On January 25th, the Better Identity Coalition, FIDO Alliance, and the ID Theft Resource Center (ITRC) came together to present a policy forum looking at “Identity, Authentication, and the Road Ahead.”

This policy forum brought together leaders from government, industry, and non-profits to discuss topics including:

• The release of the ID Theft Resource Center Annual Data Breach Report
• The impact of identity-related cybercrime on industry and government over the last year
• The human toll of identity theft – and the need to build inclusive digital identity systems that work for everyone
• What to expect from the new Congress and the Biden Administration in 2023
• Updates on new products and standards like FIDO that can make identity and authentication both more secure and easier to use
• Discussions on what can be done to drive better identity infrastructure in America

The post Cybersecurity Policy Forum: Identity, Authentication and the Road AheadCybersecurity Policy Forum: appeared first on FIDO Alliance.

The identity landscape is set to undergo tremendous transformation in 2023 as lawmakers and regulators alike struggle to help protect individual privacy and improve access to services and the digital economy. A primary underpinning for what will enable the new identity landscape is strong authentication.

On Jan. 25, the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC) co-hosted the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum in Washington, D.C. to discuss the challenges and opportunities of identity and authentication. 

The full-day event included sessions loaded with data on the current state of data breaches, presentations by government leaders, panels on the state of passkeys and the path toward better identity in 2023 and beyond. A key theme that was often repeated throughout the day, by experts from government and industry alike, was the complexity of the identity landscape and the need for more collaboration and interoperable standards.

“A lot of our ability to make progress on the set of problems starts with a bigger issue, the recognition that identity is critical infrastructure and needs to be treated as such,” Jeremy Grant, Managing Director, Technology Business Strategy at Venable LLP and Coordinator, Better Identity Coalition said during his opening remarks for the event.

“Until we start to think about identity that way we’re going to continue to struggle to address challenges in this space.”

Identity risk continues to grow

In the opening keynote session, Jimmy Kirby, Acting Deputy Director of FinCEN (Financial Crimes Enforcement Network) outlined the identity related issues his agency has seen in recent years.

Kirby said that in recent years financial services have been increasingly migrating towards a primarily online environment. It’s a trend that creates new opportunities for abuse. As a result, FinCEN has been thinking about how it can leverage all of the data that financial institutions send to it to help stem the tide of abuse.  He noted that identity related suspicious activity reports (SARs) submitted to FinCEN grew more than 15%, from 2021 to 2022.

According to Kirby, reports of threats at each stage of the customer identification process continue to grow from the proofing and enrollment stage to the authentication stage, including the use of compromised credentials, impersonation and artificial intelligence to conduct illicit finance.

While there are challenges, there are also opportunities.

“We see opportunities for digital identity to address customer identification breakdowns in customer onboarding, account logins, transaction monitoring, as well as in investigations,” Kirby said. “There are a number of features of a digital identity framework that, taken together, have the potential to address threats and spur innovation across all types of financial services.”

FinCEN isn’t the only organization seeing a spike in cybercrime. James Lee, COO of the ITRC (Identity Theft Resource Center) presented data from his organization’s annual data breach report. Among the top line highlights of the report is that there were 1,802 data breaches during the year impacting over 422 million victims.

Lee commented that a prevailing trend was an increase in supply chain attacks as a preferred attack vector over just malware. He also emphatically complained about the lack of information present in many data breach disclosures. Lee said that 66% of data breaches did not include information about the root cause of the attack which led to the breach or any victims details.

In a panel session, titled “Data Breach Notices Suck,” John Breyault, Vice President, Public Policy, Telecommunications and Fraud at National Consumers League (NCL) lamented the current state of password usage, which inevitably is a root cause for many data breaches.

“I have been doing consumer education work for 15 years now at NCL, and not a day goes by it seems that I don’t tell consumers to not use the same password across multiple accounts,” Breyault said.

Towards the U.S. Government plan on secure digital identity

In a lunchtime keynote, Congressman Bill Foster (IL-11), outlined his view on Congressional efforts to introduce a secure digital identity policy for the U.S. 

Foster emphasized time and again during his keynote that secure digital identity needs to be a bipartisan effort in the U.S. Congress as it’s an issue that impacts all Americans. While he noted that there might be some concerns about the U.S. government having a database of user identities that it issues, he argued that to most people, the real life threat to their privacy comes more from having someone impersonate them online.

The lack of secure digital identity may have also been a factor in the massive volume of fraud experienced by the U.S. government over COVID benefits. Conversely, the fact there wasn’t a secure digital identity scheme in place may have made it more difficult than necessary for some to be able to get benefits. Overall, Foster said that he’s hopeful Congress can put something together.

“It can serve as a gentle reminder that the government does some good in your life,” Foster said. “One of the things that we could do a much better job with is preventing identity fraud, because that’s a real life pain for tens of millions of Americans every year.”

Bias and diversity is a requirement of digital identity

In multiple sessions over the course of the event, the topic of fairness, bias and diversity in relation to digital identity was discussed.

Jordan Burris, VP and Head of Public Sector Strategy at Socure commented that in his view, bias a lot of times comes down to the reality that an identity approach is taken that is solving for the majority of the population, and as such, the minority or those who operate on the fringes are being left out of the ecosystem.

Andrew Stettner, Deputy Director for Policy at the Office of Unemployment Insurance Modernization at the U.S. Department of Labor argued that his agency and the entire administration are taking equity in identity very seriously.

“We’re looking at equity in a much more conscious way, for us is a very key element of identification going forward,” Stettner said.

Why FIDO is critical for better identity

A critical element of secure identity is having strong authentication.

In a keynote session, Andrew Shikiar, Executive Director and CMO of FIDO Alliance, outlined the ways that FIDO is playing a role in helping to improve the state of identity today across multiple efforts. He also predicted that FIDO will become increasingly relevant in the year ahead.

“The average person on the street will start to understand what identity verification means, and actually start to understand what digital identity means,” Shikiar said. “That’s a net benefit because the more people understand what their identity means, and the importance of it, the more steps they’ll take to actually protect it.”

Among the FIDO efforts to help improve identity outlined by Shikiar are:

• Biometric performance criteria. This is a biometric certification program, where FIDO helps to assess the performance of different biometric components that are critical to identity verification.
• Remote Identity Verification. This includes the Document Authenticity (DocAuth) Certification for mobile document verification, with ongoing work into face verification for liveness and selfie-match.

Shikiar also talked at length about passkeys, which brings added usability to FIDO based strong authentication.

“FIDO Alliance’s mission is to reduce the industry reliance on passwords,” Shikiar said. “Simply put, passkeys stand to take passwords out of play for the vast majority of consumer use cases.”

The passkey future for authentication

In a panel session on passkeys, panelists discussed the benefits and opportunities that passkeys will bring.

Tim Cappalli, Identity Standards Architect at Microsoft detailed what passkeys enable, including the ability to take a FIDO credential and use it in a similar way to how password managers work today. Passkeys can also be synchronized with a cloud provider and are interoperable across platform vendors enabling better usability overall.

Panelists emphasized that the promise of passkeys is to more easily enable users to benefit from strong authentication. Christiaan Brand, Product Manager, Identity and Security at Google explained that Google has been supporting FIDO for years, including supporting security key based approaches. In his view, passkeys represent the usability necessary to actually make strong authentication with un-phishable credentials a reality for Google’s users.

Usability was also a theme that Paul Grassi, Principal Product Manager – Identity Services at Amazon emphasized, since in in his view, past efforts to get strong authentication adoption haven’t been entirely successful

“It breaks my heart to say it but consumers are not adopting security keys, they’re not adopting Google Authenticator they’re not adopting two-factor,” Grassi said. “We’re excited to see passkeys as that replacement, and to see the adoption numbers skyrocket, reducing friction while increasing security, which is, I think, the goal of any security practitioner.”

The recording of the full event is available here.

The post Recap: 2023 Identity, Authentication and the Road Ahead #IDPolicyForum appeared first on FIDO Alliance.

If your organisation were hit by a cyber attack, would you tell anyone?

Historically, the answer would be an unequivocal no. Many believe that sharing that you were a target exposes your company’s (or your personal) vulnerabilities, making you more susceptible to further attack or ridicule. But this ‘security by obscurity’ mindset is not only outdated, it hinders the industry’s ability to harden our collective defences, most notably by eliminating our dependence on passwords and other knowledge-based credentials. 

While this year saw a 5%-7% drop globally in the use of passwords for entry, it is still by far the most popular online authentication method, which is a big problem. Passwords are not only highly insecure, but they also cause major consumer headaches and are costing businesses; 59% of consumers gave up on accessing an online service and 43% abandoned a purchase when asked for a password in the past month. More than 82% of data breaches are caused by weak or stolen login credentials. 

The benefits of multi-factor authentication (MFA) are widely reported but many firms have been sheepish about sharing their adoption figures. 

This may be because the figures weren’t great. Twitter revealed its two-factor-authentication adoption figures last summer, revealing that just 2.3% of accounts had it enabled. Of those, 80% relied on SMS-based backup, the least secure mode. Communicating this doesn’t make Twitter any less secure. Instead, it sets a powerful benchmark for improvement, and gives the industry a reality check that considerable work remains to get more customers using MFA. 

Other organisations to be applauded are Cloudflare and Twilio. The two cloud computing giants recently reported that they were targeted by a near-exact phishing attack. Employees were targeted with a text message from a supposed IT department, directing them to a fake website requesting a password change. Neither Twilio nor Cloudflare’s monitoring systems detected the attack, and, as you’d expect, some employees were caught off-guard and shared credentials. 

While Twilio fell victim to the attack (along with dozens of other companies), Cloudflare’s employees were protected because they use Fast ID Online (FIDO) security keys which are tied to users. Origin binding also prevented any credentials from being shared. Since the incident, Twilio has followed Cloudflare’s lead, as it shared in its updated incident report. This is a great example of how sharing successes and failures alike leads to two on the whole. 

At the FIDO Alliance, we’re working with the world’s leading tech companies and consumer service providers to solve this challenge. Together, we’ve created technology that’s increasingly cited as a ‘gold standard’ by governments, including the US’s cybersecurity body, CISA, and the UK’s National Cyber Security Centre. 

To best defend against cyber attacks, organisations should take inspiration from the Twilio and Cloudflare story and build in security protocols that are phishing-resistant. These protocols are often implemented with USB keys or built-in biometric authentication on devices, and can be added as a critical layer of security to both an organisation’s own network and information, and for customers accessing its services. 

Of course, the work we do at the FIDO Alliance, creating and implementing new technology, is an important part of moving the world away from passwords and other weak forms of legacy authentication – but it isn’t the most critical piece. Industry-wide commitment to creating intuitive and common user journeys, underpinned by architectural best practices, will enable the kind of cultural shift and mass adoption of this technology that will be required if we want to remove passwords from our daily lives. 

Collaboration and transparency are key ingredients that raise the bar for all involved – including for hackers, who need to have a far harder time executing remote attacks.

The post Raconteur 2022 Report: Authentication & Digital Identity appeared first on FIDO Alliance.

The post Video: The Future of Passwords is Passwordless appeared first on FIDO Alliance.

According to recent research reports and news, Asia Pacific regions are witnessing a surge in cyber-attacks – and the highly publicized online attacks all start with compromised passwords. 

In December 2021, nearly 470 customers of a Singapore bank had fallen victim to SMS phishing attacks, with total losses amounting to at least $8.5 million. In New Zealand, the Department of Internal Affairs (DIA) received over 114,000 SMS scam reports between September and October 2021, the highest in the Department’s history. In India, cyber-attacks have doubled in the past three years, according to University of Surrey research, with enterprises the most common target of these attacks. In January, a local payment provider experienced a data breach, with 35 million customers having their data, including card information and fingerprint scans, released on the dark web for anyone to buy. These are just a few examples on a list that continues to grow.

The Industry Is Uniting to End the Password Problem

On February 15^th, the FIDO APAC Marketing Forum (AMF) brought together FIDO members from 12 countries in APAC to share insights, lessons learned and best practices to mitigate the surge of cyber-attacks that have taken hold of the region. 

 Here are the highlights of the sessions:

The agenda started with a welcome message from Andrew Shikiar, Executive Director and CMO of the FIDO Alliance.  Shikiar said, “2022 is the year of FIDO adoption and this time we mean it. FIDO adoption is truly happening now at scale.  Asia has always been at the forefront with early FIDO adoptions, and it is wonderful to see a new momentum in Taiwan and ASEAN.”

Megan Shamas, Senior Director of Marketing at the FIDO Alliance, reviewed 2021 highlights and shared 2022 global marketing programs that are being prepared. She detailed FIDO’s new year marketing programs that are divided into many different boxes, such as PR, digital, content, industry events, seminars, and research, while seeking member feedback.

The group heard from Karen Chang of Egis Technology, who is also Chair of FIDO Taiwan Engagement Forum while serving as a member at SEMI E187 Standard Committee. Chang pointed out that SEMICON Taiwan released SEMI E187, the first ever semiconductor standard. FIDO is listed as a reference of ‘Authentication Technologies’ in the document.

Le Tuan Khoi from MK Group in Vietnam shared their FIDO deployment case study. The insightful local trends on cybersecurity and cybercrime statistics were highly appreciated by the members. It was very helpful for us to understand the local markets and how FIDO can be accepted there.

Keiko Itakura from Rakuten Group shared Rakuten’s FIDO implementation case study. Itakura, who also serves as Co-Vice Chair of the FIDO Japan Working Group, said, “FIDO has great availability to unify authentication methods and phishing resistance by utilizing standard technology.”  At the end of her presentation, the members congratulated the 25th year anniversary of Rakuten.

Special guest Yusuf Khan from Digital Dubai joined us to share digital ID trends and related activities in Dubai.  He emphasized that balance between usability and security is very important, which FIDO Authentication is on the sweet spot.  It was also exciting to learn that Dubai is exploring passwordless and secure mobile based digital identity.

Finally, Young Lee from DEFEND in New Zealand joined us as a special speaker.  Lee gave us a bird-eye view of New Zealand’s 2021 Cybersecurity Landscape.  He said, “thousands of phishing and credential harvesting attacks were recorded in Q2 2021, and it was a 73% increase from the previous quarter.”

A Call to Participate

The FIDO APAC Marketing Forum (AMF), under the FIDO Marketing and Communications Board Committee, was inaugurated on November 28^th, 2020, to provide a platform for regional members to connect, learn from each other and share best practices. Although it was established during the worst period of the global pandemic, the forum has now grown to 98 members from Australia, China, Japan, Korea, Hong Kong, Indonesia, India, Malaysia, Saudi Arabia, Taiwan, and Vietnam. Members in the APAC region are encouraged to participate in this forum and can get involved by contacting info@fidoalliance.org.

We look forward to hosting yet another exciting AMF meeting in Q2 2022!

The post Latest updates from FIDO APAC Marketing Forum: FIDO Members from the Region Get Together to Learn from Each Other and Stay Alert appeared first on FIDO Alliance.

The intersection of identity and authentication and how it can help to improve business as well as people’s lives was a core topic of conversation on the first day of the Identity, Authentication and the Road Ahead: Virtual Policy Forum event on Feb. 4.

The FIDO Alliance joined together with Better Identity Coalition and the ID Theft Resource Center (ITRC)  to host the two day event running on Feb. 4-5, which has over 1,000 registered attendees who are gathering to learn more and discuss the current and future state of identity and authentication. The first day of the event had a strong focus on things the U.S. can and is doing to help improve the state identity, while recognizing the many challenges on the road ahead.

Identity is a National Security Issue

In the opening keynote, Michael Mosier (pictured), Deputy Director & Digital Innovation Officer at the U.S. Treasury departments Financial Crimes Enforcement Network (FinCEN), outlined what’s at stake when it comes to digital identity.

“I view identity as a national security issue, and it will take the intellectual power and creativity of all of us to figure out how to secure identities and keep people from harm,”  Mosier said.

Mosier emphasized that digital identity solutions are a key factor to help prevent fraud and financial crime. He added that in order to get payments right, there is a clear need to first get identities done right. The right way in his view, is an approach that preserves privacy while ensuring integrity in the system.

“The ability to detect and address risks is only as good as the ability to determine with whom you’re engaging,” Mosier said. “So the real question for identity related risk is, do you have the information necessary to reliably assess the risk of your counterpart or your customer.”

A key challenge FinCen is seeing is at the account opening stage, with identity proofing and verification. A July 2020 advisory from FinCen highlighted the issue reporting that criminals are undermining identity verification processes, through identity theft and synthetic identity fraud.

“We’re seeing a lot of identity authentication compromise, leading to account takeovers, as  a lack of multifactor and multi step authentication is too prevalent across the financial sector,” Mosier said. 

The costs of those takeovers is far from trivial. FinCEN is seeing around 5,000 account takeover reports each month, reaching approximately $400 million per month over the last two months.

“The bottom line is that many account takeovers and fraud are occurring because of failures to enforce stronger levels of assurance and identity verification in authentication processes,” Mosier said.

Phishing is Top Source of Identity Theft and Cybercrime

The Identity Theft Resource Center (ITRC) is seeing the same trends as FinCEN with phishing and credential theft being the leading source of identity theft, according to the groups recent release 2020 Data Breach Report. In a keynote session, Eva Velasquez, President and CEO and James Lee, Chief Operating Officer (pictured) of the  ITRC outlined the high level findings of the report and its impact.

“Credentials are the coin of the realm today, as opposed to what we have traditionally thought of as being the kind of information that threat actors wanted to collect.” Lee said.

While other failures and vulnerabilities including unpatched software can and do lead to data breaches, Lee emphasized that the majority of the root causes of cyberattacks rely primarily on user logins and passwords

How the Pandemic has Accelerated the Need for Strong Authentication

With tens of millions of Americans looking to the U.S. government for help during the pandemic, there has been a clear need for strong authentication and identity technology.

During a panel, Sanjay Gupta, chief technology officer for the US Small Business Administration (SBA) noted that the SBA has been able to ramp up during the pandemic thanks in part to the deployment of a strong authentication based single sign on technology that makes use of FIDO Alliance standards. The SBA uses the login.gov platform from the U.S Government’s General Service Administration (GSA).

In a keynote session, Congressman Bill Foster (D-IL) (pictured) stated that the COVID crisis has laid bare many of the inadequacies of the identity system in the U.S.

Just to pick one example, Foster noted that over a million stimulus checks were sent to dead people and for millions of others, the stimulus checks were delayed because of challenges in verifying who is eligible based on where they live. While there are challenges, Foster noted that there has also been a lot of relevant technological progress, independent of government action. 

“The use of a secure enclave on a modern cell phone as a FIDO second factor device is a huge step forward,” Foster said.  “The increasing use of privacy preserving biometric sensors on smartphones as a means of providing digital online authentication for human identity is going to be transformative.”

In a panel following the keynote on where the government can help with identity and authentication, Paul Rosenzweig, Resident Senior Fellow, Cybersecurity and Emerging Threat at the R Street Institute commented that good identity is clearly one of those common public goods that economic theory teaches us, is best provided at a governmental level. That’s an idea that panelist Phil Lam (pictured), Executive Director of Identity for the U.S. General Services Administration (GSA) agreed with.

“I think that we as a government are providing a lot of benefits to Americans today and in order to facilitate providing that benefit, we kind of need to know who you are and  are you eligible for a benefit,” Lam said. 

Lam re-iterated that the FIDO-enabled login.gov portal is a critical part of the U.S. government’s authentication strategy and now serves over 25 million users.

The final panel of the day tackled the socially important topic of equity and inclusion when it comes to identity and the individual. Among the panelists was Reverend Ben Roberts (pictured) who runs the ID Ministry, which is an effort to help the underprivileged get their identity so they can qualify for government assistance or even just to get a bank account.

Roberts detailed a number of heart-breaking cases of individuals that have had extreme challenges in getting some form of verified identity. He had a strong message for government policy makers and technology developers alike for how to enable strong authentication and identity systems.

“As we’re bringing things online and as new policies and new systems come into play, really do your level best to ensure that people are not getting left behind,” Roberts said.

Today’s sessions (February 4) have been recorded and can be found here. There’s still time to register for tomorrow’s sessions (February 5). Register here.

The post Identity, Authentication and the Road Ahead: Virtual Policy Forum Day 1 appeared first on FIDO Alliance.

The post ConnectSafely Webinar: Are Passwords Really Protecting Us? appeared first on FIDO Alliance.

In June, NIST put out a call for comments on the next iteration of its Digital Identity Guidelines, SP 800-63-4. We welcomed the opportunity to comment; read our full comments in the Government & Public Policy area of the website.

Up front, we note that SP 800-63-3 represented a significant improvement in NIST’s Digital Identity Guidelines, taking a more modern approach to identity proofing, authentication, and federation. That said, technology and threat are both never static, and we are encouraged to see that NIST is embarking on another revision of the document.

In our comments, we make three recommendations for SP 800-63-4:

1. NIST should adjust its approach to AALs to help implementers clearly differentiate between tools that are phishing resistant and those that are not. 

Today, a variety of authenticators based on shared secrets – including Look-Up Secrets, Out-of-Band Devices (i.e., Push), and OTP apps and tokens – are given the same weight in AAL2 as authenticators based on asymmetric public key cryptography, such as FIDO. Given how attackers have caught up with the former, it no longer makes sense to combine  these two types of authenticators under a single designation. Doing so misleads implementers into thinking these two categories of authenticators are equivalent in strength or resiliency. In our comments, we provide NIST with several ideas for how it can adjust the AALs to provide more differentiation between tools that are phishing resistant and those that are not. 

2. NIST should engage with FIDO Alliance to explore other alternatives to enable FIDO authenticators to meet AAL3 requirements

When SP 800-63-3 was first published, it created a path for some FIPS 140 validated FIDO authenticators to meet AAL3 – if those authenticators were deployed in concert with Token Binding to deliver Verifier Impersonation Resistance. Since that time, most major browser vendors have withdrawn support for token binding. Per discussions with NIST, we understand that this means that FIDO authenticators can no longer meet AAL3 without implementing other approaches to mitigate the loss of token binding. As NIST embarks on the next revision of SP 800-63, we urge NIST to engage with FIDO Alliance to explore other alternatives to enable FIDO authenticators to meet AAL3 requirements.

3. Provide more direct references to FIDO

SP 800-63B describes Requirements by Authenticator Type but is inconsistent in how it points to standards that support that type. This has created some confusion in the marketplace when implementers consult SP 800-63B and see reference to standards like OTP and PKI but do not see any specific reference to FIDO. In our comments, we offer three suggestions for how the guidance can directly reference FIDO so that implementers have a clearer understanding of where FIDO fits in and supports the requirements. 

We greatly appreciate NIST’s consideration of our comments and look forward to ongoing dialogue and collaboration as they seek to update the Digital Identity Guidance.

The post FIDO Alliance Submits Comments to NIST on Digital Identity Guidelines, Asks for Stronger Differentiation for Phishing-resistant Authentication Tools appeared first on FIDO Alliance.

By Henry Lee and Sanghun Won, Co-Chairs, FIDO Alliance Korea Working Group

Interviewees

Mentors: Dongho Kim, Samsung SDS, Kieun Shin, LINE and Sangwook Han, CrossCert
Mentees: Yeojin Lee representing Team Jekyll & Hyde (mentored by Samsung), Yushin Cho representing Team N-Key (mentored by LINE), and Nohyun Kawk representing TEEware (mentored by CrossCert).

Question: As FIDO Alliance Korea Working Group Technical Sub-Group Co-Leaders (Dongho and Kieun), what was the background or purpose of running a FIDO Hackathon – Developer Support Program this year?

Dongho: Since FIDO Alliance Korea Working Group announced 2019 would be the year of FIDO deployment, the members sought various ways to make it happen. The idea of running a Hackathon seemed to be a perfect fit since we realized a one-day workshop or seminar had its limits to fully demonstrate the strength of FIDO protocols. Based on my earlier experiences of volunteering at school coding classes and joining local Hackathon events, it was understood that submerging ourselves with these young minds was the best way to reach out to local developer community.

Kieun: We have been trying our best to introduce FIDO-based services to the market. Being able to learn creative ideas and approaches to deploy FIDO was the key purpose of launching such an event.  Identifying a potential partners and high-skilled engineers were unexpected bonuses.

Question: What motivated your team to participate in the FIDO Hackathon?

Nohyun: TEEware is a startup founded by members of KAIST (Korea Advanced Institute of Science and Technology) Graduate School of Information Security, and we thought the FIDO Hackathon was an ideal platform to verify our idea to combine FIDO protocols with decentralized ID for electronic contract projects.

Yushin: All of our team members are at their 2^nd or 3^rd year of university with experience of participating over dozens of local Hackathon events hosted by government agencies and private companies. We all thought the FIDO Hackathon was unique and much more meaningful, compared to other local half-day or one-day Hackathon event. It gave us an opportunity to engage deeply with Mentors with lots of hands-on experiences in the industry, which eventually helped us realize the FIDO-enabled Kiosk proof of concept in a timely manner.

Yeojin: As a school graduation project, our team members had an idea to make authentication much stronger and simpler by combining FIDO protocol with QR codes, but did not know how to move forward, due to the fact that we never had such scale of project experiences as college students. By working with Mentors and communicating with other teams participating in the FIDO Hackathon, we could quickly fill the technical gaps.

Question: As a Mentor or Mentee, what was the most challenging aspect of the program?

Dongho: In the beginning, we thought inviting talented teams to participate in the program was the most challenging, due to the fact that we weren’t able to be competitive with other Hackathon programs in terms of prize money or gifts. We stayed  focused on what was achievable and provided a simple, clear message to the public about what we wanted to accomplish. In the end, magic happened. Not only did more than 40 teams participate in the initial screening process, but we had 12 of them completing the proof of concepts through the mentorship program.

Yeojin: Right from the beginning of the mentorship program, the team members realized that the way we do projects at school were very different from how things were done in the field. We also had to quickly build a bridge between what we know as concept or academic theory and what or how things are actually done in business. That was the most challenging, yet most rewarding at the same time, because learning something like that as a student is priceless.

Yushin: Our team members came from 3 different universities and we have never worked as a team before. What we thought as a simple issue in the beginning were later found to be the toughest hurdle.  Thanks to our mentor’s close and frequently scheduled guidance, we were able to stay as a team and never give up. We learned the importance of human factors and soft skills while conducting such a project.

Sangwook: Unlike other teams that are consisted of university students, TEEware was a young startup with extremely demanding business schedules. By closely communicating with the team, we were able to narrow down the project scope, which fits the purpose of the Hackathon program, and successfully complete the project in a timely manner.

Question: What are the tangible or intangible assets you earned from the FIDO Hackathon program?

Sangwook: As an engineer, I was only able to see a small aspect of FIDO protocols, log-in and log-out, so far. However, the FIDO Hackathon opened up our eyes by understanding how FIDO can be presented as a solution to various technical or social problems. CrossCert has signed a business partnership with TEEware and you will see future products spinning out from this result very soon.

Nohyun: By participating the FIDO Hackathon, we were able to study the feasibility of our product and closely listen to potential clients’ needs. These lessons will be reflected upon our future business and product development plans.

Kieun: Surprisingly, I learned a lot by teaching and communicating with these young university students.  Acquiring new ideas, being able to set our future products or services roadmaps, and understanding how to work with external partners with fresh minds were incredible assets that I earned.

Yushin: Besides the fact that we have earned the Top 3 Awards with prizes and trophies, it was so satisfying to see our rough idea to successfully go through proof of concept process. It is something that I could never accomplish in any other short-term Hackathon events.

Dongho: I was so happy to see the general public and local developers got to understand more about FIDO protocols, fixing misunderstanding around FIDO. Internally, the FIDO Hackathon helped FIDO Alliance Korea Working Group members to collaborate with each other for the very first time, by shooting for a single target and supporting the local developer community.

Please visit FIDO Alliance SlideShare for detailed presentations of FIDO Hackathon Top 3 Winners:

• LINE X N-Key: P.42~53
• Samsung X Jekyll & Hyde: P.60~73
• CrossCert X TEEware: P.80~97

Following Mentors are available for further discussions on their FIDO Hackathon outcomes:

• Dongho Kim @ Samsung SDS (dongho78.kim@samsung.com)
• Kieun Shin @ LINE (kieun.shin@linecorp.com)
• Sangwook Han @ CrossCert (swhan@crosscert.com)

The post FIDO Hackathon in Korea: A Q&A with the Top 3 Winners and their Mentors appeared first on FIDO Alliance.

Challenge:

There are 65 million subscribers who use mobile banking services in Korea – most of whom use password-based authentication. Also, there are 37 million people who have been issued accredited certificates in Korea. For account transfers, subscribers generate digital signatures of transaction through an accredited certificate and verify it in their bank for user authentication, integrity and non-repudiation

Like many consumers around the world, Korean mobile banking subscribers who must remember their unique password feel uncomfortable for many reasons.  This includes the fact that inputting a password in mobile device is very difficult and time consuming – and also because passwords are highly susceptible to theft and misuse (such as for account hijacking). Additionally, many Koreans feel uncomfortable using passwords when they use an accredited certificate based on National PKI(NPKI) for digital signing.

As a result, many banks in Korea have sought to implement easy and secure user authentication technology in their online mobile banking service for subscribers, with biometric authentication approaches being a preferred model. However, many banks have hesitated to implement biometric authentication systems that rely upon server-side storage and matching of biometric templates as they present a risk to subscribers of having biometric credentials stolen – which unlike passwords cannot be changed.

Case Study: Kookmin Bank

Kookmin Bank (or KB) is Korea’s leading bank in total assets (2018) and National Customer Satisfaction Index (NCSI) (2017). KB has provided a mobile banking service named ‘KBStar Banking’ since 2003. KBStar Banking supports a variety of authentication mechanisms, but almost subscribers have used password-based authentication and accredited certification in NPKI. Accredited certification has especially been used for digital signing for account transfers and loan applications.

Kookmin Bank has been seeking simpler, stronger authentication for their mobile service due to the fact that many subscribers have expressed displeasure and discomfort with the password-based approach. KB has also needed a solution for accredited certification in NPKI that does not require a password at account transfer or loan application or similar services.

In November of 2016, CrossCert implemented the CrossCertFIDO® FIDO client and authenticator which supports fingerprint, iris and voice biometric authentication in the KBStar mobile banking app. CrossCert also set up the CrossCertFIDO® server in CrossCert’s global secure datacenter which has passed ISMS and Web Trust Audit, and it has connected and operated a relying server in Kookmin Bank.

KB and CrossCert have also provided subscribers with K-FIDO based authentication and digital signing – which eliminates the need for passwords for loan applications, account transfers and similar services. The net outcome is that subscribers no longer need to remember and input a password.

The Result:

There are now about 3.5 million subscribers who are leveraging simpler, stronger FIDO-based authentication across various KBStar mobile banking apps (KBStar banking, KBStar Mini, Liiv, KB Real Estate, KBStar alarm, KB my money, Liiv TTok TTok). In total there are 16 million FIDO transactions per month and there have been over 260 million total FIDO transactions since the launch of the services (as of October 2018).

Many Korean banks (in addition to KB) have implemented FIDO  authentication in their mobile banking apps to provide their subscribers with stronger and more user-friendly authentication. The positive user experiences in banking have set the stage for similar adoption in other industries – e.g., insurance, education and government services.

The post Kookmin Bank Leverages Crosscert FIDO to Provide Easy Biometric Authentication to Its Customers appeared first on FIDO Alliance.

World Password Day was started by FIDO Board member Intel seven years ago, and much has changed in that time. The world finally has a better call-to-action than simply changing passwords and hoping the year-over-year growth in data breaches magically reverses itself. The FIDO Alliance and the World Wide Web Consortium have announced a new authentication standard that Google, Microsoft and Mozilla have said will be built into Chrome, Edge and Firefox respectively. This new set of technologies, collectively known as FIDO2, enable websites and native apps to use on-device biometrics and/or portable security keys to free their users from a dependency on the failed “shared secret” security model of passwords and one-time-passcodes. Passwords are no longer fit for purpose, a fact highlighted in numerous studies that attribute password compromise as the root cause for the vast majority of data breaches that have taken place in recent years.  

That’s why I applaud World Password Day’s commendable focus on multi-factor authentication this year. Instead of encouraging users to change all of their online passwords – which more often than not results in easy-to-remember passwords being recycled across different accounts – website and app developers can now look to new methods of authentication that will enhance security while improving user experience.  By building to these new web standards for strong cryptographic authentication, developers can now leverage the authentication mechanisms that are already on their users’ smartphones, tablets, and computers — from fingerprint, iris, face or voice recognition, to portable hardware security keys — to improve security for their businesses and their users.

This year ‘World Password Day’ could mark the beginning of the end for “shared secrets” security on the web. But to do that, online services must accept that the humble password has outlived its efficacy and take action to learn more about FIDO2 today so that next year we can celebrate how our favorite online services have freed us from the bondage of passwords.

The post Perspectives on World Password Day appeared first on FIDO Alliance.

The post FIDO Alliance Letter Regarding Payment Services Directive 2 appeared first on FIDO Alliance.

Tell us a little bit about Raonsecure.  What are your core product offerings?  What industries and geographies do you cover?
Raonsecure is a Korean ICT information security leader and has supplied mobile security (mobile vaccine, virtual keyboard, PKI password authentication, EMM), PC security and IoT-based solutions mainly to financial institutions, government and enterprise. Our client SDK and server were in the first group of FIDO® Certified UAF products, and we deployed the first commercial FIDO implementation for a banking service in Korea. Currently, we have the largest number of commercial FIDO deployments in Korea.

In addition to our solutions, we provide various personal authentication services for individual users (B2C facing) such as our ‘USIM Smart Authentication’ and ‘USIM Simple Authentication’ services, offered jointly with the three domestic mobile communication companies in Korea. Through our subsidiary, Raon WhiteHat Center, we discover and train the next generation of information security officers. The WhiteHat Center’s teams have won several international hacking competitions, including Defcon CTF.  They also engage in security consulting and auditing as well as pure threat analysis and research.

Why did Raonsecure decide to upgrade its membership from Sponsor to join the FIDO Board of Directors?
As the provider of a leading FIDO solution in Korea, we are firmly established as a leader in biometric authentication and want to be a part of shaping the next generation of the FIDO standard, while reflecting our specific regional situation. Further, we plan to do our best as a member of the FIDO Alliance Board of Directors to help the Korean biometric authentication industry make the leap to the global market.

We all know that there is a lot of FIDO innovation in Korea.  How has Raonsecure engaged in the Korean marketplace, and what lessons from Korea do you think other geographies can learn?
In Korea, internet banking and mobile banking are some of the most advanced (as well as actively used) services in the world. In recent years, Raonsecure has been among the first to supply a FIDO Certified solution to those industries and commercialize it for banking services in Korea. Since then, we have helped construct most of the biometric authentication infrastructure in Korea – used by mobile carriers and fintech services among others. We believe that Raonsecure’s activities contribute to the growth not only of the domestic biometric authentication industry, but to changes in the overall authentication paradigm, and we would like to help further the development of the global biometric authentication industry. What we found with FIDO in Korea was that banks and financial institutions started a snowball rolling downhill that quickly expanded to lots of other types of industries.

In what ways do you believe your company can help the FIDO Alliance successfully fulfill its mission?
At present, the Korean people actively want enterprises and the government to come up with better and innovative methods to existing authentication methods used today. This has been a big part of the nationwide drive for FIDO adoption in so many industries. We look forward to sharing our know-how, accumulated through various deployments in Korea, with the Alliance.  We will do our best as a FIDO board member to continue spreading the FIDO global biometric standard not only in Korea, but throughout the world.

The post Q&A with FIDO’s latest Board Company, Raonsecure appeared first on FIDO Alliance.

Andrew Shikiar, Senior Director of Marketing, FIDO Alliance

We are back and recovered from Mobile World Congress, which was a great week for the FIDO Alliance!  Mobile World Congress is known as the biggest annual gathering for the mobile industry with more than 100,000 attendees. Our experience was filled with positive energy and bustling activity. This year, the FIDO Alliance hosted a pavilion featuring Aware, Daon, Nok Nok Labs, Sensory Inc, TRUXTUN Capital and Yubico. We set up a series of pods on the upper walkway — a great spot where tens of thousands of attendees stopped by to learn more about FIDO’s ecosystem for simpler, stronger authentication.

While MWC once was the show to see the latest mobile devices, it has evolved to include stronger security themes, an area where FIDO Authentication is dominant. FIDO has a clear value in mobile, where the industry is demanding better security features for mobile applications, and consumers are demanding an end to passwords and PINs as security boundaries. The mobile industry is responding by increasingly offering FIDO Authentication built into their flagship devices, and shipping more biometric smartphones. Biometric smartphones are becoming “the new normal” — there was a ten-fold increase of biometric smartphones in the last two years, according to Acuity Market Intelligence. We’re also seeing smartphones being updated to accept FIDO BLE and/or NFC-enabled security keys for authentication, giving consumers even more choice on how they authenticate to services.

Other key takeaways from the event included:

FIDO is the strategy for leading Mobile Network Operators (MNOs). We had many conversations in the FIDO Pavilion and throughout the show with MNOs that have, or are in the process of, rolling out FIDO Authentication. Two of the top reasons:  FIDO’s simpler user experience, and the ability to help service providers meet emerging regulatory policies such as PSD2 in Europe.

FIDO fits with GSMA’s Mobile Connect. GSMA’s Mobile Connect provides a universal login solution that matches users to their mobile device, allowing them to log into websites and applications without usernames and passwords. FIDO biometrics is a leading authentication mechanism for Mobile Connect, which Rajiv Dholakia of Nok Nok Labs spoke about at length during the Mobile Connect-themed seminar at the show. The FIDO Alliance is actively working with GSMA on projects that will demonstrate the combined value of Mobile Connect together with FIDO Authentication, so look forward to seeing more from us on that soon.

Securing the Internet of Things is critical. Similar to our takeaways from last month’s RSA Conference, there was a lot of discussion around IoT as it relates to mobile innovation, and the critical need for security in the space. FIDO Authentication is a natural fit for IoT — both for authenticating users to connected devices, as demonstrated by FIDO Alliance members Infineon and Oberthur at the show, and for M2M authentication. Given all of this buzz around IoT, the timing is good for our next webinar, where we will talk in more detail about specific current and emerging use cases for FIDO in IoT.

All and in all, Mobile World Congress was a great experience for the FIDO Alliance as first-time exhibitors, and we already have plans in place to return next year. Are you a mobile ecosystem participant looking to get involved with FIDO? Get in touch with us today.

The post FIDO’s Imperative to Mobile Ecosystem Evident At Mobile World Congress appeared first on FIDO Alliance.

Last month FIDO held our first events in India – half-day seminars in Mumbai and Bangalore.  It was an eye opening experience in many ways, and it’s clear that the desire for simpler, stronger authentication spans borders and use cases.  The audiences were very savvy and engaged in both sessions – asking pointed questions and sparking fresh ideas that will be brought back into FIDO’s working groups.The Tour was generously sponsored by Persistent Systems and the Data Security Council of India (DSCI), with additional support from Egis Technologies, Feitian, Nok Nok Labs and NXP.  

India is home to a bustling economy that is driven by a technology sector providing product development and integration services on a global scale. This economy serves a population that is more connected by the day.  In fact, India has passed the United States and is now the second biggest consumer of the Internet (behind China).  This latter trend in connecting the previously unconnected is where the Indian government has been very proactive in creating relevant technology policies and initiatives – and also is where FIDO stands to have the greatest impact.

For starters, some key numbers give you a feel for the types of transformations that are possible in India.  In telecommunications – just 20 years ago it could take even city-dwellers weeks or longer to get landline service due to the vastness and complexity of the infrastructure.  As a result, in 2001 there were less than 37 million fixed and mobile subscribers. Today, however, there are over a billion mobile subscribers and still only 25 million fixed line subscribers – which enables the next frontier for Indian transformation:  payments.

While Indian society is clearly becoming increasingly connected, it is still a cash-driven economy with less than 5% of transactions happening electronically as recently as 2014. The country’s goal is to bring this ratio more in line with countries like the United States or United Kingdom, where the majority of transactions are handled electronically. But as more and more people leverage electronic or mobile transactions, opportunities increase for hacking and fraud.

Fortunately, the Indian government is well ahead of the curve on this matter, and has mandated second-factor authentication for all online and mobile transactions. This currently manifests itself via one-time passcodes delivered over SMS, which while certainly better than single-factor does have its usability and security challenges.  As part of FIDO’s efforts in India, we will be engaging with leaders in policy and commerce to introduce the added security benefits that FIDO authentication brings to the table versus one-time passcodes (OTPs).  In addition, much of India uses PKI and digital certificates to ensure secure online transactions – this is a bulky and time-consuming process that stands to be vastly improved through FIDO authentication.

Successive generations of technology have required users to become more and more savvy. In the context of India and other emerging populations, however, the challenge is to simplify the usage of technology. FIDO, with its option for biometric-based strong authentication, is ideally suited to offer a viable solution.  In fact, one of the founding visions for FIDO was to have a solution protecting the next billion users who don’t know what a password is, and who shouldn’t have the pain of passwords inflicted upon them.

These ideals also pertain to the “newly banked” in India – where there are now tens of millions of people using mobile devices to make purchases and small peer- to-peer transactions.  This demographic will be conducting mobile transactions before they’ve ever seen a web page or have ever received an email, which makes them particularly susceptible to phishing attacks.  Eventually they will receive email – and as 12% of links in phishing emails are currently opened today, there’s a good chance that less experienced users will take the bait.  As such, it’s critical that their service providers deploy FIDO authentication solutions which are architected to prevent phishing and man-in-the-middle attacks.

We’re excited to build on this initial foray into India, and in the near future will be launching a dedicated effort in the region in order to support and grow the local FIDO community.  Stay tuned for more details!

The post FIDO Authentication in India appeared first on FIDO Alliance.

http://www.wired.com/2015/10/github-moves-past-password-make-open-source-secure/

The post Github Moves Past the Password to Make the Internet Secure appeared first on FIDO Alliance.

http://www.finextra.com/blogs/fullblog.aspx?blogid=9116

The post Banker’s Overview to Online Fraud appeared first on FIDO Alliance.