the only industry conference dedicated to the who, what, why and how of […]

The post FIDO Alliance’s Authenticate Conference Announces 2021 Keynote Speakers and Open Registration appeared first on FIDO Alliance.

Keynote speakers to include executives from Google, Microsoft, Visa and Yubico

SEATTLE, June 30, 2021 — Authenticate, the only industry conference dedicated to the who, what, why and how of user authentication, is coming October 18-20, 2021 to the Motif hotel in Seattle, Washington. Featured keynote speakers at the second annual event include Bob Lord, former CSO of the Democratic National Committee; Dave Kleidermacher, Vice President for Engineering, Android Security & Privacy at Google; Joy Chik, Corporate Vice President for Identity at Microsoft; David Henstock, Head of Identity and Authentication Product at Visa; and Stina Ehrensvard, CEO and co-founder of Yubico.

Registration is now open for the event, with options for in-person or remote experiences. The 2021 edition of Authenticate will focus on providing excellent live and on-demand content, a live expo hall with 20+ sponsors, as well as a variety of networking opportunities — all while adhering to all CDC and local health/distancing requirements.

“We look forward to welcoming our keynote speakers to the Authenticate stage to share their vision and experience in moving to modern and secure FIDO Authentication,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “After a year of increasingly severe data breaches and user login frustrations, each speaker brings a unique perspective and insight on easing the adoption of simpler, stronger and standards-based authentication.”

CISOs, security strategists, enterprise architects, product and business leaders will walk away from this three-day event with an understanding of the FIDO approach to simpler, stronger authentication, and the tools and best practices they need to integrate FIDO Authentication into their own services.

In addition to the keynote sessions, Authenticate 2021 speakers will go in-depth on the state of authentication, covering a range of topics including:

  • Authentication trends & insights
  • Case studies
  • Modern authentication implementation strategy
  • Vertical trends & initiatives
  • Industry standards
  • Regulatory impact on authentication
  • Technical & developer tutorials

Register Today!

Take advantage of early bird pricing by registering before August 18. 

Get involved at Authenticate

In addition to the Authenticate stage, the FIDO Alliance has a limited number of sponsorship and exhibitor opportunities remaining for the 2021 event. Companies looking to showcase their brand and products front and center at Authenticate can contact authenticate@fidoalliance.org.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

About Authenticate

Authenticate is the only conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. This year’s Signature Sponsors include Google, Microsoft, Visa and Yubico. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org   

PR Contact
Morgan Mason
Aircover PR
408-612-9889
press@fidoalliance.org 

Authenticate Virtual Summit: Focus on Europe Recap https://fidoalliance.org/authenticate-virtual-summit-focus-on-europe-recap/ Fri, 25 Jun 2021 15:15:11 +0000 https://fidoalliance.org/?p=34590 By: FIDO Alliance Staff The digital security, privacy and authentication landscape is evolving quickly in the European Union with new regulations that could have a broad ranging impact for its […]

The post Authenticate Virtual Summit: Focus on Europe Recap appeared first on FIDO Alliance.

By: FIDO Alliance Staff

The digital security, privacy and authentication landscape is evolving quickly in the European Union with new regulations that could have a broad ranging impact for its citizens, as well as companies around the world. 

At the Authenticate Virtual Summit: Focus on Europe, which was held on June 17, experts on the authentication market in Europe provided insight into the latest developments including PSD2 SCA (Payment Services Directive Strong Customer Authentication), delegated authentication, eIDAS (electronic IDentification, Authentication and trust Services) and the EU Digital Wallet among other efforts.  

Kicking off the virtual summit, Andrew Shikiar, executive director and CMO of the FIDO Alliance, outlined how the FIDO specifications work and why strong authentication is essential for multiple use cases including ecommerce, Internet of Things (IoT) and identity verification.

“FIDO’s goal from day one was to certainly reduce reliance on passwords, but in some ways that was just a means to an end, really trying to address the data breach problem, as the vast majority of data breaches are caused by weak credentials,” Shikiar said.

As FIDO is moving forward, there has been a need to strengthen identity verification assurance to support better and safer account recovery. As part of that, Shikiar noted that the FIDO Alliance launched the Identity Verification & Binding Working Group (IDWG) which is driving that work forward.

“We’re seeking to establish best practices for possession based identity verification,” Shikiar said. “That will not only enable safer, easier and stronger account recovery, but doing so will also stop hackers from using the account recovery process as an opening for social engineering account takeovers.”

Helping to Limit Cart Abandonment

There is a tangible connection between ecommerce success and strong authentication, according to Rolf Lindemann, VP products at NokNok.

Lindemann noted that during the pandemic, ecommerce grew faster than ever before. But with 13% of credit card online payments not being completed, it’s clear that cart abandonment is still impacting business in a significant manner.

“We learned that authentication friction in general is a major factor for card abandonment,” Lindemann said. “This becomes obvious given that online authentication is at the core of all online transactions. Authentication is the front door to digital services in general.”

The path to reducing authentication friction involves the use of FIDO, which Lindemann said can help to enable strong customer authentication that can be implemented in a single convenient step.

Toward a Strongly Authenticated Digital Identity 

In Europe and elsewhere around the world, there is a growing conversation about the need to enable and provide some form of digital identity. According to Steve Pannifer, COO of Consult Hyperion, digital identity consists of three things: identification, authentication and authorization. 

Pannifer explained that identification is all about asking the question: is this person real, unique and identifiable? Authentication is the process of recognizing that an identified person is coming in to use the service again, as the service provider wants to know if it is the same person that established the identity at some point in the past. Authorization ties it all together, using identity and authentication to access services.

“Digital identity is not a means in and of itself, it’s a means to an end,” Pannifer said. “The end that it is serving is all of those services that I’m trying to get access to.”

Fabian Eberle, co-founder and COO at Keyless, is also a big believer in digital identity. In a session, Eberle outlined the need for a decentralized system for personal identity management. Such a system puts users in control of their own identity information, and lets them selectively disclose that identity data in a more private and secure way.

Eberle noted that at LUISS Guido Carli University, over 10,000 students are now benefiting from a digital identity system that helps to support remote education services. The Keyless approach benefits from FIDO standards that help to authenticate a device and identify students in a frictionless way.

Digital Identity in Europe: eIDAS

In the European Union, there is an effort known as eIDAS, which is a legal framework for mutual recognition of national digital identity schemes.

“The purpose of eIDAS is cross border access for citizens in any European country to gain access to any public service in the EU,” Sebastian Elfors, senior solutions architect at Yubico, explained.

FIDO standards are being increasingly adopted by European governments to help support eIDAS efforts. Among those that Elfors highlighted are healthcare authentication in Norway, EduID for universities in Sweden and the National Health Service (NHS) in the U.K.

FIDO standards are also helping the Czech Republic with its CZ.NIC top-level domain registry, which also operates the mojeID (my ID in Czech) service.

Jaromir Talir, technical fellow at CZ.NIC and member of the eIDAS Technical subgroup, explained that the domain registry had a requirement to authenticate the identity of domain owners. That requirement led to the creation of mojeID, which has been using FIDO standards since 2019. Talir explained that CZ.NIC uses FIDO to support a multi-factor, strong-authentication-based approach to help authenticate user identity.

Using FIDO to Support Delegated Authentication

With the European Union’s Payment Services Directive Strong Customer Authentication (PSD2 SCA), which came into effect in 2021, there are very stringent requirements for merchants to authenticate consumers with payment providers.

In a panel discussion, Jonathan Grossar, VP, product development at Mastercard commented that within a few months of the introduction of PSD2 SCA there has been an increase in the number of transactions that have been abandoned by consumers.

“So a problem with PSD2 SCA is that consumers may have to authenticate twice,” Grossar said. “First with the merchant to have access to the account or to the card that is stored on file and then a second time doing the transaction with the bank and potentially then with a different authentication mechanism.”

All those extra steps introduce additional friction and complexity for both merchants and consumers that can be alleviated with an approach known as delegated authentication. Grossar explained that with delegated authentication, the entire authentication piece is handled with a secure mechanism by merchants. Using FIDO standards in combination with EMVCo’s 3-D Secure standards to share authentication and risk data is the way forward in Grossar’s view.

“FIDO is interoperable across multiple devices and platforms,” Grossar said. “So in short, you have today billions of devices that are enabled with FIDO, and that potentially can be used for delegated authentication.”

Jason Muncey, principal, EU Payment Acceptance & International Expansion, at Amazon, is also optimistic about using FIDO for delegated authentication. Muncey commented that even before the PSD2 SCA requirements, cart abandonment was just a pain that all merchants have had to live with. In his view, there is a real need to have some form of consistent approach.

Lee Goddard, product director, head of authentication at Worldpay, also noted that there will always be some amount of abandonment potential in that purchase process.

“I think the FIDO approach to delegated authentication will really take things a step further in removing evermore abandonment,” she said.

Remote Identity Verification in Europe

With the pandemic, the ability to do in-person identity verification became challenging, which led to a need for increased remote identity verification in Europe and other areas around the world.

In a panel discussion, Santosh Rajvaidya, senior director, product management at Jumio noted that to date, there is no consistent approach when it comes to remote ID verification in Europe. That situation could be changing with the new digital identity wallet approach from the European Commission that could be the first step in the right direction.

“What is happening with digital identity wallet is you do a one time verification of your ID and the identity is created in the digital identity wallet,” Rajvaidya said. “From there on the user can reuse it multiple times across different applications.”

There is now also an ID Verification and Binding Working Group (IDWG) within FIDO that is doing work that will also help with remote identity verification efforts. Rayissa Armata, Head of Regulatory Affairs at IDnow, commented that when it comes to verification, user experience and convenience are key attributes.

“Most users aren’t concerned with their identity or the data privacy, they’ll tick the boxes and move on, they just want to get their service,” she said.

Wrapping up the virtual Authenticate Summit, Andrew Shikiar, executive director and CMO of the FIDO Alliance, emphasized that the FIDO Alliance is in a very good place today, in Europe and around the world.

“We’re seeing more and more companies adopt FIDO authentication,” Shikiar said. “I personally firmly believe that virtually every consumer service online will be offering passwordless login options in the next few years and our hope is that the vast majority of these leverage FIDO.”

Looking forward, the next FIDO Authenticate virtual summit is in September, with a focus on government services. Then in October, the FIDO Alliance will be hosting its first live event with the Authenticate Conference in Seattle.

Major FIDO Updates Launched to Accelerate Global Charge Past Passwords https://fidoalliance.org/new-fido-ux-guidelines-and-specification-enhancements/ Wed, 23 Jun 2021 15:30:03 +0000 https://fidoalliance.org/?p=34499 New FIDO UX Guidelines and Specification Enhancements Enable Consumers and Enterprises to Meet Growing Demand for Simpler, Stronger Authentication Identiverse, Denver, CO June 23, 2021 – The FIDO Alliance today announced […]

The post Major FIDO Updates Launched to Accelerate Global Charge Past Passwords appeared first on FIDO Alliance.

New FIDO UX Guidelines and Specification Enhancements Enable Consumers and Enterprises to Meet Growing Demand for Simpler, Stronger Authentication

Identiverse, Denver, CO June 23, 2021 – The FIDO Alliance today announced its first user experience (UX) guidelines and new FIDO2 standards enhancements aimed at accelerating the world’s move beyond passwords. With over 4 billion devices, all major browsers and operating systems now supporting FIDO authentication, today’s releases make it even easier for service providers and enterprises to provide simple, phishing-resistant and privacy-enhancing sign-in experiences.

Today’s announcements come as the widespread support for FIDO Authentication has led to an increased demand from service providers and consumers alike – but they need an implementation path to follow that maximizes adoption and simplifies FIDO deployments. The FIDO UX guidelines provide that path, allowing service providers to help consumers understand, adopt and benefit from logging in with FIDO.

At the same time, the increase in remote work and subsequent increase in phishing attacks on their infrastructure is accelerating enterprises’ digital transformation plans and making strong authentication a priority. The FIDO2 enhancements announced today address enterprises’ unique authentication and device management needs for faster, more efficient FIDO deployments.

“Eliminating the reliance on passwords is now a major objective for everyone offering online services – both to provide a more seamless yet secure access to consumer services, as well as to address the growing threat from sophisticated attacks targeting distributed workforces and systems. Our first UX guidelines and FIDO2 enhancements give consumers and enterprises the tools, protection and roadmap to a simpler, more secure, passwordless future,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance.

UX Guidelines to speed consumer adoption of FIDO authentication 

Virtually every modern device and web browser now supports FIDO Authentication, allowing consumers to leverage the same technology they use to unlock their device (a fingerprint or face scan for example) to now sign-in to web services in a secure and private manner. A growing number of large service providers and financial institutions are providing this built-in functionality in order to give their customers the option to log in without the risk and hassle of passwords. These FIDO UX guidelines were created as a set of best practices to help service providers encourage their customers to log in with FIDO Authentication on desktop environments; other FIDO authentication use cases will be addressed through UX guidelines in the future. 

The UX guidelines are available to view and download at www.fidoalliance.org/UX-guidelines.

The UX Guidelines were developed following many sessions of moderated and unmoderated consumer research conducted by third-party research firm Blink UX, in collaboration with UX and design experts from FIDO Alliance member companies including Bank of America, eBay, Facebook, Google, IBM, Intuit, JP Morgan Chase Bank, Microsoft, Trusona, Visa and Wells Fargo.

For more detail on this work and recommendations visit Andrew’s blog. FIDO Alliance also has updated the consumer resource site loginwithfido.com with added information on how and where to use FIDO Authentication.  

Enhancements to FIDO standards to accelerate passwordless in the enterprise

The FIDO Alliance has announced enhancements to its FIDO2 specifications, which include several new features that will be helpful for passwordless enterprise deployments and other complex security applications. Both FIDO2 specifications were recently updated by their governing bodies – with the World Wide Web Consortium  (W3C) approving WebAuthn Level 2 and FIDO doing the same for CTAP 2.1.

Key to these enhancements is enterprise attestation, which provides enterprise IT with improved management of FIDO authenticators used by employees. Enterprise attestation enables better binding of an authenticator to an account, assists with usage tracking and other management functions including credential and PIN management, and biometric enrollment required in the enterprise.

Other updates include support for cross-origin iFrames and Apple attestation, as well as improvements to resident credentials. More details on these and other FIDO specification enhancements are available here.

Join the Optimizing User Experience for FIDO Authentication Panel Live today at 1:30pm MT

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. By harnessing the collective expertise of hundreds of leading technology, consumer services and government organizations, the FIDO Alliance is enabling simpler and stronger online experiences and more secure online identities and devices. The FIDO Alliance creates and publishes specifications, executes rigorous certification programs and educates consumers in order to build confidence and trust in FIDO Certified products and services.

Contacts

Morgan Mason
FIDOteam@aircoverpr.com

World’s Largest Tech Companies Drive FIDO Alliance’s New User Experience Guidelines https://fidoalliance.org/fido-alliances-new-user-experience-guidelines/ Wed, 23 Jun 2021 15:11:16 +0000 https://fidoalliance.org/?p=34500 By Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance FIDO Authentication has seen remarkable acceptance over the past few years, thanks in large part to standardization by the […]

The post World’s Largest Tech Companies Drive FIDO Alliance’s New User Experience Guidelines appeared first on FIDO Alliance.

By Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance

FIDO Authentication has seen remarkable acceptance over the past few years, thanks in large part to standardization by the World Wide Web Consortium (W3C) and the subsequent adoption into leading device platforms and browsers. All told, we estimate over 4 billion devices (inclusive of Windows 10 PCs as well as every modern Apple and Android device) now support FIDO Authentication, as do over 88% of web browsers. Couple that addressable market with the ability for developers to write to the public FIDO2 WebAuthn API and you can see why so many enterprises are featuring FIDO support in requests for proposals (RFPs) and accelerating related development plans.

However, while FIDO definitely does provide a simpler, stronger approach to user authentication, there is still a need to get users more accustomed to the user experience – and to optimize these flows as much as possible.  In short, “if you build it they will come” isn’t always sufficient for paradigm-changing technologies. We’ve heard from more and more relying parties that they would benefit from tips on how to most effectively implement FIDO in a way that resonates with consumers and works across major browsers and platforms.   

Over the past five years, the Alliance has conducted research that has consistently found that consumers want to use FIDO authentication once they understand what it is, and want common “FIDO-enabled” signals that show where to obtain it. This illustrates the need for FIDO to be introduced to consumers in a user-friendly and consistent way in order for our protocols to be adopted at scale.

To address this requirement, FIDO’s Board of Directors last year launched a User Experience (UX) Task Force (UXTF), drawing on world-class UX experts from many of our member companies, including Bank of America, eBay, Facebook, Google, HYPR, IBM, Intuit, JP Morgan Chase Bank, Microsoft, Trusona, Visa, and Wells Fargo. The UXTF was tasked with creating recommendations and best practices for how to deploy FIDO, factoring in utilization of FIDO messaging, logos and other visual cues. We partnered with consulting firm Blink UX to conduct the first formal usability research of FIDO user journeys, including registration and authentication steps and various use cases – all feeding into our Desktop Authenticator UX Guidelines.

To complement this effort, we constructed a strawman banking user journey that could be used to test various assumptions and to better examine the authentication steps actually employed by users. With IBM’s assistance, a website was created to reflect this use case and was utilized during our testing and analyses.  The site will remain live as a reference implementation of our UX Guidelines. 

We divided the typical FIDO journey into a series of four major steps:

  • Promote awareness of the availability of various biometric sign-ins, then perform the actual sign-in and determine if a user has a FIDO-eligible device that can be used in the authentication process.
  • Invite users to register via FIDO, especially if they are using Windows Hello or Apple TouchID.
  • The actual FIDO registration of the user’s desktop authenticator, along with messages showing success or failure.
  • Make FIDO the primary sign-in path, and issue appropriate confirmation messages.

The UX tests were done in three rounds. First was a qualitative series where we walked participants through a mock-up of the site and test. This allowed us to get feedback on some of our initial messaging and visual assumptions, which fed into the final site design. Next, we ran 100 subjects through independent quantitative testing (https://digitalbank-test.com/simple/), where they were assigned and had to complete a mock banking task, which included a prompt to enroll for FIDO login. Our last round of testing was a set of qualitative video interviews, which provided an invaluable human element and insights on the FIDO value proposition.

Collectively, these tests are what helped define and focus our messaging, logos and various other iconography and logic flows that were useful in developing UX guidelines and other best practices for FIDO implementations.

Our preliminary recommendations from these tests are:

  • Use a simple biometric image (such as a fingerprint icon) to trigger the initial user registration, then have FIDO logos at each touchpoint to confirm that a user is following the right sequence of steps.
  • Make sure developers optimize for each type of environment (operating system and device form factors such as laptop or phone) for each FIDO-capable device. For example, Windows and MacOS have different icons that are used to designate fingerprint usage, as shown in the below screencaps.
  • Use one of two suggested messaging styles: we tested and validated one style that is simple and one that is to “add an option.” For example, a simple message might say: “You’re eligible for a simpler sign-in! Learn how you can skip your password the next time you sign in. Register now.” And the optional message might say:  “Add an easy and safe way to access your account. Register now.”
  • Take steps to educate consumers and customer support staff on FIDO. Promote FIDO awareness across multiple touch points and marketing channels such as email and direct postal mail campaigns and social media. This should include information about FIDO-capable device availability and how to use FIDO on Windows 10 Hello and Apple smartphones.  This also will help address potential user reluctance around using biometric sign-ins. Although many users view biometric sign-in as desirable, convenient, and secure, some users initially express hesitancy to share biometric or other computer sign-in information with their bank or with FIDO – and hence need to be educated that their biometrics stay safely on their device.
  • Have a special “problem resolution” path for those customers who run into problems.

FIDO Alliance’s ultimate goal is to see as many service providers moving their customers away from password-based authentication as soon as possible – and we hope that these UX guidelines can help accelerate this movement.  As this is our first foray into usability guidance we’re also open to and appreciative of feedback from deploying organizations.  

 Read more about FIDO’s UX efforts and research here.

The post World’s Largest Tech Companies Drive FIDO Alliance’s New User Experience Guidelines appeared first on FIDO Alliance.

FIDO2 Enhancements for Enterprise & Complex Security Applications
https://fidoalliance.org/fido2-enhancements/
Wed, 23 Jun 2021 15:10:36 +0000

By David Turner, Director of Standards Development, FIDO Alliance

Today we are announcing enhancements to two of the core FIDO protocols, the Client To Authenticator Protocol (CTAP) v2.1 and WebAuthn Level 2 – which collectively comprise FIDO2. Both are significant advances in extending FIDO’s capabilities specifically for enterprise users and supporting more complex application use cases. These enhancements come at an appropriate time, given the increased demand and rate of adoption for FIDO methods as the pandemic and remote work continues throughout the world.

The FIDO2 WebAuthn protocol is a set of application programming interfaces (APIs) that describe how to enable authentications inside browser sessions. Level 2 is the latest version of the standard, which is maintained by the W3C organization and was released in April. This standard makes it easier to write web applications that use FIDO Authentication, which is now supported across the five major endpoint operating systems (Windows, MacOS, Linux, Android, ChromeOS, and iOS).  

There are six major improvements that we are announcing today:

Enterprise attestation

Today’s announcements increase support for enterprise management of devices and users. The CTAP and WebAuthn protocols have added features that make it easier for enterprises to add specific user identity data during the registration process, so corporate administrators can more easily track key distribution and usage. Because these features can reveal some private user information – information that they would have divulged anyway to their employer – this feature is not available directly to consumers’ authenticators. Instead, authenticators must be pre-programmed (before credential registration) with these enterprise attestations by the enterprises themselves. 

Cross-origin iFrame support

This feature allows web-based ecommerce transactions to be completed within pop-up windows on a browser, something that was forbidden in earlier FIDO versions as a way to protect against potential man-in-the-middle and man-in-the-browser attack scenarios. The new standards provide a very safe, secure and encrypted way to accomplish these transactions, without revealing data pulled from multiple domains such as the originating vendor, the user’s bank account, a credit card issuer, and so forth. It also helps when users are connecting in bandwidth-limited circumstances (such as via Bluetooth or poor Wifi signals) by keeping the authentication workflow moving without a lot of back-and-forth network traffic and latency delays.

Support for Apple Attestations

FIDO Alliance has been pleased to have Apple as a contributing member for the past 18 months. This feature adds support for Apple’s method of doing attestation on their devices using the WebAuthn protocols.

Better biometric management

The CTAP v2.1 additions include better biometric enrollment and management features, so that users can register multiple fingerprints and other bio-markers. Additionally, enterprises can set minimum PIN lengths. As more mobile devices include facial and fingerprint recognition, this keeps FIDO current with the latest authentication technologies.

Large blob support

An alternative to running a centralized authentication service, this feature includes a way to store things like certificates that may be necessary for other authentication scenarios, such as using encrypted SSH connections. 

Resident credential improvements 

Now called discoverable credentials, this enables passwordless workflows to re-authenticate a user. The authentication dialog automatically finds and applies an existing credential and asks for user confirmation, thus making FIDO easier to use.

Always Require User Verification

This feature allows a user to protect the credentials on their authenticator with some form of user verification independent of the Relying Party. Platform authenticators and other authenticators with the feature enabled will always perform user verification. Some certification programs such as US FIPS 140-3 prohibit the authenticator performing signing operations without authentication.
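For a relying party, the discoverable credential, enterprise attestation and user verification features above surface as registration options and as flag bits in the authenticator data it receives. The sketch below is an added example, not code from the FIDO Alliance or this post; the RP ID, function names and sample bytes are constructed, and signature and COSE key verification are out of scope.

```python
import base64
import hashlib
import hmac
import struct

# Flag bits of the authenticator data "flags" byte (WebAuthn Level 2).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows the signature counter


def b64url(data):
    """Base64url without padding, the usual JSON transport for binary fields."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def registration_options(rp_id, user_id, user_name, challenge, enterprise=False):
    """Creation options for a discoverable credential with user verification."""
    return {
        "rp": {"id": rp_id, "name": rp_id},
        "user": {"id": b64url(user_id), "name": user_name, "displayName": user_name},
        "challenge": b64url(challenge),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}],  # ES256
        "authenticatorSelection": {
            "residentKey": "required",       # discoverable credential
            "userVerification": "required",  # RP requests UV for this ceremony
        },
        # Enterprise attestation only applies to authenticators provisioned for it.
        "attestation": "enterprise" if enterprise else "none",
    }


def parse_authenticator_data(auth_data):
    """Split authenticator data into its fixed header and, if present, the
    AAGUID and credential ID. The COSE public key that follows is not parsed."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credential ID runs past the end of the data")
        parsed["aaguid"] = auth_data[37:53]
        parsed["credential_id"] = auth_data[55:55 + cred_len]
    return parsed


def check_ceremony(auth_data, expected_rp_id, require_uv=True, expect_attested=False):
    """Return a list of policy failures; an empty list means the checks passed."""
    parsed = parse_authenticator_data(auth_data)
    failures = []
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(parsed["rp_id_hash"], expected_hash):
        failures.append("rp_id_hash_mismatch")
    if not parsed["user_present"]:
        failures.append("user_not_present")
    if require_uv and not parsed["user_verified"]:
        failures.append("user_not_verified")
    if expect_attested and parsed["aaguid"] is None:
        failures.append("no_attested_credential_data")
    return failures


def sample_auth_data(rp_id, flags, sign_count, cred_id=b"constructed-cred-id"):
    """Constructed test input: header plus, when AT is set, a zero AAGUID,
    the credential ID and one placeholder byte where the COSE key would be."""
    data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += bytes(16) + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"
    return data


if __name__ == "__main__":
    rp = "login.example.test"  # constructed RP ID
    print(registration_options(rp, b"\x01\x02", "alice", bytes(16), enterprise=True))
    print(check_ceremony(sample_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_AT, 1), rp, expect_attested=True))
    print(check_ceremony(sample_auth_data(rp, FLAG_UP, 1), rp))
```

The UV check matters on the server even when the authenticator always verifies the user, because the relying party can only enforce what it sees in the signed authenticator data.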

FIDO Alliance Announces the FIDO Developer Challenge
https://fidoalliance.org/fido-alliance-announces-the-fido-developer-challenge/
Fri, 11 Jun 2021 00:58:21 +0000

First Global Program Invites Teams to Leverage Public FIDO2 WebAuthn API to Showcase Unique FIDO Authentication Ideas – Entry Deadline July 2, 2021

Mountain View, CA, June 10, 2021 – The FIDO Alliance today announced the first global FIDO Developer Challenge. Building on the success of the FIDO Hackathon in Korea over the last few years, FIDO is globally expanding the program and encouraging developer teams to create and present compelling and innovative applications leveraging FIDO standards and technologies.

“User authentication historically has been an afterthought for web developers – largely because more advanced capabilities were too difficult and couldn’t be utilized by most developers,” said Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance. “FIDO changes all of that – with the WebAuthn API providing an open mechanism that includes advanced cryptographic protection that doesn’t require a security expert. And with billions of devices now supporting this functionality, now is the time for developers to get acquainted with FIDO Authentication,” Shikiar said. “Teams will be able to use public web frameworks and/or SDKs from FIDO’s members and sponsors of the Developer Challenge. The Alliance is looking forward to seeing the creative and technical capabilities of the broader web developer community,” he said.

The FIDO Developer Challenge takes place within a virtual format and focuses on implementation of the FIDO2 WebAuthn API. The Challenge is open to students, individual developers, and pre-seed-stage companies. Projects should apply FIDO authentication protocols to address modern technical or social challenges within various fields such as Fintech, eCommerce, IoT, retail, blockchain, gaming and education. 

The winning team will be invited to the Authenticate conference (Oct. 18-20 in Seattle) with all expenses paid by FIDO Alliance. In addition to exposure at Authenticate, the top three teams of the Challenge will receive prizes from FIDO membership, public recognition, and the unique opportunity to share their business vision with panels of early-stage investors.

The deadline to register is July 2, 2021. Registration to participate can be found here: https://docs.google.com/forms/d/1J2YqpAGQAsMjF4iIlB0L27u9ii8J2HU7vOJWwOGMUZU/viewform?edit_requested=true 

Sponsors include: Auth0, Google, Hanko.io, LINE, LoginID, Octatco, Samsung, StrongKey, TrustKey and Yubico.

Additional resources for the event can be found on the Developer Challenge homepage: https://fidoalliance.org/fido-developer-challenge/

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. By harnessing the collective expertise of hundreds of leading technology, consumer services and government organizations, the FIDO Alliance is changing the nature of security and identity in order to enable simpler and stronger online experiences. The FIDO Alliance creates and publishes specifications, executes rigorous certification programs and drives market education programs in order to build confidence and trust in FIDO Certified products and services.

Announcing the FIDO Developer Challenge for Developers Across the Globe
https://fidoalliance.org/announcing-the-fido-developer-challenge-for-developers-across-the-globe/
Fri, 11 Jun 2021 00:58:17 +0000

By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Welcome to the Challenge

The FIDO Alliance is pleased to announce our first global FIDO Developer Challenge, where participating developer teams will create and demonstrate compelling and innovative applications leveraging FIDO standards and technologies. Prior challenges based in Korea over the past two years proved to be very successful and  we are now pleased to expand this program globally.

FIDO has come a long way since the Alliance’s inception in 2012, going from a whiteboard concept to a core technology supported by billions of consumer devices worldwide.  With over 85% of browsers now supporting FIDO Authentication, now is the time for web developers to ditch password-based logins in favor of FIDO’s approach, which provides a superior user experience and prevents phishing and other computer hacks. We are looking forward to seeing the selection  of implementations the developer community comes up with this year, leveraging the public FIDO2 WebAuthn API to bring FIDO Authentications to websites and services.  

Projects we are looking for 

We are looking for projects that address a technical or social challenge in today’s world. There is no limit on the development ideas, but we expect implementation of FIDO Authentication to take place in various fields such as Fintech, eCommerce, IoT, retail, blockchain, gaming and education. Samples from the previous regional challenge include projects like FIDO-based IoT storage services for low-income families, FIDO-based drone platforms, FIDO-based smart home security systems, FIDO- and DID-based smart health insurance card services and a FIDO-based passwordless WiFi router control system. We are happy to expand this year’s program globally to attract even more innovative ideas to solve technical and social challenges.

The process

The FIDO Developer Challenge takes place in a virtual format and focuses on implementation of the FIDO2 WebAuthn API. The Challenge is open to students, individual developers, and pre-seed stage venture companies only.

Our website contains all the details on how to participate in the FIDO Developer Challenge. Here are a few milestones we are looking forward to:  

  • We will be accepting applications until July 9. Upon receiving applications from all over the world, we will do the initial screenings and announce the top 20 teams within two weeks of the application submission deadline.  
  • Then, we will invite 20 teams to implement the FIDO2 WebAuthn API in their inventions, online services or products.
  • The teams that successfully implement FIDO2 will be invited to the final evaluation step, where they will give an online presentation and demo. They will also  participate in a Q&A with our judges.
  • The judges will select the top three teams, all of which will be featured in a session at our Authenticate conference (Oct 18-20 in Seattle, WA; USA), with the winner being offered the opportunity to attend with all their expenses paid by the FIDO Alliance.  

Prizes and opportunities

In addition to exposure at Authenticate, the top three teams will receive prizes from FIDO members, public recognition, and the unique opportunity to share their business vision with panels of early-stage investors. More details can be found on the Challenge website.

We encourage you to think outside the box, considering new experiences and benefits that FIDO can bring to users and developers alike. Best of luck to you all. We cannot wait to see your submissions!

For more information visit https://fidoalliance.org/fido-developer-challenge/

FIDO Alliance Announces Speakers for Second 2021 Authenticate Virtual Summit: “Focus on Europe”
https://fidoalliance.org/fido-alliance-announces-speakers-for-second-2021-authenticate-virtual-summit-focus-on-europe/
Tue, 08 Jun 2021 14:42:44 +0000

June 17 event features representatives from Amazon, Consult Hyperion, Mastercard, Nok Nok, WorldPay, Yubico, and more

MOUNTAIN VIEW, CA, June 8, 2021 — The FIDO Alliance has announced its agenda and speaker lineup for its 2021 Virtual Authenticate Summit: “Focus on Europe,” taking place June 17 from 2:00pm – 5:30pm Central European Summer Time. Authenticate Virtual Summits are a quarterly series of virtual seminars that will delve into specific topics related to the FIDO approach to modern user authentication.

More details and free registration are available on the Authenticate Virtual Summit registration page.

Featured keynotes will be presented by Steve Pannifer, COO of Consult Hyperion; Fabian Eberle, Co-Founder and COO of Keyless; and Rolf Lindemann, Vice President, Products of Nok Nok. The half-day Summit includes sessions in which representatives from Amazon, CZ.NIC, IDnow, Jumio, Mastercard, Thales, Venable LLP, WorldPay and Yubico will discuss the state of authentication in Europe in light of regulations like PSD2 SCA, eIDAS and GDPR, open banking and the COVID-19 pandemic.

In Europe, financial services organizations, merchants, telecommunications companies, enterprises and the broader ecosystem are working to balance regulatory demands and rapidly evolving user expectations – all amidst a global pandemic and digital transformation efforts. Implementing strong authentication has become a challenge for these organizations striving to protect valuable user and transaction data without introducing friction in the process.

It is more critical than ever for leaders in this sector to find balance between compliance, security and user experience. This Authenticate Virtual Summit tackles these issues with a half day agenda that includes:

  • Keynotes from Consult Hyperion, FIDO Alliance, Keyless and Nok Nok
  • Roundtable discussion on FIDO & Delegated Authentication, featuring expert perspectives from Amazon, Mastercard, Thales and WorldPay
  • Panel discussion on The State of Technology and Regulation for Remote Identity Verification in Europe, featuring expert perspectives from IDnow, Jumio and Venable LLP
  • Details on BBVA’s FIDO implementation
  • Details on eIDAS, FIDO Deployments and Recognition in the EU discussed by CZ.NIC and Yubico 
  • Considerations and best practices for optimizing the strong authentication user experience

“Building off of the success of our first Authenticate Virtual Summit this past March, we are excited to continue the Authenticate Virtual Summit Series with a focus on Europe. In light of recent regulations and the COVID-19 pandemic, the discussion of authentication in Europe is a natural area of focus for our upcoming Summit,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We are honored to have such an esteemed roster of thought leaders committed to imparting their collective insight, especially as we work together to balance regulatory demands and rapidly evolving user expectations.”

Keyless and Nok Nok are signature sponsors for this Authenticate Virtual Summit. For more information about additional summits: https://authenticatecon.com.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Announcing the New Streamlined and Simplified Metadata Service for Authenticator Vendors and Customers
https://fidoalliance.org/announcing-the-new-streamlined-and-simplified-metadata-service-for-authenticator-vendors-and-customers/
Mon, 24 May 2021 16:54:24 +0000

By Rae Rivera, Ph.D., Director of Certification, FIDO Alliance

The FIDO Alliance today  introduced a significant update to its Metadata Service (MDS). The service provides information about the certification status of authenticators, authenticator capabilities, and any known security issues. The FIDO MDS provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators. 

MDS is a web-based repository where vendors can publish metadata about their certified FIDO authenticators. Relying parties use this information  to validate authenticator attestation and prove the authenticity of the device model. 

With over 100 authenticator products on the market today, and demand for strong authentication on the rise, the need for an easy-to-use repository to load and view FIDO Certified authenticators has grown in importance. 

Just last week, the Biden administration mandated multi-factor authentication for all government agencies to thwart phishing attempts and protect against account takeover.  Governments and other regulated industries such as banking and healthcare especially need to know that authenticators being used to access their systems are genuine and meet certain requirements, including FIDO Certification status, compliance and other organizational requirements. The new features in the FIDO MDS allow organizations to more quickly and easily verify the attributes of the FIDO Authenticators being used to log in to their web services and applications. 

Today’s news is significant in several areas:

  1. The new MDS has a more efficient and effective user interface that greatly simplifies the uploading and publishing of metadata. 
  2. There is a simplified API for relying parties to download metadata.
  3. Metadata updates are now available daily instead of monthly, which ensures relying parties have access to the most up-to-date information.
  4. The new MDS data format is now a single JSON structure, making it more compatible with standard web development tools. The new MDS format uses human-readable strings instead of numerical values, making it easier to read and understand.
  5. The MDS data is now linked to the FIDO Certification program, which will ensure that the metadata of FIDO Certified products is reliable and valid.
  6. The service now uses cloud caching to provide high availability and download performance. 
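How a relying party might turn the metadata into an accept or reject decision for a registering authenticator is sketched below. This is an added example, not FIDO Alliance code: the payload is constructed, the field and status names follow the published MDS3 BLOB format rather than anything stated in this post, the policy is an assumption, and the BLOB's signature is assumed to have been verified before the payload is used.

```python
from datetime import date

# Status strings that report a known security issue (names as used in the
# MDS3 status list; the choice to treat all of them as blocking is a policy
# assumption made for this example).
BLOCKING = {
    "REVOKED",
    "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
}

# Constructed sample payload: three made-up authenticators, no real AAGUIDs.
SAMPLE_BLOB = {
    "no": 42,
    "nextUpdate": "2021-06-01",
    "entries": [
        {
            "aaguid": "00000000-0000-0000-0000-000000000001",
            "metadataStatement": {
                "description": "Example Key A (constructed)",
                "keyProtection": ["hardware", "secure_element"],
            },
            "statusReports": [
                {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2020-03-01"},
            ],
        },
        {
            "aaguid": "00000000-0000-0000-0000-000000000002",
            "metadataStatement": {
                "description": "Example Key B (constructed)",
                "keyProtection": ["hardware"],
            },
            "statusReports": [
                {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2019-07-15"},
                {"status": "ATTESTATION_KEY_COMPROMISE", "effectiveDate": "2021-02-10"},
            ],
        },
        {
            "aaguid": "00000000-0000-0000-0000-000000000003",
            "metadataStatement": {
                "description": "Example Soft Token C (constructed)",
                "keyProtection": ["software"],
            },
            "statusReports": [
                {"status": "NOT_FIDO_CERTIFIED", "effectiveDate": "2020-11-01"},
            ],
        },
    ],
}


def evaluate_authenticator(blob, aaguid, today, require_hardware=True):
    """Return (decision, reason) for the authenticator model `aaguid`.

    decision is "accept", "reject" or "refresh" (the cached BLOB is past its
    nextUpdate date and should be downloaded again before deciding).
    """
    if date.fromisoformat(blob["nextUpdate"]) < today:
        return ("refresh", "cached metadata is past nextUpdate")

    entries = {e["aaguid"].lower(): e for e in blob["entries"] if "aaguid" in e}
    entry = entries.get(aaguid.lower())
    if entry is None:
        return ("reject", "aaguid not in metadata")

    # Only reports already in effect count; sort so the newest comes last.
    reports = sorted(
        (r for r in entry.get("statusReports", [])
         if date.fromisoformat(r["effectiveDate"]) <= today),
        key=lambda r: r["effectiveDate"],
    )
    for report in reports:
        if report["status"] in BLOCKING:
            return ("reject", report["status"])

    certified = [r["status"] for r in reports if r["status"].startswith("FIDO_CERTIFIED")]
    if not certified:
        return ("reject", "no FIDO certification on record")

    protection = entry.get("metadataStatement", {}).get("keyProtection", [])
    if require_hardware and "hardware" not in protection:
        return ("reject", "keys are not hardware protected")

    return ("accept", certified[-1])


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        model = "00000000-0000-0000-0000-00000000000%d" % n
        print(model, evaluate_authenticator(SAMPLE_BLOB, model, date(2021, 5, 25)))
```

With daily updates, the `refresh` branch is what keeps a newly published compromise report from being missed because of a stale cache.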

For more information visit https://fidoalliance.org/metadata/

FIDO Alliance Supports Biden Administration EO on Cybersecurity
https://fidoalliance.org/fido-alliance-supports-biden-administration-eo-on-cybersecurity/
Wed, 12 May 2021 22:52:36 +0000

Federal agencies should choose FIDO as they seek to comply with the new Executive Order that requires the implementation of multi-factor authentication within the next 180 days.

By: Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance

In the face of recent attacks that have exposed areas of weakness in critical U.S. infrastructure assets, President Biden signed a new Executive Order Wednesday to help bolster the nation’s cybersecurity.

There have been a number of high profile attacks against critical American infrastructure in recent months, including the SolarWinds supply chain attack that exposed much of the government to potential risk. Top of mind in recent days is the ransomware attack against Colonial Pipeline, which significantly impacted the flow of refined oil across America. These attacks expose the vulnerability of critical infrastructure in the United States, and the Biden Administration is issuing federal directives that will minimize or eliminate risk.

A key part of the Executive Order is a requirement that agencies adopt multi-factor authentication (MFA) and encryption for data at rest and in transit to the maximum extent possible. Federal Civilian Branch Agencies will have 180 days to comply with the Executive Order and will need to report on progress every 60 days until adoption is complete. If for some reason agencies cannot fully adopt MFA and encryption within 180 days, they must report to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA with a rationale for not meeting the deadline.

At the FIDO Alliance, we welcome today’s directive from the Biden Administration and applaud its focus on the importance of multi-factor authentication. What’s notable about this Executive Order is that the White House is prioritizing MFA everywhere, rather than limiting MFA to the PIV/PKI platform that agencies have depended on for more than 15 years. Today’s Executive Order marks an important step forward, in that it makes clear the priority is protecting every account with MFA — without mandating any specific technology. This is a notable shift, because we know that the weakest forms of MFA can still stop some attacks where passwords are the attack vector. We also know that FIDO Authentication is the only standards-based alternative to PIV for those applications that need protection against phishing attacks. This Executive Order opens the door for agencies to deploy FIDO Authentication — something we’ve heard they’ve wanted to do but have held back as use of any non-PIV authentication has not been permitted.  

This isn’t the first time the U.S. Government has advocated for the use of MFA and strong encryption. In an advisory issued by CISA in September 2020 on election security, the government agency noted that the majority of cyber-espionage incidents are enabled by phishing, and FIDO security keys are the only form of MFA that offer protection from phishing attacks 100% of the time.

In fact, the U.S. Government hasn’t just been advocating for the use of strong authentication with FIDO, it has actually already been implementing it since at least 2018 on the login.gov portal. With login.gov the U.S. Government is already offering a secure approach to help citizens and agencies to securely access Federal resources. In June 2019, the FIDO Alliance hosted a webinar detailing the deployment case study for login.gov, which is now even more timely with the need for agencies to adopt strong authentication in the next 180 days.

Since its inception, the FIDO Alliance has been bringing industry partners together, including every major operating system vendor as well as technology and consumer service providers across all industry verticals including financial services, ecommerce and government. All those diverse groups have been working together in common purpose to standardize strong authentication. Billions of devices around the world today can support FIDO Authentication and are ready to play their part in ensuring a strong authentication future. The fact that most major cloud providers, device manufacturers and browser vendors all ship with support for FIDO means that agencies can easily leverage MFA that is built in, rather than other products that need to be “bolted on.”  

If there is one thing that the recent spate of attacks has served to once again remind us, it’s that the private sector and public sector need strong security measures to protect critical infrastructure — and the FIDO Alliance believes this begins with authentication.

We urge government agencies to adopt only the strongest forms of MFA when complying with this directive. The FIDO Alliance and its members stand ready to serve and help agencies with the education, resources and tools to implement strong authentication to help reduce risk and improve the cybersecurity posture of the U.S. Government.

FIDO Alliance Creates New Onboarding Standard To Secure Internet of Things (IoT)
https://fidoalliance.org/fido-alliance-creates-new-onboarding-standard-to-secure-internet-of-things-iot/
Tue, 20 Apr 2021 12:00:04 +0000

Secure ‘Plug-and-Play’ Functionality Unlocks Potential of IoT for Industrial Use

Mountain View, Calif., April 20, 2021 – The FIDO Alliance today announced the launch of the FIDO Device Onboard (FDO) protocol, a new, open IoT standard that enables devices to simply and securely onboard to cloud and on-premise management platforms. Through this standard, the FIDO Alliance addresses challenges of security, cost and complexity tied to IoT device deployment at scale. FIDO Device Onboard furthers the fundamental vision of the Alliance, which has brought together 250+ of the most influential and innovative companies and government agencies from around the world to address cyber security in order to eliminate data breaches, and enable secure online experiences.

IDC expects the IoT market to maintain a double-digit annual growth rate and surpass the $1 trillion mark in 2022. Despite this projected growth, a recent survey of both providers and enterprise users has found a majority of businesses have serious concerns about breaches to their infrastructures. Of the 170 IoT leaders surveyed, the survey found that 85% say security concerns remain a major barrier to IoT adoption. Almost two-thirds (64%) of respondents stated that end-to-end IoT security is their top short-term priority, surpassing edge compute (55%), artificial intelligence (AI)/machine learning (50%) and 5G deployments (28%).

The FIDO Alliance’s FDO specification for IoT was collaboratively developed to solve the issue of IoT security in onboarding – just as it has done with its FIDO authentication standards to help address the global data breach problem. The FDO specification has reached Proposed Standard status and is open and free to implement. Initially, the specification is targeted at industrial and commercial applications. Developers can view and download the specification at https://fidoalliance.org/specifications/download-iot-specifications/

“The FIDO Device Onboard standard released today builds on the Alliance’s ongoing efforts to help close the security gaps that currently exist on the web, by expanding this work into IoT applications,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Businesses recognize the huge potential of the IoT and the enormous benefits it can bring to manufacturing, retail, healthcare, transportation, logistics and more. The paradigm needs to shift immediately so we can move IoT technologies ahead with safer, stronger and more secure means of authentication for these important uses in industrial and commercial environments.”  

A Standard for Fast, Secure IoT Device Onboarding

FDO is an automated onboarding protocol for IoT devices, leveraging asymmetric public key cryptography to provide the industrial IoT industry with a fast and secure way to onboard any device to any device management system. 

The business benefits from the FIDO Device Onboard standard include:

  • Simplicity – Businesses no longer have to pay more for the lengthy and highly technical installation process than they do for the devices themselves. The highly automated FDO process can be carried out by people of any level of experience quickly and efficiently.
  • Flexibility – Businesses can decide which cloud platforms they want to onboard devices to at the point of installation (as opposed to manufacture). A single device SKU can be onboarded to any platform, thereby greatly simplifying the device supply chain. 
  • Security – FDO leverages an “untrusted installer” approach, which means the installer no longer needs – nor do they have access to – any sensitive infrastructure/access control information to add a device to a network. 

“This is a major milestone that aims to solve one of today’s critical challenges with deploying IoT systems. The new FDO standard will help reduce cost, save time and improve security, all helping the IoT industry to expand rapidly,” said Christine Boles, Vice President, Internet of Things Group and General Manager, Industrial Solutions Division at Intel. “Implementation of the FDO standard will enable businesses to truly take advantage of the full IoT opportunity by replacing the current manual onboarding process with an automated, highly secure industry solution.” 

This is the latest FIDO Alliance initiative in its mission to reduce the world’s reliance on passwords with simpler, stronger authentication that prevents scalable attacks and account takeovers. FIDO Device Onboard was developed through the work of the Alliance’s IoT Technical Working Group, led by co-chairs Richard Kerslake (Intel) and Giridhar Mandyam (Qualcomm) and vice chair Geof Cooper (Intel). Additional companies with specification editors include Arm, Amazon Web Services (AWS), Google and Microsoft.

The FIDO Alliance and IoT TWG will be hosting a webinar on May 7th to review the FIDO Device Onboard standard, use cases and upcoming certification processes. For more information and to register: https://fidoalliance.org/event/securing-iot-with-fido-authentication/2021-05-07

For an introduction to FIDO Device Onboard, read the paper at  https://fidoalliance.org/intro-to-fido-device-onboard.  

Comments about FDO from IoT Industry Stakeholders

“As the IoT rapidly expands, the security of devices cannot be optional and a strong foundational root of trust is essential. Arm is dedicated to driving standards in security through initiatives such as PSA Certified, and welcomes further ecosystem collaboration for the advancement of secure, robust solutions that enable innovation. The FDO specification will enable device makers to deploy, onboard and manage secure IoT devices faster at a lower cost, helping scale IoT across both industrial and consumer use cases.” — Mohamed Awad, vice president, IoT Business at Arm

“FDO is a revolutionary standard, leveraged by BT’s Zero Touch Onboarding (ZTO), which can address a critical need for the IoT, Edge Compute and 5G industries and help them to scale up securely and fully automated, from the manufacturer to the consumer, from the device to edge, and from edge to the cloud.” — Dr Mohammad Zoualfaghari, Research Manager and IoT Architect at BT

“We are delighted to be part of the IoT TWG and will be supporting the FIDO device onboarding (FDO) specification. Originally, we worked closely with Intel SDO and adopted this approach to our IoT security platform, KeyScaler. Now that FIDO has developed a new enhanced standard, we will also be supporting FDO in our KeyScaler platform. Current and future customers will be able to leverage FDO in their IoT projects.” — Darron Antill, CEO of Device Authority

“The work the FIDO Alliance is doing to address phishing by closing security gaps on the web would not be possible without industry collaboration and standardization. It’s a natural fit for the FIDO Alliance to use these same tools to address the threats against IoT infrastructure. As a board member of the FIDO Alliance since its earliest days, Google is proud to have contributed to this new standardization effort to better secure IoT.” — Dave Kleidermacher, VP, Android Security & Privacy, Google

“The Open Horizon project wanted a simple solution to zero-touch provisioning that would have wide support from hardware manufacturers, maximum flexibility, and a staged approach. The FDO specification from the FIDO Alliance certainly meets those requirements. After implementing and shipping support in Open Horizon, we’re pleased with the results and with the feedback we’ve received from those using it in the field. We’re looking forward to implementing FDO in our Smart Agriculture SIG’s use cases, and in the Open Retail Reference Architecture.” — Joe Pearson, Technology Strategist, IBM Cloud and Technical Steering Committee Chair, Open Horizon project

“We are delighted that the FDO protocol is built with security in mind as it enables FDO based systems to store the private key secrets and device credentials in a Trusted Platform Module. TPM is a widely accepted and used technology that creates trust in manufacturing and supply chain. It is a major contribution towards the acceleration of IoT device deployment.” — Jürgen Rebel, Senior Vice President and General Manager Embedded Security at Infineon Technologies

“Today’s announcement is a significant leap forward in enabling secure device deployments at scale. By creating the standard and open source reference implementation in parallel, the FIDO Alliance has delivered an IoT standard which is proven to be secure, significantly lowers the cost of onboarding and speeds time to market.” — Francois Ozog, Director of Linaro’s Edge and Fog Computing Group 

“LoginID continues to support the FIDO standard and its emergence as the de facto global method for authentication. As part of our API strategy of providing the easiest way to integrate FIDO, LoginID will be deploying FDO as a part of our platform in 2021.  We look forward to collaborating further with other enterprises on this initiative.” — Simon Law, CEO, LoginID

“We are thrilled to see the FIDO Alliance address such a critical piece of the IoT device lifecycle. Device onboarding through a standardized protocol like FDO simplifies device set-up by abstracting the underlying complexities of the hardware, which will accelerate the adoption of IoT in industry.” — Sam George, VP of IoT, Microsoft Azure 

“The demand for automatic onboarding, traceability and updating of assets is growing, and manufacturers are challenged to rapidly identify and replace defective devices before they disrupt operations. Integrating FDO into our IAS4.0 platform will prove invaluable in informing our roadmap for the future of industrial automation and Molex’s broad portfolio of industry-leading connectivity solutions.” — Riky Comini, Senior Director of Industrial Automation, Molex

“The FIDO Alliance has set the standards for secure user to device authentication which has gained broad acceptance and adoption worldwide. With their release of these new standards for IoT we now have equally robust standards to support the challenges associated with secure device onboarding.” — Phil Dunkelberger, CEO, Nok Nok 

“FIDO is simply the most effective way to eliminate both ID theft and unessential password reuse. The Rakuten security team is fully committed to transitioning from traditional authentication methods to a world where passwords aren’t required. This mission is critical if we wish to achieve a truly secure internet for society. This is another important milestone on the way to Internet World Peace.” — Yoshinari Fukumoto, General Manager of Cyber Security Defense Department, Rakuten Group, Inc.

“By promoting the FIDO Device Onboard (FDO) Specification to Proposed Standard, FIDO Alliance is demonstrating its active commitment in deploying its authentication standards to new fields. The FDO specification will pave the way for secure interactions between devices and IoT platforms. As a board member of the FIDO Alliance, RaonSecure is delighted to support the FIDO Alliance in this important progress, enhancing security in IoT environments.” — Soonhyung Lee, CEO, RaonSecure

“SecurID, an RSA business, congratulates FIDO and the identity community for completing the FDO spec, a critical milestone towards securing the IoT supply chain and ecosystem.  As a FIDO Board Member and contributor to the FDO technical working group, we are actively exploring ways to incorporate FDO into our market-leading identity and access management and IoT security offerings.” — Salah Machani, Director, Engineering Technologist, RSA

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Contact:
Morgan Mason
FIDOteam@aircoverpr.com 

New FIDO Alliance Research Finds 45% of Consumers Have Fallen Victim To Social Media Hacks Or Know Someone Who Has https://fidoalliance.org/news-social-media-survey/ Thu, 08 Apr 2021 12:00:00 +0000 https://fidoalliance.org/?p=33599 Research also shows consumer inaction and confusion over social media security MOUNTAIN VIEW, CA, April 8, 2021 —  The FIDO Alliance announced new research today revealing that 45% of consumers […]

Research also shows consumer inaction and confusion over social media security

MOUNTAIN VIEW, CA, April 8, 2021 —  The FIDO Alliance announced new research today revealing that 45% of consumers have had their social media accounts compromised or know a friend or family member who has. The same research found that almost 60% of respondents were the most concerned about protecting their phones (over another device) when it comes to the security of their social media accounts. Over 4000 people in North America, the UK, France and Germany were polled in March 2021 for the research. 

The findings reveal the larger scale of the social media security problem, following several attacks on the social media accounts of high-profile individuals in recent months, including Elon Musk, Bill Gates, Jack Dorsey, and senior NHS leaders. The research shows that these attacks are not limited to the highest profile individuals.

Despite this, the FIDO Alliance research shows that social media hacks are not necessarily prompting consumers to take security action. This research shows that 40% of consumers do not increase security on their social media accounts when they see celebrities, politicians or large companies hacked, but feel like they should.  

“You may think that well-known individuals with mass followings are the only target, but our research shows that a much larger number of people have been affected,” said Andrew Shikiar, executive director of the FIDO Alliance. “Social media accounts are prime targets, as they hold so much of a user’s personally identifiable information (PII). Yet, our research shows a disconnect between the need for stronger security for social media accounts and consumer awareness of how to take action.” 

The FIDO Alliance research identified a substantial lack of awareness, and neglect, of the two-factor authentication technologies offered by social media service providers. 26% of people said they were either not familiar with two-factor options or not using them. Similarly, some respondents (15%) said they would like to increase the security of their accounts but don’t know how. Another finding that highlights this lack of understanding or awareness was that 4 out of 10 people could not make a judgement on whether they believed they were vulnerable to a social media hack.

For those who have taken action to better secure their social accounts, creating a stronger password was the most popular method for 50% of the respondents, an action that still leaves them vulnerable to some of the most common and effective attacks, such as phishing.

Shikiar says, “The research is showing us that there is a general lack of awareness among consumers about how to assess their own risk of falling victim to social media hacks. They are also unsure as to what steps should be taken to best protect their accounts. Social media platforms like Twitter and Facebook have made much stronger security options available. Consumers just need to know what they are, how easy they are to use and how to turn them on.”

For consumers that want to increase the security of their accounts, social media platforms provide a number of options with varying levels of protection:

  • All social media services offer basic two-factor authentication options via a one-time passcode. Once this is turned on, an SMS code is sent to the user’s mobile device and entered during sign-in. Because SMS codes can still be phished, accounts remain vulnerable to targeted attacks.
  • For maximum security, social media providers are increasingly adding support for physical FIDO security keys. These are small, portable high-security devices that connect to a phone or computer via USB, Bluetooth or NFC. Simply touching this device during sign-in protects accounts from a targeted attack 100% of the time. Most social media services, including Twitter and Facebook, now offer the option to enable FIDO security keys for mobile and desktop access.

Since its inception, the FIDO Alliance has established technical specifications that are now the trusted standard for user authentication on the devices and web browsers used every day. FIDO Authentication removes the reliance on passwords and stands to turn the tide in the industry’s battle against data breaches and credential theft. In 2020, the Alliance debuted loginwithFIDO.com, a site to inform consumers about FIDO Authentication technologies available to help them secure their authentication processes.

For a full copy of the FIDO Alliance Consumer Research Report: https://fidoalliance.org/social-media-survey

Methodology

The survey was conducted among 4,026 Consumers across the UK, US, France, and Germany.

The interviews were conducted online by Sapio Research in March 2021 using an email invitation and an online survey.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

FIDO Alliance Announces Authenticate 2021 Conference Coming in October https://fidoalliance.org/fido-alliance-announces-authenticate-2021-conference-coming-in-october/ Mon, 05 Apr 2021 16:08:10 +0000 https://fidoalliance.org/?p=33529 Call for speakers now opened SEATTLE, April 6, 2021 — Authenticate, the only industry conference dedicated to the who, what, why and how of user authentication with a focus on […]

Call for speakers now opened

SEATTLE, April 6, 2021 — Authenticate, the only industry conference dedicated to the who, what, why and how of user authentication with a focus on the FIDO standards-based approach, is coming in October 2021. This is the second year the FIDO Alliance is hosting this public conference to provide CISOs, security strategists, enterprise architects, product and business leaders with all the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2021 will be held October 18-20, 2021 at the Motif Seattle in Seattle, Washington. For more information and to sign up for event updates, visit authenticatecon.com.

Last year’s Authenticate conference featured 50+ sessions, including detailed case studies, technical tutorials and expert panels — all helping educate attendees on business drivers, technical considerations and overall best practices for deploying modern authentication systems. The 2021 event will again focus on providing excellent content, a dynamic expo hall, and other networking opportunities while adhering to all CDC and local health/distancing requirements. 

Authenticate Call for Speakers Now Open

Speaking at Authenticate 2021 is an opportunity to increase visibility, educate about in-market solutions, and allow for networking between those involved in modern authentication. 

The Authenticate conference program committee is looking for vendor-neutral, educational presentations that focus on modern authentication implementations and best practices. The committee seeks global perspectives and presentations on the following topic areas, though other topics will be considered:

  • Authentication trends & insights
  • Case studies
  • Modern authentication implementation strategy
  • Vertical trends & initiatives
  • Industry standards
  • Regulatory impact on authentication
  • Technical & developer tutorials

The call for speakers is now open through May 31, 2021. Professionals who have ideas that are unique, expertise-driven and reflect diversity are encouraged to submit by visiting www.authenticatecon.com. It is strongly suggested to submit early, as the program committee will be reviewing and accepting proposals as they are submitted.

Get involved at Authenticate

In addition to the Authenticate stage, the FIDO Alliance has a number of sponsorship and exhibitor opportunities for the 2021 event becoming available on April 15, 2021. Companies looking to showcase their brand and products front and center at Authenticate can contact authenticate@fidoalliance.org.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

About Authenticate

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2021, Authenticate will be held October 18-20 at the Motif Seattle in Seattle, Washington. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org  

PR Contact
Morgan Mason
Aircover PR
408-612-9889
press@fidoalliance.org

Authenticator Certification Hits a New Milestone with First L3+ https://fidoalliance.org/authenticator-certification-hits-a-new-milestone-with-first-l3/ Mon, 05 Apr 2021 16:02:52 +0000 https://fidoalliance.org/?p=33528 By: FIDO Alliance staff A major milestone has been realized, with the German Federal Office for Information Security (BSI-Bundesamt für Sicherheit in der Informationstechnik) becoming the first organization to the […]

By: FIDO Alliance staff

A major milestone has been realized, with the German Federal Office for Information Security (BSI-Bundesamt für Sicherheit in der Informationstechnik) becoming the first organization to achieve the Certified Authenticator Level 3+ level, which is the highest level of validation currently offered by the FIDO Alliance.

The path toward the Level 3+ designation has been several years in the making.

Dr. Rae Rivera, Certification Director for the FIDO Alliance, explained that the Certified Authenticator program was originally launched in August 2018 in a bid to define greater levels of assurance for FIDO authenticators. She noted that the FIDO Specifications include an inherent amount of security and privacy. The goal with the Certified Authenticator program is to provide additional security assurances for the authenticators themselves.

With the first Certified Authenticator Level 3+ designation now granted, Rivera expects other organizations will follow, helping to improve strong authentication for users and organizations around the world.

“We’re continuing to see more pickup and uptake in the Certified Authenticator program,” Rivera said. “At each higher level, there’s less risk of a vulnerability.”

Understanding the Different Certified Authenticator Levels

There are three core levels (L1, L2 and L3) in the Certified Authenticator program, with each level building on the requirements of the preceding level. Incremental additional assurance can be obtained to allow a vendor to achieve a “+” within each level (L1+, L2+, L3+).

The program evaluates authenticators to answer the question ‘how well does the authenticator protect the private key?’ The most basic entry level is L1, which Rivera said a vendor can achieve by supporting and implementing the FIDO specifications. An authenticator certified at L1 provides protection against phishing and credential abuse.

Moving up to L2, Rivera noted that restricted operating environments are required to protect against malware attacks. When you get to L3 and L3+, Rivera said that it’s all about looking at hardware authenticators, and how they provide protection against brute force attacks. 

“One of the core attributes of our higher level programs, specifically level three and three plus, is that they require the product to have what we call a companion program certification,” Rivera said. 

She noted that the companion program certification that has been defined for those higher levels is Common Criteria, which provides sets of evaluations and designations to help define the security posture for a given device or service.

“The higher level that you go, the less vulnerable the authenticator is to any kind of attack,” Rivera said.

Why the Level 3+ Certification is Significant

With BSI now certified at L3+, the door is open to others to follow the same path toward the highest level of security assurance.

“Personally I feel like this is a huge leap forward for the program,” Rivera said.

Rivera noted that to date there have been many products that have been certified at the lower levels of the Certified Authenticator program. Now that the first L3+ has been achieved she anticipates that there will be more interest from organizations to go through the program to gain that additional higher level of assurance.

“This certification clearly demonstrates the value of our certified authenticator program – particularly at the higher levels,” she said. “Government and regulated industries such as finance, healthcare, energy and education often have more sensitive use cases that require specific types of authentication into their networks. Vendors and relying parties in these markets see this as a benefit because it meets the need for hardware protection and is also Common Criteria certified.” 

How Others Can Benefit from the First Level 3+ Certification

Now that BSI has hit the Level 3+ certification, there is quite literally a path for others to follow.

Rivera explained that with the L3+ certification there is a protection profile associated with it. The protection profile contains all the components that are used to achieve the L3+. As such, another vendor could utilize the protection profile to develop their product to get certified at the higher level.

“The protection profile serves as good guidance for those that are seeking the higher levels as to what they need to do and what modifications they need to make to their implementation,” Rivera said. “BSI getting certified at Level 3+ has made it a little easier for others to start achieving this level.”

FIDO Recognition for European Digital Identity Systems and eIDAS Grows https://fidoalliance.org/fido-recognition-for-european-digital-identity-systems-and-eidas-grows/ Mon, 29 Mar 2021 13:57:03 +0000 https://fidoalliance.org/?p=33322 Contributed by Sebastian Elfors, Senior Solutions Architect, Yubico Recognition of the value of FIDO in European digital identity systems and eIDAS continues to grow.  This month has featured two new […]


Contributed by Sebastian Elfors, Senior Solutions Architect, Yubico

Recognition of the value of FIDO in European digital identity systems and eIDAS continues to grow.  This month has featured two new updates in Europe on the FIDO front: the release of a landmark ENISA report that discusses the role FIDO2 plays in eIDAS, and the accreditation by the Czech government of a new eID solution using FIDO2.

In March 2021, the EU Cybersecurity Agency (ENISA) issued the report Remote ID Proofing, which describes the current regulatory landscape and supporting standards for the European countries’ remote identity proofing laws, regulations and practices. ENISA’s report is based on the ETSI TR 119 460 and ETSI TS 119 461 documents, which describe the policies and practices for remote identity proofing among trust service providers in the EU. From a legal perspective, the report takes into account in particular the eIDAS regulation, the AMLD5 directive to prevent money laundering, and EU directives on issuing ID-cards and exchanging identity information.

Several methods for remote identification are proposed in the ENISA report: video recorded sessions, identification based on eID schemes or electronic signatures, bank identification, scanning of existing ID-cards, or a combination of several methods. In particular, the option to identify a user with an eID scheme is of interest from a FIDO perspective. The following statement appears in section “2.2.4 Electronic identification means” of the ENISA report:

“A protocol used by several electronic identity means providers is OpenID connect. It is an authentication layer on top of OAuth 2.0 and is specified by the OpenID foundation. This protocol allows to verify the identity of the applicant based on the authentication performed by an Authorization Server, and by obtaining basic information about the applicant. Another technology that can be used in eID solutions is FIDO2. The FIDO Alliance explains in a whitepaper how FIDO2 can be used for eID means corresponding to eIDAS article 8.”

In the very same month, the Czech ministry of interior issued eIDAS accreditation for the Czech domain registry CZ.NIC, meaning that their identity provider mojeID can deploy FIDO2 as an eID scheme at eIDAS level of assurance High under the following conditions:

  • The FIDO2 authenticator is FIDO certified at Level 2 (or higher)
  • The FIDO2 authenticator is based on a secure element that is certified at FIPS 140-2 Level 3 or Common Criteria EAL4 + AVA_VAN.5
  • The FIDO2 authenticator has a PIN set and the PIN is required for all transactions at level of assurance High
  • Username and password are used in conjunction with FIDO2

Both ENISA’s report on remote identity proofing and the official approval of CZ.NIC’s FIDO-based eID scheme are great examples of how FIDO has been recognized as a viable authentication protocol for eIDAS compliant eID schemes in the EU.

FIDO Authenticate Summit Wrap Up: Modern Authentication for Financial Services https://fidoalliance.org/fido-authenticate-summit-wrap-up-modern-authentication-for-financial-services/ Mon, 29 Mar 2021 13:27:11 +0000 https://fidoalliance.org/?p=33321 By: FIDO Alliance Staff What’s the role of FIDO authentication in financial services and what can be done to help consumers and issuers be more secure? Those topics were at […]

By: FIDO Alliance Staff

What’s the role of FIDO authentication in financial services and what can be done to help consumers and issuers be more secure? Those topics were at the foundation of the Authenticate Virtual Summit: Modern Authentication for Financial Services, hosted by the FIDO Alliance on March 25.

The financial services focused event included speakers from eBay, Financial Data Exchange, Gemini, Google, Javelin Strategy and Research, Mastercard, JP Morgan Chase, StrongKey, Trusona and Visa, with topics spanning from the future of authentication to best practices on how to optimize the authentication experience for users.

In his opening keynote, Andrew Shikiar, executive director and CMO of the FIDO Alliance, noted that over the course of the pandemic there has been an increase in cyberattacks against financial services institutions, which has only heightened the need for stronger authentication methods.

“At the end of the day, the vast majority of statistics and the vast majority of these problems come down to fundamental truth, which is that we’re trying to run a hyper connected economy, a networked society, on an authentication model that simply is not fit for purpose and that of course is our dependence on passwords,” Shikiar said.

Shikiar detailed how the FIDO Alliance is working to help move the world away from passwords and help users benefit from stronger forms of authentication. In particular, FIDO is playing a key role in the financial services market across a number of categories. FIDO specifications are being used today by financial services firms to help protect online accounts against account takeovers and phishing attacks. A key goal is to also make it easier for organizations to use strong authentication. Shikiar emphasized that the FIDO Alliance’s tagline is: simpler, stronger authentication.

“If there’s one thing the industry has seen is that the more complex the approach is for MFA [Multi-Factor Authentication], the less likely someone is to stick with it,” Shikiar said. “So for people to keep using strong authentication, it needs to be easy and single gesture, which is the core of FIDO’s approach.”

Improving Authentication with FIDO at Visa

Visa is one of the world’s largest credit card brands and financial services firms, and it sees FIDO as a strong tool for helping to improve security and reduce fraud.

In a keynote presentation, David Henstock, Head of Identity and Authentication Products at Visa, observed that FIDO specifications have a significant role to play in helping to drive better outcomes within the payments industry. Henstock noted that what has increasingly occurred in recent years is that fraudsters are targeting the authentication layer.

“The question that always comes up is what can Visa do to help fight account takeover fraud?” Henstock stated. “The culprit more often than not is knowledge based authentication, or simply put – passwords.”

Henstock noted that FIDO is an easy way to upgrade from usernames and passwords to a more secure standard, upgrading the authentication experience that sellers have. He added that overall FIDO helps to provide a better, easier-to-use customer experience for authentication.

FIDO is also important to help with regulatory compliance. In Europe, the PSD2 [Payment Services Directive version 2] is a key driver for strong authentication adoption as it mandates the use of Strong Customer Authentication (SCA).

“If you’re doing digital commerce in Europe, you must abide by the SCA regulations,” Henstock said.

In a bid to help organizations with FIDO deployment, Arshad Noor, CTO at StrongKey, used his Authenticate session to detail new capabilities in the StrongKey FIDO server that can help organizations meet the challenges of global requirements.

“We see a lot of confusion in the WebAuthn and FIDO ecosystem where people are confused between security capability, and the user experience that consumers go through when interacting with FIDO,” Noor said. “We believe that FIDO should first be viewed as a security technology, and second as a convenience technology.”

Consumer Confidence in Passwords is Declining

The need to move away from passwords isn’t just about regulation, it’s also about consumer confidence in the security of password based authentication.

In a session, Javelin Strategy & Research analysts Rachel Huber and John Buzzard outlined the state of the market in terms of fraud and online security.

“We have discovered trend wise that consumer confidence with passwords is down substantially and I want to say – finally,” Buzzard stated.

Buzzard noted that consumers have begun to realize that stronger authentication methods including biometrics are effective ways to validate identity. He added that consumers are now indicating that they are ready to move away from passwords.

“Whether the password disappears, maybe it becomes sort of like the Mayor McCheese of the city in the sense that it’s there but it doesn’t mean anything if that’s what it requires,” Buzzard said. “That’s still okay because we’re ready to move forward with stronger forms of authentication.”

Payments and the Future of Authentication 

FIDO standards are at the core of security efforts at eBay, which helps the online marketplace meet the needs of its diverse user base. In a panel on Payments and the Future of Authentication, Ashish Jain, Product Management Executive, Identity, Mobility & Analytics, eBay, explained that a key challenge for his platform is having the right experience that can fit the needs and requirements of a broad customer base.

“When we started investigating FIDO and saw that it was supported by Google, Microsoft, and Apple, it gave us the confidence that it can meet the needs for a variety of our customers and hence, we continue to investigate and invest in the protocol,” Jain said.

For Christiaan Brand, Product Manager for Identity & Security at Google, FIDO adoption started out as a way to help curb phishing risks and has evolved to become a way to help improve multiple aspects of security for both Google and its users.

“FIDO is one of those few security inventions, which aims to both address security and improve on that axis, while at the same time also improving on the usability front,” Brand said. “The FIDO components that have been built into the platforms nowadays do give our users better and more secure experiences.”

For Ranjita Iyer, SVP, Identity Solutions at Mastercard, FIDO specifications are being combined with other standards including the EMV 3D Secure effort to enable a seamless authentication and payment experience that can lead to better approval rates for digital transactions and lower fraud. 

Integrating FIDO with other standards is also something that the Financial Data Exchange (FDX) is implementing with its stack. Don Cardinal, Managing Director, Financial Data Exchange, explained in a session that his organization is dedicated to unifying the financial service industry around an interoperable, royalty-free standard for secure permission to access data.

“The whole idea is to stop sharing user IDs and passwords and stop using them in the entire session,” Cardinal said. “Ideally, if you have OIDC [OpenID Connect] and FIDO throughout FDX you can enroll, use and consume the whole setup and never use a credential, which I think is really powerful in today’s day and age.”

Optimizing UX for Strong Authentication 

While the technical details of FIDO specifications are critical to enabling strong authentication, optimizing the user experience is critical to adoption. 

In the final panel of the day, Megan Shamas, Director of Marketing, FIDO Alliance, noted that there is an effort currently underway to test and improve the FIDO user experience. Guidance from that testing effort is set to be publicly available in late 2021.

Kerry Hebert, Design Director (CX/UI) at Visa, emphasized that it’s likely that FIDO implementation hinges on user adoption and adoption is only going to happen if the user registers. She noted that for users to take the step of registering, they need to believe that there’s value in what it provides and that it in some way makes the consumer’s life a little bit better.

Kevin Goldman, Chief Experience Officer, Trusona, strongly suggests that financial services firms not think about user experience as something that is bolted on to the end of the process. Rather, he suggests that it’s an integrated part of the entire process of supporting and enabling FIDO standards.

Judy Clare, Vice President, Product Manager, Digital Identity and Authentication at JPMorgan Chase & Co, suggested during the panel that from an experience perspective, FIDO engagement needs to be easily digestible for consumers. 

“You really have to have that value proposition out there – what’s in it for me, and why should I be clicking through this and take an extra 30 seconds to sign up for it and then go on my way, because I am here to do something and this wasn’t it,” Clare stated. “So it’s really important to keep the user in mind.”

Next Up: More Authenticate Summits and Authenticate 2021 Conference

There’s much more content to come from the FIDO Alliance in 2021.

Looking forward, there is another virtual event coming in June that will focus on strong authentication in Europe. Plans are also coming together for a physical Authenticate conference set for October in Seattle.

“In general, what we see is a lot of best practice sharing, everyone is in this together, and is motivated to help protect the networked economy and FIDO authentication presents a great way of doing so,” Shikiar said. “So we encourage you to certainly take part.”

FIDO Alliance Announces First 2021 Authenticate Virtual Summit, focusing on Modern Authentication for Financial Services https://fidoalliance.org/fido-alliance-announces-first-2021-authenticate-virtual-summit-focusing-on-modern-authentication-for-financial-services/ Mon, 08 Mar 2021 13:36:52 +0000

March 25 event features key leaders from eBay, Google, Mastercard, Visa and more

MOUNTAIN VIEW, CA, March 8, 2021 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, announced today the speaker lineup for its first 2021 Virtual Summit: “Modern Authentication for Financial Services” taking place March 25 from 9:00am – 12:00pm PDT.

Featured keynotes will be presented by Rachel Huber, Senior Analyst, Payments and John Buzzard, Lead Analyst, Fraud & Security, both of Javelin Research; David Henstock, Head of Identity & Authentication Products, Visa and Arshad Noor, CTO, StrongKey. The half day format includes sessions in which executives from eBay, Gemini, Google, Mastercard, JP Morgan Chase, Visa and Trusona will talk about the rapidly evolving security and usability measures being developed and deployed to safeguard financial service users by way of modern authentication.

Payments and financial services are amongst the leading industries for adoption of modern authentication systems – and digital transformation in general – with use cases ranging from simpler and stronger account sign-on to mobile banking to secure payments. COVID-19 has only accelerated the imperative to protect valuable resources while still providing secure access to online banking services. 

Between current and emerging regulations, the ongoing battle against hackers and a fickle yet demanding consumer base, it is more critical than ever for leaders in this sector to find balance between compliance, security and user experience. This edition of the Authenticate Virtual Summit tackles these issues with an agenda that includes:

  • Keynotes from FIDO Alliance, Visa, StrongKey and Javelin Strategy & Research 
  • Panel discussion on Payments & the Future of Authentication, featuring expert perspectives from eBay, Google and Mastercard
  • Tips from Gemini on how users can secure their crypto
  • Details on how to leverage the FDX and FIDO protocols to enable secure access and data sharing
  • Considerations and best practices for optimizing the strong authentication user experience

“Building off of the success of our Authenticate conference last year, we developed the Authenticate Virtual Summit Series to provide informative and interactive content on the role of modern authentication in organizations’ evolving digital transformation plans. Payments, financial services and cryptocurrency are natural focus areas for our first Summit, as these are amongst the leading industries for adoption of modern authentication systems – an imperative that has only accelerated during COVID-19,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We are proud to have such an esteemed roster of financial services industry thought leaders committed to imparting their collective insight, especially as the risks of security breaches remain high and consumers demand increasing convenience.”

To view the full agenda and register, visit www.authenticatecon.com

For more information about additional summits: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Identity, Authentication and the Road Ahead: Virtual Policy Forum Day 2 https://fidoalliance.org/identity-authentication-and-the-road-ahead-virtual-policy-forum-day-2/ Fri, 05 Feb 2021 22:33:09 +0000

Team FIDO Alliance

The second and final day of the Identity, Authentication and the Road Ahead: Virtual Policy Forum event on Feb. 5 brought together government officials, tech experts and policy advocates in a packed agenda.

The two-day event was hosted by the FIDO Alliance together with the Better Identity Coalition and the ID Theft Resource Center (ITRC) and had over 1,000 registered attendees. The first day of the event saw sessions that outlined the clear and present need for the government and industry to make identity and strong authentication systems more pervasive, to help protect and serve individuals and businesses alike. The second day in contrast had a strong focus on the need for strong authentication and was highlighted by an expert panel that explained how FIDO authentication was able to help secure the 2020 U.S. election.

The day’s event kicked off with a keynote from Congressman John Katko (R-NY) who emphasized the critical need for secure digital identity.

“Our homeland security, national security, economic security and way of life are threatened in unprecedented ways by highly sophisticated adversaries and simply being vigilant is no longer enough,” Katko said. “Today’s threat environment demands a posture of unwavering resilience. This is particularly true for ensuring the sanctity and resilience of our digital identities.”

How FIDO Helped to Secure the 2020 Election

The resilience of digital identity and strong authentication was called into question during the 2016 election cycle when hackers were able to infiltrate the email accounts of Democratic party staffers, notably the attack on Clinton campaign chair John Podesta’s Gmail account.

The same type of event didn’t re-occur during the 2020 election cycle, in part thanks to FIDO standards and a concerted effort to make sure that both Democratic and Republican party officials had access to strong authentication. In a panel during the event, Michael Kaiser, President and CEO of Defending Digital Campaigns, explained that his organization was created to help solve the challenge of political campaigns not having the right cybersecurity resources to defend themselves. As companies cannot directly donate to campaigns, Defending Digital Campaigns was formed to act as an intermediary that enables political campaigns to get cybersecurity services, including FIDO based strong authentication resources, for free or low cost.

Kaiser explained that political campaigns are not like a typical organization in that they are short lived and don’t have long term thinking about a security maturity model. Despite that, political campaigns need to be protected as they sit on incredibly valuable and important information.

“I think we gave away more than 10,000 security keys in the political sector in the 2020 cycle,” Kaiser said. “That’s a lot of people and a lot of accounts as we gave away more than $1 million worth of products to 183 campaigns.”

Bob Lord, chief security officer of the Democratic National Committee (DNC), noted that after the events of the 2016 election, security was clearly under the microscope.

“Security is a real challenge and everybody really understands the importance of it, but the dollar figures really can get in the way,” Lord said. “Making sure that there was a reliable source for things like security keys was really instrumental in moving forward.”

Within the DNC and across campaigns, Lord and his team strictly implemented the use of FIDO based security keys to provide strong authentication capabilities and limit the risk of potential phishing attacks. 

“Today 100% of the people at the DNC who need to get access to their email and access to their documents, they’re all using security keys – no exceptions, no executive privilege to opt out of this,” Lord said.

The DNC also benefited from Google’s Advanced Protection Program (APP) which provides additional levels of protection and assurance beyond what a basic Gmail account enables.

“We’re big supporters and real big believers in the combination of FIDO security keys and the APP,” Lord said.

Why DNC Believes in FIDO

Lord noted that there are a number of reasons why he is a big supporter of FIDO standards. One is the fact that FIDO standards are built into the Google Chrome browser. Lord explained that the DNC was pushing the use of Chromebooks to campaigns and the integrated FIDO capabilities made it easier to deploy strong authentication.

While there are multiple types of two-factor authentication available in the market, for Lord there are really only two categories.

“I think there are really two kinds of multi-factor that are available in the consumer space – I think there are FIDO security keys and then there’s everything else,” Lord stated emphatically. “When I refer to everything else, I refer to those other multi-factor systems as legacy and I do that because I want people to get the mental model that this is something to be contained, minimized and eventually moved out.”

Lord observed that other multi-factor approaches, while better than not using multi-factor at all, have shown weaknesses, which is why in his view as an industry it’s important to really be pushing people pretty aggressively to move down the path of FIDO strong authentication adoption.

While Lord is an advocate for adopting FIDO based strong authentication with security keys, he also noted that there were some usability challenges his team had to work through, as well as training that was needed to educate and onboard users. The lessons from the DNC’s efforts are all now being publicly shared by Lord’s team at https://democrats.org/security/.

“It’s a non-partisan thing so there’s nothing red or blue about these best practices, but you’ll see in there that we really push pretty hard on security keys and the APP in particular,” he said.

Mark Risher, Senior Director of Security and Identity at Google, emphasized during the panel that in general adding a second factor does still objectively decrease the chances of a user becoming the victim of a phishing attack. That said, he noted that for an attacker, phishing a password, or phishing a password plus a One Time Password (OTP) PIN code, basically requires just one more line of code.

“It does not require the funding of the nation state,” Risher said about the ability to bypass OTP for phishing attacks. “So we need to get the world to understand the distinction, and to move into and start requiring these much more stringent hardware based strong authentication technologies and standards.”

How FIDO is Moving Forward to Enable Digital Transformation

The afternoon keynote at the event was delivered by Andrew Shikiar, the Executive Director of the FIDO Alliance. Shikiar noted that passwordless authentication is an important cornerstone for digital transformation.

“The security and authentication aspects of digital transformation came to the fore as everything was accelerated due to the pandemic,” Shikiar said.

Shikiar noted that social engineering had kind of a renaissance in 2020 as phishing continued to be successful.

“Simply put, the only way to break this cycle is to eliminate our dependence on server side credentials and password,” Shikiar said. “Anything on a server can and will eventually be stolen so they’re easy to phish, harvest and replay.”

The need to create stronger authentication is why FIDO was born. Shikiar explained that the FIDO Alliance’s mission is to create open standards for simpler, stronger authentication with public key cryptography and asymmetric public key cryptography, which is something that the average consumer should never have to pronounce, let alone know what it means.

Shikiar also outlined some of the FIDO Alliance’s highlights from 2020, including Apple joining the group. He added that Apple joining served as a powerful signal to the industry that really everyone is coalescing around the FIDO Alliance as the organization to collaborate on standards-based, user-friendly, strong authentication. Another key highlight from 2020 for FIDO was the level of support across operating system and browser combinations with different transport mechanisms for the authenticator.

“Over 4 billion devices can support FIDO authentication,” Shikiar said. “So in short, you know, we think FIDO is becoming part of the DNA of the web itself, which is a pretty audacious thing.”

“To summarize, FIDO is very much the present and the future of user authentication.”

The SolarWinds #Solorigate Attack as an Identity Authentication Issue

A key topic that resonated throughout the second day of the policy forum was the impact of the recent SolarWinds attack, which is also commonly referred to as Solorigate.

During a panel about what policies the Biden Administration should consider with regard to identity, John Miller, Senior Vice President of Policy and Senior Counsel at ITI, commented that the SolarWinds attack has been accurately described as a software supply chain attack but is also fairly characterized as an identity attack.

“Characterizing SolarWinds as an identity attack presents an opportunity to remind policy makers of how fundamental identity is to not only what we’re doing online as consumers but to, but an enterprise environment,” Miller said.

In the final keynote of the event, Alex Weinert, Partner Director of Identity Security at Microsoft, outlined the gory authentication and identity details behind the Solorigate incident and why zero trust principles would help to mitigate many risks.

Weinert noted that the Solorigate attack was a fundamental attack on trust. He also emphasized the clear role that authentication played in the attacks and the need to move to strong authentication.

“What are we doing to encourage explicitly verifiable credentials, we all know passwords are crap, we know they’re incredibly vulnerable,” Weinert said. “Are we doing enough as an industry to push for the end of passwords?”

Today’s sessions (February 5) have been recorded and will be available soon.

Identity, Authentication and the Road Ahead: Virtual Policy Forum Day 1 https://fidoalliance.org/identity-authentication-and-the-road-ahead-virtual-policy-forum-day-1/ Fri, 05 Feb 2021 01:30:21 +0000

Team FIDO Alliance

The intersection of identity and authentication and how it can help to improve business as well as people’s lives was a core topic of conversation on the first day of the Identity, Authentication and the Road Ahead: Virtual Policy Forum event on Feb. 4.

The FIDO Alliance joined together with the Better Identity Coalition and the ID Theft Resource Center (ITRC) to host the two-day event running on Feb. 4-5, which has over 1,000 registered attendees who are gathering to learn more and discuss the current and future state of identity and authentication. The first day of the event had a strong focus on things the U.S. can do and is doing to help improve the state of identity, while recognizing the many challenges on the road ahead.

Identity is a National Security Issue

In the opening keynote, Michael Mosier, Deputy Director & Digital Innovation Officer at the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), outlined what’s at stake when it comes to digital identity.

“I view identity as a national security issue, and it will take the intellectual power and creativity of all of us to figure out how to secure identities and keep people from harm,” Mosier said.

Mosier emphasized that digital identity solutions are a key factor to help prevent fraud and financial crime. He added that in order to get payments right, there is a clear need to first get identities done right. The right way in his view, is an approach that preserves privacy while ensuring integrity in the system.

“The ability to detect and address risks is only as good as the ability to determine with whom you’re engaging,” Mosier said. “So the real question for identity related risk is, do you have the information necessary to reliably assess the risk of your counterpart or your customer.”

A key challenge FinCEN is seeing is at the account opening stage, with identity proofing and verification. A July 2020 advisory from FinCEN highlighted the issue, reporting that criminals are undermining identity verification processes through identity theft and synthetic identity fraud.

“We’re seeing a lot of identity authentication compromise, leading to account takeovers, as a lack of multifactor and multi step authentication is too prevalent across the financial sector,” Mosier said.

The cost of those takeovers is far from trivial. FinCEN is seeing around 5,000 account takeover reports each month, reaching approximately $400 million per month over the last two months.

“The bottom line is that many account takeovers and fraud are occurring because of failures to enforce stronger levels of assurance and identity verification in authentication processes,” Mosier said.

Phishing is Top Source of Identity Theft and Cybercrime

The Identity Theft Resource Center (ITRC) is seeing the same trends as FinCEN, with phishing and credential theft being the leading source of identity theft, according to the group’s recently released 2020 Data Breach Report. In a keynote session, Eva Velasquez, President and CEO, and James Lee, Chief Operating Officer, of the ITRC outlined the high level findings of the report and its impact.

“Credentials are the coin of the realm today, as opposed to what we have traditionally thought of as being the kind of information that threat actors wanted to collect,” Lee said.

While other failures and vulnerabilities including unpatched software can and do lead to data breaches, Lee emphasized that the majority of the root causes of cyberattacks rely primarily on user logins and passwords.

How the Pandemic has Accelerated the Need for Strong Authentication

With tens of millions of Americans looking to the U.S. government for help during the pandemic, there has been a clear need for strong authentication and identity technology.

During a panel, Sanjay Gupta, chief technology officer for the US Small Business Administration (SBA), noted that the SBA has been able to ramp up during the pandemic thanks in part to the deployment of a strong authentication based single sign-on technology that makes use of FIDO Alliance standards. The SBA uses the login.gov platform from the U.S. Government’s General Services Administration (GSA).

In a keynote session, Congressman Bill Foster (D-IL) stated that the COVID crisis has laid bare many of the inadequacies of the identity system in the U.S.

Just to pick one example, Foster noted that over a million stimulus checks were sent to dead people and for millions of others, the stimulus checks were delayed because of challenges in verifying who is eligible based on where they live. While there are challenges, Foster noted that there has also been a lot of relevant technological progress, independent of government action. 

“The use of a secure enclave on a modern cell phone as a FIDO second factor device is a huge step forward,” Foster said. “The increasing use of privacy preserving biometric sensors on smartphones as a means of providing digital online authentication for human identity is going to be transformative.”

In a panel following the keynote on where the government can help with identity and authentication, Paul Rosenzweig, Resident Senior Fellow, Cybersecurity and Emerging Threat at the R Street Institute, commented that good identity is clearly one of those common public goods that, economic theory teaches us, is best provided at a governmental level. That’s an idea that panelist Phil Lam, Executive Director of Identity for the U.S. General Services Administration (GSA), agreed with.

“I think that we as a government are providing a lot of benefits to Americans today and in order to facilitate providing that benefit, we kind of need to know who you are and are you eligible for a benefit,” Lam said.

Lam re-iterated that the FIDO-enabled login.gov portal is a critical part of the U.S. government’s authentication strategy and now serves over 25 million users.

The final panel of the day tackled the socially important topic of equity and inclusion when it comes to identity and the individual. Among the panelists was Reverend Ben Roberts who runs the ID Ministry, which is an effort to help the underprivileged get their identity so they can qualify for government assistance or even just to get a bank account.

Roberts detailed a number of heart-breaking cases of individuals that have had extreme challenges in getting some form of verified identity. He had a strong message for government policy makers and technology developers alike for how to enable strong authentication and identity systems.

“As we’re bringing things online and as new policies and new systems come into play, really do your level best to ensure that people are not getting left behind,” Roberts said.

Today’s sessions (February 4) have been recorded and can be found here. There’s still time to register for tomorrow’s sessions (February 5). Register here.

The post Identity, Authentication and the Road Ahead: Virtual Policy Forum Day 1 appeared first on FIDO Alliance.

]]>
32735
EVENT: Identity, Authentication and the Road Ahead https://fidoalliance.org/event-identity-authentication-and-the-road-ahead/ Thu, 04 Feb 2021 16:17:05 +0000 https://fidoalliance.org/?p=32720 On February 4-5, 2021, the Better Identity Coalition, FIDO Alliance, and Identity Theft Resource Center will be hosting an online event, “Identity, Authentication and the Road Ahead”.  The event will bring […]


On February 4-5, 2021, the Better Identity Coalition, FIDO Alliance, and Identity Theft Resource Center will be hosting an online event, “Identity, Authentication and the Road Ahead”. 

The event will bring together leaders from government, industry and the nonprofit sector to tackle how the government plans to modernize identity and authentication, how COVID-19 has affected the identity landscape, ways the government can help address pain points in our identity infrastructure, standards updates and more. Our keynote speakers include Congressman Bill Foster [D-IL], Financial Crimes Enforcement Network (FinCEN) Deputy Director and Digital Innovation Officer Michael Mosier, Congressman John Katko [R-NY] and Partner Director of Identity Security for Microsoft Alex Weinert. 

“The COVID-19 pandemic has laid bare our challenges in digital identity and authentication – not just from a security perspective, but also a human one,” said Jeremy Grant, Coordinator of the Better Identity Coalition. “We’re thrilled to partner with the FIDO Alliance and the Identity Theft Resource Center on this two-day event to highlight different facets of the challenges in identity and authentication – and discuss ways the government and industry can partner together to spur new solutions that can help all Americans.”

“The FIDO Alliance is pleased to be working with the Better Identity Coalition and the ID Theft Resource Center to advance awareness of and inspire action for simpler and stronger authentication and improved identity verification processes,” said Andrew Shikiar, Executive Director & CMO of the FIDO Alliance. “Jarring events of late, such as the global COVID pandemic and threats to the U.S. election, have accelerated the urgency to move forward with digital transformation plans and enable secure and phish-proof access to remote systems and applications. We’re looking forward to sessions that will uncover the critical role that FIDO Authentication has played this past year and will play in the future of identity and authentication.”

“The Identity Theft Resource Center is honored to co-host the 2021 Policy Forum with the Better Identity Coalition and FIDO to bring awareness to digital security, privacy and convenience for everyone,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “It is critically important we take a look at identity crimes and their impacts on individuals, businesses and policies, particularly when it comes to equity and inclusion. We hope that the two-day event highlights how government and decision-makers can address the pain points in our identity infrastructure and leads to discussions on how to improve identity use and protection in America.”

Our hashtag for the event is #IDPolicyForum.  You can find the full schedule here and RSVP here. This event is on the record and open to the public. 

About the Better Identity Coalition 

Launched in 2018, the Better Identity Coalition is an organization focused on bringing together leading firms from different sectors to develop a set of consensus, cross-sector policy recommendations that promote the adoption of better solutions for identity verification and authentication. The Coalition’s founding members include recognized leaders from diverse sectors of the economy, including financial services, health care, technology, FinTech, payments, and security. More on the Coalition is available at https://www.betteridentity.org/

About the Identity Theft Resource Center  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.   

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Contact: 

Better Identity Coalition: Joshua Lamel
jlamel@insight-dc.com, 202-246-1400 

FIDO Alliance: Karen Arena
press@fidoalliance.org, 732-407-8510

ITRC: Alex Achten     
media@idtheftcenter.org, 888-400-5530 Ext. 3611 

Deployments and Government Recognitions on the Rise in Asia: Updates from FIDO APAC Marketing Forum
https://fidoalliance.org/deployments-and-government-recognitions-on-the-rise-in-asia-updates-from-fido-apac-marketing-forum/
Thu, 04 Feb 2021 16:08:25 +0000


Joon Hyuk Lee and Atsuhiro Tsuchiya, APAC Market Development Team

The reason to put passwords in the rearview mirror is more evident than ever. Our recent survey on consumer behavior says that 58% of abandoned online purchases are due to the difficulty of managing passwords. The Gartner Group’s research indicates that 20-25% of all helpdesk calls are password reset requests. The World Economic Forum (WEF) assessed that cybercrime costs the global economy $2.9 million every minute; about 80% of the attacks targeted passwords.

But the tide is turning. During our inaugural Authenticate conference, which took place in November 2020, Microsoft announced that more than 150 million people are now using its passwordless sign-in each month. That is a 50% increase from last year’s report at Microsoft Ignite back in November 2019.

We have all seen how the global pandemic has drastically accelerated the willingness of and the need for organizations to embrace passwordless FIDO Authentication. It is now a matter of how and with whom, instead of when.

Updates from APAC Marketing Forum

We are happy to share meaningful progress since the first FIDO Alliance Asia Pacific Marketing Forum (AMF) in July. Here are some updates from our members across the region:

Taiwan

Our previous post mentioned the introduction of FIDO’s standards in official documents developed by Taiwan Association of Information and Communication Standards (TAICS) and SEMI (Semiconductor Equipment and Materials International) Taiwan, as well as FIDO’s logo on the app of Taiwan-Cathay United Bank.

Recently, the government of Taiwan has also adopted FIDO’s authentication method for the purpose of citizen’s tax filing, a government service that supports more than 200,000 users. 

India

FIDO2 is now accepted by the CCA (Controller of Certifying Authorities), under India Ministry of Electronics and Information Technology, as an alternative to SMS OTP.  The guidelines have been published on the CCA website (http://cca.gov.in/eSignAPI.html).

FIDO Alliance member Singular Key’s FIDO Certified authentication service is being used by ReBIT, the cybersecurity subsidiary of the Reserve Bank of India.

Additionally, a whitepaper on FIDO authentication for the banking space has recently been submitted to ReBIT. Webinars designed to educate the public on FIDO’s standards are also in the works. These efforts will no doubt help to drive up FIDO awareness amongst the Indian population.

Hong Kong

In Hong Kong, the passion for horse racing continued even as people stayed home and betting branches closed because of the global pandemic.

For the first time ever, the Hong Kong Jockey Club (HKJC) kicked off the horse racing season with all-digital betting. Punters had to log on to HKJC’s mobile betting app, provided by FIDO Alliance member Tradelink.

The betting channels, which are secured by FIDO via biometric authentication on users’ mobile devices, provided a user-friendly and safe experience that helped to secure a record HK$1.376 billion turnover – 6.83% higher than the previous record set in the 2017/2018 season! This was made possible, despite the record low number of attendees at the races in year 2020.

Separately, the Hong Kong Special Administrative Region (HKSAR) government rolled out a new initiative powered by Tradelink’s FIDO Certified authentication – the “iAM Smart” initiative, which enables Hong Kong citizens to authenticate their identities using mobile devices for access to financial services. 

Malaysia

There is a clear transition towards a passwordless future in Malaysia.

The FIDO Certified authentication service from SecureMetric has recently been adopted by a number of public services in the country as part of the government’s Malaysia Cyber Security Strategy 2020-2024. This means that FIDO authentication will play a role in services such as Malaysia Central Bank’s (Bank Negara) Electronic Know Your Customer (eKYC) and the Ministry of Science, Technology and Innovation (MOSTI) National Technology and Innovation Sandbox (NTIS).

Vietnam

In Vietnam, the shift away from passwords is accelerating. Currently, there are 32 licensed e-Wallet providers all vying to lead the charge to facilitate the country’s shift to a more cashless society. There is also a major focus on smart city, digital signatures and electronic ID developments.

Earlier this year, FIDO member VinCSS became the first company in the country to develop FIDO2 Certified authenticators. Since then, it has met the FIDO2 standard for the second time, announcing its achievement of FIDO2 Certification for its strong authentication server named VinCSS FIDO2 Server.

This achievement also means VinCSS is currently one of only 13 companies globally with a FIDO2 certified server that can accept any FIDO certified authenticator, irrespective of its manufacturer – an amazing feat!

Other Notable Updates in Asia

Additionally, Japan-based telecommunications operator KDDI recently deployed FIDO2 for its “au ID” and started a FIDO authentication service. Instant messaging app LINE introduced biometric authentication that utilizes FIDO standards for iPad users, eliminating the need to key in passwords. The FIDO Japan Working Group Chair was invited as an expert by the Japan Ministry of Internal Affairs and Communication to its discussions on using My Number Card capabilities on smartphones.

Furthermore, in Korea, the Blue House, the executive office and official residence of the president of the Republic of Korea, deployed TrustKey’s login solution powered by FIDO’s standards for remote work and internal security access.

If you wish to take part in these exciting new initiatives, or have any inquiries, please do not hesitate to contact tsuchiya@fidoalliance.org.

By joining AMF, you will not only get to connect with key authentication players in APAC, but also gain benefits of participating in FIDO branded awareness and promotional activities together with global champions.

The IoT Security Foundation and FIDO Alliance Announce Collaboration to Eliminate Passwords in IoT
https://fidoalliance.org/the-iot-security-foundation-and-fido-alliance-announce-collaboration-to-eliminate-passwords-in-iot/
Tue, 12 Jan 2021 16:43:43 +0000

Release Date: January 5th 2021

Today, the IoT Security Foundation (IoTSF) and FIDO Alliance announced that they are collaborating to improve the status of IoT security.

The main aims of the collaboration are to raise awareness on the limitations of passwords for IoT devices and provide practical alternatives for product manufacturers. The goals of the collaboration will be achieved by joint messaging and providing publicly accessible materials to help industry implement password-less authentication. 

What’s the problem with passwords?

Passwords are a traditional and simple method for authenticating a user and allowing access to resources. In the past this may have been sufficient, but passwords dramatically fall short in many ways when billions of devices are expected to be connected to networks to collect and share data or provide automation – the era of IoT.

Although this is not a new problem, users are still finding it a challenge to manage and keep track of different accounts and app login credentials. The result is that many take shortcuts – using easy to remember (and guess) passwords, or using the same password across many accounts [1]. This weakens security. Now consider the growing number of home, business, medical, industrial and national infrastructure uses of IoT which bring efficiency, innovation and user benefits. IoT devices are everywhere and the trend is set to continue as this article illustrates. For IoT-class products such as routers and webcams, traditionally manufacturers have opted to have factory universal default passwords [2] and whilst these can be changed, a significant number remain set to the default. This makes them prime targets for botnets which weaponize devices for DDoS attacks such as the famous Mirai and its many variants.

This means that the sheer volume of devices is only going to exacerbate the issues experienced with passwords today. In summary, passwords are not a good solution to the requirements of IoT authentication now, or in the future.

How can this be addressed?

New standards and forthcoming regulation are helping to drive change. The ETSI 303 645 [3] baseline requirements for consumer IoT cyber security standard, published mid 2020, has a provision for “no universal default passwords” and this standard is now being used as a basis for regulation and certification schemes internationally [4].

Whilst “no universal passwords” is a good start for regulation [5], it does not go far enough. The good news is that there are good alternatives to passwords, so they can be eliminated, and they are also better and simpler to use.

How are IoTSF and FIDO Alliance working together?

Both organisations will work together to promote the awareness and use of password-less forms of authentication and link working group activities to ensure industry can access publicly available materials when designing new products.

The IoT Technical Working Group of the FIDO Alliance aims to build a comprehensive authentication framework for IoT devices which provides detailed technical specifications for password-less authentication.

The IoT Security Foundation publishes best practice cyber security advice for product manufacturers and users of IoT systems. Its IoT Security Compliance Framework Working Group is dedicated to the creation and maintenance of the framework which guides developers through a structured process of questioning and evidence gathering. This helps companies make better products with security by design. It is in this area where both organisations intend to collaborate at the technical level to complement the advocacy of password alternatives.

John Moor, Managing Director IoTSF said, “The use of passwords for security is an outdated and outmoded security practice for the digital age. There are solutions which are stronger from a technical perspective and better from a user’s perspective. We are delighted to be working closely with the FIDO Alliance to help eliminate the use of passwords and drive better practice for our manufacturing members.”

Christina Hulka, executive director and COO of the FIDO Alliance said, “The FIDO Alliance mission is to reduce the world’s reliance on passwords with simpler and stronger authentication, including in IoT which unfortunately continues to rely on default or weak password authentication. We look forward to working with the IoT Security Foundation to accelerate our path toward bringing passwordless authentication to IoT.”

References

[1] https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
[2] https://www.router-reset.com/default-router-password-lookup
[3] https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.00_30/en_303645v020100v.pdf
[4] https://www.iotsecurityfoundation.org/consumer-iot/
[5] https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products

About the Internet of Things Security Foundation (IoTSF)

IoTSF is a non-profit corporate and professional membership association.

The mission of IoTSF is to help secure the Internet of Things, in order to aid its adoption and maximize its benefits. To do this IoTSF will promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.

IoTSF promotes the security values of a security-first approach, fitness for purpose and resilience through operating life. The security values are targeted at key stages of the IoT ecosystem – those that build, buy and use products and services: Build Secure. Buy Secure. Be Secure.

IoTSF was formed as a response to existing and emerging threats in the Internet of Things applications.

IoTSF is an international, collaborative and vendor-neutral members’ initiative, driven by the IoT ecosystem and inclusive of all parties including technology providers and service beneficiaries.

For more information, news and further announcements, please visit the official website at www.iotsecurityfoundation.org.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Press Contact

Jenny Devoy
IoT Security Foundation
+44 (0)1506 401210
contact@iotsecurityfoundation.org
twitter: @IoT_SF

FIDO Certified Servers: Updates for Processing Current Metadata Statements
https://fidoalliance.org/fido-certified-servers-updates-for-processing-current-metadata-statements/
Tue, 22 Dec 2020 14:36:32 +0000


Yuriy Ackermann, Certification Technical Manager, FIDO Alliance

As specifications and program requirements advance and change, certification processes and policies will need to be modified from time to time. Following the recent changes to and publication of the FIDO Authenticator Certification program as they relate to V1.4 of the Security Requirements, and the current FIDO Registry of Values specification, we are recommending that currently certified servers make the necessary changes.

It is strongly recommended that you update your FIDO2 and UAF servers in order to correctly process current and future metadata statements based on the latest updates to the FIDO Registry of Predefined Values.

The spec changes are as follows:

  • All previous USER_VERIFY methods have been post-fixed with _INTERNAL to identify them explicitly as INTERNAL user verification methods 
    • Example: USER_VERIFY_PRESENCE → USER_VERIFY_PRESENCE_INTERNAL.
  • New USER_VERIFY methods have been added: USER_VERIFY_PASSCODE_EXTERNAL (0x00000800) and USER_VERIFY_PATTERN_EXTERNAL (0x00001000)
  • RS1 or ALG_SIGN_RSASSA_PKCSV15_SHA1_RAW (0x0010) IANA ALG_KEY_COSE “alg” identifier has been changed to -65535

Servers should make the following updates to support these changes:

  • FIDO2 servers: Update pubKeyCredParams to contain -65535 alg
  • FIDO2 and UAF servers: Change old user verification methods values to the new post-fixed values. Example: USER_VERIFY_PRESENCE → USER_VERIFY_PRESENCE_INTERNAL
  • FIDO2 and UAF servers: Run the conformance tools to verify support for these changes

The latest FIDO Registry of Predefined Values is now available in JavaScript.
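
One way a server could apply the changes listed above, as an added example that is not FIDO Alliance code. The helper names and the shape of the constructed `userVerificationDetails` sample are assumptions; only `USER_VERIFY_PASSCODE_EXTERNAL`, `USER_VERIFY_PATTERN_EXTERNAL` and `-65535` are quoted in this post, and the remaining values are taken from the Registry of Predefined Values and should be checked against the current registry.

```javascript
"use strict";

// Post-fixed method names and bit values. The two _EXTERNAL entries are the
// values given in the post; the others are assumed from the FIDO Registry of
// Predefined Values (which keeps NONE and ALL without a suffix).
const USER_VERIFY = Object.freeze({
  USER_VERIFY_PRESENCE_INTERNAL: 0x00000001,
  USER_VERIFY_FINGERPRINT_INTERNAL: 0x00000002,
  USER_VERIFY_PASSCODE_INTERNAL: 0x00000004,
  USER_VERIFY_VOICEPRINT_INTERNAL: 0x00000008,
  USER_VERIFY_FACEPRINT_INTERNAL: 0x00000010,
  USER_VERIFY_LOCATION_INTERNAL: 0x00000020,
  USER_VERIFY_EYEPRINT_INTERNAL: 0x00000040,
  USER_VERIFY_PATTERN_INTERNAL: 0x00000080,
  USER_VERIFY_HANDPRINT_INTERNAL: 0x00000100,
  USER_VERIFY_NONE: 0x00000200,
  USER_VERIFY_ALL: 0x00000400,
  USER_VERIFY_PASSCODE_EXTERNAL: 0x00000800,
  USER_VERIFY_PATTERN_EXTERNAL: 0x00001000,
});

// COSE "alg" identifier for RS1 after the change described in the post.
const RS1_COSE_ALG = -65535;

const isKnown = (name) => Object.prototype.hasOwnProperty.call(USER_VERIFY, name);

// Map a method name found in stored policy or an older statement to the
// current name. Unknown names are rejected rather than silently accepted.
function upgradeMethodName(name) {
  if (isKnown(name)) return name;
  const upgraded = `${name}_INTERNAL`;
  if (isKnown(upgraded)) return upgraded;
  throw new Error(`unknown user verification method: ${name}`);
}

// Decode a numeric user verification bit field into current method names.
// Bits outside the registry are an error: a server that ignores them would
// treat a statement it does not understand as acceptable.
function decodeUserVerification(mask) {
  if (!Number.isInteger(mask) || mask <= 0 || mask > 0xffffffff) {
    throw new Error(`invalid user verification value: ${mask}`);
  }
  const names = [];
  let remaining = mask;
  for (const [name, bit] of Object.entries(USER_VERIFY)) {
    if ((mask & bit) !== 0) {
      names.push(name);
      remaining = (remaining & ~bit) >>> 0;
    }
  }
  if (remaining !== 0) {
    throw new Error(`unrecognised user verification bits: 0x${remaining.toString(16)}`);
  }
  return names;
}

// Normalise each alternative combination of methods to current names.
// Entries may carry a name (string) or a bit value (number).
function normalizeDetails(userVerificationDetails) {
  return userVerificationDetails.map((combination) =>
    combination
      .map((entry) =>
        typeof entry.userVerification === "number"
          ? decodeUserVerification(entry.userVerification)
          : [upgradeMethodName(entry.userVerification)]
      )
      .flat()
  );
}

// Return pubKeyCredParams with the RS1 entry present exactly once.
function ensureRs1(pubKeyCredParams) {
  const present = pubKeyCredParams.some(
    (p) => p.type === "public-key" && p.alg === RS1_COSE_ALG
  );
  return present
    ? [...pubKeyCredParams]
    : [...pubKeyCredParams, { type: "public-key", alg: RS1_COSE_ALG }];
}

// Constructed sample input (not taken from a real metadata statement).
const SAMPLE_DETAILS = [
  [{ userVerification: "USER_VERIFY_PRESENCE" }],
  [{ userVerification: 0x00000800 }, { userVerification: "USER_VERIFY_FINGERPRINT" }],
];
const SAMPLE_PARAMS = [
  { type: "public-key", alg: -7 },   // ES256
  { type: "public-key", alg: -257 }, // RS256
];
```

Rejecting unknown names and bits makes a registry mismatch visible at metadata load time instead of during an authentication ceremony.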

2020 FIDO Hackathon in Korea: Introducing the Top 5 Winners
https://fidoalliance.org/2020-fido-hackathon-in-korea-introducing-the-top-5-winners/
Thu, 17 Dec 2020 17:01:02 +0000


Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Editor’s Note: This is the final blog posting covering the 2020 FIDO Hackathon – Goodbye Password Challenge. To learn more about the background and process, please read previous blog posts:

[Pictures from Final Evaluation Day – August 7, 2020]

The 2020 FIDO Hackathon – Goodbye Password Challenge has come to a close – a big thank you to the FIDO Alliance Korea Working Group members and event sponsors. The Korean video versions of the entire 2020 FIDO Hackathon journey and presentations by the top 5 winners are available through FIDO Videos Library and a ZDNet Korea interview. We hope this blog will help English readers to understand these winners’ projects, and how their ideas showcase the myriad possibilities for FIDO Authentication in the future.

Here is an overview of the winners and their projects: 

Moses’ Miracle – Gold Award

[Picture of Moses’ Miracle Team at Final Evaluation Day]

Moses’ Miracle is a team consisting of three students majoring in computer engineering and industrial design. They developed a gate access control system based on FIDO Authentication. The smartphone-based system helps people access different security areas much faster and more conveniently without remembering passwords, physical keys, or smart cards. From a management perspective, this solution consumes less time, cost, and labor. For more technical information and a demo of the system, please watch their video presentation.

Protect Homes – Silver Award

[Picture of Protect Homes Team at Final Evaluation Day]

Protect Homes is a team that consists of two developers and two designers, half studying in university and the rest working for venture companies. The team integrated FIDO Authentication to strengthen a smart home ecosystem’s security, coming up with a management app for IoT devices. By going passwordless, the system demonstrated that security and usability are both enhanced. For more technical information and a demo of the solution, please watch their video presentation.

Dr. Who – Silver Award

[Picture of Dr. Who Team at Final Evaluation Day]

Dr. Who is a team consisting of one project manager, two developers, and one public healthcare specialist from WHO (World Health Organization). The team came up with a Proof of Concept project, introducing smart health insurance card services that link Distributed IDentity technology and FIDO Authentication. They wanted to solve the problem with the existing physical health insurance card, which is an inferior way of identifying a patient’s actual identity. For more technical information and a demo of the service, please watch their video presentation.

Fingerprint 486 – Bronze Award

[Picture of Fingerprint 486 Team at Final Evaluation Day]

Fingerprint 486 is a team that consists of seven university students; two app developers, two front-end, one backend developer, and one computer graphic designer. They developed a FIDO Authentication-based document sharing system, which grants file access rights more securely and conveniently without sharing passwords. For more technical information and a demo of the system, please watch their video presentation.

AWS (Add Wi-Fi Security) – Bronze Award

[Picture of AWS Team at Final Evaluation Day]

AWS is a team that consists of two backend developers, two front-end developers, and one computer graphic designer, all from the same women’s university. The team developed a FIDO Authentication-based passwordless Wi-Fi router control system, which does not disclose an administrator’s information. For more technical information and a demo of the system, please watch their video presentation.

[Pictures from Award Ceremony – September 2, 2020]

Building upon the success of the FIDO Hackathon in Korea over the last two years, we are looking at possibilities for an APAC-wide (or global) Hackathon in the year 2021. We believe such a Hackathon (or challenge program) helps us engage and empower developers to accelerate service deployment with out-of-the-box ideas.

FIDO Alliance Wraps Inaugural Authenticate Conference After 50+ Sessions and Expo Focused on the Future of Strong Authentication
https://fidoalliance.org/fido-alliance-wraps-inaugural-authenticate-conference-after-50-sessions-and-expo-focused-on-the-future-of-strong-authentication/
Tue, 01 Dec 2020 18:57:50 +0000

Virtual conference drew over 3,000 global registrants

December 1, 2020 – The FIDO Alliance wrapped its first public conference, Authenticate, on November 19 following six days of virtual sessions, networking and an expo hall all focused on the future of strong authentication with FIDO standards. The conference drew 3,000+ registrants seeking the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate provided the opportunity for attendees to delve more deeply into the FIDO approach, hear from real-world implementers, and come away with everything they need to start the journey towards simpler, stronger authentication for their own brands and services. Attendees heard case studies from many companies that have or are in the midst of rolling out FIDO for consumer and enterprise applications, including Target, IBM, CVS Health, Microsoft, Intuit, Google, NTT DOCOMO and eBay. Other sessions gave both beginners and FIDO veterans content on the core aspects of FIDO’s specifications, a WebAuthn workshop for developers, deployment best practices, insights into biometric security, account recovery and more. The dynamic expo hall complemented the sessions, allowing attendees to meet the vendors providing FIDO solutions that can help them quickly get on the path to simpler, stronger authentication. 

“After years of increasingly severe data breaches and user login frustration, enterprises and consumer service providers understand that they need to end their dependence on passwords. The excitement and engagement in Authenticate showcased that organizations are ready to embrace a new way to provide secure access to online services and applications with FIDO,” said Andrew Shikiar, executive director and CMO of FIDO Alliance. 

Authenticate 2020 sessions are available on-demand, and highlights from the conference can be found on the Authenticate blog. Those interested in attending future Authenticate Summits and Conferences should sign up for updates at www.authenticatecon.com

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

New research reveals consumer frustrations with online retail
https://fidoalliance.org/new-research-reveals-consumer-frustrations-with-online-retail/
Thu, 19 Nov 2020 13:31:54 +0000

November 19, 2020 – New research from the FIDO Alliance has identified how consumer frustrations with online retail are resulting in a significant loss in sales and repeat business for U.S. retailers.

According to the FIDO Alliance’s survey, conducted with 1,000 consumers in the U.S., password frustrations are leading to abandoned carts and lost sales. 58% in the U.S. have abandoned purchases due to the difficulty of managing passwords. They cancelled these transactions because they either could not remember their password or were being forced to create a new account and password to make the purchase.

The research also identified several reasons for potential loss of repeat business, as multiple factors stop people from setting up new accounts after making an initial purchase. Their chief concern, cited by 40% of customers, is that they don’t want their financial information to be stored on retailers’ databases. Having to enter billing and personal data (34%) was another reason, and passwords were again a source of frustration with 28% stating that having to set up and remember a new password would stop them from opening an account.

“Many common online retail practices, like setting up new passwords and accounts, are being rejected by consumers and consequently are hurting retailers’ bottom lines. These outdated processes introduce friction into an experience that people rightfully expect to be as smooth as possible,” said Andrew Shikiar, executive director at the FIDO Alliance. “While historically there has been little that merchants can do other than to be frustrated at password-related losses, that is no longer the case – and retailers need to look for new solutions to removing needless friction from online transactions, or run the risk of losing customers to the competition.”

The survey also revealed on-device biometrics as an alternative to passwords that consumers prefer. This is especially true as more retailers and banks are required to implement Strong Customer Authentication to comply with emerging regulations around the world. 

According to the survey, consumers overwhelmingly prefer the retailers that enable them to log in and make transactions simpler by using their on-device biometrics, such as a fingerprint or FaceID. 

68% of consumers believe these on-device methods are quicker than using traditional two-factor authentication requiring both a password and a one-time password (OTP), and 66% believe they are easier to use.

In addition, 60% of U.S. consumers believe retailers offering on-device authentication care more about their customer experience, 58% believe they care more about their privacy, and 61% believe they care more about their security. They are also more likely to recommend these retailers to friends and family, with 60% stating they would do so.

Young consumers (aged 18 – 24) in the United States are by far the most likely to adopt on-device biometrics, with 76% believing they are easier to use and 81% that they are quicker to use, and 66% would recommend retailers offering on-device biometrics to friends and family.

“2020 has found more and more people fulfilling many of their needs by making a bulk of their purchases online,” added Shikiar. “Merchants especially need to make the buying experience simpler for consumers without sacrificing security. The good news is that most consumer devices today ship equipped with the technology to provide these simpler, stronger authentication methods – it is now incumbent upon retailers to take advantage of these capabilities.” 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Leading Technology Companies Showcase Modern Authentication Products, Services and More at Authenticate 2020 https://fidoalliance.org/leading-technology-companies-showcase-modern-authentication-products-services-and-more-at-authenticate-2020/ Fri, 06 Nov 2020 12:15:07 +0000 https://fidoalliance.org/?p=31984 The FIDO Alliance’s Premiere Industry Event for the Who, What, Why and How of User Authentication November 9-20, 2020 Mountain View, Calif., November 5, 2020 – The FIDO Alliance’s first […]

The post Leading Technology Companies Showcase Modern Authentication Products, Services and More at Authenticate 2020 appeared first on FIDO Alliance.

The FIDO Alliance’s Premiere Industry Event for the Who, What, Why and How of User Authentication November 9-20, 2020

Mountain View, Calif., November 5, 2020 – The FIDO Alliance’s first industry conference dedicated to user authentication is giving attendees the opportunity to experience a first-hand look at the latest product and service innovations from companies showcasing their solutions at the event.

Authenticate is being held virtually from November 9-19, 2020. Complimentary registration is at www.authenticatecon.com. Pre-session Expo-only hours start on November 9th from 1-5pm PST, and the full conference starts on the 10th at 8:30 AM PST.

Participating companies will showcase their newest solutions in the Virtual Expo Hall throughout the conference and beyond. Virtual booths are 360-degree experiences, allowing registered attendees to explore content, see demos, talk live with company executives, and come away with the tools needed to implement FIDO authentication within their organization. 

“The enthusiasm we’ve seen from our sponsors is a testament to their commitment to solving one of the industry’s most challenging security problems of our time,” said Andrew Shikiar, executive director and chief marketing officer for the FIDO Alliance. “We’re thrilled that we can deliver an interactive and engaging virtual platform for these companies most interested in transforming the user authentication process through their leading-edge software, products, applications and services.”

Authenticate 2020 Exhibiting Sponsors

For more information on each, go to the Authenticate Expo Guide.

The free conference is singularly focused on authentication, providing the industry with a forum to delve more deeply into the FIDO approach, hear from real-world implementers, and come away with everything they need to start the journey towards simpler, stronger authentication for their own brands and services. Industry professionals seeking education, tools and best practices to roll out modern authentication across web, mobile, enterprise and government applications should register for free and check out the full agenda at www.authenticatecon.com

Follow us on social media @authenticatecon and join the conversation with #Authenticate2020!

About Authenticate
Authenticate is hosted by the FIDO Alliance, the cross-industry consortia providing standards, certifications and market adoption programs to replace passwords with simpler, stronger authentication.

Register for Authenticate today! www.authenticatecon.com 

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

###

EMVCo, FIDO Alliance and W3C Collaborate on Educational Resource for More Secure and Convenient Web Payments https://fidoalliance.org/emvco-fido-alliance-and-w3c-collaborate-on-educational-resource-for-more-secure-and-convenient-web-payments/ Thu, 05 Nov 2020 13:00:06 +0000 https://fidoalliance.org/?p=31947 First work product from Web Payment Security Interest Group outlines the roles of complementary technologies that can enhance the security and convenience of web payments for merchants and their e-commerce […]

The post EMVCo, FIDO Alliance and W3C Collaborate on Educational Resource for More Secure and Convenient Web Payments appeared first on FIDO Alliance.


First work product from Web Payment Security Interest Group outlines the roles of complementary technologies that can enhance the security and convenience of web payments for merchants and their e-commerce customers.

November 5, 2020 – EMVCo, the FIDO Alliance and the World Wide Web Consortium (W3C) have published a document explaining the roles of their related technology specifications, that together can support merchants in delivering a more secure and convenient payment experience for the benefit of their e-commerce customers.  

The ‘How EMVCo, FIDO, and W3C Technologies Relate’ document is the first output of the Web Payment Security Interest Group, a collaborative industry-led initiative focused on enhancing the interoperability of web payments. Key to this ongoing effort is identifying gaps between relevant specifications to increase compatibility among different technologies.

This new educational resource informs payments industry stakeholders on the roles of EMV® Secure Remote Commerce (SRC), EMV 3-D Secure (3DS), EMV Payment Tokenisation, FIDO Alliance’s FIDO2 specifications, and W3C’s Web Authentication and Payment Request APIs, which may be used together to enable more secure and convenient card-based payment during an e-commerce guest checkout on the Web.

The document also addresses how these technical specifications can support merchant efforts to fight fraud, protect user privacy and meet regulatory requirements, while helping to reduce cost and streamline the online payment process. 

Following the document’s publication, the Web Payment Security Interest Group is actively seeking feedback from interested organizations to improve and enhance the document. For more information and details on how to submit feedback, please visit: https://www.w3.org/securepay/.    

At the Authenticate 2020 Conference on 18 November, representatives from EMVCo, the FIDO Alliance and W3C will participate in a virtual panel session to discuss the document and seek input on it from payments industry stakeholders. The conference is open and free for anyone to attend. 

“As more merchants move online, especially since the start of the COVID-19 pandemic, and fraud attempts increase, EMVCo sees this collaboration with the FIDO Alliance and W3C as a major contribution to advancing secure web-based payments, while also simplifying the online payment process for merchants and helping to reduce friction for their e-commerce customers,” said Bastien Latge, Director of Technology for EMVCo. 

“FIDO Authentication can complement EMVCo and W3C technologies by securely and conveniently authenticating users and transactions in a variety of scenarios,” said Christina Hulka, executive director and chief operating officer of the FIDO Alliance.  “The Web Payments SIG and this first resource are intended to educate and answer questions so ultimately these technologies can be implemented for stronger and simpler web payments. We look forward to industry feedback to help us to frame future educational outputs.” 

“W3C, EMVCo, and FIDO have been working together for a number of years, and now is the time for the industry to start to reap the benefits,” said Ian Jacobs, W3C’s payments lead. “We published ‘How EMVCo, FIDO, and W3C Technologies Relate’ to usefully answer real-world industry questions. Through it, the three organizations have also advanced their understanding of each other’s activities. This now allows us to accelerate our joint efforts, and in collaboration with industry, to develop the next generation of secure and user-friendly technologies to streamline e-commerce.”

– ENDS –

Notes to Editors:
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

About EMVCo
EMVCo is the global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes. EMV is a technology toolbox that enables globally interoperable secure payments across face-to-face and remote environments. Adoption of EMV Specifications and associated approval and certification processes promotes a unified international payments framework, which supports an advancing range of payment methods, technologies and acceptance environments. The specifications are available royalty free, designed to be flexible, and can be adapted regionally to meet national payment requirements and accommodate local regulations.

EMVCo is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, and focuses on the technical advancement of the EMV Specifications. To provide all payment stakeholders with a platform to engage in its strategic and technical direction, EMVCo operates an Associates Programme and encourages all interested parties to get involved. 

www.emvco.com | EMV® Insights | LinkedIn | Twitter | An Introduction to EMVCo | YouTube

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

About the World Wide Web Consortium 
The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C well-known standards HTML and CSS are the foundational technologies upon which websites are built. W3C works on ensuring that all foundational Web technologies meet the needs of civil society, in areas such as accessibility, internationalization, security, and privacy. W3C also provides the standards that undergird the infrastructure for modern businesses leveraging the Web, in areas such as entertainment, communications, digital publishing, and financial services. That work is created in the open, provided for free and under the groundbreaking W3C Patent Policy.

For its work to make online videos more accessible with captions and subtitles, W3C received a 2016 Emmy Award. And for its work to standardize a Full TV Experience on the Web, W3C received a 2019 Emmy Award.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 Member organizations and dozens of industry sectors. Organizationally, W3C is jointly run by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China. For more information see https://www.w3.org/.

EMVCo PR Contacts
Dave Amos / Chloe Smith – david@iseepr.co.uk / chloe@iseepr.co.uk 
+44 1943 468007

FIDO PR Contact
Karen Arena, Aircover PR – press@fidoalliance.org
+1 732-407-8510

W3C PR Contact
Amy van der Hiel – w3t-pr@w3.org
+1.617.253.5628 

FIDO Alliance Members Meet Virtually in Inaugural APAC Marketing Forum https://fidoalliance.org/fido-alliance-members-meet-virtually-in-inaugural-apac-marketing-forum/ Mon, 02 Nov 2020 21:06:35 +0000 https://fidoalliance.org/?p=31918 Joon Hyuk Lee and Atsuhiro Tscuhiya, APAC Market Development Team [Snapshots of AMF Inauguration Members] As the world struggles to contain the global pandemic, cybercriminals are launching their attacks and […]

The post FIDO Alliance Members Meet Virtually in Inaugural APAC Marketing Forum appeared first on FIDO Alliance.


Joon Hyuk Lee and Atsuhiro Tsuchiya, APAC Market Development Team

[Snapshots of AMF Inauguration Members]

As the world struggles to contain the global pandemic, cybercriminals are launching their attacks and taking advantage of the anxiety and uncertainty that people are feeling. They impersonate trusted authorities or brands to mislead their victims. This is not surprising as cybercriminals are always on the lookout for opportunities and vulnerabilities.

Cybersecurity ranks amongst the top ten global risks, and reducing cyber-risk exposure has become a priority for business leaders, according to the World Economic Forum’s 2020 Global Risks Report.

Meanwhile, cybersecurity and technology experts overwhelmingly agree that reliance on passwords should be reduced if not totally scrapped: 80 percent of all data breaches involve weak or stolen passwords, and 29 percent of all attacks leverage the latter.

The use of passwords poses many challenges. As we increasingly live our lives and perform mission critical work online, safe access to connected devices and online services is more important than ever. The need to raise authentication standards and reduce reliance on passwords is now more urgent than ever.

APAC Marketing Forum

Since 2012, the FIDO Alliance has been working with organizations across Asia Pacific (APAC) to reduce the reliance on passwords and encourage the adoption of simpler and stronger approaches to authentication. Today, we have close to 40 members from both the public and private sector in this region.

Recently, more than 30 representatives from these member organizations got together for the very first FIDO Alliance APAC Marketing Forum (AMF). The AMF, held virtually, was an informal marketing related discussion.

The event provided a platform for members to connect, learn about each other’s markets and share best practices. It facilitated communication and cooperation amongst members, and the authentication industry as a whole.

Recent Initiatives in APAC

FIDO members in APAC also have made tremendous progress in recent months.

Companies that deployed FIDO authentication include PrivyID in Indonesia, and Japan-based NTT Docomo and KDDI. Furthermore, VinCSS became the first company in Vietnam to develop FIDO2-certified strong authentication servers.

FIDO also was included in official standards documents developed by the Taiwan Association of Information and Communication Standards (TAICS) and SEMI (Semiconductor Equipment and Materials International) Taiwan. 

Also in Taiwan, the Taiwan-Cathay United Bank has added the FIDO logo to the latest version of its app, which was released to customers in August.

Additionally, we had successful events like the FIDO Security Key Support Campaign, and 2020 FIDO Hackathon – Goodbye Password Challenge that offered member organizations opportunities to interact with each other despite physical distancing.

Activities in the Pipeline

Moving forward, we aim to organize more of both digital and onsite collaborative marketing events where members can promote their innovations and share case studies. Currently, planned initiatives include:

  • FIDO Alliance virtual AMFs to be organized once every quarter, where post discussion updates will be shared through the FIDO Blog
  • FIDO Alliance quarterly member newsletter 
  • Updated FIDO Alliance orientation material with contents customized for the needs of APAC members

We look forward to seeing you at the next virtual meeting in October!

If you wish to take part in these exciting new initiatives, or have any inquiries, please do not hesitate to contact tsuchiya@fidoalliance.org.

By joining AMF, you will not only get to connect with key authentication players in APAC, but also gain benefits of participating in FIDO branded awareness and promotional activities together with global champions.

FIDO Alliance Opens Free Registration for Authenticate 2020 Conference https://fidoalliance.org/fido-alliance-opens-free-registration-for-authenticate-2020-conference/ Wed, 14 Oct 2020 15:24:47 +0000 https://fidoalliance.org/?p=31822 Virtual conference being held November 9-19 Mountain View, Calif., October 14, 2020 – The FIDO Alliance has opened registration for its inaugural Authenticate virtual conference for identity and security professionals […]

The post FIDO Alliance Opens Free Registration for Authenticate 2020 Conference appeared first on FIDO Alliance.

Virtual conference being held November 9-19

Mountain View, Calif., October 14, 2020 – The FIDO Alliance has opened registration for its inaugural Authenticate virtual conference for identity and security professionals around the world. Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach.

Authenticate is being held virtually from November 9-19, 2020. Industry professionals seeking education, tools and best practices to roll out modern authentication across web, mobile, enterprise and government applications should register for free at www.authenticatecon.com

The Authenticate agenda includes six days of jam-packed opportunities to transform attendees’ authentication knowledge and procedures. Authenticate is singularly focused on authentication, providing the industry with a forum to delve more deeply into the FIDO approach, hear from real-world implementers, and come away with everything they need to start the journey towards simpler, stronger authentication for their own brands and services.

Here’s a glimpse at some of the content attendees will get from their complimentary registration:

  • Keynotes from the world’s greatest minds on cryptography, security and identity: 
    • Dr. Whitfield Diffie, Co-inventor of Public Key Cryptography and Senior Advisor, Uniken
    • Joy Chik, Corporate Vice President, Microsoft Identity
    • Stina Ehrensvärd, CEO and founder, Yubico
    • Mark Risher, Senior Director of Product Management, Google
    • Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance
  • Case studies from service and technology providers including CVS Health, EMILY’s List, Facebook, Google, IBM, Mass Mutual, Microsoft, MITRE Corporation, NTT DOCOMO, PNC Bank, and Target
  • Policy discussions around PSD2, GDPR and eIDAS; authentication to enable better privacy for citizens; authentication from a regulator’s perspective and more
  • Standards and technical implementation presentations focusing on FIDO for identity verification; bringing FIDO Authentication to IoT; OpenID for open banking; standards and the future of payments; account recovery; FIDO certification; attestation and more
  • Sessions on the state of authentication, building an authentication strategy, and how FIDO fits with initiatives like W3C Web Payments, and EMVCo 3DS and SRC

See FIDO Authentication in Action in the Virtual Expo Hall

Attendees will join peers in the virtually rich and immersive expo hall that feels like they’re with colleagues in person through creatively-produced networking lounges and other interactive features that will help them make new connections and reunite with old friends. Sponsoring company booths will be a 360-degree experience, allowing them to explore content, see demos, talk live with company executives, and come away with the tools needed to implement modern authentication with FIDO inside of their organization.

Exhibiting sponsors include: signature sponsors Google, Microsoft and Yubico; platinum sponsors Feitian, HID, Identiv, NokNok, Secret Double Octopus and Strongkey; gold sponsors AuthenTrend, Aware, Daon, Duo, HYPR, RSA, SurePass and Uniken; and startup sponsors AuthAmor, Iproov and One World Identity.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortia providing standards, certifications and market adoption programs to replace passwords with simpler, stronger authentication.

Register for Authenticate today! www.authenticatecon.com 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

CISA Cites FIDO Authentication to Protect Political Campaigns https://fidoalliance.org/cisa-cites-fido-authentication-to-protect-political-campaigns/ Fri, 11 Sep 2020 21:19:30 +0000 https://fidoalliance.org/?p=31636 Andrew Shikiar, FIDO Alliance Executive Director & CMO  The US Cybersecurity and Infrastructure Security Agency (CISA),  issued an advisory Thursday recommending cyber attack remedies for election-related activities  including the use […]

The post CISA Cites FIDO Authentication to Protect Political Campaigns appeared first on FIDO Alliance.


Andrew Shikiar, FIDO Alliance Executive Director & CMO 

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory Thursday recommending cyber attack remedies for election-related activities, including the use of FIDO authentication to thwart phishing attempts and account takeover.

The advisory, entitled ACTIONS TO COUNTER EMAIL-BASED ATTACKS ON ELECTION RELATED ENTITIES, noted that 78 percent of cyber-espionage incidents are enabled by phishing. CISA makes specific recommendations on protecting against cyber attacks to aid organizations involved in election-related activities.

Among other recommendations, FIDO Authentication was highlighted to thwart phishing attempts and protect against account takeover for cloud email and other high-value services. Specifically, CISA cites FIDO2 Security Keys as a tool that campaigns and organizations can, and should, use to protect themselves. The advisory also recommends that, when available, campaigns and organizations should enroll users in advanced protection services such as Google Advanced Protection, which leverages FIDO Security Keys as a best practice over other 2FA methodologies to protect workforces from account takeovers related to malicious attacks.

FIDO security keys offer protection against phishing attacks by working as a second, physical factor of authentication and only authenticating when a user is on the correct website. Thus, even if a user is tricked into supplying their password to a phishing website, the physical security key will still block attackers from accessing their account. 

Phishing continues to be a problem and remains one of the most popular means by which cybercriminals obtain data. Embracing FIDO technology is smart politics, and smart policy for those who understand the gravity of the cyber threat. As the election draws near, we’re increasingly seeing foreign agents attempting to infiltrate, influence and disrupt our elections.

As the CISA advisory implies, phishing and other cyber attacks are a critical issue with widespread and damaging implications to U.S. national security. The CISA advisory highlights the importance of locking down email systems, which have become a preferred vector for malicious activity. The CISA recommendations are intended as a preferred method for protecting the 2020 and future political campaigns. 

FIDO Alliance Submits Comments to NIST on Digital Identity Guidelines, Asks for Stronger Differentiation for Phishing-resistant Authentication Tools https://fidoalliance.org/fido-alliance-submits-comments-to-nist-on-digital-identity-guidelines-asks-for-stronger-differentiation-for-phishing-resistant-authentication-tools/ Fri, 11 Sep 2020 15:57:23 +0000 https://fidoalliance.org/?p=31630 In June, NIST put out a call for comments on the next iteration of its Digital Identity Guidelines, SP 800-63-4. We welcomed the opportunity to comment; read our full comments […]

The post FIDO Alliance Submits Comments to NIST on Digital Identity Guidelines, Asks for Stronger Differentiation for Phishing-resistant Authentication Tools appeared first on FIDO Alliance.


In June, NIST put out a call for comments on the next iteration of its Digital Identity Guidelines, SP 800-63-4. We welcomed the opportunity to comment; read our full comments in the Government & Public Policy area of the website.

Up front, we note that SP 800-63-3 represented a significant improvement in NIST’s Digital Identity Guidelines, taking a more modern approach to identity proofing, authentication, and federation. That said, neither technology nor threats are ever static, and we are encouraged to see that NIST is embarking on another revision of the document.

In our comments, we make three recommendations for SP 800-63-4:

1. NIST should adjust its approach to AALs to help implementers clearly differentiate between tools that are phishing resistant and those that are not

Today, a variety of authenticators based on shared secrets – including Look-Up Secrets, Out-of-Band Devices (i.e., Push), and OTP apps and tokens – are given the same weight in AAL2 as authenticators based on asymmetric public key cryptography, such as FIDO. Given how attackers have caught up with the former, it no longer makes sense to combine these two types of authenticators under a single designation. Doing so misleads implementers into thinking these two categories of authenticators are equivalent in strength or resiliency. In our comments, we provide NIST with several ideas for how it can adjust the AALs to provide more differentiation between tools that are phishing resistant and those that are not.

2. NIST should engage with FIDO Alliance to explore other alternatives to enable FIDO authenticators to meet AAL3 requirements

When SP 800-63-3 was first published, it created a path for some FIPS 140 validated FIDO authenticators to meet AAL3 – if those authenticators were deployed in concert with Token Binding to deliver Verifier Impersonation Resistance. Since that time, most major browser vendors have withdrawn support for token binding. Per discussions with NIST, we understand that this means that FIDO authenticators can no longer meet AAL3 without implementing other approaches to mitigate the loss of token binding. As NIST embarks on the next revision of SP 800-63, we urge NIST to engage with FIDO Alliance to explore other alternatives to enable FIDO authenticators to meet AAL3 requirements.

3. Provide more direct references to FIDO

SP 800-63B describes Requirements by Authenticator Type but is inconsistent in how it points to standards that support that type. This has created some confusion in the marketplace when implementers consult SP 800-63B and see reference to standards like OTP and PKI but do not see any specific reference to FIDO. In our comments, we offer three suggestions for how the guidance can directly reference FIDO so that implementers have a clearer understanding of where FIDO fits in and supports the requirements. 

We greatly appreciate NIST’s consideration of our comments and look forward to ongoing dialogue and collaboration as they seek to update the Digital Identity Guidance.

New White Paper Series Provides How-tos and Best Practices for Going Passwordless in the Enterprise https://fidoalliance.org/new-white-paper-series-provides-how-tos-and-best-practices-for-going-passwordless-in-the-enterprise/ Mon, 17 Aug 2020 17:18:41 +0000 https://fidoalliance.org/?p=31420 Support for FIDO in browsers and operating systems is widespread and growing fast. Enterprises now have better tools to replace easily compromised passwords with simpler, stronger FIDO Authentication and eliminate […]

The post New White Paper Series Provides How-tos and Best Practices for Going Passwordless in the Enterprise appeared first on FIDO Alliance.


Support for FIDO in browsers and operating systems is widespread and growing fast. Enterprises now have better tools to replace easily compromised passwords with simpler, stronger FIDO Authentication and eliminate phishing, man-in-the-middle and other security attacks. But, if you want to deploy FIDO in your enterprise, what are the first steps? Do you need to explain “why FIDO?” to your CISO? What do the timelines look like? Should you build your own server or work with a vendor? What FIDO authenticators should you accept? How do you manage them?

The FIDO Alliance Enterprise Deployment Working Group (EDWG) will answer these questions, and more, in its new white paper series. The series aims to educate corporate management and IT security on the improvements available for authentication today and how to leverage them within their own organizations. This work is dedicated to eliminating passwords and securing the simple act of logging into company systems and applications. 

First up in the series is the primer “CXO Explanation: Why Use FIDO for Passwordless Employee Logins?” This document is the guide for you and/or the executive leaders in your organization as to why you should invest in FIDO2 deployment for your employees.

It addresses all of the common questions from CXOs on the value proposition of FIDO Authentication and how the FIDO2 passwordless framework addresses the authentication needs and challenges of companies for the modern workforce. Read it now at https://fidoalliance.org/white-paper-cxo-explanation-why-use-fido-for-passwordless-employee-logins/ and pass it along to colleagues.

Subsequent entries in this educational series will focus on server deployment, authenticator choices, authenticator life-cycle management, and credential acceptance in the enterprise. This series is part of the Alliance’s strategy to provide expert deployment guidance to our community in order to support the rapidly growing number of FIDO implementations across a variety of use cases. Please watch this space as we publish more in this Enterprise Series over the coming months. 

2020 FIDO Hackathon in Korea Update: Mid-term Meetup Event https://fidoalliance.org/2020-fido-hackathon-in-korea-update-mid-term-meetup-event/ Thu, 06 Aug 2020 22:19:31 +0000 https://fidoalliance.org/?p=31359 Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance Editor’s note: For the background information on the 2020 Hackathon in Korea, see the April blog post: “2020 FIDO Hackathon: Goodbye […]

The post 2020 FIDO Hackathon in Korea Update: Mid-term Meetup Event appeared first on FIDO Alliance.

Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Editor’s note: For the background information on the 2020 Hackathon in Korea, see the April blog post: “2020 FIDO Hackathon: Goodbye Password Challenge in Korea.”  To learn more about examples of proposed development ideas, please read the June blog post: “2020 FIDO Hackathon in Korea: Learn & Implement Phase.”

In the afternoon of July 1st, 2020, a Mid-Term Meetup Event for FIDO Hackathon – Goodbye Password Challenge was held at Telecommunication Technology Association (TTA). Originally, the Hackathon Steering Committee had planned a full-day onsite final implementation and evaluation day, followed by a month and a half online training phase.  Due to the global pandemic, we had to change our schedules in accordance with school calendar disruptions and summer holidays. We decided to have a half-day mid-term meetup event for participants. This allowed us to help the teams to stay on course while providing a safe environment for people to learn from each other face-to-face.

Nineteen different teams participated in the event, half of them face-to-face with strict public health guidance applied, and the other half virtually. The meeting gave opportunities for teams to share their FIDO protocol-based online service development ideas and current development status, learn from each other and receive valuable feedback from FIDO Alliance Korea Working Group members.

In addition to sharing their projects’ current development status, the teams had the opportunity to present the “homework” they have completed after online training.  The homework was writing a simple article on the web, with answers to the following questions:

  • What is FIDO Alliance?
  • What are the FIDO protocols?
  • What are the benefits of implementing FIDO protocols?
  • (Option) What services/products are you developing for the 2020 FIDO Hackathon and what would be the value of adopting FIDO protocols for online authentication?

We were very pleased with the articles we received. You can read examples (mostly in Korean) by visiting the following links:

We hope this short blog gives you a better understanding of the current status of the 2020 FIDO Hackathon in Korea.  We will be back soon with more updates after the final evaluation — scheduled for this week. 

Authenticate 2020 Conference, Hosted by FIDO Alliance, to be Virtual Event this November https://fidoalliance.org/authenticate-2020-conference-hosted-by-fido-alliance-to-be-virtual-event-this-november/ Thu, 23 Jul 2020 18:13:48 +0000 https://fidoalliance.org/?p=31232 Mountain View, Calif., July 22, 2020 – The FIDO Alliance has made the decision to transition Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why, and how […]

The post Authenticate 2020 Conference, Hosted by FIDO Alliance, to be Virtual Event this November appeared first on FIDO Alliance.

Mountain View, Calif., July 22, 2020 – The FIDO Alliance has made the decision to transition Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why, and how of modern user authentication, from an in-person event to a virtual-only conference. It will be held this November, as originally scheduled. The Alliance will create a digital conference experience that will inspire attendees to embrace a new way to authenticate and present the necessary tools to move past passwords.

“While it’s disappointing we cannot be together for the very first Authenticate, the safety of our community is our biggest priority,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Due to continuing concerns over COVID-19, and in alignment with the information we’re hearing from local officials, we decided to transition to a digital-only format, and focus on giving attendees a powerful and informative virtual experience.”

As FIDO recasts the conference to a virtual-only format, it will expand it to a multi-day November event spread across all time zones to accommodate global participation, including live Q&A sessions with presenters. The virtual format allows for sponsoring companies to showcase their solutions through virtual exhibit booths and other branding and networking opportunities. 

2020 headlining keynote speakers are as formerly announced: Dr. Whitfield Diffie, the co-inventor of public key cryptography; Joy Chik, corporate vice president of identity at Microsoft; Mark Risher, senior director of product management at Google; and Stina Ehrensvard, CEO and founder of Yubico. A full list of speakers is available on the Authenticate website.

The conference agenda will contain informative content on authentication, with a focus on the FIDO approach, including these topics: 

  • Case studies from service and technology providers including CVS Health, EMILY’s List, Facebook, Google, IBM, Mass Mutual, Microsoft, MITRE Corporation, NTT DOCOMO, PNC Bank, and Target
  • Sessions on the state of authentication, building an authentication strategy, and how FIDO fits with initiatives like W3C Web Payments, and EMVCo 3DS and SRC
  • Standards and technical implementation presentations focusing on FIDO for identity verification; bringing FIDO Authentication to IoT; OpenID for open banking; standards and the future of payments; FIDO certification; attestation and more
  • Policy discussions around PSD2, GDPR and eIDAS; authentication to enable better privacy for citizens; authentication from a regulator’s perspective and more

Please visit www.authenticatecon.com for the latest information.  

Contact: fidoalliance@aircoverpr.com

Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com https://fidoalliance.org/consumer-attitudes-toward-strong-authentication-loginwithfido-com/ Thu, 09 Jul 2020 12:23:41 +0000 https://fidoalliance.org/?p=31015 The FIDO Alliance has launched a new microsite, LoginWithFIDO.com, for high level, non-technical information about FIDO for consumers and service providers. As part of this project, we wanted to learn […]

The post Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com appeared first on FIDO Alliance.


The FIDO Alliance has launched a new microsite, LoginWithFIDO.com, for high level, non-technical information about FIDO for consumers and service providers. As part of this project, we wanted to learn more about consumer attitudes and habits around authentication. What are their password habits? What do they think about the FIDO approach? Do they want to see FIDO at login? 

To find out, we conducted a survey of 1,000 U.S. consumers – the results of which we’ll be sharing on this webinar. Join us to see the findings from our research and to learn how you may be able to utilize the data for your own FIDO offerings and/or deployments. 

Join this webinar to hear: 

  • How many different passwords consumers really use for their online accounts
  • What tactics they use for password management and how often they are resetting passwords
  • Their familiarity with various types of authentication technologies including SMS OTPs, biometrics and others
  • The types of apps and services where consumers most want to use FIDO
  • How consumers want to be communicated with about FIDO at enrollment and login

We will also give the audience a detailed look at LoginWithFIDO.com and how you can consider using it for your own educational initiatives around FIDO. You’ll learn:

  • How to navigate through the microsite and its two landing pages
  • How you can reference the site and its materials for your own offerings and deployments
  • Added insights into how to utilize FIDO’s consumer-facing marks

Register for the webinar here.

Tuesday, July 28 at 2-3pm ET

Speakers: 
Megan Shamas, Director of Marketing, FIDO Alliance
Andrew Shikiar, Executive Director and CMO, FIDO Alliance

Expanded Support for FIDO Authentication in iOS and MacOS https://fidoalliance.org/expanded-support-for-fido-authentication-in-ios-and-macos/ Wed, 01 Jul 2020 20:27:02 +0000 https://fidoalliance.org/?p=30979 Andrew Shikiar, Executive Director & CMO, FIDO Alliance At its WWDC, Apple detailed that its upcoming release of Safari in iOS and MacOS 14 will enable users to use Touch […]

The post Expanded Support for FIDO Authentication in iOS and MacOS appeared first on FIDO Alliance.


Andrew Shikiar, Executive Director & CMO, FIDO Alliance

At its WWDC, Apple detailed that its upcoming release of Safari in iOS and MacOS 14 will enable users to use Touch ID and Face ID for web logins, and we couldn’t be happier. It marks a giant step forward in the industry’s quest to move beyond passwords in favor of cryptographically secure authentication based on FIDO standards. 

The functionality, based on the WebAuthn API in the FIDO2 standard, will make logging in to a website as easy as it is to unlock your iPhone or iPad using whichever biometric option is available. Apple’s built-in support in its stock web browser means that every modern device platform now has built-in FIDO support, which furthers our aim of making FIDO Authentication as ubiquitous as other critical internet protocols.  

To that end, we’ve recently provided a resource that shows the latest progress for FIDO support across browsers and platforms. This image (shown below) is permanently hosted on our WebAuthn resources page.

It’s been really cool to watch this diagram grow both wider  (adding in the Apple operating systems) and greener over the past 12 months or so since Apple ramped up its FIDO support. This rapid maturation and support for WebAuthn is accelerating adoption; with over 85 percent of today’s browsers now supporting FIDO Authentication, many service providers are now actively working to deploy FIDO to their customers worldwide. 

The FIDO Alliance was founded on a singular mission: To eliminate dependence on passwords by creating and driving adoption of open standards for simpler, stronger user authentication. Today, we’re closer to reaching that audacious goal that the FIDO ecosystem has been working on for the past several years. Thanks, Apple!

PSD2 Support: Why Change to FIDO https://fidoalliance.org/psd2-support-why-change-to-fido/ Wed, 01 Jul 2020 17:27:03 +0000 https://fidoalliance.org/?p=30966 Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In […]

The post PSD2 Support: Why Change to FIDO appeared first on FIDO Alliance.


Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In the world of e-commerce, these solutions, when used, have been successful in combating online payment fraud. 

The Second Payment Services Directive (PSD2) and its associated Regulatory Technical Standards (RTS) dramatically change the payment landscape, considering:

  • The mandate for strong, multi-factor authentication, 
  • The emergence of Third Party Providers (TPP) accessing accounts via open APIs

The success of PSD2 will ultimately be determined by how well banks can balance user convenience with security obligations, while maximizing reach. As such, they may want to evaluate how well their legacy authentication solutions meet this new need. 

FIDO authentication standards have been proposed as a way for banks to meet all requirements in a PSD2 world — but is the change from a legacy method to FIDO worthwhile? 

Join this webinar to learn more about FIDO Authentication standards and how they compare with legacy authentication methods used to access an account or secure an online payment. The methods compared are SMS OTPs, hardware OTP generators, CAP readers, and proprietary smartphone and biometrics-based solutions in terms of PSD2 compliance, security, usability and scalability. 

Join us to find out: Why change to FIDO?

Register for the webinar here.

July 16th at 3pm CET | July 16th at 9am EST

Speakers: Alain Martin, co-chair of the FIDO Europe Working Group and Head of Consulting and Industry Relations, Thales

Moderator: Andrew Shikiar, Executive Director and CMO, FIDO Alliance

Sharing the Outcome of FIDO Security Key Support Campaign in Korea https://fidoalliance.org/sharing-the-outcome-of-fido-security-key-support-campaign-in-korea/ Fri, 19 Jun 2020 19:43:14 +0000 https://fidoalliance.org/?p=30870 Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance Last April, the FIDO Korea Working Group announced our initiative to distribute FIDO Security Keys to Korean citizens to help better […]

The post Sharing the Outcome of FIDO Security Key Support Campaign in Korea appeared first on FIDO Alliance.

Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Last April, the FIDO Korea Working Group announced our initiative to distribute FIDO Security Keys to Korean citizens to help better secure their identities, data and systems while working remotely due to the Coronavirus outbreak. We were able to do this thanks to FIDO Alliance Korea Working Group Deployment & Marketing Sub-Group’s efforts and in-kind sponsorship by FIDO Security Key vendors like TrustKey (previously known as eWBM), AirCuve (Yubico’s local partner) and Octatco. Today, we are happy to share the results of this initiative, which ended with positive impacts and pleasant surprises. 

[Screen capture of campaign task force team member online meeting]

In short, the outcome can be summarized as follows:

  • The campaign was covered by 15+ local online media, spreading positive awareness of FIDO Authentication
  • We reached out to 52 organizations and individuals exposed to greater cyber risk by working at home and distributed 156 FIDO Security Keys
  • 70% of them were new relationships that we had not formed through previous online or offline events (e.g. hospitals, pharmaceutical companies, healthcare centers, patent offices, online game developers, ecommerce owners, retail shop owners, architects, hospitality industries, financial institutes, financial investors, school teachers, semiconductor industries, sports video analyst, advertisement agency, etc.)
  • 25% of them had potential to be business partners or relying parties

[Pictures of task force team members preparing the packages to be shipped out]

Here are some remarks by recipients of free FIDO Security Keys who agreed to disclose their identities:

“We are a group of 5 university hospitals working together on a suicide prevention project. Securing personal and medical information of these patients is very important, especially when we are working remotely. We hope to try out the FIDO Security Key through this giveaway campaign and find out how to adopt it into our database protection system.” – Mr. Dohyun Kwon, Seoul National University Hospital

“It is a shame but we have been writing passwords on a wall thus far, so we do not have to ask each other when logging into shared computers.  It is scary that these passwords can be exposed to others with bad intentions.  We have a great hope that FIDO Security Keys would eliminate these worries and even enable architects to work at home while feeling secured and safe.” – Mr. Taehoon Hur, Ruha Architectural Design Firm

“I operate over 10 healthcare and fitness centers in Seoul and always felt uncomfortable about having all these members’ personal information sitting on our computer where any staff with passwords can access it, not to mention some staff with such privileges kept on forgetting these long and hard-to-remember passwords. It would be an interesting experiment for us to test out these FIDO Security Keys in practice.” – Ms. Jaehee Yoon, STAR Health Care and Fitness

“We are food product wholesalers mainly doing businesses online.  Due to the Coronavirus outbreak, we would have to have our staff work at home with much of our purchasing and customer information in their laptops.  Hope our staff would not have to expose the passwords by using these FIDO Security Keys. Thank you!” – Mr. Hoyoon Jung, NongGa Food Products

“WIPS is the number one patent database related services and consulting firm in Korea.  We are used to working under Bring Your Own Device environment but have struggled managing passwords.  Happy to take part in this experiment program and hope to see positive results.” – Mr. Taewoo Kwon, WIPS

Once again, we truly appreciate the undivided attention and efforts given by all FKWG members on this campaign, and especially recognize TTA (Telecommunications Technology Association) and Dr. Heung Youl Youm, for their extra efforts in the early stage of ideation and promotions.  

As Dr. Stephen Oh, the Co-Leader of FKWG Deployment & Marketing Sub-Group said, “It was an amazing experience not just because we have learned a lot from the market where we could not usually reach through conventional approaches, but also it only took less than a month from ideation to full execution.”

2020 FIDO Hackathon in Korea: Learn & Implement Phase https://fidoalliance.org/2020-fido-hackathon-in-korea-learn-implement-phase/ Fri, 19 Jun 2020 19:42:54 +0000 https://fidoalliance.org/?p=30865 Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance Editor’s note: For background on the 2020 Hackathon in Korea, see the April blog post: “2020 FIDO Hackathon: Goodbye Password Challenge […]

The post 2020 FIDO Hackathon in Korea: Learn & Implement Phase appeared first on FIDO Alliance.


Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Editor’s note: For background on the 2020 Hackathon in Korea, see the April blog post: “2020 FIDO Hackathon: Goodbye Password Challenge in Korea.”

These are the faces of 2020 FIDO Hackathon – Goodbye Password Challenge participants, captured during online interviews which took place in the first two weeks of May.

A little over 40 applications were received by the proposal submission deadline, and 25 teams were given the opportunity to have online interviews, which helped them to crystallize their ideas and understand the full details of the Goodbye Password Challenge Program. About 100 people from 22 teams are now at the Learn and Implement Phase, which is being delivered through a specialized designated online communication platform.

We will not be sharing full details of the participating teams until they reach the final evaluation date in the first week of August, but we would like to share some examples of proposed development ideas:

Type of Team | Development Ideas
Venture | The specialists from 5 university hospitals got together on a suicide prevention project. They are going to develop an application that would enable sharing of patients’ personal and medical information, with FIDO implemented as a means for strong and simpler authentication. The unique aspect about this team is that the leader of the team got to know about the FIDO Hackathon after receiving free FIDO Security Keys, which FKWG supported for those who were recently forced to work at home due to public health issues.
Students | Four students from different universities got together and aim to develop a FIDO protocol-based smart home environment. They plan to come up with a miniature model which can demonstrate control of home temperature, curtains, windows, appliances, etc. The leader of the team did participate in the 2019 FIDO Hackathon, yet was not able to reach the top 3. This year, he aims to reach the top 5.
Study Group | Four experts (entrepreneur, engineers, healthcare specialist) are aiming to develop a FIDO + DID-based electronic healthcare card system. There are reports of fraud use in local healthcare card systems, and the team wishes to eliminate it by implementing a FIDO protocol based biometric authentication system.
Students | Four university students work at their school’s IT helpdesk and they want to change how they work through developing a new application. As of today, they receive a phone call requesting a repair or replacement, and write down the log on paper. They plan to develop an application that can not only manage these helpdesk support requests but also verify the caller’s identity.
Students | Two teams submitted similar ideas on developing innovative door locks by implementing a FIDO authentication system. Most current smart door locks in Korea are password-based and cause lots of trouble because they are easy to forget, vulnerable to exposure, etc. It is also noted by these students that currently fingerprint smart door locks in Korea share the secrets to servers, which raises high risk for hacking. It would be quite interesting how these two teams would be able to differentiate themselves with final results.
Students | Three university students have an idea to develop an innovative voting system by implementing FIDO protocols. They hope this novel voting system will lower costs, bring up voting rates and verify actual voters in a speedy manner.
Students | These two university students are high school alumni and they have been working on various projects in the past. For 2020 FIDO Hackathon, they proposed an idea to manage different levels of security zones by implementing various levels of FIDO authentication.
Study Group | Five experts (university student, engineers, high school student) are committed to developing a FIDO protocol based Single Sign On System (SSO). They claim that they can differentiate themselves from existing SSOs, so let’s see how things unfold. This is the only team with a high school student.
Students | Six university students have an idea to prevent minors from purchasing alcohol and tobacco by developing a FIDO protocol based application. The local government is pushing the Mobile ID system, thus this would be an interesting proof of concept.
Students | Two students from two different universities have an idea to develop a Blockchain + FIDO based online ticket purchase application, so they can eliminate black-market activities.
Students | Four students from the same university have an idea to develop a FIDO-based kiosk that can provide school documents for students. The school they attend already has such a kiosk that can print out their records but the system requests too much personal information and they are based on IDs and passwords.

On July 1, we will have the mid-term meet-up event to share each team’s current development status and plans for the rest of the implementation phase.

Please stay tuned and we will come back with more updates on 2020 FIDO Hackathon in Korea.

FIDO Alliance Debuts New Consumer Educational Site, loginwithfido.com, and New I-Mark Web Symbol https://fidoalliance.org/fido-alliance-debuts-new-consumer-educational-site-loginwithfido-com-and-new-i-mark-web-symbol/ Wed, 27 May 2020 12:08:48 +0000 http://fidoalliance.org/?p=30643 Newly released research demonstrates consumer desire for easier and safer logins MOUNTAIN VIEW, CA, May 27, 2020 – The FIDO Alliance today announced a new website and suite of supporting […]

The post FIDO Alliance Debuts New Consumer Educational Site, loginwithfido.com, and New I-Mark Web Symbol appeared first on FIDO Alliance.

Newly released research demonstrates consumer desire for easier and safer logins

MOUNTAIN VIEW, CA, May 27, 2020 – The FIDO Alliance today announced a new website and suite of supporting assets aimed at educating consumers and their service providers on the benefits of FIDO’s approach to simpler, stronger user authentication.  At the core of this effort is the debut of loginwithFIDO.com, a site to inform people about FIDO Authentication technologies. It launches in conjunction with the FIDO “I-Mark”, an easy-to-spot symbol that indicates the device or website consumers are using is authenticating with FIDO technology. Fueled by popular demand, these new tools further the Alliance’s mission to reduce the world’s reliance on passwords and encourage further adoption of FIDO Authentication. 

With over 250 members representing global leaders in internet services, security, finance, communications and government, the FIDO Alliance collaborates to fulfill its mission of addressing the plague of data breaches caused by outdated, password-based authentication. Since its inception, the FIDO Alliance has established technical specifications that have become the trusted standard for user authentication on the devices and web browsers we use every day. FIDO has created a fast and easy alternative to passwords, letting people unlock a device or log in to a website using options like biometrics, a security key, or a local PIN code. These simple yet secure methods remove reliance on passwords and stand to turn the tide in the industry’s battle against data breaches and credential theft.  

“As the FIDO standards are reaching a tipping point with widespread adoption among technology companies, it’s a natural next step for us to provide consumers with a place to learn more, and to help companies implement user logins that are easier to use and that keep personal data and information secure in order to instill further trust in their brands,” said Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance. “Soon, when consumers see the I-Mark on the sites they use, they can be confident that they’re getting a common user experience that is easy, trusted and fully secure.”

Leading up to the launch of loginwithfido.com, the Alliance conducted a survey of 1,000 U.S. consumers to understand their behaviors when it comes to login passwords and security. The research indicated their desire to have stronger security for banking/payment apps and e-commerce sites, but those consumers do not follow proper safety protocols when managing their passwords. 52 percent are using five or fewer passwords across all of their accounts and most (45 percent) keep track of them in their head and nowhere else.

“While most people know they shouldn’t repeatedly use the same password, convenience is currently winning over security,” added Shikiar. “The research tells us that consumers will benefit greatly if they understand FIDO’s technology —  marrying convenience with security that goes beyond the ways they are currently managing their passwords.”

In the same study, consumers were briefed on FIDO technology and its benefits, and 71 percent would trust mobile apps and websites more if they knew these sites and devices were using the FIDO Alliance authentication standards and validation technology. The I-Mark button is a direct response to help consumers discern quickly which sites and devices are secured through its technology. Now, they can easily spot the button on their login pages and immediately recognize they can use FIDO authentication for a safer, more secure login. 

FIDO Alliance members are enthusiastic supporters of the direction the Alliance is taking with this consumer effort.

For more information for both consumers and service providers, please visit www.loginwithfido.com

For a full copy of the FIDO Alliance Research Report, visit https://fidoalliance.org/consumerresearch/

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Contacts
Karen Arena
FIDOteam@aircoverpr.com

FIDO Alliance Member Quotes

“We have known for a long time that consumers need to authenticate securely and safely leveraging an industry standard. As more and more of our commerce and interactions move online, consumers should be able to check for that “seal of security;” this is a great step in helping them learn about the benefits of FIDO.” — Phillip Dunkelberger, CEO Nok Nok Labs

“FIDO Alliance has an important role in educating consumers on strong authentication. Users have more influence than they may believe on what security features online services implement. We can all ask for solutions that are easy to use while keeping our accounts well protected. Right now, hardware-backed authentication with FIDO is the only technology proven to eliminate account takeovers at scale — and loved by users.” — Stina Ehrensvärd, CEO and Co-Founder, Yubico

“We congratulate FIDO Alliance on launching the LoginWithFIDO.com and FIDO I-Mark! This is a long-awaited landmark that brings consumers a real sense of where the FIDO authentication is being supported and how FIDO works. All of those that have experienced the pain of passwords can now shift to the simpler but safer FIDO-secured login to eliminate passwords!” — Tibi Zhang, Vice President, FEITIAN Technologies 

“Raonsecure is very pleased to support the new consumer focus that marks a new stage in the standardization effort of FIDO Alliance. As a board member of the Alliance, Raonsecure has been strongly involved in its development by performing various deployments of FIDO-based technology not only with public institutions but also with the enterprise. The variety of use cases to date provides the FIDO Alliance with enough maturity to educate consumers and relying parties on its benefits.” — Soon Hyung Lee, CEO, Raonsecure

FIDO & eIDAS: Providing Secure and Seamless Electronic Services in the EU https://fidoalliance.org/fido-eidas-providing-secure-and-seamless-electronic-services-in-the-eu/ Fri, 15 May 2020 15:25:48 +0000

Megan Shamas, Director of Marketing, FIDO Alliance

Over the last several years, eIDAS regulation has been widely adopted by the EU member states, and several eIDAS-compliant services and eID schemes have been rolled out across Europe.

eIDAS stands for “electronic identification, authentication and trust services.” It builds the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States. eIDAS is meant to enable mutual recognition of eID and trust services across the EU in a regulated, secure and private manner. In a world where transactions are increasingly digital and without borders, this recognition and trust is essential.

FIDO Authentication is a natural fit for the delivery of services that meet eIDAS regulations, and many of our members are working with governments and service providers to enable secure and seamless electronic interactions throughout the EU. To give an overview and more in-depth details on how FIDO and eIDAS intersect, we’ve released two new white papers. The first, “Introduction of FIDO and eIDAS Services,” serves as an introductory white paper describing the relationship between FIDO2 standards and eIDAS-compliant schemes that can accommodate modern authentication protocols. The second, “Using FIDO with eIDAS Services,” is a more detailed look at how FIDO can be used with eIDAS services, including architectural concepts for integration of FIDO2 into the eIDAS interoperability framework.

Sebastian Elfors, Solutions Architect at Yubico, the lead contributor for the new papers, had this to say about the intersection of FIDO and eIDAS:

“The modern FIDO standard, and its wide adoption by the largest IT-companies all over the globe, provides a viable framework for expanding and modernizing eIDAS services across Europe. In the intersection between eIDAS and FIDO, there are a number of emerging deployment scenarios that will benefit the public sector in the European Union. There are already several eID schemes being notified by the EU Commission this year, the number of Qualified Trust Service Providers are constantly growing, and more government services are enabling cross-border eID support.”

To expand on this topic and information in the new white papers, Sebastian will join our executive director and CMO Andrew Shikiar to lead a webinar on May 28 at 15:00 CEST. The webinar will include:

  • An introduction to eIDAS
  • An overview on how to use FIDO as part of an eID scheme
  • An overview on using FIDO2 for authentication to Qualified Trust Service Providers (QTSPs)

There will be time for Q&A, so please bring your questions! 

Register for the eIDAS webinar here.

Speakers: Sebastian Elfors, Senior Solutions Architect, Yubico and Andrew Shikiar, Executive Director and CMO, FIDO Alliance

Download the Introduction to FIDO & eIDAS Services white paper here.

For details, including architectural concepts for integration of FIDO2 into the eIDAS interoperability framework, please read the complementary white paper, “Using FIDO with eIDAS Services.”

FIDO Alliance Offers 300 Free FIDO Security Keys to Protect Koreans Working at Home https://fidoalliance.org/fido-alliance-offers-300-free-fido-security-keys-to-protect-koreans-working-at-home/ Tue, 14 Apr 2020 11:27:22 +0000

Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

The coronavirus outbreak is not only raising public health concerns, but also exposing many office employees who are forced to work at home to greater cybersecurity risk, especially online phishing attacks, which are known to be the origin of more than 80% of cyber attacks.

In order to help Koreans to stay protected from such online phishing attacks, the FIDO Alliance Korea Working Group just launched the FIDO Security Key Support Campaign. Sponsored by eWBM, AirCuve (Yubico Partner) and Octatco, the FIDO Security Key Support Campaign will provide 300 FIDO physical security keys to Koreans who are working remotely where their networks and devices are less protected.

Dr. Daniel Ahn, the Co-Chair of FIDO Alliance Korea Working Group, said, “It is our pleasure to practice social contribution by closely collaborating among the FIDO Alliance members in Korea. Similar to our 2020 FIDO Hackathon – Goodbye Password Challenge, we will continue to develop and provide social contribution programs that can educate the public about FIDO protocols while leaving positive social impacts.”

Applications for the campaign close on April 17th, 2020. Those who wish to receive a free FIDO security key can find the online application site by clicking the campaign banner on a sponsoring member’s website.

Links to sponsoring member websites:
eWBM (https://www.ewbm.co.kr/)
AirCuve (http://www.aircuve.com/)
Octatco (https://octatco.com/)

We are happy to work with our members on this campaign in Korea, and plan to evaluate its success and lessons learned to inform possible programs in other regions of the world.

2020 FIDO Hackathon: Goodbye Password Challenge in Korea https://fidoalliance.org/2020-fido-hackathon-goodbye-password-challenge-in-korea/ Mon, 13 Apr 2020 16:02:02 +0000

Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Editor’s Note: We began the Hackathon program last year to support the local developer community and drive market adoption of FIDO Authentication standards in Korea. The 2019 FIDO Hackathon was a hybrid of a three-month-long mentorship and a service development competition, which unlocked the potential of FIDO protocols along with unexpected positive outcomes. Please visit the following blog postings to learn more about 2019 FIDO Hackathon:

FIDO Authentication Developer Support Program: FIDO Hackathon in Korea
FIDO Hackathon in Korea: A Q&A with the Top 3 Winners and their Mentors
FIDO Hackathon in Korea: Meet the Finalists

The FIDO Alliance Korea Working Group is thrilled to announce the opening of online registration for the 2020 FIDO Hackathon – Goodbye Password Challenge in Korea.

The program can be summarized in the following three phases:

LEARN – Learn how to adopt FIDO protocols
IMPLEMENT – Implement FIDO protocols into participants’ online services
CHANGE – Change to simpler and stronger FIDO authentication

Now, let us walk through the three simple phases.

Once the registration closes at the end of April, those who qualify will be invited to the online learning stage created by the FIDO Alliance Korea Working Group Technical Sub-Group. Toward the end of the LEARN phase, participating teams will be given a very easy online assignment. Those who score in the top 20 will be invited to the next stage. The LEARN phase is scheduled to be completed by the end of June.

The IMPLEMENT phase will take place in July, inviting the top 20 teams to one-day, in-person events. Participants will fine-tune their service developments in the morning with hands-on support by FIDO experts from FIDO Alliance members. In the afternoon and evening (if necessary), participants will go through onsite evaluation. In case there is still a concern for public health in summer, we have prepared various backup plans, including completely converting the event into multiple online evaluation sessions over a period of time.

At the annual multi-day FIDO Seoul Public Seminar in early September, the top 5 teams will show how they have made the CHANGE to simpler and stronger FIDO Authentication, followed by award ceremonies. The top five teams and finalists will receive trophies and certification of completion, and over KRW20,000,000 worth of gifts and prizes.

Dr. Daniel Ahn, the Co-Chair of FIDO Alliance Korea Working Group, would like to welcome local developers to join the 2020 FIDO Hackathon with the following remarks:

“Due to the recent global public health concerns, the needs for simpler and stronger FIDO authentication will be increased due to the increasing demands for ‘untact’ and remote working technologies. Building upon the success of 2019 FIDO Hackathon in Korea, the FIDO Alliance Korea Working Group members will diligently prepare yet another meaningful event for local developers.”

On behalf of all the sponsors of 2020 FIDO Hackathon, Mr. Junho Shin, the Co-Leader of FIDO Alliance Korea Working Group Public Policy and Certification Sub-Group, would like to share a few words:

“Without knowing what would happen early this year, we began preparing 2020 FIDO Hackathon to be as much virtual as possible, for possible global-scale program expansion in upcoming years. Therefore, we are technically and operationally fully prepared to run this event without any public health concern, so those who consider joining the program would not lose the priceless opportunity to showcase their talents to the world.”

We thank you for your continued interest and support for FIDO Hackathon – The Developer Support Program and welcome you to visit our official registration site by clicking the 2020 FIDO Hackathon banner below:

More resources on the event:
Click here to download the RFP (Request for Participation).
Click here to watch YouTube contents (e.g. Intro, Welcome Remarks, FIDO Spec Updates, How to Join)

Special thanks to the following sponsors:
Signature Sponsor: Ministry of Science and ICT | Telecommunication Technology Association
Gold Sponsor: Samsung Electronics, BC Card, eWBM, AirCuve, Octatco, CrossCert, PSEF

An Update from FIDO Alliance on Authenticate Conference https://fidoalliance.org/an-update-from-fido-alliance-on-authenticate-conference/ Fri, 27 Mar 2020 16:34:23 +0000

Authenticate Event Team

Authenticate, the inaugural FIDO conference, will be postponed from its original date of June 2-3. The good news is we have secured a date later this year in the same location in Seattle, WA. 

Authenticate 2020 will now take place on November 9-10, 2020, with the FIDO Alliance member plenary following on November 11-12. Please visit www.authenticatecon.com for the latest information and to register. 

The industry response to Authenticate has been outstanding on all fronts. We had nearly four times as many speaking submissions as we had available sessions, which allowed us to put together a highly compelling agenda with some of the brightest minds in authentication. Also, sponsorships are nearly sold out – with all expo space now reserved. Lastly, registration has trended well above projections, which would point to a potential sell-out for this inaugural event.

Our hope is that the threat of COVID-19 will have dissipated by this fall and that we’ll be able to bring forward all of the above enthusiasm to our new dates. 

We greatly appreciate the support and enthusiasm from the broader FIDO Community, and we’re looking forward to a successful event in November. Until then, we hope everyone stays safe and well. If you have any questions about Authenticate, contact authenticate@fidoalliance.org.

Financial Action Task Force Guidance Points to FIDO as Preferred Approach to Combat Authentication Vulnerabilities https://fidoalliance.org/financial-action-task-force-guidance-points-to-fido-as-preferred-approach-to-combat-authentication-vulnerabilities/ Wed, 18 Mar 2020 20:00:00 +0000

This month, the Financial Action Task Force (FATF) released its final “Guidance on Digital Identity” for financial services regulators. FATF is a standards-making body composed of financial regulators from around the world who are charged with ensuring that the financial system is not used for money laundering, terrorist financing, or other illicit activities. Historically, FATF has focused on traditional banking, but as more and more financial services go digital, they have started focusing on digital identity as a key enabler of safe financial systems.

FATF Recommendations are the recognized standards for global anti-money laundering (AML) and counter-terrorist financing (CFT). That’s why it’s so important that the final guidance recognizes FIDO Authentication in several places as an example of a best authentication practice.

The first important aspect to note is that the guidance incorporated authentication as an element of the customer due diligence (CDD) process, particularly when banks open new accounts for people with pre-existing digital identity credentials. This is the first time FATF has explicitly included authentication as part of CDD, which also speaks to broader market awareness of the imperative for sound user authentication. Secondly, FIDO is not only recognized as an acceptable form of authentication – it’s called out as a preferred approach vs. legacy authentication methods. Per the guidance:

Passwords or passcodes, which are supposed to be “shared secret” knowledge authenticators, are vulnerable to brute-force login attacks, phishing attacks, and massive online data breaches, and are very easily defeated. Stolen, weak or default passwords are behind 81 percent of data breaches.  Multi-factor authentication (MFA) solutions, such as SMS one-time codes texted to the subscriber’s phone, add another layer of security to passwords/passcodes but they can also be vulnerable to phishing and other attacks.

Phishing-resistant authenticators where at least one factor relies on public key encryption (e.g., authenticators built off PKI certificates or the FIDO standard) can help combat these vulnerabilities.

This is significant recognition of not only the importance of authentication, but the weaknesses (i.e., phishability) of some legacy MFA technologies – and how these risks can be mitigated through the use of FIDO as high assurance authentication. It’s an important distinction that we hope banking regulators strongly evaluate when they are looking to craft new or updated rules on digital identity and authentication.

Read the full FATF Recommendations here

Agenda Announced for Authenticate 2020, the First FIDO Conference https://fidoalliance.org/agenda-announced-for-authenticate-2020-the-first-fido-conference/ Wed, 26 Feb 2020 13:00:00 +0000

Note: Authenticate, the inaugural FIDO conference, has been postponed from its original date of June 2-3. Authenticate 2020 will now take place on November 9-10, 2020, with the FIDO Alliance member plenary following on November 11-12. Please visit www.authenticatecon.com for the latest information and to register. 

SEATTLE, February 26, 2020 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, today announced its full 2020 agenda. This two-day event, coming to Seattle on November 9-10, 2020, will inspire attendees to embrace a new way to authenticate and present the necessary tools to move past passwords.

The Authenticate 2020 agenda features:

  • Case studies from service and technology providers including CVS Health, EMILY’s List, Facebook, Google, IBM, Mass Mutual, Microsoft, MITRE Corporation, NTT DOCOMO, PNC Bank, and Target
  • Sessions on the state of authentication, building an authentication strategy, and how FIDO fits with initiatives like W3C Web Payments, and EMVCo 3DS and SRC
  • Standards and technical implementation presentations focusing on FIDO for identity verification; bringing FIDO Authentication to IoT; OpenID for open banking; standards and the future of payments; FIDO certification; attestation and more
  • Policy discussions around PSD2, GDPR and eIDAS; authentication to enable better privacy for citizens; authentication from a regulator’s perspective and more

“Authenticate provides the industry with an opportunity for education and discussion on implementing modern authentication,” said Andrew Shikiar, executive director and CMO of FIDO Alliance. “FIDO encourages organizations of all sizes to prioritize stronger security, and we are eager to share the tools and resources to help them get there. The conference agenda features practical presentations and case studies that will give attendees a deep understanding of the best practices they need to integrate FIDO’s approach to simpler, stronger authentication into their own services.”

2020 headlining keynote speakers are: Dr. Whitfield Diffie, the co-inventor of public key cryptography; Joy Chik, corporate vice president of identity at Microsoft; Mark Risher, senior director of product management at Google; and Stina Ehrensvard, CEO and founder of Yubico. A full list of speakers is available on the Authenticate website.

Authenticate will also feature an expo hall with product and service offerings from over two dozen vendors, as well as various networking and social events built into the two-day schedule.

Register today!
Take advantage of early bird pricing by registering by September 9. To register, visit https://authenticatecon.com/register/. Authenticate will be held in conjunction with the FIDO Alliance member plenary being held November 11-12. FIDO Alliance members have exclusive access to discounted rates to attend both events!

Get involved at Authenticate
There are still select sponsorship opportunities available for Authenticate 2020; companies interested can learn more at https://authenticatecon.com/sponsors/.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

TWEET THIS: The @AuthenticateCon agenda has been released! Visit the event website to take a look at this year’s speakers and session topics for the latest in user #authentication. www.authenticatecon.com

About Authenticate
Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2020, Authenticate will be held November 9-10 at the Motif Seattle in Seattle, Washington. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org 

PR Contact
Adrian Loth
Montner Tech PR
203-226-9290
press@fidoalliance.org

FIDO Alliance’s Authenticate Conference Announces 2020 Keynote Speakers https://fidoalliance.org/fido-alliances-authenticate-conference-announces-2020-keynote-speakers/ Thu, 30 Jan 2020 17:00:00 +0000

Keynoters are Dr. Whitfield Diffie, the co-inventor of public key cryptography, and executives from Google, Microsoft and Yubico

SEATTLE, January 30, 2020 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, announced today its 2020 keynote speaker lineup. Featured keynoter Dr. Whitfield Diffie, the co-inventor of public key cryptography, and executives from Google, Microsoft and Yubico will headline the inaugural event, being held June 2-3, 2020 in Seattle.

Other headlining keynote speakers are: Joy Chik, corporate vice president of identity at Microsoft; Mark Risher, senior director of product management at Google; and Stina Ehrensvard, CEO and founder of Yubico.

“We’re excited to welcome our keynote speakers to the Authenticate stage to share their vision and experiences in moving to more modern and secure FIDO Authentication,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “These speakers each offer unique perspectives on the state of authentication today, and will provide the ideal kickoff to our program filled with case studies and implementation advice for organizations to adopt simpler, stronger authentication.”

CISOs, security strategists, enterprise architects, product and business leaders will walk away from this two-day event with a real understanding of the value of the FIDO approach to simpler, stronger authentication, and the tools and best practices they need to integrate FIDO Authentication into their own services.
Experts will go in-depth on the state of authentication today at Authenticate 2020, covering a range of topics including:

  • Authentication trends & insights. Passwords, one-time passcodes and push-based authentication; FIDO Authentication; risk-based authentication and behavioral biometrics; smart cards; single sign on; decentralized authentication; authentication factors (biometrics, FIDO security keys)
  • State of security & credential attacks. Phishing, credential stuffing, password spraying, man-in-the-middle, presentation attack
  • Case studies & implementation strategy. Global consumer/enterprise/government case studies, IAM integration, industry standards, certification programs, identity verification, account enrollment and recovery
  • Vertical trends & initiatives. IoT, payments, healthcare, government 
  • Industry standards. FIDO, EMVCo 3DS and SRC, W3C WebAuthn and Web Payments
  • Regulatory impact on authentication. PSD2, GDPR, CCPA

Register Today!
Take advantage of early bird pricing by registering by March 8. To register, visit https://authenticatecon.com/register/. Authenticate will be held in conjunction with the FIDO Alliance member plenary being held June 4-5. FIDO Alliance members have exclusive access to discounted rates to attend both events!

Get involved at Authenticate
Companies looking to showcase their brand and products front and center at Authenticate can learn more about remaining sponsorship opportunities at www.authenticatecon.com.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

TWEET THIS: .@AuthenticateCon has announced its keynote speakers. It’s time to embrace a new way to #authenticate – these great speakers will show you how! @Uniken_Inc @WhitfieldDiffie @microsoft @joychik @MRisher @Google #StinaEhrensvärd @Yubico #Authenticate2020! http://www.authenticatecon.com

About Authenticate
Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2020, Authenticate will be held June 2-3 at the Motif Seattle in Seattle, Washington. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org

PR Contact
Adrian Loth
Montner Tech PR
203-226-9290
press@fidoalliance.org

Davos: World Economic Forum Points to FIDO as Viable Alternative to Passwords https://fidoalliance.org/wef-points-to-fido-as-viable-alternative-to-passwords/ Wed, 22 Jan 2020 15:15:27 +0000

Andrew Shikiar, executive director and CMO, FIDO Alliance

A new paper from the World Economic Forum (WEF) showcases FIDO Authentication as a ready-to-be-implemented option to save organizations the high costs and user experience frustrations of passwords. The paper was released this week during the WEF annual meeting in Davos.

The paper, Passwordless Authentication: The next breakthrough in secure digital transformation, was developed in collaboration with the FIDO Alliance and includes contributions from many of our members including Aetna/CVS Health, Google, HYPR, Intuit, Microsoft, Nok Nok, Onfido, Trusona, the UK government and Yubico.  

According to the report, ending our reliance on passwords can make us safer and businesses more efficient. Cybercrime is set to cost the global economy $2.9 million every minute in 2020 and some 80% of these attacks are password-related. Knowledge-based authentication like passwords is not only a major headache for users, it is costly to maintain. For larger businesses, it is estimated that nearly 50% of IT help desk costs are allocated to password resets, with average annual spend for companies now at over $1 million for staffing alone.

The lead of the project, Adrien Ogee, Platform for Shaping the Future of Cybersecurity and Digital Trust, World Economic Forum, points out in a press release accompanying the paper that “better authentication practices are not just possible they are a necessity.” The possibility of moving beyond passwords is more real than ever as the growing availability of next generation, FIDO-based technologies like biometrics and security keys can meet consumer demands for both user convenience and security. There are several mini case studies from our members in the report that highlight their use today, and the benefits they are seeing. A few examples:

  • A mid-sized U.S. retail bank saved more than $2.9 million annually and saved customers up to 30% in time to finish a payment (Source: Nok Nok)
  • A U.S. financial software company brought its authentication success rate to 99.9% and reduced sign in time by 78% (Source: Intuit)
  • Google’s internal use of FIDO security keys dropped total time spent authenticating by nearly two-thirds, and they experienced zero authentication failures

It’s validating to see WEF not only educate world leaders on the economic impact of our legacy authentication practices, but to recognize that there are viable alternatives that are ready to implement today. With cryptographically secure and convenient FIDO Authentication now supported in all major web browsers as well as Android and Windows platforms, there is no reason to delay — now is the time to move past passwords and embrace simpler, stronger authentication.

FIDO Certification Program Ends Year Strong With 688 Certified Products https://fidoalliance.org/fido-certification-program-ends-year-strong-with-688-certified-products/ Wed, 18 Dec 2019 17:10:03 +0000

Dr. Rae Hayward, Certification Director, FIDO Alliance

From consumer brands to vendors to enterprises, FIDO has been embraced across the globe in 2019, and this is more evident than ever with the growth in our certification programs. Today organizations are requiring certification before deploying FIDO Authentication. The increase in certified FIDO products illustrates its value to the industry.

With that, we’re excited to announce our newest certifications today, which puts us over 688 certified products. Certifications across all specifications were strong this quarter, as tech providers look to provide solutions for those with cross-platform and mobile-first strategies.

It’s notable that we now have 107 authenticator certifications at L1 and L2 levels – big growth since this program was launched last year. This program addresses an increasingly critical market requirement for a more transparent view into the security of FIDO Certified authenticators. Certification gives enterprises and online services the ability to make better informed risk management decisions when registering credentials from FIDO-enabled devices. Today, we offer certifications at Levels 1, 2, 3 and 3+ and plan to introduce more levels in the future.

These companies have achieved FIDO certification since our last update:

  • FIDO2: Acceptto Corporation; Authentrend; CANTON Consulting; Capy Japan Inc.; CROSSCERT: KECA(Korea Electronic Certification Authority); ellipticSecure; Excelsecu Data Technology Co., Ltd.; GoTrustID Inc.; Hanko GmbH; HID Global; Hypersecu Information Systems, Inc.; Kensington Computer Products Group; knowledgesuite,inc.; Login ID Inc.; Paywax; RSA; SEOWOOSNC Co.,Ltd.; SoloKeys; SurePassID; Target; TOKEN2; TWCA; Uni-ID Technology (Beijing) Co., Ltd.; Veridium ID Ltd; XionITS; WebComm Technology Co.,Ltd.; Yubico

  • FIDO U2F: Kensington Computer Products Group; Synaptics Incorporated; Yubico

  • FIDO UAF: Giesecke+Devrient Mobile Security GmbH; LG Electronics; Novatek Microelectronics Co.; PNC; SurePassID; WebComm Technology Co.,Ltd.

In Biometric Component Certification program news, Telecommunications Technology Association (TTA) and TUV Informationstechnik GmbH are now accredited independent labs performing biometric evaluations (see our labs page for details and additional labs). This program is gaining momentum, with several certifications in process.

Technology providers and relying parties interested in FIDO certification should start with the Certification Overview. Ready for interoperability testing? Join us at our next event, March 3-5, 2020 in Seoul, South Korea where we will be testing FIDO UAF, FIDO U2F and FIDO2 implementations. Get all of the details and register here.

FIDO Alliance 2019 Progress Report: FIDO Authentication for Simpler, Stronger Web Logins Now Ready for Rollout on Billions of Consumer Devices
https://fidoalliance.org/fido-alliance-2019-progress-report/
Thu, 05 Dec 2019 02:30:00 +0000

Platform enablement, new work areas and deployments
show continued momentum for FIDO Alliance

TOKYO, December 5, 2019 — 2019 was a year of strong progress for the FIDO Alliance in realizing its mission to make secure and convenient logins available to web service providers and users across the globe, the Alliance said today in its 2019 progress report.

FIDO platformization makes simpler, stronger authentication available to billions
2019 was the year of FIDO platformization, with leading platforms and web browsers adding support for FIDO Authentication out-of-the-box. This support allows websites to enable FIDO-based logins via a simple API call on billions of devices consumers use every day.

Highlights of this year’s FIDO enablement progress include:

“We know that realizing the FIDO Alliance’s mission to move the world beyond the password ‘shared secret’ model of authentication requires making FIDO a ubiquitous feature across all of the devices, operating systems and browsers we use every day. Given the platform enablement progress of this year, we are well on our way to that ubiquity,” said Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance. “Never before have service providers and developers had the ability to enable convenient, cryptographically secure authentication to a user base this broad. Service providers are now taking advantage of these new capabilities on a global scale.”

Leading service providers tapping into the power of FIDO Authentication
As platform enablement grew in 2019, service providers continued their FIDO rollouts across mobile and web applications on a global scale. This includes these notable developments:

New work areas address adjacent technology areas to advance FIDO adoption
Earlier this year, the FIDO Alliance launched new work areas in the Internet of Things (IoT) and identity verification and binding. These initiatives build upon the Alliance’s ongoing focus on driving the efficacy and market adoption of FIDO Authentication by addressing adjacent technology areas that leave security vulnerabilities on the web.

The Alliance aims to strengthen identity verification assurance to support better account enrollment and recovery, and automate secure device onboarding to remove password use from IoT. The Alliance has formed two new working groups: the Identity Verification and Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG) to establish guidelines and certification criteria in these areas.

New perspectives and participants
The ongoing growth of the FIDO ecosystem was reflected through many new FIDO Alliance members in 2019. These include sponsor-tier organizations AdNovum Informatik AG, FIME SAS, the government of Thailand, IBM, IDNow GmbH, Imagination Technologies, Intuit, Jumio Corporation, the Mitre Corporation, Phoenix Technologies Ltd., Ping Identity, and Secure Identity, LLC (CLEAR).

Looking Ahead to 2020
In the coming year, the FIDO Alliance will continue enabling FIDO rollouts with best practices documentation and developer-focused initiatives. The Alliance is also debuting a new conference, Authenticate, focused on FIDO Authentication and the surrounding ecosystem of technologies, innovations and adopters. The inaugural event will be held June 2-3, 2020 in Seattle, WA.


About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact
Adrian Loth
Montner Tech PR
203-226-9290
press@fidoalliance.org
