Carlsbad, Calif., August 3, 2023 – The FIDO Alliance announced its keynote speakers and full agenda for Authenticate 2023, the only industry conference dedicated to all aspects of user authentication.

This year’s featured keynote will be presented by Rachel Tobac, white hat hacker and social engineering expert whose exploits have been featured on CNN, 60 Minutes and more. Additional keynote presentations providing diverse and global perspectives on modern authentication will be delivered by speakers from 1Password, Amazon, Google, Microsoft, Yubico and others.

Authenticate 2023 will be held at the Omni La Costa Resort and Spa and from October 16-18, 2023 – with virtual attendance options for those unable to be there in person. Now in its fourth year, the event is focused on providing education, tools and best practices for modern authentication across web, enterprise and government applications. CISOs, security strategists, enterprise architects and product and business leaders are invited to register at https://authenticatecon.com/event/authenticate-2023/.

In response to its rising popularity, the conference now includes 90+ sessions from 125 speakers spread across three content tracks — as well as interactive half-day workshops for developers and user experience leads. Speakers from Alibaba Group, Fox Corporation, GitHub, Intuit, Mercari, Pinterest, Salesforce, Starbucks, Shopify, Target and others will deliver a diverse set of sessions, detailed case studies, technical tutorials and expert panels. Attendees will also benefit from a dynamic expo hall and networking opportunities whether attending in-person or virtually. 

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is also accepting applications for sponsorship, offering opportunities for companies to put their brand and products front and center with brand exposure, lead generation capabilities and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/sponsors/. 

There are a limited number of opportunities remaining. Requests for sponsorship should be sent to authenticate@fidoalliance.org. 

About Authenticate 

Authenticate is the only conference dedicated to all aspects of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

In 2023, Authenticate will be held October 16-18 at the Omni La Costa Resort and Spa in Carlsbad, CA and virtually. Early bird registration discounts are available through August 18, 2023. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. 

Signature sponsors for Authenticate 2023 are 1Password, Google, Microsoft and Yubico.

Authenticate Contact 
authenticate@fidoalliance.org  

PR Contact 
press@fidoalliance.org

The post FIDO Alliance Details Agenda for Authenticate 2023, Featuring Keynote from Rachel Tobac, Noted White Hat Hacker & SocialProof Security CEO appeared first on FIDO Alliance.

Singapore, August 1, 2023 — The FIDO Alliance today provided an updated list of speakers and sponsors for its first-ever FIDO APAC Summit, the premier event dedicated to advancing and promoting phishing-resistant FIDO authentication in the region. Co-hosted by the Ministry of Information and Communications (Vietnam), the summit will take place in Vinpearl Nha Trang, Vietnam, on 28 – 30 August 2023, and centers on the theme of “Connecting for a Safer Digital Future”.

With hundreds of attendees expected, the summit will feature more than 25 VIP guests and speakers from the APAC region. Hieu Minh Ngo, a former hacker turned cybersecurity specialist, will be joining these prominent industry leaders to discuss the latest developments and share best practices. Drawing on his insider knowledge of cybercriminal tactics, Hieu offers insights into common cybersecurity traps and vulnerabilities, and how passwordless authentication technologies can boost organizations’ defenses against hackers.

“As a former hacker turned cybersecurity specialist, I know firsthand how cybercriminals are always looking for loopholes to exploit for their gain. That is why it is imperative for organizations to ensure a robust cybersecurity strategy to safeguard users online,” said Hieu. “Embracing passwordless authentication can offer the highest levels of security and mitigate potential cyber threats from malicious hackers. I am excited to be part of the FIDO APAC Summit 2023 to share my experiences on how going passwordless can thwart phishing attacks and impart valuable lessons to attendees.”

Regional Cybersecurity Thought Leaders

The keynote speakers at the FIDO APAC Summit include:

• Nguyen Huy Dung, Deputy Minister of Information and Communications (Vietnam)
• Andrew Shikiar, Executive Director of FIDO Alliance
• Do Ngoc Duy Trac (Simon), CEO of VinCSS

The summit will also feature case studies and tutorials delivered by industry experts from government organizations and leading technology companies, including:

• Hieu Minh Ngo, Threat Hunter, NCSC Viet Nam & Co-founder of Chongluadao.vn
• Khanit Phatong, Senior Management Officer, Thailand Electronic Transactions Development Agency 
• Teresa Wu, Vice President, Smart Credentials – Civil Identity IDEMIA Identity & Security North America 
• Paul Heim, Director, FIDO Alliance
• Sea Chong Seak, CTO of SecureMetric
• Alex Wilson, Director Engineering, Yubico
• Dovlet Tekeyev (Dave), Director, AirCuve
• Hyung Chul Jung, Head of Security Engineering Group, Samsung Electronics
• Eiji Kitamura, Developer Advocate, Google
• Gautam Pande, Vice President, Identity Solutions, Asia Pacific, Mastercard
• Masao Kubo, Manager, Product Design Department, Smart Life Business Company, NTT DOCOMO
• Henry (Haixin) Chai, CEO of GMRZ Technology, Lenovo
• Cuong Tran, CTO, Pavana
• Thang Phan, Passwordless Transformation Lead, VNPAY
• Truong Nguyen, Back End Developer, PayPay Corporation
• Naohisa Ichihara, CISO, Mercari
• Jaebeom Kim, Principal Researcher, Telecommunications Technology Association

The updated list of speakers can be found here.

In addition, the APAC Summit will feature a busy expo hall, with demo booths from VinCSS, Securemetric Technology, Yubico, AirCuve, CyStack, iProov, Thales, ISR, SMARTdisplayer Technology, and TrustKey.

Event Registration and Sponsorship Opportunities

Attendance is free of charge. For more information and to register your interest in the summit, please visit the website here.

“The FIDO Alliance is excited to host its first Asia-Pacific Summit 2023 in Vietnam, which will feature content presented by some of the brightest minds in authentication from around the world,” said Andrew Shikiar, executive director & CMO of the FIDO Alliance. “As cyber attacks continue to grow in volume and sophistication, it is more important than ever for companies to put passwords in the rear view mirror in favor of passkeys — which present a user-friendly alternative based upon FIDO standards.”

At the initial announcement of the event, Deputy Minister of Information and Communications (Vietnam), Nguyen Huy Dung said, “We are delighted to take part in organizing this event. We fully endorse the adoption of passwordless authentication technology to secure Vietnam’s digital economy. Our aspiration is to foster connections and collaborations with the FIDO Alliance and other APAC region countries for a safer digital future.”

Registrations are now open to the public. While the event is offered free of charge, all delegates are required to book a minimum of three nights at the event venue, Vinpearl Resort Nha Trang. For more information and to register your interest in the summit, please visit the website here.

For companies interested in sponsorship opportunities, please contact events@fidoalliance.org. 

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact 
press@fidoalliance.org 

APAC Media Contact
Evelyn Owen & Farah Aqilah
FINN Partners on behalf of FIDO Alliance
yingFIDO@finnpartners.com 
+65 9109 6954

The post FIDO APAC Summit Keynotes and Sponsors Announced appeared first on FIDO Alliance.

MOUNTAIN VIEW, Calif., June 27, 2023 – Passkeys are a gamechanger for signing to online services and apps, providing phishing-resistant security and easy user experience far superior to passwords and other phishable forms of authentication. Enterprises globally are interested in passkeys but may be wondering: how do I start? And “what type of passkey is right for my environment?” 

The FIDO Alliance addresses these questions in a new series of papers providing considerations for leveraging passkeys across different enterprise use cases. The series was developed by the FIDO Alliance’s Enterprise Deployment Working Group (EDWG) and can be found at https://fidoalliance.org/fido-in-the-enterprise/.  

The papers in the series are:

• FIDO Deploying Passkeys in the Enterprise – Introduction
• Replacing Password-Only Authentication with Passkeys in the Enterprise
• FIDO Authentication for Moderate Assurance Use Cases 
• High Assurance Enterprise FIDO Authentication 

A fifth paper in the series, “Displacing Password + SMS OTP Authentication with Passkeys,” is expected to publish later this summer.

“Passkeys are a new concept to many enterprise organizations, in terms of both terminology and FIDO authentication capabilities,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “These papers demystify synced and device-bound passkeys and provide the decision points for how to leverage them across a variety of use cases, whether they are using passwords alone, legacy MFA or FIDO-based solutions today. These papers provide a great foundation for anyone looking to understand how passkeys can increase their organization’s security posture, meet legal and regulatory requirements and decrease support and other costs associated with authentication.” 

Get an Overview Live at Authenticate Virtual Summit: Considerations for Passkeys in the Enterprise

Those interested in this topic are encouraged to join the FIDO Alliance and members of its Enterprise Deployment Working Group on June 29, 2023 at 9:00 am PT / 12:00 pm ET for the free Authenticate Virtual Summit: Considerations for Passkeys in the Enterprise to learn how passkeys can fit into a variety of enterprise environments.

Sessions will cover introductory material, considerations across various use cases, and criteria to evaluate how synced passkeys and device-bound passkeys can meet varying legal, regulatory, and security requirements across enterprise environments.

Learn more and register for the free virtual summit at https://authenticatecon.com/event/passkeys-in-the-enterprise/.

About the Enterprise Deployment Working Group (EDWG)

The FIDO Alliance’s Enterprise Deployment Working Group (EDWG) aims to accelerate enterprise deployments of FIDO solutions and advance the FIDO Alliance’s vision for a strong, interoperable modern authentication ecosystem. The EDWG acts as a group of subject matter experts and internal advisors within the FIDO Alliance on issues affecting the deployment of FIDO solutions at the enterprise level. FIDO Alliance members interested in joining the EDWG can contact info@fidoalliance.org for information on how to participate.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Contact
press@fidoalliance.org

The post FIDO Alliance Publishes Guidance for Deploying Passkeys in the Enterprise appeared first on FIDO Alliance.

Singapore, June 26, 2023 — The FIDO Alliance announced today its first-ever FIDO APAC Summit 2023, the premier event dedicated to advancing and promoting phishing-resistant FIDO authentication in the region. The summit, co-hosted by Vietnam Ministry of Information and Communications, will take place in Vinpearl Nha Trang, Vietnam, on August 28 – 30, 2023.

For more information and to register your interest in the summit, please visit the website here. 

The cybersecurity landscape in Asia-Pacific has undergone significant growth and transformation in recent years, driven by the rapid digitalization, increased internet penetration, and the rapid adoption of advanced technologies such as cloud computing, AI, and the Internet of Things (IoT). As businesses and governments become more reliant on digital infrastructure, cyber threats have grown increasingly sophisticated and widespread, resulting in a surge in prominent cyberattacks and data breaches. With Asia-Pacific accounting for 31% of all incidents globally in 2022, there is a crucial need for more robust authentication methods — and there is no better time than now for organizations to take the necessary steps forward.

The theme for this year’s event is “Connecting for a Safer Digital Future” which aims to highlight the importance of secure, phishing-resistant authentication methods, specifically focusing on FIDO standards and passkeys. The summit will bring together various industry leaders, cybersecurity experts, and government representatives from the region to discuss the latest developments and share best practices and success stories. Attendees can expect insightful keynote presentations, engaging panel discussions, comprehensive technical workshops, and ample networking opportunities. 

“The FIDO Alliance is excited to host its first Asia-Pacific Summit 2023 in Vietnam. Around the globe, we are witnessing an increasing number of cyberattacks and scams stemming from weak or stolen credentials — and this is no different in the APAC region. Fortunately, there has been a steady momentum toward adopting passkeys based on phishing-resistant, FIDO authentication by organizations here to combat these threats,” said Andrew Shikiar, executive director of the FIDO Alliance. “Through this summit, we hope to facilitate knowledge sharing in the various areas of authentication, and we encourage anyone interested to learn more to join us.”

Deputy Minister of Vietnam’s Ministry of Information and Communications, Nguyen Huy Dung, said, “We are delighted to take part in organizing this event.” He emphasized, “We fully endorse the adoption of passwordless authentication technology to secure Vietnam’s digital economy.” He continued, “Our aspiration is to foster connections and collaborations with the FIDO Alliance and other APAC region countries for a safer digital future.”

The conference will feature more than 25 VIP guests and speakers from the APAC region, with over 300 attendees expected. Key summit speakers this year include member companies from the FIDO Alliance, such as VinCSS, Google, Mastercard, Samsung Electronics, NTT Docomo, SK Telecom, SecureMetric, AirCuve, ETDA and Thales, among many others.

Registrations are now open to the public. While the event is offered free of charge, all delegates are required to book a minimum of three nights at the event venue, Vinpearl Resort Nha Trang. For more information and to register your interest in the summit, please visit the website here. 

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact 

press@fidoalliance.org 

APAC Media Contact

Evelyn Owen & Farah Aqilah

FINN Partners on behalf of FIDO Alliance

yingFIDO@finnpartners.com 

+65 9109 6954

The post FIDO Alliance Opens Registration for Its First-Ever Asia-Pacific Summit 2023 in Vietnam appeared first on FIDO Alliance.

ITU-T is the standardization arm of ITU, the United Nations specialized agency for ICT. The FIDO Alliance specifications were approved as official ITU-T Recommendations by ITU members including national administrations and the world’s front-running ICT companies. The new ITU-T Recommendations are under the responsibility of ITU’s standardization expert group for security, ITU-T Study Group 17.

“The FIDO Alliance is improving online authentication through open standards based on public key cryptography that make authentication stronger and easier to use than passwords or one-time passcodes. One of the ways that we fulfill this mission is by submitting our mature technical specifications to internationally recognized standards groups like ITU-T for formal standardization,” said David Turner, senior director of standards development at the FIDO Alliance. “This recognition from ITU-T illustrates the maturity of FIDO authentication technology and complements our web standardization work with the World Wide Web Consortium (W3C).”

“Predecessors of these FIDO UAF and CTAP specifications were first adopted as ITU standards in 2018. ITU-T Study Group 17 will continue to strengthen its collaboration with the FIDO Alliance. These two FIDO Alliance specifications, adopted as ITU standards recently, are being widely used in various industries such as the financial sector to provide strong online authentication based on public key cryptography and various user verification methods,” said Heung Youl Youm, Chairman of ITU-T Study Group 17. “These new ITU standards will provide a concrete basis for the two FIDO specifications to be adopted across the 193 ITU Member States.”

“Our working group within ITU-T Study Group 17 was pleased to be able to collaborate with the FIDO Alliance to promote the standardization of state-of-the-art security technologies,” said Abbie Barbir, Rapporteur for ITU-T’s working group on ‘Identity management and telebiometrics architecture and mechanisms’ (Q10/17). “This work will help address and solve the security limitations of passwords and move the world closer to passwordless solutions.” 

The specifications that are now ITU-T Recommendations are:

• FIDO UAF 1.2 (Recommendation ITU-T X.1277.2). A mobile standard providing authentication without passwords by using biometrics and other modalities to authenticate users to their local device.
• CTAP 2.1 (Recommendation ITU-T X.1278.2). Part of FIDO2 specifications along with the W3C Web Authentication standard,  allows the use of external authenticators (FIDO Security Keys, mobile devices) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a passwordless, second-factor or multi-factor authentication experience.

For more information on the FIDO Alliance and FIDO authentication, visit http://www.fidoalliance.org.

For more information on ITU-T SG 17 visit https://www.itu.int/en/ITU-T/studygroups/2022-2024/17/Pages/default.aspx.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

About ITU-T SG 17

The ITU Telecommunication Standardization Sector (ITU-T) is one of the three Sectors (branches) of the International Telecommunication Union (ITU). It is responsible for coordinating standards for telecommunications and Information Communication Technology such as X.509 for cybersecurity, Y.3172 and Y.3173 for machine learning, and H.264/MPEG-4 AVC for video compression, between its Member States, Private Sector Members, and Academia Members.

FIDO Alliance Contact
press@fidoalliance.org 

ITU Contact
tsbsg17@itu.int

The post Updated FIDO Alliance Specifications Adopted as ITU International Standards appeared first on FIDO Alliance.

CARLSBAD, Calif., June 6, 2023  —  The FIDO Alliance is pleased to announce registration is now open for Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on passkeys and related FIDO-based solutions. Authenticate will be held October 16-18, 2023 at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego – with virtual attendance options also available.

To register, visit https://authenticatecon.com/event/authenticate-2023/. Early bird registration discounts are available through August 18.

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fourth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

“Passkeys are the hottest topic in digital identity and authentication as the world accelerates its efforts to put passwords in the rear-view mirror,” said Andrew Shikiar, executive director and CMO of FIDO Alliance. “Authenticate has rapidly established itself as a must-attend event for those interested in learning about how to apply passkeys and other cutting-edge authentication solutions to their business. Between the dozens of sessions and countless networking opportunities, Authenticate attendees will come away from this year’s conference with actionable insights to help accelerate their companies’ transition to a password-free future.”

Last year’s conference sold out for in-person attendance, welcoming over 950 total attendees in Seattle and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 30 industry-leading exhibitors and sponsors.

Authenticate 2023 will build upon this strong foundation and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. The full 2023 agenda will be published later this month. Attendees benefit again from a dynamic expo hall and engaging networking opportunities. 

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please view the prospectus.

Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to authenticate@fidoalliance.org.

Signature sponsors for the 2023 event are 1Password, Google, Microsoft, and Yubico.

About Authenticate

Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on passkeys and FIDO-based solutions. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2023 will be held October 16-18, 2023 and will be co-located with the FIDO Alliance’s member plenary (running October 17-19) at the Omni La Costa Resort & Spa in Carlsbad, CA, just north of San Diego, with a bigger footprint for more attendees, sessions for all levels, a larger expo hall for companies bringing passwordless to fruition, and added opportunities for networking with your peers. 

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2023 will have the right content – and community – for you. 

Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, sign up for the newsletter.

Authenticate Contact

authenticate@fidoalliance.org

PR Contact 

press@fidoalliance.org

The post FIDO Alliance Opens Registration for Authenticate 2023 appeared first on FIDO Alliance.

The FIDO Alliance UX Guidelines for Passkey Creation and Sign-ins aim to help online service providers design a better, more consistent user experience when signing in with passkeys. The guidelines are available at https://fidoalliance.org/ux-guidelines/. 

Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. While far easier and more secure than passwords and legacy forms of 2FA, the research performed for these guidelines found that passkey sign-ins present a distinct user journey that service providers need to consider before providing passkey support. The FIDO Alliance UX Guidelines provide evidence-based best practices for key steps in the user journey for passkey creation and sign-in.

“As companies around the world accelerate their move toward passwordless authentication based on FIDO standards, the topic of user experience has risen to the forefront,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Passkeys uniquely can provide a phishing-resistant sign-in as well as a superior user experience which can drive top-line growth by enabling more seamless access to online services and engendering stronger brand affinity. We encourage online service providers to use these guidelines in their journey to rolling out passkeys to ensure a consistent, thoughtful, and simple user experience for their users.”

Passkeys are supported in the vast majority of consumer devices: Apple and Google have readied their operating systems for service providers to enable sign-ins with passkeys that sync across devices; Windows 10 and 11 have long supported device-bound passkeys in Windows Hello – and passkeys from iOS or Android devices can also be used to sign into sites in Chrome or Edge on Windows. 

Many leading service providers including Google, PayPal, Yahoo! Japan, NTT DOCOMO, CVS Health, Shopify, Hyatt, Instacart, Robinhood, Mercari and Kayak are providing their customers with passkey sign-ins. 

“When it comes to providing passkeys to consumers, technical implementation is only one piece of the puzzle,” said Kevin Goldman, chair of the FIDO Alliance UX Working Group and Chief Experience Officer at Trusona. “Simply put, the UX is a critical component in helping consumers adopt passkeys as a password replacement. These guidelines are a carefully researched set of best practices that will help online service providers design a better, more consistent user experience when signing in with passkeys and ultimately maximize adoption.”

The guidelines were created by the FIDO Alliance UX Working Group in partnership with usability research firm Blink UX – with added underwriting support from 1Password, Google, Trusona and US Bank. This group collectively conducted formal research of FIDO user journeys and actively engaged with FIDO Alliance stakeholders to establish these UX best practices. 

Learn more about the FIDO UX Guidelines for Passkeys at Identiverse 2023

Attending Identiverse? Learn more about the guidelines today, May 31, during the session “Optimizing UX for Passkeys” at 2:00 pm PDT.

Attend the Webinar Series

The FIDO Alliance is hosting a three-part webinar series to educate on the findings and best practices developed through the intensive research for the UX guidelines for passkeys. Attendees will get actionable tools to accelerate and optimize deployments of passkeys for consumer sign-ins. 

Webinars include:

• 10 UX Guidelines for Passkeys (June 13, 2023 at 10am PDT / 1pm EDT)
• Driving Adoption of Passkeys with UX (June 20, 2023 at 10am PDT / 1pm EDT)
• UX and Content Strategy Workshop for Passkeys (June 27, 2023 at 10am PDT / 1pm EDT)

Register for the webinar series here.

About the FIDO UX Working Group

In order to accelerate adoption of FIDO solutions and achieve the FIDO Alliance’s vision of helping reduce the world’s overreliance on passwords, the UX Working Group (UXWG) serves as subject matter experts and internal advisors within the FIDO Alliance on issues related to usability and UX. The FIDO Alliance UXWG is composed of 79 product, design, accessibility, marketing and technical leaders from 31 diverse companies. A full list of members who contributed to this project can be found in the guidelines.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Contact
press@fidoalliance.org 

The post FIDO Alliance Publishes Research-backed Guidelines for Optimizing User Sign-in Experience with Passkeys appeared first on FIDO Alliance.

CARLSBAD, CALIF, February 23, 2023  —  The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins. 

Authenticate 2023, featuring signature sponsors Google, Microsoft, and Yubico, will be held October 16-18, 2023 at the Omni La Costa Resort & Spa in Carlsbad, CA, just North of San Diego. Visit our website for information on submitting a speaking proposal and becoming a sponsor.

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the fourth consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

Last year’s conference sold out for in-person attendance, welcoming over 950 total attendees in Seattle and remotely. The event featured more than 100 sessions with highly engaging content, plus a sold-out exhibit area with 30 industry-leading exhibitors and sponsors.

Authenticate 2023 will build upon this strong foundation and feature detailed case studies, technical tutorials, expert panels, and hands-on lab sessions aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and engaging networking opportunities. 

Authenticate Call For Speakers

The Authenticate 2023 conference program committee has opened its call for speakers. Authenticate provides speakers with an opportunity to increase their industry reach and visibility by educating attendees on in-market approaches for deploying modern authentication solutions.  

The committee is looking for vendor-neutral, educational presentations that focus on authentication strategies and best practices. Submissions can span all aspects of authentication implementations from initial research and business case development through piloting to rollout and beyond. Perspectives on global trends and considerations for user authentication should also be submitted. The committee is looking for a variety of session types and formats including main stage storytelling, introductory “101’s”, detailed case studies, technical tutorials, hands-on labs, and thought provoking panels.

Diverse, global perspectives and presentations that focus on the following topic areas are welcome: 

• Authentication trends & insights 
• Modern authentication case studies & implementation strategy

• Hands-on implementation guidance and best practices 
• Government impact on authentication

Other topic areas related to authentication will also be considered. Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. Product and sales pitches will not be accepted.

The Authenticate Call for Speakers closes on March 31, 2023. To submit an application, please visit https://authenticatecon.com/authenticate-2023-call-for-speakers/.

Sponsorship Opportunities at Authenticate 2023 

Authenticate 2023 is also now accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please view the prospectus.

Sponsorship requests will be filled on a first-come, first-served basis; requests for sponsorship should be sent to authenticate@fidoalliance.org.

Signature sponsors for the 2023 event are Google, Microsoft, and Yubico.

About Authenticate

Hosted by the FIDO Alliance, Authenticate is the industry’s only conference dedicated to all aspects of user authentication – including a focus on FIDO-based sign-ins. It is the place for CISOs, business leaders, product managers, security strategists and identity architects to get all of the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2023 will be held October 16-18, 2023 and will be co-located with the FIDO Alliance’s member plenary (running October 17-19) at the Omni La Costa Resort in Carlsbad, CA, just North of San Diego, with a bigger footprint for more attendees, sessions for all levels, a larger expo hall for companies bringing passwordless to fruition, and added opportunities for networking with your peers. 

Whether you are new to FIDO, in the midst of deployment or somewhere in between, Authenticate 2023 will have the right content – and community – for you. 

Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. To receive updates about Authenticate events, sign up for the newsletter.

Authenticate Contact

authenticate@fidoalliance.org   

PR Contact 

press@fidoalliance.org

The post FIDO Alliance Announces Authenticate 2023 Conference appeared first on FIDO Alliance.

The FIDO Developer Challenge 2022 – India has come to a successful close with the award ceremony held on January 20th, 2023, at the Samsung R&D Institute in Noida. The challenge aimed to educate and support local adoption of FIDO technology.

First place was awarded to MonitorExam for their innovative FIDO-based online exam proctoring system. AyanWorks, with their FIDO-based SSI wallet, and AllSafe, a team of students with a FIDO-based SSO service, were also recognized as the other two top finalists.  For the full details of ideas presented by the top three finalists, please view the recorded sessions:

We would like to extend our gratitude to our sponsors, including Visa, Samsung, Infineon, Ensurity, TrustKey, and Octatco, for their support in making this event a success.

Departing Thoughts

The Indian government agencies, including Data Security Council India (DSCI), our local liaison partner, and the Controller of Certifying Authorities (CCA), which officially endorses FIDO as the 2nd factor authentication, are dedicated to promoting robust and user-friendly cybersecurity measures. We are confident that the India-focused FIDO Developer Challenge has made a positive impact by empowering local developers to rapidly deploy FIDO-based services, which provide enhanced protection against phishing-related cyber-attacks while maintaining ease of use for all online users.

Editor’s Note: This is the final blog posting covering the 2022 FIDO Developer Challenge – India. We invite you to read the announcement message to learn more about the background and processes.

The post <strong>FIDO Alliance Awards Winner and Top Finalists of Developer Challenge – India</strong> appeared first on FIDO Alliance.

You can access the recorded version by clicking on the video below and/or the videos by visiting our YouTube channel.

The post Videos: FIDO Alliance Public Seminar in Korea appeared first on FIDO Alliance.

TOKYO, December 9, 2022 – Global, industry-wide commitment is bringing the passwordless future closer to reality, FIDO Alliance members shared today at the first in-person FIDO seminar in Japan since December 2019. During the seminar, leading organizations shared major updates that will further the Alliance’s mission to replace passwords with simpler and stronger authentication. 

A significant milestone came last May when Apple, Google and Microsoft announced plans to expand support for FIDO with passkeys, a phishing-resistant replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Passkeys can be leveraged across devices and platforms to offer an end-to-end passwordless sign-in option, or bound to a particular device such as a FIDO security key for high-assurance use cases. Passkeys are supported today in iOS 16, macOS Ventura, Android and ChromeOS, with Windows coming soon.

Notably, global service providers such as PayPal have expanded their FIDO support and are offering passkey sign-ins, while early FIDO adopters in Japan have announced passkey commitments or adoption as their next steps towards passwordless:

• Yahoo! JAPAN has been working on passwordless initiatives with FIDO since 2015, and more than 38 million active users in 2022 are signing in without passwords. Yahoo! JAPAN now supports passkeys iOS, iPadOS and MacOS.
• KDDI has first launched FIDO in 2020 for its au ID platform with more than 30 million customers. Now au ID is accessible with passkeys on iOS and FIDO2 on Android. 
• NTT DOCOMO has been a leader both within and outside FIDO Alliance beginning with its Board appointment in 2015 and is the first mobile operator to deploy FIDO authentication at scale. DOCOMO has announced its intention to support passkeys for its more than 50 million of d ACCOUNT users beginning in early 2023. 

“From the very beginning of the FIDO Alliance, Japan has been a global hub of innovation, support and deployments of FIDO authentication. It is not a surprise that several leading organizations in the region will be some of the first globally to offer their customers FIDO sign-ins with passkeys,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This is illustrative of our global membership’s commitment to the passwordless future, and their collaboration to maximize the reach, usability and security of FIDO authentication.” 

Within the FIDO Alliance’s 250+ members, 58 actively take part in the FIDO Japan Working Group, now beginning its 7th year working together to spread awareness and adoption of FIDO in the region. 

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

The post Momentum for FIDO in Japan Grows as Major Companies Commit to Passwordless Sign-ins with Passkeys appeared first on FIDO Alliance.

The Internet of Things (IoT) is an increasingly critical and difficult area for IT devices that need to be secured.

At the Authenticate Virtual Summit: The FIDO Fit in IoT held on Dec. 7, a series of experts outlined FIDO Alliance efforts to help device manufacturers and developers better secure IoT. A key theme of the event was all about understanding how the FIDO Device Onboarding (FDO) specifications can help improve IoT security.

David Turner, director of standards development at FIDO Alliance, kicked off the event by noting that passwords remain a large problem across the IT industry. The challenge of passwords is compounded with IoT devices, which scale into the millions and potentially billions of devices. Challenges with passwords for IoT include password re-use, which can be a huge problem with IoT. If a system ships with a default password, it can be trivially easy for attackers to exploit.

“Hackers don’t break into IoT, they log into it,” Turner said.

One way to help secure IoT is with the FIDO Alliance’s FDO standard. Turner explained that FDO is an open standard that allows organizations to quickly and securely onboard IoT devices.

Small things, big impact: The path to FDO

Rolf Lindemann, director of product at Nok Nok and one of the leaders of the FIDO Alliance IoT Technical Working Group, explained that FIDO authentication standards are applicable to users as well as device authentication.

Lindermann said that there is a clear need to have a strong foundation to help secure IoT. The first step is to have hardened hardware elements at the CPU level including things like TPMs, TrustZone and SGX which are provided by the silicon vendors. The next critical step is to add device level attestation to help with supply chain integrity that also helps to reduce the complexity for device onboarding. The third step is to have strong authentication, that ensures only legitimate entries get access.

“To make the IoT ecosystem more secure, you need strong authentication that’s the front door providing fishing resistance and being still practical for daily large scale use,” Lindermann said. 

How FDO tackles the onboarding challenge

The challenge of onboarding is where the FDO specifications come into play.

Richard Kerslake, general manager of industrial controls and robotics, IoT business unit at Intel, explained that onboarding is the process by which a device can establish a trusted connection with a service or platform.

“We have an IoT device, it’s going to connect to a platform or service and we just need to be sure that everyone in that equation is who they say they are,” Kerslake explained. “Is the device talking to the platform that it thinks it is talking to, and is the platform talking to the device that it thinks it is talking to. So we really need to make sure that both sides of that equation are true.”

Onboarding today is often a very manual process. The promise of FDO is an automated approach that benefits from strong authentication. Kerslake explained that in December 2019 the decision was made to base the FDO specification on Intel’s Secure Device Onboard technology. The FDO 1.0 specification was released in March 2021 and updated to version 1.1 in April 2022.

Going a step further beyond just the specifications FIDO has worked with the Linux Foundation’s LF Edge project which has an open source implementation of FDO.

Going for a deep dive with FDO

There is a fair amount of nuance and details that go into the FDO specification.

In a deep dive session, Geoffrey Cooper, principal engineer, IoTG at Intel, explained the workflow, technical specification and procedures that enable FDO implementations.

Cooper explained that for example if a device is drop-shipped to a location and the device gets powered up and connected to the network, the goal with FDO is to enable that device to figure out who it’s supposed to connect to with proper authentication, sets everything up, and then it goes right into service.

“The idea is we’re taking something that was a very heavy touch kind of operation that we’re turning it into a zero touch operation,” Cooper said.

Enabling that zero-touch approach with FDO involves a series of protocols that are part of the specification. The protocols include device initialization and onboarding components. There is also a concept known as the FDO Service Info Module (FSIM) that provides an extension mechanism to help support devices.

During a robust Q&A session during the Authenticate virtual event, attendees asked a wide variety of questions.

Among the questions was one about what’s needed to help spur adoption for FDO.  Kerslake said there are companies today in different industry verticals including the energy sector, where operators are saying they will not proceed with bringing in new devices without an automated secure onboarding solution.

There are also a growing number of industry solutions that support FDO. Megan Shamas, senior director of marketing at the FIDO Alliance, said that by developing FDO in an industry standards body there are lots of opportunities for collaboration and promotion as well.

“We are in the midst of creating an implementer showcase, which should be live on the website soon,” Shamas said.

The path toward FDO certification

Looking beyond just the FDO specification there is also a need for certification, which is something the FIDO Alliance is now working on.

Paul Heim, director of certification at FIDO Alliance, said that  product certification ensures standardization and interoperability of products within an industry. He added that one of the most important factors about certification is that it helps to ensure consumer enterprise, and industrial protection. The lifecycle for FDO certification includes both functional and security certification.

“The FIDO device onboard certification program is intended to certify IoT devices and onboarding services certification that will be available for both FIDO members, and non-members,” Heim said.

The certification effort is still in development with a program launch set for the first quarter of 2023.

The post Authenticate Summit Recap: The FIDO Fit in IoT appeared first on FIDO Alliance.

Mountain View, Calif., November 22, 2022 – The FIDO Alliance today announces its latest Authenticate Virtual Summit: Securely Onboarding All the Things: The FIDO Fit in IoT, sponsored by Daon and Nok Nok. Responding to rising industry demand for more insight into the role of FIDO and passwordless technology in IoT, the free event will offer attendees expert perspectives and education from leading industry organizations and solution providers on strengthening authentication in IoT. The program will take place virtually on December 7 2022, from 8:00am – 12:00pm PT, and will be made available to registrants on-demand following the event. 

Lack of IoT security standards and outdated processes, such as shipping with default password credentials and manual onboarding, leave devices and the networks they operate on open to large-scale attacks. As the IoT market continues to grow, projected to surpass the $1 trillion mark in 2022, the FIDO Alliance formed the IoT Technical Working Group to address these challenges – aiming to provide a comprehensive authentication framework for IoT devices relying on passwordless authentication. 

Launched in 2021, the FIDO Device Onboard (FDO) specification is the working group’s first output: an open IoT standard which enables devices to simply and securely onboard to cloud and on-premise management platforms. The upcoming virtual summit will delve into this specification and FIDO’s role in IoT with speakers from Intel, Qualcomm, FIDO Alliance and more:

• Introduction: The FIDO Fit in IoT
• Introduction to FIDO Device Onboard
• FIDO Device Onboard: Technical Deep Dive
• FDO Demo
• FDO Case Study
• FDO Certification 101

Register for the event here. 

Sponsorship Opportunities 

The Authenticate 2022 Virtual Summit series is accepting applications for sponsorship, offering a number of lead generation and brand visibility opportunities. Visit the Authenticate sponsorship page for more information or contact authenticate@fidoalliance.org.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact
press@fidoalliance.org

The post FIDO Alliance Announces Authenticate Virtual Summit focused on Securing IoT appeared first on FIDO Alliance.

The final day of the Authenticate 2022 conference was packed with user stories, thought leadership and panel discussions about the challenges and opportunities for FIDO strong authentication today and in the years to come.

The first user story of the day was from global science and technology company EMD Group / Merck KGaA which is now using FIDO to help improve its own authentication system. Dennis Kniep, domain architecture for Identity and access management at the company explained that his team’s mission is to help secure the company where he sees FIDO as playing a major role.

A challenge that EMD Group / Merck KGaA faced with its implementation of FIDO is that there were a number of legacy applications and services that did not support modern web standards.

“We developed the detach authentication mechanism,” Kniep explained. “With that mechanism the users are able to authenticate with FIDO in a phishing resistant way, even if the user needs access to apps with legacy backends, meaning we can enforce FIDO.”

Equity and inclusion matter

A recurring theme through the Authenticate 2022 conference is the need for equity and inclusion.

One panel on the topic specifically looking at the issue of inclusiveness in authentication and identity systems. Jamie Danker, senior director of cybersecurity services at Venable LLP, commented that when solving a problem, the makeup of the people trying to solve a given problem will have an impact on the solution.

Danker noted that a recent equity and inclusion study completed by the U.S. government’s  General Services Administration (GSA) provides some real empirical data on how remote identity proofing solutions will actually operate. 

Danker also mentioned the NIST digital identity guidelines, which are currently being updated to revision 4. She noted that NIST has been very clear that equity considerations are going to be part of that.

Security is more than just the web interface

FIDO strong authentication helps to provide authentication into many different types of systems, but it’s not a ubiquitous option for all types of access.

“Everybody’s talking about web and mobile, and nobody’s talking about the contact center,” John Poirier, Lead Director – EIS at CVS Health said.

Poirier explained that when a password doesn’t work, or a user can’t get access, they will call into a contact center for help. He emphasized that there is a need to make sure there are security policies, procedures and technology in place at contact centers, that secure access, without introducing too much friction.

The idea of extending strong authentication to all types of devices was also discussed by Chad Spensky, CEO of Allthenticate and his co-founder and COO, Rita Mounir.

“The FIDO protocol right now only talks to websites and computers,” Spensky said.

Spensky wants to help bring strong authentication to all types of devices and access ranging from cars, to office doors and everything in between.

Navigating the authentication landscape

In a thematic presentation, Pamela Dingle, director of identity standards at Microsoft, spoke like a pirate and warned about passengers falling off the boat. 

The analogy of the boat is that of helping passengers safely get to their destination, which isn’t always an easy task. Dingle said that Microsoft blocks more than 1000 Password attacks every second, and outlined the multiple reasons why passwords are a weak link. She emphasized that users should wear a life jacket, which in the real world translates into user multi-factor authentication (MFA).

While there are risks with MFA, Dingle said it’s the right first step for many, until they are able to move to phishing resistant strong authentication with FIDO.

“Out of 10,000 compromised accounts, only one will be an MFA credential attack,” she said. “It’s really important to understand the difference in risk between being vulnerable to a password attack, and being vulnerable to an MFA bypass attack.”

That said, she noted that what makes phishing resistant credentials so great, is that they are not susceptible to exactly the same predictable behaviors that make MFA vulnerable. Dingle also noted that she’s very optimistic about the potential for passkeys.

“If we get it right. passkeys become the seat cushion that becomes a flotation device for our passengers,” she said.

Earning Trust in Identity at Scale

With one of the largest ecommerce  and cloud platforms in existence Amazon has a real need for strong authentication and it is increasingly relying on FIDO for those needs.

Sarah Cecchetti, head of product for Amazon Cognito explained that identity is handled by the platform team within Amazon Web Services. She noted that identity needs to have a consistent security and usability bar for every service at AWS. To that end, AWS has built out a modular, but centralized approach that uses FIDO.

Arynn Crow, Senior Manager, User Authentication Product at AWS, said that her company has invested really heavily into FIDO2.

“We continue to invest because fundamentally we believe that FIDO supports greater flexibility,” Crow said. “We have fewer trade-offs between our user’s experience and their security.”

Usability is the key to strong authentication adoption

In a panel session on usability, a key theme that emerged is the foundational need for good usability in order for FIDO adoption to grow.

Judy Clare, vice president, product manager, digital authentication at JP Morgan Chase commented that it’s critical to put strong authentication messages and workflow in the right tone. 

“The right wording and to make it clear, simple and understandable for the average user is very important so that you’re not ostracizing anybody by using all technical jargon,” Clare said.

The need for clear language was echoed by Sierre Wolfkostin, senior product designer at Duo Security. Wolfkostin said that it’s hard to adopt what you can’t understand. 

“Getting to simple human language is really important,” Wolfkostin said.

Usability is also about making sure there is a vibrant ecosystem of vendors and technologies that can help businesses small and large to actually implement FIDO strong authentication in the first place. 

In the closing panel of the event, Christiaan Brand, product manager at Google commented that while well staffed organizations might be able to implement strong authentication and passkey options on their own, many other organizations will need help. It’s a situation much like any other enterprise technology where organizations make use of consultants and service providers to implement complex technology.

Bob Lord, senior technical advisor at CISA argued that the best thing to do is to just start with FIDO. He emphasized the organization should focus on what they can do, not what they can’t.

“I think there’s a lot of hesitation at starting,” Lord said. “I think a lot of misconceptions out there would go away if they were to just start the journey, they would find their misconceptions are wrong.”

Next year in San Diego

In the closing session, Andrew Shikiar, executive director of the FIDO Alliance highlighted the key themes of the event.

Those themes are that deployments are real and organization can and should start today. Usability was another strong recurring theme, as a key to helping to ensure adoption. The concept of security by community also resonated at the conference, with users learning from each other about lessons learned.

In the final analysis the Authenticate 2022 was a stellar success with 90 sessions, spread across three tracks and three days of content.

For next year’s event, Authenticate 2023 will be moving to San Diego.

The post Authenticate 2022: Day 3 Recap appeared first on FIDO Alliance.

The Authenticate 2022 conference got underway on Oct. 17 with a stellar lineup of speakers that included enterprises, service providers and government agencies, all gathered to talk about the current and future state of strong authentication.

The opening session was led by FIDO Alliance Executive Director and CMO Andrew Shikiar who detailed the progress that has been made this past year. Among the highlights mentioned by Shikiar was the launch of passkeys. 

The FIDO Certified Professional program also got underway in 2022 providing a way for professionals to validate skills. There has also been work done to help with usability as well as adoption with initiatives designed to help accelerate broad deployment of FIDO strong authentication.

“Our mission is to reduce industry’s reliance on passwords and legacy multi factor authentication,” Shikiar said. “From day-one we’ve had this audacious goal of shifting away from centrally stored shared secrets to a model that is more possession based in nature and relies on common end user devices, that has been our guiding principle.”

Marcio Mello, head of product, PayPal identity platform, talked about how the online payment plans to leverage passkeys as a way to realize the promise of passwordless. Mello demonstrated workflows using passkeys showing how easy it is for a user to authenticate.

“I would say this is an inflection point in our decade-long commitment as an industry, to a passwordless world,” Mello said about passkeys.

NTT DOCOMO has been a leader both within and outside FIDO Alliance beginning with its Board appointment in 2015. DOCOMO has helped shape FIDO specifications and is the first mobile operator to deploy FIDO authentication at scale. Shikiar welcomed Koichi Moriyama, a Chief Security Architect at NTT DOCOMO, to the keynote stage where he announced DOCOMO’s intention to support passkeys for its millions of d ACCOUNT users. Moriyama said support would begin in early 2023.

U.S Government sees FIDO as the gold standard for MFA

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) is taking a very active interest in strong authentication.

“We’ve known for decades that passwords are a weak link in cybersecurity and that the extra layer of protection provided by multi factor authentication prevents cyber attacks,” CISA Director, Jen Easterly said. “Yet only a small percentage of people are using it.”

Easterly emphasized that CISA is aggressively pursuing multiple initiatives to help spur adoption of multi-factor authentication (MFA) and more specifically FIDO standards-based strong authentication.

“We’re using this opportunity to shine the spotlight on FIDO as the gold standard for MFA and the only widely available phishing resistant authentication method.”

Bob Lord, senior technical advisor, cybersecurity division at CISA, told the Authenticate 2022 audience that it is a weird thing that the technology industry has normalized the idea that the burden of staying safe is placed on those organizations that are least able to understand things like threat landscapes.

“We see far too many organizations failing in part because they have no idea they need to do this,” Lord said about strong authentication and FIDO adoption. “And that’s because they don’t have something that is nudging them in the right direction.”

Both Lord and Easterly advocated for technology vendors to make it easier for users to have strong authentication and provide security by default.

“Security features our customer rights, they’re not luxury goods,” Lord said.

FIDO Authentication has social impact

Jonathan Bellack, senior director, identity and counter-abuse technology at Google outlined some of the challenges that Google has seen for users adopting MFA and passwordless security.

“Our user research has shown at least from a consumer point of view, users don’t draw a distinction between any of the words we use in the industry like security, privacy, abuse as it all just kind of fits into this great amorphous blob of safety,” Bellack said.

He noted that consumers have very little time and they just want to know if they can do whatever task they want or need to complete online. To that end, Bellack detailed multiple efforts that Google has underway to embed security in a way that doesn’t introduce friction.

Christopher Harrell, CTO at Yubico, explained during his session how the use of FIDO authentication is being used by organizations around the world to help protect freedom and privacy. Yubico is working with the Freedom of the Press Foundation and Operation Safe Escape among other organizations. The company has donated over 20,000 keys to support many different government agencies in Ukraine. 

“We do hope that the war ends soon but in the interim, we hope that we can help protect infrastructure from cyber attacks,” Harrell said.

FIDO users detail adoption challenges and opportunities

A key part of the program for Authenticate 2022 are user stories and there were plenty to be told on the first day of the conference.

Ian Glazer, SVP product management at Salesforce, described the highs and the lows of his company’s MFA adoption efforts. Salesforce decided in the fall of 2019 that it wanted to achieve 100% adoption of MFA across its services and it’s a journey the company has been on ever since.

Salesforce’s path toward 100% MFA adoption involved both technical considerations as well as a massive effort to engage with users, which led to solid results. Glazer noted that at the end of Salesforce’s fiscal year approximately 80% of its monthly active users were using MFA or SSO. While 80% is a noticeable achievement, it’s not the 100% goal that Salesforce has set. Glazer emphasized that the pursuit of the 100% adoption figure forces his team to continue to innovate and find ways to push adoption.

Salesforce has noticed multiple benefits from MFA adoption so far, including cost reduction and security improvements.

“Because we adopted MFA, we have seen a dramatic reduction in account takeovers,” Glazer said.

Microsoft is also pushing hard for broad adoption as it aims to enable a passwordless experience for its users. Scott Bingham, Senior Program Manager in Identity, and Emily Houlihan, Senior Product Manager at Microsoft, explained in their session what lessons have learned so far on their passwordless journey.

Bingham said that Microsoft has spent years rolling out support for temporary one time passwords, security keys, authenticator apps and Windows Hello as different password replacement offerings. Microsoft is increasingly moving toward eliminating passwords entirely.

“People want passwordless,” Bingham said. “Security is important, but user experience is critical and helps to drive demand.”

USAA, which provides financial services to members of the U.S. military and veterans, is also adopting FIDO and MFA to help secure its users. Dereck Henson, technical security architect at USAA, provided a series of key lessons learned during his session.

His first lesson learned is that it’s a good idea to default to strong authentication from the start. 

“We found that it’s a whole lot easier to start someone in an MFA, highly secured program, rather than to convince them to change their mind later,” Henson said.

Another key lesson that USAA has learned is that when it comes to a passwordless approach, being entirely passive and not showing users that authentication in place, is not a winning scenario. Henson said that USAA members were calling in saying they had been members for decades and couldn’t believe they could just log in with a fingerprint. To that end, USAA has had to add some interstitial screens to its authentication workflow that tell users their access is being secured.

“So not only do you have to be secure, you have to actually look secure,” he said.

Financial service giant Citi has also embraced the FIDO strong authentication approach. Matthew Nunn, Director, Secure Authentication Architecture & Technology Engineering at Citi, did not mince words in his session about why there is a need to move away from passwords.

Nunn said that there really isn’t a meaningful way to make passwords more secure.

“The reason you’re doing passwords and we’ve been doing it for so long is because we are held hostage to the keyboard being the interface to use in order to interact with the system,” Nunn said.

He added that with passwordless, users are no longer held hostage and there is the ability to take advantage of capabilities in devices to authenticate, instead of users needing to regurgitate a password.

Day 2 of Authenticate 2022 is looking to be another packed day full of insightful content and discussion, with sessions on biometrics, consumer authentication habits, FIDO initiatives and more user sessions.Want to attend the next two days of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.

The post Authenticate 2022: Day 1 Recap appeared first on FIDO Alliance.

By: FIDO Staff

The second day of the Authenticate 2022 conference had a mix of topics and speakers that spanned multiple facets of the authentication world including payment security, biometrics, national identity and design systems.

The day got started with a keynote from Doug Fisher, senior director at Visa, who discussed the current state of the global payments system and the challenges it faces. Fisher noted that while ecommerce fraud remains a pervasive risk, strong online authentication is helpful to help reduce that fraud.  

A challenge for stronger forms of authentication for ecommerce is often that it introduces more friction into the consumer buying process, which can lead to shopping cart abandonment. To help solve that issue, Fisher explained that the FIDO Alliance, EMVCo and the W3C have been working together to help improve interoperability in a bid to reduce payment authentication friction. The joint effort had led to the Secure Payment Confirmation (SPC) standard that is currently in development

“SPC is a web standard currently in development that is built on WebAuthn to support streamlined authentication during a paymen

t transaction,” Fisher said. “SPC and FIDO go together like peanut butter and jelly.”

The perils of MFA

Not all multi-factor authentication (MFA) technologies are equal was the primary message in a session led by Roger Grimes, data-driven defense evangelist at KnowBe4.

Grimes outlined a litany of MFA bypass techniques that could potentially enable attackers to exploit vulnerable users. He emphasized however that FIDO based strong authentication is unlike MFA in that it can help to eliminate many of the man-in-the-middle attacks that enable bypassing techniques.

“MFA attacks have been around for decades but it certainly is going mainstream this year,” Grimes said.

The risks of non-FIDO MFA is top of mind for Heikki Palm Henriksen, CTO of BankID.

Henriksen’s organization provides a digital identification that is widely used in Norway. BankID started to look at FIDO in 2020 and discovered the insightful white papers produced by the alliance which helped Henriksen and his team to choose FIDO and begin implementation.

“We realized that FIDO2 was the best solution to modernize BankID to reach our goals,” Henriksen said.

Biometric considerations for FIDO

Strong authentication can make use of biometrics such as a fingerprint reader or facial recognition system, as an authenticator.

Biometric systems however are not universally without fault or bias, which is an issue that was discussed by Stephanie Schuckers, director, Center for Identification Technology Research (CITeR) at Clarkson University.

“When we talk about bias related to biometrics, what we’re really talking about is variability in performance due to demographics or demographic differentials,” she said.

Shuckers emphasized that bias relates to the specific technology implementation being used, not the whole field of biometric recognition. Through testing and certification, it is possible to better understand and reduce the risk of potential bias.

Greg Cannon, principal AI/ML standards at Amazon joined Schuckers for a panel session, emphasizing that the goal is to help eliminate passwords and biometrics is a great technology for doing that.

To help illustrate the point that biometrics spoofing is a concern that testing can help to solve, Shuckers brought some props on stage, including a mask of her own face, which apparently did not fool the facial detection system on her phone.

Consumer authentication habits

Understanding how users view authentication is an important aspect of understanding what needs to be done to help improve adoption.

The FIDO Alliance conducts an annual survey that looks at consumer habits for trends and adoption of authentication technologies. Megan Shamas, senior director of marketing at FIDO Alliance, said that the 2022 survey shows users are in some respects entering their passwords less than prior years, though the data is far from being definitive.

Perception of biometrics is also re-assuring as a potential way to help eliminate the use of passwords.

“We have actually been very pleased with consumer sentiment towards biometrics,” Shamas said. “In fact, a lot of consumers that we surveyed find it to be the most secure way to log in.”

Helping to reduce remote authentication fraud

Marianne Crowe, vice president, secure payments innovation and research at Federal Reserve Bank of Boston, used her time on stage to ask for more cooperation across the authentication ecosystem to help secure against fraud.

Crowe noted that there is consumer fatigue with passwords and many users will just reuse the same passwords on multiple sites which is an unsafe practice. MFA is helpful, but she noted that it is often inconsistent today in how it is presented to consumers.

“We’ve got to try to increase implementation and adoption of MFA even in industries and businesses that aren’t required to do it,” Crowe said.

Design system comes to FIDO

One of the ways consistency can come to authentication and specifically to FIDO based strong authentication is with the use of a design system. 

Organizations can now benefit from the FIDO design system at fidoalliance.org/design-system that provides principles, patterns and reusable components.

“Our intention for putting all this together is to make FIDO deployments simpler and faster for product designers, for project managers, product managers and engineers,” Kevin Goldman, chief experience officer at Trusona, said. “Our intention is to fill the gaps that they might have around authentication in their own design systems.”

The final day of Authenticate 2022 is looking to be another day loaded with useful content, thoughtful discussion, more user stories and best practices to help organizations move to the passwordless future.Want to attend the final day of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.

The post Authenticate 2022: Day 2 Recap appeared first on FIDO Alliance.

FIDO Alliance’s second annual Online Authentication Barometer reveals the habits, trends and adoption of authentication technologies

Summary of key findings:

• Entering passwords has dropped globally – by 5% – 9% across all use-cases tracked, as people adopt more convenient ways of logging in.
• Yet passwords are still the most-used authentication method and they are proving costly to service providers – 59% of people gave up on accessing online services and 43% abandoned purchases in a given month.
• The use of SMS OTPs has increased globally – by 1% – 4% as it is increasingly offered by service providers as a multi-factor authentication method.
• Businesses need a way to offer people the convenience they want without sacrificing security – passkeys is one new approach and is on the radars of 48% of 18-34 year-olds.
• The metaverse has gained traction yet phishable authentication dominates despite security concerns – 61% of metaverse users are concerned over their security and privacy yet 38% use a password.

SEATTLE, WA, October 18, 2022 — The FIDO Alliance today published its second annual Online Authentication Barometer, which gathers insights into the state of online authentication in 10 countries across the globe. New to the Barometer this year, the FIDO Alliance has begun tracking authentication in the metaverse, and plans to incorporate utilization of technologies like passkeys in future editions of the report.

Key findings

The 2022 Online Authentication Barometer has identified that entering passwords online has dropped by 5% – 9% across all five major use-cases that it tracks – including accessing financial services, work computers and accounts, social media, streaming services, and smart home devices – compared to last year.

Despite this, passwords remain the dominant form of online authentication and cause major issues for people and businesses. For example, 70% of people had to recover a password at least once in a given month. Service providers and retailers also were impacted, with 59% of people giving up on accessing online services in a given month and 43% abandoning purchases because they couldn’t remember their password.

Data from the Barometer also suggests these issues with remembering and entering passwords are leading more people to stay logged into accounts, rising by 5% – 11% across all use-cases, as people opt for greater convenience. Other notable trends include multi-factor authentication through SMS One-Time Passcodes (OTPs) rising between 1% – 4% across all use-cases, as this legacy form of second-factor authentication is increasingly offered by service providers to rapidly improve consumer security and to meet regulatory requirements.

“This year’s Barometer data reveals that people see entering passwords as a pain and avoid it when they can,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Service providers realize the inconvenience and security issues with passwords and are offering more ways to authenticate such as cookies to stay logged in and/or legacy MFA like SMS OTPs.” 

Shikiar added: “However, these attempts at convenience and security are still based on outdated and phishable authentication technologies that everyone needs to move away from if we are ever going to stop the constant onslaught of data breaches. Organizations should all have implementation of modern, phishing-resistant authentication on their roadmaps, whether it is via on-device biometrics, FIDO security keys or passkeys.” 

Tracking emerging technologies

The FIDO Alliance’s Online Authentication Barometer is designed to track habits, trends and adoption across key use-cases, including new technologies and use-cases as they are adopted. This year, it began tracking the metaverse as one of its key online use-cases. The Barometer also sampled early insights into passkeys, which are FIDO credentials designed to replace passwords that provide faster, easier, and more secure sign-ins to websites and apps.

Almost a third of people (31%) have logged into the metaverse recently, with 61% concerned over their security and privacy. Despite this, phishable authentication methods dominate with 38% of people logging in with passwords, 24% using password plus OTPs, and 21% remaining logged in. Other, more secure, possession-based methods like biometrics (26%) and physical security keys (16%) are also prevalent.

Passkeys, which provide secure and convenient passwordless sign-ins to online services, appear to 

have a high level of awareness, despite only being announced this year. The data shows that 39% of people are familiar with the concept of passkeys – and this is especially high among 18-34 year-olds at 48%. FIDO’s Online Authentication Barometer will track the adoption of passkeys in next year’s report and determine how far this early awareness translates into usage.

Ends

Notes to editors:

• Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,044 consumers across the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India and China.

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact 

press@fidoalliance.org 

The post FIDO Alliance study reveals global password usage is down – yet its continued dominance is proving costly appeared first on FIDO Alliance.

FIDO Alliance’s second annual Online Authentication Barometer reveals the habits, trends and adoption of authentication technologies

Summary of key findings:

• Entering passwords has dropped globally – by 5% – 9% across all use-cases tracked, as people adopt more convenient ways of logging in.
• Yet passwords are still the most-used authentication method and they are proving costly to service providers – 59% of people gave up on accessing online services and 43% abandoned purchases in a given month.
• The use of SMS OTPs has increased globally – by 1% – 4% as it is increasingly offered by service providers as a multi-factor authentication method.
• Businesses need a way to offer people the convenience they want without sacrificing security – passkeys is one new approach and is on the radars of 48% of 18-34 year-olds.
• The metaverse has gained traction yet phishable authentication dominates despite security concerns – 61% of metaverse users are concerned over their security and privacy yet 38% use a password.

SEATTLE, WA, October 18, 2022 — The FIDO Alliance today published its second annual Online Authentication Barometer, which gathers insights into the state of online authentication in 10 countries across the globe. New to the Barometer this year, the FIDO Alliance has begun tracking authentication in the metaverse, and plans to incorporate utilization of technologies like passkeys in future editions of the report.

Key findings

The 2022 Online Authentication Barometer has identified that entering passwords online has dropped by 5% – 9% across all five major use-cases that it tracks – including accessing financial services, work computers and accounts, social media, streaming services, and smart home devices – compared to last year.

Despite this, passwords remain the dominant form of online authentication and cause major issues for people and businesses. For example, 70% of people had to recover a password at least once in a given month. Service providers and retailers also were impacted, with 59% of people giving up on accessing online services in a given month and 43% abandoning purchases because they couldn’t remember their password.

Data from the Barometer also suggests these issues with remembering and entering passwords are leading more people to stay logged into accounts, rising by 5% – 11% across all use-cases, as people opt for greater convenience. Other notable trends include multi-factor authentication through SMS One-Time Passcodes (OTPs) rising between 1% – 4% across all use-cases, as this legacy form of second-factor authentication is increasingly offered by service providers to rapidly improve consumer security and to meet regulatory requirements.

“This year’s Barometer data reveals that people see entering passwords as a pain and avoid it when they can,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Service providers realize the inconvenience and security issues with passwords and are offering more ways to authenticate such as cookies to stay logged in and/or legacy MFA like SMS OTPs.” 

Shikiar added: “However, these attempts at convenience and security are still based on outdated and phishable authentication technologies that everyone needs to move away from if we are ever going to stop the constant onslaught of data breaches. Organizations should all have implementation of modern, phishing-resistant authentication on their roadmaps, whether it is via on-device biometrics, FIDO security keys or passkeys.” 

Tracking emerging technologies

The FIDO Alliance’s Online Authentication Barometer is designed to track habits, trends and adoption across key use-cases, including new technologies and use-cases as they are adopted. This year, it began tracking the metaverse as one of its key online use-cases. The Barometer also sampled early insights into passkeys, which are FIDO credentials designed to replace passwords that provide faster, easier, and more secure sign-ins to websites and apps.

Almost a third of people (31%) have logged into the metaverse recently, with 61% concerned over their security and privacy. Despite this, phishable authentication methods dominate with 38% of people logging in with passwords, 24% using password plus OTPs, and 21% remaining logged in. Other, more secure, possession-based methods like biometrics (26%) and physical security keys (16%) are also prevalent.

Passkeys, which provide secure and convenient passwordless sign-ins to online services, appear to 

have a high level of awareness, despite only being announced this year. The data shows that 39% of people are familiar with the concept of passkeys – and this is especially high among 18-34 year-olds at 48%. FIDO’s Online Authentication Barometer will track the adoption of passkeys in next year’s report and determine how far this early awareness translates into usage.

Ends

Notes to editors:

• Research for the FIDO Alliance’s Online Authentication Barometer was conducted by Sapio Research among 10,044 consumers across the UK, France, Germany, US, Australia, Singapore, Japan, South Korea, India and China.

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact 

press@fidoalliance.org 

The post FIDO Alliance study reveals global password usage is down – yet its continued dominance is proving costly appeared first on FIDO Alliance.

As high-value services increasingly move online – from banking applications to government services – demand is rising for more robust verification solutions to validate user identities remotely by leveraging trusted government-issued ID documents. Accurate remote identity verification is also critical at the point of account creation, prior to FIDO authentication, and during the account recovery process. 

The DocAuth Certification Program provides a standard testing process for organizations to prove their products can validate different government-issued ID document types across multiple geographies, and that they are fit for commercial use. For service providers, the program provides a benchmark when evaluating multiple vendors to ensure they meet global performance standards and can assist in stopping bad actors from creating accounts using fake or stolen documentation. 

“FIDO Alliance was pleased to collaborate with our FIDO Accredited laboratory partners on this important program, as accurately verifying a user’s identity during initial account creation is a critical step in the overall integrity of the account – and also strengthens the security of subsequent FIDO-based sign-ins,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “The launch of FIDO’s Document Authenticity Certification Program gives service providers a FIDO Certified mark to ensure the mobile document verification solutions they choose have met globally-recognized standards and can assist them in providing greater security across the entire account lifecycle. We look forward to seeing the first FIDO DocAuth Certified products early next year.” 

Program Details 

The DocAuth Certification Program provides certification performance criteria for vendors, and sets test procedures that FIDO Accredited Laboratories use for evaluating mobile document verification solution capabilities. A full list of FIDO Accredited Document Authenticity Laboratories can be found here. 

The program is open to vendors seeking certification for their mobile document verification solutions. Vendors who achieve certification receive a Document Authenticity Certificate, as well as granted use of the FIDO Certified mark, to demonstrate they have passed the well-defined testing administered by the FIDO Alliance and Accredited Laboratories. 

FIDO Document Authenticity Certification is independent of other FIDO certification programs. There are no FIDO Certification prerequisites to apply for Document Authenticity Certification. 

The FIDO Alliance plans to expand its identity verification program in 2023 with the launch of a face verification certification, including performance criteria requirements that address liveness and selfie-match.

About the FIDO Alliance 

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services. 

PR Contact 
press@fidoalliance.org

The post FIDO Alliance Announces Document Authenticity Certification Program for Remote Verification appeared first on FIDO Alliance.

Megan Shamas, senior director of marketing, FIDO Alliance

Cybercriminals are like trick or treaters – knocking on doors and helping themselves to your freely-given credentials. Whether traditional phishing emails or more sophisticated deepfake-bolstered attacks, our digital lives and the proliferation of passwords are making us increasingly vulnerable to the cyber threat.

Awareness is a core part of FIDO Alliance’s mission to move the world away from passwords to simpler, stronger authentication. Standards and technology is just one half of solving cybersecurity challenges – we have a duty to educate and provide the best information and resources to help everyone make smart decisions in whatever online environment they’re in – whether you’re at work, studying, or in your personal life. 

That’s why we love working with CISA and NCSAM and their efforts around Cybersecurity Awareness Month, as it gets to the ‘people’ part of cybersecurity. And undoubtedly, when we think of that ‘people’ part, phishing and social engineering attacks are top of the list.

To promote this year’s Cybersecurity Awareness Month, we’ve taken inspiration from the impending spooky season to unmask the scariest techniques and technologies criminals are using to steal your sweet candy credentials – and, how to stop them.

The Wolf in Sheep’s Clothing 

The online world can be a great space for finding friends, work, and romance. But wolves can be lurking behind friendly chats and interactions. These types of attacks are quite sophisticated, and usually take place over an extended period while the attacker wins the trust of their unsuspecting victims.  

Plenty of Fish can quickly become Plenty of Phish, catching consumers when they have their guard down and least expect anything. The recent Netflix documentary ‘Tinder Swindler’ is a great example of how convincing and persistent these fraudsters can be. When forming relationships online, remember that those on the other end of apps might not always be who they seem before sharing any sensitive information that could help them take over your online accounts.  

The Ghosts of Phishmas Past 

An email from the bank wanting to confirm your details. A text from couriers asking you to reschedule your delivery. The cheery retailer message to say you’ve won $100 to spend if you register a new account.

You might think you’ve seen and heard it all before, but these older, tried and tested phishing techniques are haunting us and are still by far the most effective. Take the Royal Mail SMS scam that blew up last Christmas time in the UK, or the recent global attack on Facebook Business/ad users. An estimated three in five were targeted by fake delivery text messages in 2021. As both the volume and quality of attacks continue to rise, the simplest of phishing and smishing could catch any of us out.

The Shapeshifter

You’ve no doubt seen funny viral videos of deepfakes, like Tom Cruise singing, or heard of the fake videos created of Ukranian President Zelensky earlier this year. But deepfake technology isn’t just limited to comedy and political attacks – this technology is becoming both more readily available and more convincing, bringing to the fore even more effective attacks on everyday consumers. Back in June, the FBI even issued a warning to employers about fake employees using the technology to apply for jobs under false pretences to defraud organisations.

Deepfake video and audio is now being used to bolster more standard phishing attacks and convince victims they’re engaging with those closest to them to pressure them into giving away sensitive information and details.

The Terminator

This is one type of social engineering attack that should send shivers down your spine. Recent advances in AI and machine learning are enabling attackers to automate highly targeted attacks – known as spear-phishing – by data scraping and integrating convincing details like name, date of birth and employer details, into attacks. 

By revealing just enough legitimate information, consumers are lured into a false sense of security and even more likely to share credentials. Now automated at an alarming rate and level of sophistication, this is one attack that will keep coming back… that is, if we don’t find a strong enough defence. 

Boo, Passwords!

The only way we can truly protect ourselves from sharing our most precious credentials online is to not have credentials we can share in the first place. If passwords are like Halloween candy at our doors, moving to something we simply can’t share like FIDO cryptographic-based signs ins and on-device biometrics means even if you fall for the trick, fraudsters are going hungry.   

FIDO authentication, created by global collaboration of the world’s biggest tech companies, numerous service providers and security stakeholders, is the only widely available phishing-resistant authentication method. Increasingly, governments like the US and the UK are citing FIDO as the ‘gold standard’ for organisations to implement and access robust cybersecurity. FIDO technology is readily available for companies big and small to implement and, as Cloudflare’s recent thwarted cyberattacks shows, it’s effective. 

FIDO technology is about to become more readily available and ubiquitous among consumers too. Earlier this year, the world’s biggest platforms – Apple, Google and Microsoft – committed to supporting our new security key standards, FIDO multi-device credentials, also known as ‘passkeys’. This means, across our most favoured browsers and devices, we’ll soon be able to access FIDO-based passwordless sign-in technology with the same gestures we use every day on mobile devices, using biometrics or PIN. 

This Cybersecurity Awareness Month, we’re urging service providers to get phishing-resistant passwordless authentication on their roadmap so consumers can make the move to passwordless – or at the very least, using passwords less – so we can leave these social engineering monsters toothless.

The post The Top Cyber Attacks Still Scaring us this Halloween – and How to Stop Them appeared first on FIDO Alliance.

July 2022 was a busy month for FIDO members in APAC, particularly with the events that took place in Korea and Vietnam:

FIDO Tech Seminar in Korea

On July 13th, the FIDO Korea Working Group held a half-day virtual tech seminar with 250+ attendees.  The sessions included updates on the state of the FIDO Alliance and its certification programs, an introduction to FIDO Device Onboard (FDO), a FIDO Authentication 101, an introduction to multi-device FIDO credentials (also known as “passkeys”), and a presentation on understanding Korean  laws mandating the use of passwords.

[Pic 1: Snapshot of FIDO Tech Seminar Platform]	[Pic 2: Samples of Virtual Sessions]

This tech seminar covered topics such as FDO and passkey, and provided a forum for industry experts to learn about phishing-resistant online authentication. 

Based on the post-event survey, over 30% of attendees reported they were victims of credential thefts, though they are online security industry experts or studying in the related fields.  Mr. Hyeong Won Pyo at Chosun Media thoughtfully summarized what he learned from the seminar while sharing with his colleagues and friends: “Our journalists are under attack by online phishing campaigns, and it was great to learn how to protect them with FIDO Authentication.”

Those who missed the live streaming sessions can watch the recordings here.

Vietnam Goes Passwordless Roundtable

On the same afternoon, FIDO Alliance participated in another hybrid event, the Vietnam Goes Passwordless Roundtable, organized by VinCSS and Vietnamese Ministry of Information and Communication.

It was the first forum on passwordless authentication in Vietnam, and the cyber security industry leaders in the region gathered representatives from the state banks, and local journalists.

[Pic 3: FIDO Update by Andrew Shikiar]	[Pic 4: Panel Discussion Session]

During the event local cyber security leaders discussed and shared best practices on digital authentication, disruptive technologies, and mega trends of passwordless authentication.  The experts recognized the recent increase of cyber-attacks in Vietnam as a risk factor for further developing digital applications, which is one of the top strategic activities of Vietnamese National Digital Transformation Program.

Mr. Do Ngoc Duy Tranc, CEO of VinCSS said, “VinCSS is ready to sponsor and support the nation by integrating strong FIDO-based passwordless authentication technology by building broader cooperation mechanisms with multi-sectors.”

To learn more about the event and exciting passwordless activities in Vietnam, please visit the event platform.

The post Momentum in APAC:  FIDO Tech Seminar in Korea and Passwordless Roundtable in Vietnam Recaps appeared first on FIDO Alliance.

Seattle, Washington, August 2, 2022 – The FIDO Alliance announced its keynote speakers and full agenda for Authenticate 2022, the only industry conference dedicated to the who, what, and where of user authentication. 

This year’s featured keynote will be presented by Cybersecurity and Infrastructure Security Agency (CISA’s) Director, Jen Easterly, and Senior Technical Advisor, Bob Lord. Additional speakers including Jonathan Bellack, Senior Director, Identity & Counter-Abuse Technology at Google; Pamela Dingle, Director of Identity Standards, Microsoft; Luis G. DaSilva, Head of Digital Identity Products at Visa; and Christopher Harrell, Chief Technology Officer at Yubico will deliver keynote presentations exploring the theme of “taking modern authentication to the next level” from a variety of diverse, global perspectives. 

Authenticate 2022 is a hybrid event, held at the Sheraton Grand in Seattle, Washington and virtually on October 17-19, 2022. Now in its third year, the event is focused on providing education, tools, and best practices for modern authentication across web, enterprise, and government applications. CISOs, security strategists, enterprise architects, and product and business leaders are invited to register at https://authenticatecon.com/event/authenticate-2022-conference/. 

In response to its rising popularity, the conference now features a third content track and offers more than 80 sessions. Speakers from ADP, Amazon, Citi, CVS Health, Salesforce, Target, USAA and others will deliver a diverse set of sessions, detailed case studies, technical tutorials, and expert panels. Attendees will also benefit from a dynamic expo hall and networking opportunities whether attending in-person or virtually. 

Sponsorship Opportunities at Authenticate 2022 

Authenticate 2022 is also accepting applications for sponsorship, offering opportunities for companies to put their brand and products front and center with brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/event/authenticate-2022-conference/. 

There are a limited number of opportunities remaining. Requests for sponsorship should be sent to authenticate@fidoalliance.org. 

About Authenticate 

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

In 2022, Authenticate will be held October 17-19 at the Sheraton Grand in Seattle, Washington and virtually. Early-bird registration discounts are available through September 2, 2022. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter. 

Signature sponsors for Authenticate 2022 are Google, Microsoft, Visa, and Yubico.

Authenticate Contact 
authenticate@fidoalliance.org  

PR Contact 
press@fidoalliance.org  
SOURCE FIDO Alliance, Inc.

The post CISA Director Jen Easterly to Deliver Signature Keynote at FIDO Alliance’s Authenticate 2022 Conference  appeared first on FIDO Alliance.

New Delhi, India, June 28^th, 2022 – The FIDO Alliance today announced the FIDO Developer Challenge – India. Building on the success of the FIDO Developer Challenges over the past three years, the FIDO Alliance is focusing the program on the Indian market, encouraging local developer teams to create and present compelling and innovative applications leveraging FIDO standards and technologies.

In India, cyber-attacks have doubled in the past three years, according to University of Surrey research, with enterprises the most common target of these attacks. Knowledge-based authentication, such as passwords, is no longer fit for the rapidly developing and connected Indian market. The FIDO Alliance is bringing its Developer Challenge to India to empower local developers to explore new options for moving beyond passwords with simpler, stronger FIDO Authentication.

“Educating and supporting the developer community is a priority for the FIDO Alliance, and is one of the key elements to driving market adoption of FIDO Authentication standards,” said Andrew Shikiar, executive director and CMO at the FIDO Alliance. “Over the years, the FIDO Developer Challenge programs have been a major component in successfully engaging local developers. India has a rich history of developer talent and innovation – we are looking forward to seeing how these bright minds leverage FIDO standards to bring simpler, stronger authentication capabilities to web applications and services.”

Participating teams will use public web frameworks and/or SDKs from FIDO Alliance’s members and sponsors of the Developer Challenge. Sponsors currently include Visa, Infineon, Samsung Electronics, Trustkey, Ensurity, and Octatco.

The Challenge is open to students, individual developers, and pre-seed-stage companies residing in India. Projects should apply FIDO Authentication protocols to address modern technical or social challenges within various fields such as fintech, ecommerce, IoT, retail, blockchain, healthcare, public service, gaming, education, AI and the Metaverse.

In addition to receiving goods and prizes from FIDO Alliance and the Challenge sponsors, the winning team will be invited by the FIDO India Working Group to make their final presentations to FIDO Alliance global stakeholders.

The deadline to submit an application is August 12, 2022. Registration to participate can be found here: https://forms.gle/infm9319Ph8HwbJv8

(*The application submission deadline has been extended from August 12th to September 12th.)

Additional resources for the event can be found on the FIDO Developer Challenge India homepage: https://fidoalliance.org/fido-developer-challenge-2022-india/

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. By harnessing the collective expertise of hundreds of leading technology, consumer services and government organizations, the FIDO Alliance is enabling simpler and stronger online experiences and more secure online identities and devices. The FIDO Alliance creates and publishes specifications, executes rigorous certification programs and educates consumers in order to build confidence and trust in FIDO Certified products and services.

The post <strong>FIDO Alliance Announces the FIDO Developer Challenge – India</strong> appeared first on FIDO Alliance.

Identiverse, Denver, CO June 22, 2022 – The FIDO Alliance today released new user experience (UX) guidelines to help accelerate deployment and adoption of multi-factor authentication (MFA) with FIDO security keys. 

The FIDO Security Key UX Guidelines are available at https://fidoalliance.org/ux-guidelines/. 

FIDO security keys – small, portable high-security devices that connect to a phone or computer via USB, Bluetooth or NFC – are considered by many to be the “gold standard” for multi-factor authentication. Simply touching this device during sign-in protects accounts from a targeted attack 100% of the time. Many services, including Twitter and Facebook, now offer the option to enable FIDO security keys for mobile and desktop access. 

The aim of the FIDO Security Key UX Guidelines is to help online service providers design a better, more consistent user experience for the consumer security key audience and ultimately maximize adoption. The document provides UX guidelines for all major steps of a consumer’s journey with FIDO security keys: awareness; consideration; enrollment; management; and authentication. 

“Having reached widespread support for FIDO Authentication across the web, the FIDO Alliance is increasingly focused on ways to grow and ultimately reach mass adoption. One of our primary areas of focus towards this objective is making FIDO more usable and accessible,”  said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We’ve established a FIDO UX Task Force consisting of UX experts from around the globe to conduct research and provide guidance on how to optimize user journeys as users enroll in, and subsequently sign in, with FIDO in various use cases. Today’s guidelines follow our first set of UX guidelines focused on the desktop authenticator user experience, with more to follow. I strongly encourage service providers to leverage these best practices when rolling out FIDO Authentication.” 

The guidelines were created by the FIDO Alliance UX Task Force in partnership with usability research firm Blink UX. They conducted formal research of FIDO user journeys and actively engaged with FIDO Alliance stakeholders to establish these FIDO security key UX best practices. The guidelines were developed following multiple sessions of moderated and unmoderated consumer research conducted by Blink UX, in collaboration with FIDO UX Task Force members.

Learn more about the FIDO Security Key UX Guidelines at Identiverse 2022

Attending Identiverse? Learn more about the guidelines today, June 22, during the session “Optimizing UX for FIDO Security Keys” at 12:00 pm MDT. 

About the FIDO UX Task Force

The FIDO UX Task Force for this project was established to develop best UX practices for implementing MFA with FIDO security keys for consumer web-based sites on desktops/laptops across platforms. Member volunteers for this project included product and design leaders from Feitian, Google, IBM, Idemia, JP Morgan Chase Bank, Meta, Microsoft, NIST, OneSpan North America, Onfido, Trusona, Trustkey, Visa, VMware, and Yubico. 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. By harnessing the collective expertise of hundreds of leading technology, consumer services and government organizations, the FIDO Alliance is enabling simpler and stronger online experiences and more secure online identities and devices. The FIDO Alliance creates and publishes specifications, executes rigorous certification programs and educates consumers in order to build confidence and trust in FIDO Certified products and services.

Contact

press@fidoalliance.org

The post FIDO Alliance Releases Guidelines for Optimizing User Experiences with FIDO Security Keys appeared first on FIDO Alliance.

World Password Day was created in 2013 to help people better secure their accounts by providing tips for better password hygiene: don’t reuse passwords; use a complex, random string of letters, numbers and characters; use a password manager. At the time of its inception the intentions of this day were positive and necessary as we didn’t have more secure consumer-friendly alternatives readily available. 

Technology and best practices have changed over the years and many now use World Password Day to encourage users to level-up their account security by enabling multi-factor authentication. This is certainly a best practice for password-based logins, but falls short of addressing the evolving threat landscape which has commercialized the ability for hackers to bypass legacy forms of MFA. 

What we ultimately need is widespread availability of passwordless sign-in technology that is more convenient and more secure – and we have that today with FIDO Authentication, which is already supported in over 90% of web browsers and virtually every modern handset and computing device. 

In March of this year the FIDO Alliance shared its vision to make FIDO Authentication even more widely available and consumer-ready through the advent of multi-device FIDO credentials (referred to by some as “passkeys”). 

Today, as an evolution of this announcement, FIDO Alliance is excited to share that Apple, Google and Microsoft are aligned with this vision and will be implementing multi-device FIDO credentials in their respective platforms. Read the press release for more details.

From a user experience standpoint, this will be very similar to how one interacts with a password manager today to help them securely enroll and sign into websites – only it will be far more secure as the process will issue a FIDO keypair instead of a password. 

From a service provider perspective, the availability of multi-device FIDO credentials will join the ongoing and growing utilization of security keys to allow for a full range of options for deploying modern, phishing-resistant authentication.

In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. This is a critical step in helping the industry at large break its dependence on the passwords and other knowledge-based credentials which to this day are the cause of over 80% of data breaches.

I am often asked when the industry will be able to get rid of passwords – to which I respond that the path towards passwordless is a journey and not a sprint. That being said, the first step on the password-less journey is to use less passwords – which is embodied by the commitment made today by the world’s largest platform providers.  While “Less Passwords Day” doesn’t roll off the tongue as well as “World Password Day,” it certainly is a day worth celebrating!

The post World Password Day Had a Good Run. Now We’re Celebrating A Future with Less Passwords appeared first on FIDO Alliance.

Mountain View, California, MAY 5, 2022  – In a joint effort to make the web more secure and usable for all, Apple, Google and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.  

Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.  

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS. 

An Expansion of Passwordless Standard Support 

Hundreds of technology companies and service providers from around the world worked within the FIDO Alliance and W3C to create the passwordless sign-in standards that are already supported in billions of devices and all modern web browsers. Apple, Google, and Microsoft have led development of this expanded set of capabilities and are now building support into their respective platforms. 

These companies’ platforms already support FIDO Alliance standards to enable passwordless sign-in on billions of industry-leading devices, but previous implementations require users to sign in to each website or app with each device before they can use passwordless functionality. Today’s announcement extends these platform implementations to give users two new capabilities for more seamless and secure passwordless sign-ins: 

1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account. 
2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

In addition to facilitating a better user experience, the broad support of this standards-based approach will enable service providers to offer FIDO credentials without needing passwords as an alternative sign-in or account recovery method. 

These new capabilities are expected to become available across Apple, Google, and Microsoft platforms over the course of the coming year. 

“‘Simpler, stronger authentication’ is not just FIDO Alliance’s tagline — it also has been a guiding principle for our specifications and deployment guidelines. Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Apple, Google, and Microsoft for helping make this objective a reality by committing to support this user-friendly innovation in their platforms and products,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “This new capability stands to usher in a new wave of low-friction FIDO implementations alongside the ongoing and growing utilization of security keys — giving service providers a full range of options for deploying modern, phishing-resistant authentication.”

“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers,” said Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency. “At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”

“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, Apple’s Senior Director of Platform Product Marketing. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.” 

“This milestone is a testament to the collaborative work being done across the industry to increase protection and eliminate outdated password-based authentication,” said Mark Risher, Senior Director of Product Management, Google. “For Google, it represents nearly a decade of work we’ve done alongside FIDO, as part of our continued innovation towards a passwordless future. We look forward to making FIDO-based technology available across Chrome, ChromeOS, Android and other platforms, and encourage app and website developers to adopt it, so people around the world can safely move away from the risk and hassle of passwords.”

“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” says Alex Simons, Corporate Vice President, Identity Program Management at Microsoft. “By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords. We see a bright future for FIDO-based credentials in both consumer and enterprise scenarios and will continue to build support across Microsoft apps and services.”

Available Resources:

White Paper: Multi-Device FIDO Credentials

Blog: Charting an Accelerated Path Forward for Passwordless Authentication Adoption

Webpage

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

About Apple

Apple revolutionized personal technology with the introduction of the Macintosh in 1984. Today, Apple leads the world in innovation with iPhone, iPad, Mac, Apple Watch, and Apple TV. Apple’s five software platforms — iOS, iPadOS, macOS, watchOS, and tvOS — provide seamless experiences across all Apple devices and empower people with breakthrough services including the App Store, Apple Music, Apple Pay, and iCloud. Apple’s more than 100,000 employees are dedicated to making the best products on earth, and to leaving the world better than we found it.

About Google

Google’s mission is to organize the world’s information and make it universally accessible and useful. Through products and platforms like Search, Maps, Gmail, Android, Google Play, Google Cloud, Chrome and YouTube, Google plays a meaningful role in the daily lives of billions of people and has become one of the most widely-known companies in the world. Google is a subsidiary of Alphabet Inc.

About Microsoft

Microsoft enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

The post Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard to Accelerate Availability of Passwordless Sign-Ins appeared first on FIDO Alliance.

MOUNTAIN VIEW, CA, April 12, 2022 – FIDO Alliance today announced that testing is now available for individuals seeking to become FIDO Certified Professionals. Experts in online security and authentication are invited to apply and demonstrate their ability to support businesses designing their authentication strategy and migration away from outdated techniques like passwords. 

FIDO is increasingly recognized by global enterprises, governments and consumers as the gold standard for phishing-resistant multi-factor authentication; just recently, it was cited as ‘best practice’ in the U.S. Zero Trust Strategy. This program meets the corresponding demand for trusted professionals with FIDO expertise to support the implementation of FIDO authentication into organizations’ identity architectures. 

“Organizations of all sizes and across all industries are increasingly aware that passwords are no longer fit for purpose, but very few know what the other options are, and even fewer know how to get there,” said Andrew Shikiar, Executive Director and CMO of the FIDO Alliance. “The FIDO Certified Professional Program stands to be a powerful tool in orchestrating the next phase of mass migration to more robust, modern authentication infrastructures. With more experts on the ground, we can keep empowering businesses all over the world to break their dependence on passwords – enabling greater security and enhanced user experience.”

Aspiring FIDO Certified Professionals must be equipped with advanced technical knowledge to help organizations define a robust FIDO architecture that meets their business needs. Individuals are assessed on their skills and knowledge in relation to the FIDO standards and architecture, as well as the identity and authentication space more broadly. 

Achieving FIDO certification provides an array of benefits for professionals including:

• Competitive advantage in a highly-skilled industry
• Ability to execute projects with increased efficiency
• Increased earning potential 
• Professional credibility and validation of expertise
• Networking and business opportunities as part of the Alliance  

Participants are assessed via an exam curated by industry peers and FIDO partner, Professional Testing. The program is recommended for professions including technology architects, systems and operations engineers, security professionals and identity and access management professionals. 

Among the first group to receive their FIDO certification are professionals who aided in the development of the exam: Eldan Haim, Apiiro; Shane Weeden, IBM; David Turner, FIDO Alliance; Susana Rodriguez, HYPR; Khedron de León, HYPR; Baljeet Sandhu, HYPR; Pasha Benenson, HYPR; Manish Khedawat, Target; and Aleksey Kravtsov, Warby Parker.

Individuals seeking certification should visit https://fidoalliance.org/fido-certified-professional-program/ to register with FIDO Alliance to take the exam. 

For more information, please contact certification@fidoalliance.org. 

PR Contact
press@fidoalliance.org 

About the FIDO AllianceThe FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

The post FIDO Alliance Empowers New Wave of Authentication Experts with FIDO Certified Professional Testing Program appeared first on FIDO Alliance.

MOUNTAIN VIEW, CA – March 10, 2022 – The FIDO Alliance is pleased to announce its first Authenticate Virtual Summit of 2022: The FIDO Fit in Commerce: Examining the Present and Future of Authentication in Banking, Retail, Crypto and Blockchain. The summit features Signature Sponsors Daon, Keyless and Nok Nok. 

Attendees will hear from industry experts on the authentication challenges facing all commerce stakeholders today, and learn about FIDO’s invaluable role in the industry.  The program provides market-specific insights, and will air March 30 in the U.S. (2:00 – 5:30pm Eastern) and March 31 in  Europe (2:00 – 5:30pm CET). 

Online payment fraud is rising globally, totalling an estimated $20bn USD in losses last year. Meanwhile, Forrester research suggests poor online checkout experiences are costing brands over $18bn a year in cart abandonment. This event invites players across banking, retail, crypto and blockchain to learn how they can meet the urgent need to deliver simpler, stronger user authentication, and why FIDO has  quickly become a key cornerstone in the future of commerce.

The agenda features presentations from leading financial institutions, solution providers and industry analysts to explore: 

• Commerce authentication today and its challenges
• The benefits and risks of different authentication methods
• Key privacy and regulatory requirements – and how they’re evolving
• The imperative for modern strong authentication in commerce
• Use cases and practical insights into deploying FIDO 
• The future of authentication in commerce

Speakers include executives from RH-ISAC, eBay, Gemini, Goode Intelligence, PLUSCARD, Entersekt, LoginID, the Greensheet, IDnow and more.

Register for free and view the agenda for the event here. All sessions will also be available on-demand after the second airing.

Sponsorship Opportunities

The Authenticate 2022 Virtual Summit series is accepting applications for sponsorship, offering a number of lead generation and brand visibility opportunities for interested organizations. Visit the Authenticate sponsorship page for more information or contact authenticate@fidoalliance.org.

About FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

The post FIDO Alliance Announces Commerce Virtual Summit Amid Rising Online Payment Fraud and Authentication Challenges appeared first on FIDO Alliance.

SEATTLE, February 15, 2022  —  The FIDO Alliance is pleased to announce the return of Authenticate, the only industry conference dedicated to the who, what, and where of user authentication. Authenticate, featuring Signature Sponsors Google, Microsoft, Visa and Yubico, will take place at the Sheraton Grand in Seattle, Washington and virtually on October 17-19, 2022. 

Aimed at CISOs, security strategists, enterprise architects, and product and business leaders, this is the third consecutive year that the FIDO Alliance is hosting the public conference. The annual event is specifically designed to share education, tools, and best practices for modern authentication across web, enterprise, and government applications. 

Last year’s conference featured more than 70 sessions and welcomed over 650 attendees, 97% of whom agreed  that the content was exactly what they were looking for. The exhibit area included 25 industry-leading exhibitors and sponsors.

Authenticate 2022 will build upon this strong foundation and feature detailed case studies, technical tutorials, and expert panels aimed at helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. Attendees also benefit from a dynamic expo hall and networking opportunities. 

Authenticate Call For Speakers

The Authenticate 2022 conference program committee is currently holding an open call for speakers. Authenticate provides speakers with an opportunity to increase visibility, educate on in-market solutions, and allow for networking between those involved in modern authentication. 

The committee is looking for vendor-neutral, educational presentations that focus on modern authentication implementations and best practices. For this year’s event, the focus will be on “taking modern authentication to the next level.” Diverse, global perspectives and presentations that focus on the following topic areas are welcome: 

• Authentication trends & insights 
• Modern authentication case studies & implementation strategy
• Regulatory impact on authentication 
• Technical & developer tutorials

Other topic areas related to authentication will also be considered. Submissions that are unique, expertise-driven, and reflect diversity in speakers are most likely to be accepted. 

The Authenticate Call for Speakers closes on March 15, 2022. To submit an application, please visit https://authenticatecon.com/event/authenticate-2022-conference/. 

Sponsorship Opportunities at Authenticate 2022 

Authenticate 2022 is also now accepting applications for sponsorship, offering a wide range of opportunities to provide broader brand exposure, lead-generation capabilities, and a variety of other benefits for both on-site and remote attendees. To learn more about sponsorship opportunities, please visit https://authenticatecon.com/event/authenticate-2022-conference/.

Sponsorship requests will be filled on a first-come, first-served basis. Requests for sponsorship should be sent to authenticate@fidoalliance.org.

About Authenticate

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. 

In 2022, Authenticate will be held October 17-19 at the Sheraton Grand in Seattle, Washington and virtually. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org  

PR Contact 
press@fidoalliance.org

The post FIDO Alliance Announces Authenticate Conference 2022 appeared first on FIDO Alliance.

According to the White House order, agencies have until the end of the government’s fiscal year 2024 to reach the target goals laid out in the strategy and based on a zero-trust model developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The post eSecurity Planet: White House Boosts Zero Trust with New Cybersecurity Strategy appeared first on FIDO Alliance.

The FIDO Alliance endorses The U.S. Office of Management and Budget’s finalized Federal Zero Trust Strategy, supporting their efforts to implement stronger cybersecurity methods across government agencies. The Federal Zero Trust Strategy now requires agencies to use phishing-resistant multi-factor authentication (MFA) to access agency-hosted accounts, highlighting FIDO Authentication as a quality option to ensure user security. Notably, the OMB also recommends this approach in environments where the use of Personal Identity Verification (PIV) isn’t feasible. 

“The Federal Zero Trust Strategy provides a robust roadmap for agencies to follow to ensure best practices in creating a zero trust environment. The FIDO Alliance commends the Office of Management and Budget for requiring phishing-resistant authentication to protect agencies as phishing attacks become significantly more sophisticated – including the increasingly common ability to bypass legacy MFA approaches such as OTPs,” said Andrew Shikiar, executive director of the FIDO Alliance. “Authentication is a critical component of any zero trust architecture. As cited by OMB, FIDO Security Keys and authenticators present a practical alternative to PIV and can provide agencies with a rapidly deployable solution to harden their defenses against hackers armed with increasingly sophisticated and persistent threat campaigns.”

WHO: The FIDO Alliance

WHAT: The OMB’s Federal Zero Trust Strategy, which aims to accelerate the migration of U.S. Government agencies towards zero trust cybersecurity principles, mandates the use of phishing-resistant authentication, such as FIDO Authentication. This serves as yet another example of the government recognizing the importance of not only MFA, but phishing-resistant MFA to secure accounts.

As the OMB initiates this paradigm shift in how Federal agencies approach cybersecurity, the broader adoption of FIDO Authentication will provide simpler and more secure authentication for agencies, especially as enterprise users continue to be the most valuable targets for phishing.

WHEN: The OMB released its final Federal Zero Trust Strategy on January 26, 2022. As detailed in the strategy, agencies are required to achieve the zero trust security goals outlined in the strategy by the end of 2024.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact
press@fidoalliance.org

The post Media Alert: The FIDO Alliance Endorses The Office of Management and Budget’s Finalized Zero Trust Strategy appeared first on FIDO Alliance.

Over the course of two days from Jan. 24 – 25, the Better Identity Coalition, the FIDO Alliance, and the ID Theft Resource Center (ITRC) co-hosted the Identity, Authentication, and the Road Ahead Cybersecurity Policy Forum with representatives from government and industry providing insight into the policies, challenges and opportunities for identity and authentication in 2022 and beyond.

Identity has always been important, and during the pandemic the gaps in identity verification capabilities were dramatically exposed in a number of ways. The challenges of identity in the pandemic were detailed in a keynote fireside chat with Susan Gibson, chair of the U.S. Pandemic Response Accountability Committee (PRAC) Identity Fraud Reduction & Redress Working Group, and Jeremy Grant, coordinator of the Better Identity Coalition. Gibson explained that the PRAC was formed by the U.S. Government with the goal of promoting transparency and facilitating coordinated oversight of the federal government’s pandemic response, which totaled some $5 trillion in aid.

Gibson noted that there have been many instances of pandemic aid fraud, due in no small part to weaknesses in identity verification and coordination. For example, she noted that a single social security number was used to claim unemployment insurance in 29 different states. 

While identity fraud, with social security numbers and other means is common, Gibson emphasized that trying to stop identity thieves isn’t the only answer to the problem as the volume of personally identifiable information that is already out in the public domain is large.

“Really, we need to focus less on trying to fix the problem by stopping identity theft and focus more on: how do you get to the strong authentication, with a realization that the identity theft has already happened,” Gibson said.

Data breaches continue to happen

Identities are often at the root of data breaches, both as a root cause, as well as a consequence. 

In a morning session, James Lee, Chief Operating Officer of the ID Theft Resource Center (ITRC), outlined some of the key data points from his organization’s 2021 End-of-Year Data Breach Report. Among the highlights is the fact that 2021 was the worst year ever for data breaches, with 1,862 incidents impacting 294 million victims.

Lee said that the top data attribute that is stolen in data breaches are names of users, followed by social security numbers. That said he noted that in fraud forums, stolen social security numbers are sold for $2 each. In contrast, logins and passwords associated with email accounts and in particular Gmail accounts are worth $80 each.

The first day of the event concluded with a pair of panels on different aspects of identities and authentication. In a panel on things the government is doing to co-ordinate and improve identity, Jason Lim, Branch Manager for Screening Technology Integration Program (STIP), TSA, Phil Lam Executive Director for Identity, U.S. General Services Administration, Tim Weiler Economic Policy Advisor & Legislative Counsel, U.S. Rep. Bill Foster, and Kate Wechsler, Executive Director, Consumer First Coalition, each detailed their views on what different agencies are doing.

Identity is also about access, which isn’t the same for all members of society. That was a key theme in the final panel of the day hosted by Eva Velasquez President and CEO, Identity Theft Resource Center (ITRC), alongside panelists Birdell Lewis, Senior Vice President, Centralized Shared Services, Synchrony; Pastor Ben Roberts, Foundry United Methodist Church; and Chris Peterson, Penny Forward and Community Member.

Day Two: The Future of Strong Authentication

In an opening keynote on the second day of the event, Eric Mill Senior Advisor, White House Office of Management and Budget (OMB) delivered a keynote that outlined the direction of strong authentication in the government.

Mill noted that in the fall of 2021, the OMB published a draft of its federal zero trust strategy, which defines having a defense against phishing as a key priority. Mills said that phishing is one of the most common ways that adversaries gain a foothold in an enterprise and the government wants to focus on having an order of magnitude better defense against that kind of attack.

“We are trying to create a clear baseline for civilian federal agencies around not using multifactor authentication methods that don’t resist phishing,” Mills said.

Mills noted that PIV, or Personal Identity Verification cards are commonly used in the government and they can be an effective phishing deterrent. He added that there is a need to have a broader approach with FIDO WebAuthn platform authenticators as well.

“We really expect to see PIV, FIDO and web based authenticators in commingled use throughout the federal government and other weaker methods in the context  of phishing,  discontinued,” Mills said.

The zero trust strategy was officially published the day following the conference and requires the use of phishing-resistant MFA, like FIDO Authentication.

FIDO Alliance’s efforts for strong authentication and identity

In a keynote, Andrew Shikiar, Executive Director of the FIDO Alliance, outlined the progress and initiatives that his organization has underway to help improve the state of strong authentication.

Shikiar emphasized that the imperative that FIDO is seeking to address is not just to be a checkbox item for multi-factor authentication (MFA), but rather to truly be a foundation to secure connected services that are critical to today’s networked society. 

Shikiar predicted that 2022 will be the year that MFA attacks become mainstream. Having a phishing-resistant approach, which is what FIDO provides, is critical. The need for phishing-resistant MFA and strong authentication has been cited by multiple governments as a best practice. 

“Passwords are part of our lives because they’re ubiquitous and they’re part of the web’s DNA,” Shikiar said. “Simply put, we need to supplant them, keep them out of that role and take their place.” 

Barriers to MFA and the need for improved identity proofing

In a panel on how the government and industry are rethinking authentication, panelists provided insight into what holds adoption back and what needs to happen next.

Pam DIngle, Director of Identity Standards at Microsoft, commented that while there is awareness about the need for strong authentication and MFA there are several reasons why it isn’t always implemented. One type of organization that doesn’t deploy is where there are some sort of organization barriers to MFA.

“So customers come to us and say they know they need to do it right, but they have legacy technology or they have other reasons why they can’t adopt,” Dingle said. “For everyone else, I believe it’s on people’s lists.”

Christine Owen Director, Advanced Solutions, Cybersecurity at Guidehouse, commented that a challenge she sees with MFA deployment is on service accounts. Owen noted that adding MFA to those types of accounts is not always as easy as it should be. Grant Dasher from CISA noted in his organization’s view, identity is clearly the foundation of a zero trust architecture. Dasher added that the President’s Executive Order has committed the government on both civilian and national security sides to go in that direction.In fact CISA has referred to FIDO as the gold standard for authentication in its recent guidance.

Helping to ensure that a given identity is in fact authentic is the domain of identity proofing, that also helps with the initial verification of identity documentations and attributes. In an afternoon panel, Rae Rivera, Director of Certification Programs at the FIDO Alliance, outlined the ongoing efforts to create certification programs for identity proofing.

Brighton Haslett, Counsel in the U.S. House of Representatives, Committee on Financial Services, noted that it’s important that any new regulations in the identity proofing space need to be based on real information.

“I think the biggest threat in this space is any kind of legislation or regulation born out of misunderstanding and fear,” Haslett said. “I think when we see a rush to regulate a new technology, it’s usually an attempt to mitigate bad outcomes whether those are real or not.”

Strong Authentication, Identity and the Banking System

The need for strong authentication to help secure identity is of critical importance to the financial sector and its government regulators.

“If you look at so many of the things that bring risk to the financial sector in the United States they are all anchored on identity, ” commented Sultan Meghji, Chief Innovation Officer, FDIC.

Meghji’s views were echoed by Kay Turner, Senior Counselor to the Director, FinCEN Digital Identity, Inclusion, and Digital Payment Infrastructure. She noted that FinCEN’s role in the financial sector as the primary administrator of the Bank Secrecy Act and the U.S. financial intelligence unit, is to help prevent illicit finance, money laundering and related crimes like countering the financing of terrorism.

“Identity is at the heart of all financial services, and it’s core to trust,” Turner said. “So we recognize that the ability to assess risk is only as good as your ability to figure out with whom you’re engaging.”

Much of Turner’s sentiment were echoed in a keynote by Elizabeth Rosenberg Assistant Secretary for Terrorist Financing and Financial Crimes, at U.S. Treasury.

Rosenberg said that many of the critical problems plaguing the financial system stem from an inability to readily and reliably know who is dealing with whom.

“As a policy matter, digital ID has the potential to immediately and dramatically improve how we protect our national security and financial security,” Rosenberg said. 

Looking beyond just being aware of the importance of strong authentication for identity, Rosenberg said that the U.S. Treasury is approaching 2022 as a year of action for digital ID.

“I don’t want us to be addressing the same problems when next year’s identity forum convenes,” Rosenberg said. “At least I don’t want to see the same problems happening as frequently to the same degree as they are right now and the Treasury is committed to making that happen.”

In the closing keynote, Carole House Director for Cybersecurity and Secure Digital Innovation, White House National Security Council (NSC), also noted that she sees identity as being critical to national security.

“Many cyber incidents that we’ve seen involve vectors of compromise that could have been thwarted through stronger identity and access management solutions, including implementation of multifactor authentication solutions,” House said.

Recordings of Day 1 and Day 2 are now available.

The post Recap: Identity, Authentication, and the Road Ahead #IDPolicyForum appeared first on FIDO Alliance.

Editor’s Note: This is the final blog posting covering the 2021 FIDO Developer Challenge. We invite you to read the previous blog posts to learn more about past stories:

• Announcing the FIDO Developer Challenge for Developers Across the Globe
• FIDO Developer Challenge: Welcoming Teams to the Implementation Stage

This year’s FIDO Developer Challenge reached a successful conclusion, with a ceremonial event during Authenticate 2021 in Seattle. The recorded video of the ceremony is available now, and we’re pleased to share more detailed stories of the three finalists as well as the rest of the teams that made it to the final stage.

Gold Winner – Lockdrop

Lockdrop, a company based in Toronto, Canada, strengthened their document transfer service using end-to-end encryption with WebAuthn as an MFA authentication option. The team wants to help businesses and people exchange larger datasets easily and securely, a problem that is prevalent across most industries and results in people falling back to insecure and/or archaic forms of data transfer such as email, fax, CD-ROMs (yes, CD-ROMs!), and USB sticks.

Silver Winner – Shaxware

Shaxware is a company located in Tokyo, Japan. They created a Proof of Concept, fashioning the Japanese National ID Card (My Number Card) into a FIDO roaming authenticator. They proposed to extend WebAuthn by using the external IC card as a primary digital certificate.

Bronze Winner – SoundAuth

SoundAuth is the team name for a company (Trillbit) based in Boston with R&D staff stationed in India. This team built a FIDO MFA solution that leverages data over sound technology to provide a seamless user experience while eliminating the need to rely on an additional hardware token or internet connectivity.

From the initial pool of applicants, fourteen teams from eight different countries (Canada, France, India, Japan, Malaysia, South Korea, USA, Vietnam) competed throughout the FIDO implementation stage – including the three finalists detailed above. There were also many concepts that did not make the top three yet have shown compelling ways to leverage the strength and usability of FIDO Authentication. Examples include:

• FIDO and AI-based remote test proctoring system (India)
• Web payment system, leveraging FIDO-based digital wallet (France)
• FIDO-based online note-taking apps for developers (Vietnam)
• FIDO-based VPN access (South Korea)
• FIDO and AI-based assisted technology for visually impaired people (South Korea)

Thanks and final thoughts

The 2021 FIDO Developer Challenge was made possible by the support and active engagement from the event sponsors – who not only helped fund the event operations and prizes, but gave hands-on feedback and guidance as judges. Thanks also to the W3C and WebAuthn community for guidance and support through the FDC Discord Channel – it was great to see so many people weighing in to help these development teams.

We were very pleased to have built off of our prior developer hackathon efforts in Korea, to have brought the challenge global, and to have added  a focus on public APIs. The Challenge demonstrated that the combination of open technology coupled with the entrepreneurial vision of a developer will result in inspiring outcomes and innovation. We look forward to expanding this effort in 2022. Please don’t hesitate to reach out (https://fidoalliance.org/contact/) should you have any feedback or suggestions on the program.  

The post 2021 FIDO Developer Challenge: Outcomes and Winners appeared first on FIDO Alliance.

SINGAPORE, November 5, 2021 — The FIDO Alliance announced the agenda and speaker lineup for its free Virtual Authenticate Summit: APAC Innovation, the quarterly series of virtual seminars that delve into the FIDO approach to modern user authentication. This three-day event, being held December 8-10, 2021, features expert speakers from around the globe, with regionally specific tracks focused on strong authentication trends in China, India, the ASEAN region, Korea, Japan and Taiwan.  

“Asia has long been a hub of innovation for FIDO Authentication – with some of the earliest and most noteworthy implementations having taken place throughout the region,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We are pleased to build upon FIDO’s Authenticate Virtual Summit series to allow local participants to gain insights into the latest trends and technologies from FIDO Alliance and its global stakeholders.”

Fraud and identity theft continues to grow throughout APAC as a result of lingering reliance on weak authentication methods such as passwords, as witnessed by the recent FIDO Alliance Online Authentication Barometer survey. The survey shows that while security is a priority with 84% of respondents having taken steps they believe will better protect their accounts from compromise, 43% did so by strengthening their passwords.

This Virtual Summit will give attendees the necessary tools to start their companies on a journey towards a passwordless future – as regional stalwarts such as NTT DOCOMO, Samsung, LINE and many more have done already.

Participants will also gain insights from subject matter experts in identity and authentication, with case studies including:

• Asia Pacific — Electronic Transactions Development Agency (ETDA), Malaysian Ministry of Finance, SecureMetric
• China — FIME, Lenovo
• India — Ensurity, RBL Bank, Reserve Bank of India
• Japan — AXELL, Digital Agency of Japan Government, Josai University, OpenID Foundation Japan, NTT DOCOMO, Rakuten, Yahoo! Japan
• Korea — AWS/AirCuve, LINE, SK Telecom/Octaco, TrustKey, Telecommunications Technology Association of Korea 
• Taiwan — AuthenTrend/NEC, FIME, Financial Supervisory Commission, PUFsecurity

Authenticate Virtual Summit: APAC Innovation is free to attend for anyone interested in learning more about and/or deploying FIDO Authentication. Most sessions will also be available on-demand after they air, and translated subtitles for global contents will be available in Chinese, Japanese or Korean (as well as for the event platform). Attendees and sponsors will also have the ability to engage and network, as well as visit sponsor booths via the virtual platform. 

Visit the 2021 Authenticate Virtual Summit: APAC Innovation event page to find out more and register for the event.

For more information about the Authenticate Virtual Summit Series: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/. 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Authenticate Contact
authenticate@fidoalliance.org

PR Contact
press@fidoalliance.org 

Megan Shamas, Director of Marketing
FIDO Alliance
+1 (203) 231-9280
megan@fidoalliance.org

Jareth Cheng
FINN Partners for FIDO Alliance
+65 3157 5619
yingFIDO@finnpartners.com

The post FIDO Alliance Announces Asia Pacific Authenticate Virtual Summit to Drive Further Adoption of Modern User Authentication appeared first on FIDO Alliance.

At the Authenticate Virtual Summit on Sept. 23, 2021, users, experts and vendors from around the world detailed how strong authentication helps to enable government services and new efforts to secure online identities. Users including the U.K. National Health Service (NHS), as well as the U.S. Government’s login.gov and Internal Revenue Service (IRS) provided insights into the present and future of online authentication and digital identities.

In the opening session of the event, Andrew Shikiar, executive director and CMO of the FIDO Alliance, outlined the strategic imperative for FIDO in government services around the world.

“COVID-19 created an imperative to really accelerate digital transformation activities,” Shikiar said. “When the pandemic hit all of a sudden, everyone was at home and all activity brought requirements for modern authentication schemes that go far beyond passwords, even beyond traditional multi-factor authentication.”

Shikiar noted that the FIDO Alliance standards align very well with global regulations and policies and there is a growing trend of government guidance for authentication that cites the use of FIDO.

“It’s important to enable trust in the government ecosystem,” Shikiar said. “This comes through the engagement FIDO does with different regulators and government bodies and ultimately will be manifested through the secure implementation of digital identity services to citizens worldwide.” 

Technology Helping to Push FIDO Strong Authentication Forward

A key path for enabling FIDO specification is via vendors that support government efforts. 

Patrick Sullivan, CTO of security strategy at Akamai, commented that password credential stuffing attacks are very common. He noted that Akamai’s platform sees as many as a billion password attacks per day. That’s where multi-factor authentication and more specifically strong authentication based on FIDO Alliance standards play a strong role. Sullivan noted that there is a clear need to provide multi-factor authentication in a low friction environment where it’s delivered in the form factor of an app on a smartphone.

“We’re not asking users to carry around a hardware token to accomplish FIDO2 as we move in that direction, and by introducing less friction, there’s less risk of our users doing something anomalous,” Sullivan said.

Jeff Frederick, manager of solutions engineering at Yubico, noted during his session that in government, many agencies in the U.S use Common Access Card (CAC)/Personal Identity Verification (PIV) credentials that go beyond basic passwords. Frederick noted that FIDO2 standards, which are supported on his company’s YubiKey device, provide a strong impersonation resistant authentication protocol that uses public private key cryptography.

“It’s very similar to PIV/CAC and FIDO2 is an open standard that’s managed by the FIDO Alliance, so that any vendor can support this and use it today,” Frederick said. “It’s built into all major operating systems and all major browsers so there’s no middleware that you need to install to make this work and it’s just an easy to implement solution that will modernize the federal authentication infrastructure across the board.”

Making Identity and Authentication Less Taxing at the IRS

The IRS proofs and authorizes tens of millions of taxpayers every year, across both digital and non digital channels, according to Courtney Rasey, assistant to the director, Identity Assurance, Privacy Governmental Liaison, & Disclosure (PGLD) at the IRS.

“None of those tens of millions of taxpayers who are calling the IRS are doing so just because they want to, it’s not really a fun weeknight activity,” she said. “They need to resolve an issue to meet their tax obligation and we know that, so we’re always striving to provide better service to taxpayers, to help them get the service that they need in the most convenient and efficient way possible.”

One way the IRS is looking to be more convenient to taxpayers is with its Secure Access Digital Identity (SADI) platform that was launched in June of 2021. Rasey explained that SADI leverages a Credential Service {rovider (CSP) that identity proofs the taxpayer and then provides the IRS with a digital identity credential.

“Users are eventually going to be able to access all IRS online applications utilizing that single digital identity credential,” Rasey said. “The IRS is moving more and more applications behind SADI throughout fiscal year 2022 and as we do move more applications taxpayers are going to be able to do so many things with just one credential.”

Moving Toward Zero Trust with Strong Authentication

In May, President Biden signed Executive Order 1402, which directs U.S. government agencies to improve cybersecurity. One of the primary provisions of the executive order is to move the federal government toward a zero trust architecture.

“When we talk about zero trust, we’re talking about an architecture where people and their devices aren’t trusted just by virtue of being inside an organization’s enterprise network,” explained Eric Mill, senior advisor, Office of Management and Budget (OMB).

Mill noted that in a zero trust model, people and devices are validated at each step and  authentication is context-aware. The OMB is strongly encouraging the adoption of phishing resistant multi-factor authentication, with FIDO WebAuthn as a good alternative option in environments where CAC/PIV isn’t feasible.

“We’re pushing very hard on multi-factor authentication and we really view reliable authentication as a critical foundation of zero trust architecture,” Mill said.

In a Policy Deep Dive session, Jeremy Grant, managing director, technology business strategy at Venable, noted that there are a number of reasons why authentication is important to governments. 

Grant said that FIDO specifications can help governments to protect access to their own assets and can help to enable more high-value citizen facing services to the public. 

“I think what we’re seeing in 2021, is a really different environment across the globe, where FIDO authentication is emerging, not just as another permitted option, but in many cases as a preferred choice of governments across the world,” Grant said.

How the National Health Service (NHS) uses FIDO

Among the areas in the world where FIDO is finding a home is in the U.K. 

The National Health Service (NHS) is the publicly funded medical and healthcare system in the U.K. and it has embraced FIDO standards to help improve human health.  With the NHS Login service, citizens get a centralized identity for health services while the NHS app provides a simplified application for accessing and managing an individual’s access to health services.

Priyanka Mittal, technical architect for the NHS Login and NHS app, said that over the past 18 months there has been a 10-fold increase in the user base for NHS login as demand has grown during the pandemic.

Sean Devlin, tech lead for the NHS App, explained that initially the services started out using an SMS based two-factor authentication approach, but wanted to find a more seamless approach. NHS decided to use FIDO UAF and built out its own implementation, using eBay’s open source FIDO implementation as a starting point.

Devlin said that before using FIDO, users had to navigate as many as five different screens to get through a multi-factor authentication flow. With FIDO, it’s a single screen.

The NHS has also saved a lot of money by moving to FIDO. With over 500,000 FIDO logins per day, Devlin estimates that the NHS is saving on the order of £8,000 per day on SMS messaging costs.

Bringing FIDO Strong Authentication to Login.gov

FIDO specifications also play a pivotal role at login.gov, which is a single sign-on platform for U.S. government services.

Jonathan Hooper, login.gov Engineering Lead at the General Services Administration (GSA), explained that the authentication portal fronts over 200 sites across the U.S. government,  spread across 27 different agencies. Hooper explained that starting in 2018, login.gov began expanding the use of multi-factor authentication, including the WebAuthn specification.

“We don’t want to be ‘big brother,’ we want to make sure that we can protect users’ privacy and the things built into the protocol that helped to do that were very attractive to us,” Hooper said. “WebAuthn is also very cheap, it is much cheaper to do a WebAuthn authentication event than it is to do SMS by several orders of magnitude.”

Improving Digital Identity with FIDO

A FIDO-based approach for digital identity could soon be finding its way to Canada as well according to Joni Brennan, president, Digital ID & Authentication Council of Canada (DIACC). An effort currently underway is the Pan Canadian Trust Framework (PCTF) which is an information assurance framework.

“We think that there’s a great opportunity here to leverage an information assurance framework, coupled with FIDO Alliance driven specifications, to create and to verify that end to end experience that’s needed for digital ID adoption,” she said.

The need for secured digital identities was also highlighted by Amit Mital, special assistant to the President and senior director, National Security Council at the White House.

“Today, when we authenticate ourselves and identify ourselves, we might use one of dozens of popular systems,” Mital said. “

So the ecosystem itself is very decentralized, and it’s very unharmonized. It is also fundamentally unsecure.”

Mital said that there is a clear need for strong remote identity solutions that can provide easy, secure, affordable and reliable ways to identify consumers across digital systems. 

“It’s clear that there are a diverse and large number of scenarios that need digital identity and there is no single entity that can solve all these scenarios,” Mital said. “We need an ecosystem that brings together the best ideas and innovation from the private sector, both large companies and startups, as well as the government at both the federal and the state, the local, tribal and territorial lands.”

Wrapping up the day’s event, Andrew Shikiar, executive director of the FIDO Alliance, observed that there are a lot of conversations ongoing about  different types of government services and their dependency on secure digital identity.

“Ultimately, identity and authentication are core to deploy new services at scale, in a way that meets the requirements for government agencies, and for citizens alike,” Shikiar said.

The webcast is now available on demand. To watch the recording, visit the event page.

For more discussions on moving past passwords to modern strong authentication, attend Authenticate 2021 on October 18-20, 2021 in Seattle or virtually. The full agenda and details to register are available at authenticatecon.com. 

The post Authenticate Virtual Summit: The Imperative for Strong Authentication for Government Services appeared first on FIDO Alliance.

MOUNTAIN VIEW, CA, AUGUST 31, 2021 — The FIDO Alliance has announced the agenda and speaker lineup for its next Virtual Authenticate Summit, “The Imperative for Strong Authentication for Government Services,” taking place September 23, 2021 from 11:00 am – 2:30 pm EDT. Authenticate Virtual Summits are a quarterly series of virtual seminars that delve into the FIDO approach to modern user authentication across various markets and geographies.

Register for free and view the agenda on the Authenticate Virtual Summit event page.

“Government agencies around the world are rolling out more robust digital services for employees and citizens — and the COVID-19 pandemic has only accelerated this imperative,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Global standards and best practices are key to success in this digital transformation of e-government services — particularly in the areas of strong user authentication and identity verification. We’ve been happy to see the growing trend of governments referencing and leveraging FIDO’s outputs and look forward to sharing their insights with the broader Authenticate community.”

This government-focused Authenticate Virtual Summit brings together leaders from the public and private sector to examine strong authentication for government services, including considerations for implementing modern authentication systems for e-citizen services and remote government workforces, government agency case studies, the intersection with global policy and more.

This Authenticate Virtual Summit agenda includes:

• Keynotes from Akamai, FIDO Alliance, IRS, and Yubico
• A look at how the IRS is leveraging new digital identity proofing procedures for non-digital authentication
• Case studies from GSA and NHS on how they are leveraging FIDO to streamline and secure logins
• Discussions on the state of strong authentication in government and how policies and directives are changing how governments authenticate
• Considerations and best practices for optimizing the strong authentication for government experience 

Akamai and Yubico are Signature sponsors for this Authenticate Virtual Summit. To participate as a sponsor, visit https://authenticatecon.com/sponsors/. 

For more information about the Authenticate Virtual Summit Series: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Authenticate Contact

authenticate@fidoalliance.org   

PR Contact

press@fidoalliance.org

The post FIDO Alliance Announces Speakers for Authenticate Virtual Summit, “The Imperative for Strong Authentication for Government Services” appeared first on FIDO Alliance.

Leaders from Amazon, Apple, Google, Microsoft and IBM met with President Joe Biden at the White House last week to discuss strategies the government and private sector can use together to improve the nation’s cybersecurity. 

Following the meeting, Amazon announced that it will provide eligible AWS customers with access to free FIDO Security Keys. Not only will this protect the burgeoning number of businesses that run on AWS, but it will help instill better authentication practices as these keys can be used across many other business (e.g., G Suite, Github, Dropbox, Stripe) and consumer (Facebook, Twitter, Coinbase, Bank of America) services.

Amazon has been a leading stakeholder in FIDO Alliance for several years now – it is wonderful to see their leadership extended to the market at large. As more businesses move to the cloud, it is absolutely critical that cloud service providers follow suit to protect this critical infrastructure. Threats and attackers are growing in sophistication, and the impacts are non-trivial. Hundreds of millions of personal records are being stolen and resold on the dark web on an alarmingly regular basis. This is a clear and present threat to our economy, our national security and our society.

It’s difficult to name a breach from the past five years that wasn’t tied to stolen credentials. 

The latest prominent attack, which was carried out on Colonial Pipeline, used a single stolen password to essentially cripple the U.S eastern seaboard.

It is important that all businesses take steps to educate and protect their employees and customers from such threats. “Traditional” means of multi-factor authentication (such as OTPs) simply aren’t fit-for-purpose to protect against these attacks, which can financially cripple a company or organization. 

Ultimately, credential-based breaches (like Colonial Pipeline’s) wouldn’t be possible if accounts were protected with FIDO Authentication, which requires local possession of a device with no knowledge-based authentication credentials passed over the network. 

The FIDO Alliance has come a long way since our inception. What started as a whiteboard concept has evolved into technology that is becoming part of the web’s DNA. Virtually every platform and device can now support FIDO Authentication, and there are public SDKs and tools, plus a rich ecosystem of FIDO Certified vendor products and services that can help companies implement FIDO for their sites and apps. 

Amazon’s move to provide free FIDO Security Keys sets a strong – and important – example. We encourage all other cloud service providers to urgently consider following suit by at a minimum enabling FIDO authenticators for admin access to networks.

The post Amazon is Giving Free FIDO Security Keys to AWS Customers to Encourage Better Account Security appeared first on FIDO Alliance.

SEATTLE, August 17, 2021 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, today announced its full 2021 agenda. This three-day event, which takes place October 18-20 in Seattle and also with remote attendance options, will help educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. 

The Authenticate 2021 agenda features:

• Deployment case studies from enterprises and service providers including Capital One, eBay, Facebook, Google, Morgan Stanley, Target, Verizon, Wayfair and more 
• Technical deep dives on FIDO’s authentication specifications: IoT, biometrics and identity verification
• Vertical perspectives from leaders and practitioners in financial services, eGovernment, retail and communications
• In-depth discussions on the evolving policy landscape and deployment considerations therein 

“Relying on passwords is passé. Modern authentication systems and standards have emerged to provide more efficient ways for organizations to provide strong security and better interactions with their brands,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “The FIDO Alliance encourages organizations of all sizes to prioritize stronger security, and it is our mission to share the tools and resources to help them get there. ​​This year’s agenda delivers on that mission, providing attendees with a strong foundation for deploying simpler, stronger authentication.” 

This year’s headlining keynote speakers are: Bob Lord, former CSO of the Democratic National Committee; Joy Chik, corporate vice president of identity at Microsoft; Stina Ehrensvard, CEO and founder of Yubico; David Henstock, head of identity and authentication products, Visa; and Dave Kleidermacher, vice president for engineering, Android security and privacy, Google. A full list of speakers is available on the Authenticate conference website. 

The conference agenda features 45+ in-person sessions and 20+ sessions on-demand, all of which will be available to all attendees. Authenticate also features an expo hall with product and service offerings with 20+ sponsors, as well as various networking and social events built into the three-day schedule – all while adhering to all CDC and local health/distancing requirements. 

Register Today!
Take advantage of early-bird pricing by registering by September 3. To register, visit https://authenticatecon.com/event/authenticate-2021-conference/. Authenticate will be held in conjunction with the FIDO Alliance member plenary, scheduled for October 20-22. FIDO Alliance members have exclusive access to discounted rates to attend both events.

Get involved at Authenticate

There are still select sponsorship opportunities available for Authenticate 2021; companies interested can learn more at https://authenticatecon.com/sponsors/.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

TWEET THIS: The @AuthenticateCon agenda is here! Visit the event website to take a look at this year’s speakers and session topics for the latest in user #authentication. www.authenticatecon.com

About Authenticate

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2021, Authenticate will be held October 18-20 at the Motif hotel in Seattle, Washington with the option to participate remotely via live stream and on-demand sessions. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact

authenticate@fidoalliance.org  

PR Contact

Morgan Mason
Aircover PR
408-612-9889
press@fidoalliance.org

The post FIDO Alliance Announces Authenticate 2021 Agenda appeared first on FIDO Alliance.

By Joon Hyuk Lee, APAC Market Development Director

Editor’s Note: This is the second blog covering the FIDO Developer Challenge.  To learn more about the background and process, please read the earlier blog post, Announcing the FIDO Developer Challenge for Developers Across the Globe.

We are happy to announce that 14 teams from eight different countries (the U.S., Japan, Canada, France, India, Malaysia, Vietnam, and South Korea) have been invited to participate in the implementation stage of the 2021 FIDO Developer Challenge. Six of the teams are early-stage ventures and an equal number hail from academia; the other two are individual developers.

[Faces of participants, captured during online interviews in late July]

All of the teams share a commitment to using FIDO authentication to provide a smoother and more secure user experience across a variety of application areas. As was the case in our earlier Hackathons, we are seeing yet again that the mix of entrepreneurial vision coupled with the capabilities of FIDO Authentication can be realized in a wide array of use cases and industries. We will share more details on each of the submissions as the review process carries forward.

The teams are now engaged in designated virtual lounges for possible Q&As and support from the Developer Challenge sponsors and broader FIDO development community.  To that end, we would like to recognize and give special thanks to the W3C WebAuthn Adoption Community Group for managing the private Discord Channel to provide technical support for participating teams.

Implementations will be done by the end of August and the judges will evaluate the teams’ final presentations and demos by early September.  Please stay tuned for our announcement of the Top 3 by the middle of September – with the winner being announced at the Authenticate conference in Seattle on October 20.

The post FIDO Developer Challenge: Welcoming Teams to the Implementation Stage appeared first on FIDO Alliance.

SEATTLE, June 30, 2021 — Authenticate, the only industry conference dedicated to the who, what, why and how of user authentication, is coming October 18-20, 2021 to the Motif hotel in Seattle, Washington. Featured keynote speakers at the second annual event include Bob Lord, former CSO of the Democratic National Committee, Dave Kleidermacher, Vice President for Engineering, Android Security & Privacy at Google, Joy Chik, Corporate Vice President for Identity at Microsoft, David Henstock, Head of Identity and Authentication Product, of VISA and Stina Ehrensvard, CEO and co-founder of Yubico.  

Registration is now open for the event, with options for in-person or remote experiences. The 2021 edition of Authenticate will focus on providing excellent live and on-demand content, a live expo hall with 20+ sponsors, as well as a variety of networking opportunities — all while adhering to all CDC and local health/distancing requirements.

“We look forward to welcoming our keynote speakers to the Authenticate stage to share their vision and experience in moving to modern and secure FIDO Authentication,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “After a year of increasingly severe data breaches and user login frustrations, each speaker brings a unique perspective and insight on easing the adoption of simpler, stronger and standards-based authentication.”

CISOs, security strategists, enterprise architects, product and business leaders will walk away from this three-day event with an understanding of the FIDO approach to simpler, stronger authentication, and the tools and best practices they need to integrate FIDO Authentication into their own services.

In addition to the keynote sessions, Authenticate 2021 speakers will go in-depth on the state of authentication including a range of topics including:

• Authentication trends & insights
• Case studies
• Modern authentication implementation strategy
• Vertical trends & initiatives
• Industry standards
• Regulatory impact on authentication
• Technical & developer tutorials

Register Today!

Take advantage of early bird pricing by registering before August 18. 

Get involved at Authenticate

In addition to the Authenticate stage, the FIDO Alliance has a limited number of sponsorship and exhibitor opportunities remaining for the 2021 event. Companies looking to showcase their brand and products front and center at Authenticate can contact authenticate@fidoalliance.org.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

About Authenticate

Authenticate is the only conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. This year’s Signature Sponsors include Google, Microsoft, Visa and Yubico. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org   

PR Contact
Morgan Mason
Aircover PR
408-612-9889
press@fidoalliance.org 

The post FIDO Alliance’s Authenticate Conference Announces 2021 Keynote Speakers and Open Registration appeared first on FIDO Alliance.

The digital security, privacy and authentication landscape is evolving quickly in the European Union with new regulations that could have a broad ranging impact for its citizens, as well as companies around the world. 

At the Authenticate Virtual Summit: Focus on Europe, which was held on June 17, experts on the authentication market in Europe provided insight into the latest developments including PSD2 SCA (Payment Services Directive Strong Customer Authentication), delegated authentication, eIDAS (electronic IDentification, Authentication and trust Services) and the EU Digital Wallet among other efforts.  

Kicking off the virtual summit, Andrew Shikiar, executive director and CMO of the FIDO Alliance outlined how the FIDO specifications work and why strong authentication is essential for multiple use cases including ecommerce, Internet of Things (IoT) and identity verification. 

“FIDO’s goal from day one was to certainly reduce reliance on passwords, but in some ways that was just a means to an end, really trying to address the data breach problem, as the vast majority of data breaches are caused by weak credentials,” Shikiar said.

As FIDO is moving forward, there has been a need to strengthen identity verification assurance to support better and safer account recovery. As part of that, Shikiar noted that the FIDO Alliance launched the Identity Verification & Binding Working Group (IDWG) which is driving that work forward.

“We’re seeking to establish best practices for possession based identity verification,” Shikiar said. “That will not only enable safer, easier and stronger account recovery, but doing so will also stop hackers from using the account recovery process as an opening for social engineering account takeovers.”

Helping to Limit Cart Abandonment

There is a tangible connection between ecommerce success and strong authentication, according to Rolf Lindemann, VP products at NokNok.

Lindermann noted that during the pandemic, ecommerce grew faster than ever before. But with 13% of credit card online payments not being completed, it’s clear that cart abandonment is still impacting business in a significant manner.

“We learned that authentication friction in general is a major factor for card abandonment,” Lindermann said. “This becomes obvious given that online authentication is at the core of all online transactions. Authentication is the front door to digital services in general.” 

The path to reducing authentication friction involves the use of FIDO, which Lindermann said can help to enable strong customer authentication that can be implemented in a single convenient step.

Toward a Strongly Authenticated Digital Identity 

In Europe and elsewhere around the world, there is a growing conversation about the need to enable and provide some form of digital identity. According to Steve Pannifer, COO of Consult Hyperion, digital identity consists of three things: identification, authentication and authorization. 

Pannifer explained that identification is all about asking the question – is this person real, unique and identifiable? Authentication is the process of realizing that an identified person is coming in to use the service again, as the service provider wants to know if it is the same person that established the identity at some point in the past. Authorization ties it all together, which uses identity and authentication to access services.

“Digital identity is not a means in and of itself, it’s a means to an end,” Pannifer said. “The end that it is serving is all of those services that I’m trying to get access to.”

Fabian Eberle, co-founder and COO at Keyless is also a big believer in digital identity. In a session, Eberle outlined the need for a decentralized system for personal identity management. Such a system puts users in control of their own identity information, and lets them selectively disclose that identity data in a more private and secure way.

Eberle noted that at LUISS Guido Carli University, over 10,000 students are now benefiting from a digital identity system that helps to support remote education services. The Keyless approach benefits from FIDO standards that helps to authenticate a device and identify students in a frictionless approach.

Digital Identity in Europe: eIDAS

In the European Union, there is an effort known as eIDAS which is a legal framework for mutual recognition of national digital identity schemes.

“The purpose of eIDAS is cross border access for citizens in any European country to gain access to any public service in the EU,”Sebastian Elfors, senior solutions architect at Yubico explained.

FIDO standards are being increasingly adopted by European governments to help support eIDAS efforts. Among those that Elfors highlighted is healthcare authentication in Norway, EduID for universities in Sweden and the National Health Service (NHS) in the U.K. 

FIDO standards are also helping the Czech Republic with its CZ.NIC top level domain registry which also operates the mojedID (my ID in Czech) service. 

Jaromi Talir, technical fellow at CZ.NIC and member of eIDAS Technical subgroup explained that the domain registry had a requirement to authenticate the identity of domain owners. That requirement led to the creation of mojeID, which has been using FIDO standards since 2019. Talir explained that CZ.NIC uses FIDO to support a multi-factor strong authentication based approach to help authentication user identity.

Using FIDO to Support Delegated Authentication

With the European Union’s Payment Services Directive Strong Customer Authentication (PSD2 SCA), that came into effect in 2021, there are very stringent requirements for merchants to authenticate consumers with payment providers.

In a panel discussion, Jonathan Grossar, VP, product development at Mastercard commented that within a few months of the introduction of PSD2 SCA there has been an increase in the number of transactions that have been abandoned by consumers.

“So a problem with PSD2 SCA is that consumers may have to authenticate twice,” Grossar siad. “First with the merchant to have access to the account or to the card that is stored on file and then a second time doing the transaction with the bank and potentially then with a different authentication mechanism.”

All those extra steps introduce additional friction and complexity for both merchants and consumers that can be alleviated with an approach known as delegated authentication. Grossar explained that with delegated authentication, the entire authentication piece is handled  with a secure mechanism by merchants. Using FIDO standards in combination with EMVco’s 3-D Secure standards to share authentication and risk data is the way forward in Grossar’s view.

“FIDO is interoperable across multiple devices and platforms,” Grossar said. “So in short, you have today billions of devices that are enabled with FIDO, and that potentially can be used for delegated authentication.”

Jason Muncey, principal, EU Payment Acceptance & International Expansion, at Amazon is also optimistic about using FIDO for delegated authentication. Muncey commented that even before the PSD2 SCA requirements cart abandonment was just a pain that all merchants have had to live with. In his view, there is a real need to have some form of consistent approach.

Lee Goddard, product director, head of authentication at Worldpay also noted that – there will always be some amount of abandonment potential in that purchase process. 

“I think the FIDO approach to delegated authentication will really take things a step further in removing evermore abandonment,” she said.

Remote Identity Verification in Europe

With the pandemic, the ability to do in-person identity verification became challenging, which led to a need for increased remote identity verification in Europe and other areas around the world.

In a panel discussion, Santosh Rajvaidya, senior director, product management at Jumio noted that to date, there is no consistent approach when it comes to remote ID verification in Europe. That situation could be changing with the new digital identity wallet approach from the European Commission that could be the first step in the right direction.

“What is happening with digital identity wallet is you do a one time verification of your ID and the identity is created in the digital identity wallet,” Rajvaidya said. “From there on the user can reuse it multiple times across different applications.”

There is now also an ID Verification and Binding Working Group IDWG within FIDO that is doing work that will also help with remote identity verification efforts. Rayissa Armata, Head of Regulatory Affairs at IDnow, commented that when it comes to verification, user experience and convenience are key attributes.

“Most users aren’t concerned with their identity or the data privacy, they’ll tick the boxes and move on, they just want to get their service,” she said.

Wrapping up the virtual Authenticate Summit, Andrew Shikiar, executive director and CMO of the FIDO Alliance emphasized that the FIDO Alliance is in a very good place today, in Europe and around the world.

“We’re seeing more and more companies adopt FIDO authentication,” Shikiar said. “I personally firmly believe that virtually every consumer service online will be offering passwordless login options in the next few years and our hope is that the vast majority of these leverage FIDO.”

Looking forward to the next FIDO Authenticate virtual summits is in September with a focus on government services. Then in October, the FIDO Alliance will be hosting its first live event with the Authenticate Conference in Seattle.

The post Authenticate Virtual Summit: Focus on Europe Recap appeared first on FIDO Alliance.

Identiverse, Denver, CO June 23, 2021 – The FIDO Alliance today announced its first user experience (UX) guidelines and new FIDO2 standards enhancements aimed at accelerating the world’s move beyond passwords. With over 4 billion devices, all major browsers and operating systems now supporting FIDO authentication, today’s releases make it even easier for service providers and enterprises to provide simple, phishing-resistant and privacy-enhancing sign-in experiences.

Today’s announcements come as the widespread support for FIDO Authentication has led to an increased demand from service providers and consumers alike – but they need an implementation path to follow that maximizes adoption and simplifies FIDO deployments. The FIDO UX guidelines provide that path, allowing service providers to help consumers understand, adopt and benefit from logging in with FIDO.

At the same time, the increase in remote work and subsequent increase in phishing attacks on their infrastructure is accelerating enterprises’ digital transformation plans and making strong authentication a priority. The FIDO2 enhancements announced today address enterprises’ unique authentication and device management needs for faster, more efficient FIDO deployments.

“Eliminating the reliance on passwords is now a major objective for everyone offering online services – both to provide a more seamless yet secure access to consumer services, as well as to address the growing threat from sophisticated attacks targeting distributed workforces and systems. Our first UX guidelines and FIDO2 enhancements give consumers and enterprises the tools, protection and roadmap to a simpler, more secure, passwordless future,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance.

UX Guidelines to speed consumer adoption of FIDO authentication 

Virtually every modern device and web browser now supports FIDO Authentication, allowing consumers to leverage the same technology they use to unlock their device (a fingerprint or face scan for example) to now sign-in to web services in a secure and private manner. A growing number of large service providers and financial institutions are providing this built-in functionality in order to give their customers the option to log in without the risk and hassle of passwords. These FIDO UX guidelines were created as a set of best practices to help service providers encourage their customers to log in with FIDO Authentication on desktop environments; other FIDO authentication use cases will be addressed through UX guidelines in the future. 

The UX guidelines are available to view and download at www.fidoalliance.org/UX-guidelines.

The UX Guidelines were developed following many sessions of moderated and unmoderated consumer research conducted by third-party research firm Blink UX, in collaboration with UX and design experts from FIDO Alliance member companies including Bank of America, eBay, Facebook, Google, IBM, Intuit, JP Morgan Chase Bank, Microsoft, Trusona, Visa and Wells Fargo.

For more detail on this work and recommendations visit Andrew’s blog. FIDO Alliance also has updated the consumer resource site loginwithfido.com with added information on how and where to use FIDO Authentication.  

Enhancements to FIDO standards to accelerate passwordless in the enterprise

The FIDO Alliance has announced enhancements to its FIDO2 specifications, which include several new features that will be helpful for passwordless enterprise deployments and other complex security applications. Both FIDO2 specifications were recently updated by their governing bodies – with the World Wide Web Consortium  (W3C) approving WebAuthn Level 2 and FIDO doing the same for CTAP 2.1.

Key to these enhancements is enterprise attestation, which provides enterprise IT with improved management of FIDO authenticators used by employees. Enterprise attestation enables better binding of an authenticator to an account, assists with usage tracking and other management functions including credential and pin management, and biometric enrollment required in the enterprise.

Other updates include support for cross-origin iFrames and Apple attestation, as well as improvements to resident credentials. More details on these and other FIDO specification enhancements are available here. 

Join the Optimizing User Experience for FIDO Authentication Panel Live today at 1:30pm MT

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. By harnessing the collective expertise of hundreds of leading technology, consumer services and government organizations, the FIDO Alliance is enabling simpler and stronger online experiences and more secure online identities and devices. The FIDO Alliance creates and publishes specifications, executes rigorous certification programs and educates consumers in order to build confidence and trust in FIDO Certified products and services.

Contacts

Morgan Mason
FIDOteam@aircoverpr.com

The post Major FIDO Updates Launched to Accelerate Global Charge Past Passwords appeared first on FIDO Alliance.

Today we are announcing enhancements to two of the core FIDO protocols, the Client To Authenticator Protocol (CTAP) v2.1 and WebAuthn Level 2 – which collectively comprise FIDO2. Both are significant advances in extending FIDO’s capabilities specifically for enterprise users and supporting more complex application use cases. These enhancements come at an appropriate time, given the increased demand and rate of adoption for FIDO methods as the pandemic and remote work continues throughout the world.

The FIDO2 WebAuthn protocol is a set of application programming interfaces (APIs) that describe how to enable authentications inside browser sessions. Level 2 is the latest version of the standard, which is maintained by the W3C organization and was released in April. This standard makes it easier to write web applications that use FIDO Authentication, which is now supported across the five major endpoint operating systems (Windows, MacOS, Linux, Android, ChromeOS, and iOS).  

There are six major improvements that we are announcing today:

Enterprise attestation

Today’s announcements increase support for enterprise management of devices and users. The CTAP and WebAuthn protocols have added features that make it easier for enterprises to add specific user identity data during the registration process, so corporate administrators can more easily track key distribution and usage. Because these features can reveal some private user information – information that they would have divulged anyway to their employer – this feature is not available directly to consumers’ authenticators. Instead, authenticators must be pre-programmed (before credential registration) with these enterprise attestations by the enterprises themselves. 

Cross-origin iFrame support

This feature allows web-based ecommerce transactions to be completed within pop-up windows on a browser, something that was forbidden in earlier FIDO versions as a way to protect potential man-in-the-middle and man-in-the-browser attack scenarios. The new standards make a very safe, secure and encrypted way to accomplish these transactions, without revealing data pulled from multiple domains such as the originating vendor, the user’s bank account, a credit card issuer, and so forth. It also helps in situations when users are connecting via bandwidth-limited circumstances (such as via Bluetooth or poor Wifi signals) to keep the authentication workflow moving without a lot of back-and-forth network traffic and latency delays. 

Support for Apple Attestations

FIDO Alliance has been pleased to have Apple as a contributing member for the past 18 months. This feature adds support for Apple’s method of doing attestation on their devices using the WebAuthn protocols.

Better biometric management

The CTAP v2.1 additions include better biometric enrollment and management features, so that users can register multiple fingerprints and other bio-markers. Additionally, enterprises can set minimum PIN lengths. As more mobile devices include facial and fingerprint recognition, this keeps FIDO current with the latest authentication technologies.

Large blob support

An alternative to running a centralized authentication service, this feature includes a way to store things like certificates that may be necessary for other authentication scenarios, such as using encrypted SSH connections. 

Resident credential improvements 

Now called discoverable credentials, this enables passwordless workflows to re-authenticate a user. The authentication dialog automatically finds and applies an existing credential and asks for user confirmation, thus making FIDO easier to use.

Always Require User Verification

This feature allows a user to protect the credentials on their authenticator with some form of user verification independent of the Relying Party. Platform authenticators and other authenticators with the feature enabled will always perform user verification. Some certification programs such as US FIPS 140-3 prohibit the authenticator performing signing operations without authentication.

The post FIDO2 Enhancements for Enterprise & Complex Security Applications appeared first on FIDO Alliance.

Mountain View, CA  June 10, 2021 – The FIDO Alliance today announced the first global FIDO Developer Challenge. Building on the success of the FIDO Hackathon in Korea over the last few years, FIDO is globally expanding the program and encouraging developer teams to create and present compelling and innovative applications leveraging FIDO standards and technologies. 

“User authentication historically has been an afterthought for web developers – largely because more advanced capabilities were too difficult and couldn’t be utilized by most developers,” said Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance. “FIDO changes all of that – with the WebAuthn API providing an open mechanism that includes advanced cryptographic protection that doesn’t require a security expert. And with billions of devices now supporting this functionality, now is the time for developers to get acquainted with FIDO Authentication,” Shikiar said. “Teams will be able to use public web frameworks and/or SDKs from FIDO’s members and sponsors of the Developer Challenge. The Alliance is looking forward to seeing the creative and technical capabilities of the broader web developer community,” he said.

The FIDO Developer Challenge takes place within a virtual format and focuses on implementation of the FIDO2 WebAuthn API. The Challenge is open to students, individual developers, and pre-seed-stage companies. Projects should apply FIDO authentication protocols to address modern technical or social challenges within various fields such as Fintech, eCommerce, IoT, retail, blockchain, gaming and education. 

The winning team will be invited to the Authenticate conference (Oct. 18-20 in Seattle) with all expenses paid by FIDO Alliance. In addition to exposure at Authenticate, the top three teams of the Challenge will receive prizes from FIDO membership, public recognition, and the unique opportunity to share their business vision with panels of early-stage investors.

The deadline to register is July 2, 2021. Registration to participate can be found here: https://docs.google.com/forms/d/1J2YqpAGQAsMjF4iIlB0L27u9ii8J2HU7vOJWwOGMUZU/viewform?edit_requested=true 

Sponsors include: AuthO, Google, Hanko.io, LINE, LoginID, Octatco, Samsung, StrongKey, TrustKey and Yubico.

Additional resources for the event can be found on the Developer Challenge homepage: https://fidoalliance.org/fido-developer-challenge/

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. By harnessing the collective expertise of hundreds of leading technology, consumer services and government organizations, the FIDO Alliance is changing the nature of security and identity in order to enable simpler and stronger online experiences. The FIDO Alliance creates and publishes specifications, executes rigorous certification programs and drives market education programs in order to build confidence and trust in FIDO Certified products and services.

The post FIDO Alliance Announces the FIDO Developer Challenge appeared first on FIDO Alliance.

By Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Welcome to the Challenge

The FIDO Alliance is pleased to announce our first global FIDO Developer Challenge, where participating developer teams will create and demonstrate compelling and innovative applications leveraging FIDO standards and technologies. Prior challenges based in Korea over the past two years proved to be very successful and  we are now pleased to expand this program globally.

FIDO has come a long way since the Alliance’s inception in 2012, going from a whiteboard concept to a core technology supported by billions of consumer devices worldwide.  With over 85% of browsers now supporting FIDO Authentication, now is the time for web developers to ditch password-based logins in favor of FIDO’s approach, which provides a superior user experience and prevents phishing and other computer hacks. We are looking forward to seeing the selection  of implementations the developer community comes up with this year, leveraging the public FIDO2 WebAuthn API to bring FIDO Authentications to websites and services.  

Projects we are looking for 

We are looking for projects that address a technical or social challenge in today’s world. There is no limit on the development ideas, but we expect implementation of FIDO Authentication to take place in various fields such as Fintech, eCommerce, IoT, retail, blockchain, gaming and education. Samples from the previous regional challenge include projects like FIDO-based IoT storage services for low-income families, FIDO-based drone platforms, FIDO-based smart home security systems, FIDO- and DID-based smart health insurance card services and a FIDO-based passwordless WiFi router control system. We are happy to expand this year’s program globally to attract even more innovative ideas to solve technical and social challenges.

The process

The FIDO Developer Challenge takes place in a virtual format and focuses on implementation of the FIDO2 WebAuthn API. The Challenge is open to students, individual developers, and pre-seed stage venture companies only.

Our website contains all the details on how to participate in the FIDO Developer Challenge. Here are a few milestones we are looking forward to:  

• We will be accepting applications until July 9. Upon receiving applications from all over the world, we will do the initial screenings and announce the top 20 teams within two weeks of the application submission deadline.  
• Then, we will invite 20 teams to implement the FIDO2 WebAuthn API in their inventions, online services or products.
• The teams that successfully implement FIDO2 will be invited to the final evaluation step, where they will give an online presentation and demo. They will also  participate in a Q&A with our judges.
• The judges will select the top three teams, all of which will be featured in a session at our Authenticate conference (Oct 18-20 in Seattle, WA; USA), with the winner being offered the opportunity to attend with all their expenses paid by the FIDO Alliance.  

Prizes and opportunities

In addition to exposure at Authenticate, the top three teams will receive prizes from FIDO members, awarded public recognition, and the unique opportunity to share their business vision with panels of early-stage investors. More details can be found on the Challenge website. 

We encourage you to think outside the box, considering new experiences and benefits that FIDO can bring to users and developers alike. Best of luck to you all. We cannot wait to see your submissions!

For more information visit https://fidoalliance.org/fido-developer-challenge/

The post Announcing the FIDO Developer Challenge for Developers Across the Globe appeared first on FIDO Alliance.

MOUNTAIN VIEW, CA, June 8, 2021 — The FIDO Alliance has announced its agenda and speaker lineup for it’s 2021 Virtual Authenticate Summit: “Focus on Europe,” taking place June 17 from 2:00pm – 5:30pm Central European Summer Time. Authenticate Virtual Summits are a quarterly series of virtual seminars that will delve into specific topics related to the FIDO approach to modern user authentication.

More details and free registration are available on the Authenticate Virtual Summit registration page.

Featured keynotes will be presented by Steve Pannifer, COO of Consult Hyperion; and Fabian Eberle, Co-Founder and COO of Keyless; Rolf Lindemann, Vice President, Products of Nok Nok. The half day Summit includes sessions in which representatives from Amazon, CZ.NIC, IDnow, Jumio, Mastercard, Thales, Venable LLP, WorldPay and Yubico will discuss the state of authentication in Europe in light of regulations like PSD2 SCA, eIDAS and GDPR, open banking and the COVID-19 pandemic.

In Europe, financial services organizations, merchants, telecommunications companies, enterprises and the broader ecosystem are working to balance regulatory demands and rapidly evolving user expectations – all amidst a global pandemic and digital transformation efforts. Implementing strong authentication has become a challenge for these organizations striving to protect valuable usr and transaction data without introducing friction in the process. 

It is more critical than ever for leaders in this sector to find balance between compliance, security and user experience. This Authenticate Virtual Summit tackles these issues with a half day agenda that includes:

• Keynotes from Consult Hyperion, FIDO Alliance, Keyless and Nok Nok
• Roundtable discussion on FIDO & Delegated Authentication, featuring expert perspectives from Amazon, Mastercard, Thales and WorldPay
• Panel discussion on The State of Technology and Regulation for Remote Identity Verification in Europe, featuring expert perspectives from IDnow, Jumio and Venable LLP
• Details BBVA’s FIDO implementation 
• Details on eIDAS, FIDO Deployments and Recognition in the EU discussed by CZ.NIC and Yubico 
• Considerations and best practices for optimizing the strong authentication user experience

“Building off of the success of our first Authenticate Virtual Summit this past March, we are excited to continue the Authenticate Virtual Summit Series with a focus on Europe. In light of recent regulations and the COVID-19 pandemic, the discussion of authentication in Europe is a natural area of focus for our upcoming Summit,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We are honored to have such an esteemed roster of thought leaders committed to imparting their collective insight, especially as we work together to balance regulatory demands and rapidly evolving user expectations.”

Keyless and Nok Nok are signature sponsors for this Authenticate Virtual Summit. For more information about additional summits: https://authenticatecon.com.

About the FIDO AllianceThe FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

The post FIDO Alliance Announces Speakers for Second 2021 Authenticate Virtual Summit: “Focus on Europe” appeared first on FIDO Alliance.

Federal agencies should choose FIDO as they seek to comply with the new Executive Order that requires the implementation of multi-factor authentication within the next 180 days.

By: Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance

In the face of recent attacks that have exposed areas of weakness in critical U.S. infrastructure assets, President Biden signed a new Executive Order Wednesday to help bolster the nation’s cybersecurity.

There have been a number of high profile attacks against critical American infrastructure in recent months, including the Solarwinds supply chain attack that exposed much of the government to potential risk. Top of mind in recent days is the ransomware attack against Colonial Pipeline, which significantly impacted the flow of refined oil across America. These attacks expose the vulnerability of critical infrastructure in the United States, and the Biden Administration is issuing federal directives that will minimize or eliminate risk.

A key part of the Executive Order is a requirement that agencies adopt multi-factor authentication (MFA) and encryption for data at rest and in transit to the maximum extent possible. Federal Civilian Branch Agencies will have 180 days to comply with the Executive Order and will need to report on progress every 60 days until adoption is complete. If for some reason agencies cannot fully adopt MFA and encryption within 180 days, they must report to Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA with a rationale for not meeting the deadline.

At the FIDO Alliance, we welcome today’s directive from the Biden Administration and applaud its focus on the importance of multi-factor authentication. What’s notable about this Executive Order is that the White House is prioritizing MFA everywhere, rather than limiting MFA to the PIV/PKI platform that agencies have depended on for more than 15 years. Today’s Executive Order marks an important step forward, in that it makes clear the priority is protecting every account with MFA — without mandating any specific technology. This is a notable shift, because we know that the weakest forms of MFA can still stop some attacks where passwords are the attack vector. We also know that FIDO Authentication is the only standards-based alternative to PIV for those applications that need protection against phishing attacks. This Executive Order opens the door for agencies to deploy FIDO Authentication — something we’ve heard they’ve wanted to do but have held back as use of any non-PIV authentication has not been permitted.  

This isn’t the first time the U.S Government has advocated for the use of MFA and strong encryption. In an advisory issued by CISA in September 2020 on election security, the government agency noted that the majority of cyber-espionage incidents are enabled by phishing, and FIDO security keys are the only form of MFA that offer protection from phishing attacks 100% of the time.

In fact, the U.S. Government hasn’t just been advocating for the use of strong authentication with FIDO, it has actually already been implementing it since at least 2018 on the login.gov portal. With login.gov the U.S. Government is already offering a secure approach to help citizens and agencies to securely access Federal resources. In June 2019, the FIDO Alliance hosted a webinar detailing the deployment case study for login.gov, which is now even more timely with the need for agencies to adopt strong authentication in the next 180 days.

Since its inception, the FIDO Alliance has been bringing industry partners together, including every major operating system vendor as well as technology and consumer service providers across all industry verticals including financial services, ecommerce and government. All those diverse groups have been working together in common purpose to standardize strong authentication. Billions of devices around the world today can support FIDO Authentication and are ready to play their part in ensuring a strong authentication future. The fact that most major cloud providers, device manufacturers and browser vendors all ship with support for FIDO means that agencies can easily leverage MFA that is built in, rather than other products that need to be “bolted on.”  

If there is one thing that the recent spate of attacks has served to once again remind us, it’s that the private sector and public sector need strong security measures to protect critical infrastructure — and the FIDO Alliance believes this begins with authentication.

We urge government agencies to adopt only the strongest forms of MFA when complying with this directive. The FIDO Alliance and its members stand ready to serve and help agencies with the education, resources and tools to implement strong authentication to help reduce risk and improve the cybersecurity posture of the U.S. Government.

The post FIDO Alliance Supports Biden Administration EO on Cybersecurity appeared first on FIDO Alliance.

What’s the role of FIDO authentication in financial services and what can be done to help consumers and issuers be more secure? Those topics were at the foundation of the Authenticate Virtual Summit: Modern Authentication for Financial Services, hosted by the FIDO Alliance on March 25.

The financial services focused event included speakers from eBay, Financial Data Exchange, Gemini, Google, Javelin Strategy and Research, Mastercard, JP Morgan Chase, StrongKey, Trusona and Visa, with topics spanning from the future of authentication to best practices on how to optimize the authentication experience for users.

In his opening keynote, Andrew Shikiar, executive director and CMO of the FIDO Alliance noted that over the course of the pandemic there has been an increase in cyberattacks against financial services institutions, which has only heightened the need for stronger authentication methods.

“At the end of the day, the vast majority of statistics and the vast majority of these problems come down to fundamental truth, which is that we’re trying to run a hyper connected economy, a networked society, on a authentication model that simply is not fit for purpose and that of course is our dependence on passwords,” Shikiar said.

Shikiar detailed how the FIDO Alliance is working to help move the world away from passwords and help users benefit from stronger forms of authentication. In particular, FIDO is playing a key role in the financial services market across a number of categories. FIDO specifications are being used today by financial services firms to help protect online accounts against account takeovers and phishing attacks. A key goal is to also make it easier for organizations to use strong authentication. Shikiar emphasized that the FIDO Alliance’s tagline is: simpler, stronger authentication.

“If there’s one thing the industry has seen is that the more complex the approach is for MFA [Multi-Factor Authentication] , the less likely someone is to stick with it,” Shikiar said. “So for people to keep using strong authentication, it needs to be easy and single gesture, which is the core of FIDO’s approach.” 

Improving Authentication with FIDO at Visa

Visa is one of the world’s largest credit card brands and financial services firms on the planet and it sees FIDO as being a strong tool for helping to improve security and reduce fraud. 

In a keynote presentation, David Henstock, Head of Identity and Authentication Products at Visa, observed that FIDO specifications have a significant role to play in helping to drive better outcomes within the payments industry. Henstock noted that what has increasingly occurred in recent years is that fraudsters are targeting the authentication layer.

“The question that always comes up is what can Visa do to help fight account takeover fraud?” Henstock stated. “The culprit more often than not is knowledge based authentication, or simply put  – passwords.”

Henstock noted that FIDO is an easy way to upgrade from usernames and passwords to a more secure standard upgrading the authentication experience that sellers have. He added that overall FIDO helps to provide a better, more easy to use customer experience for authentication. 

FIDO is also important to help with regulatory compliance. In Europe, the PSD2 [Payment Services Directive version 2] is a key driver for strong authentication adoption as it mandates the use of Strong Customer Authentication (SCA).

“If you’re doing digital commerce in Europe, you must abide by the SCA regulations,” Henstock said.

In a bid to help organizations with FIDO deployment, Arshad Noor, CTO at StrongKey used his Authenticate session to detail new capabilities in the StrongKey FIDO server that can help organizations meet the challenges of global requirements.

“We see a lot of confusion in the WebAuthn and FIDO ecosystem where people are confused between security capability, and the user experience that consumers go through when interacting with FIDO,” Noor said. “We believe that FIDO should first be viewed as a security technology, and second as a convenience technology.”

Consumer Confidence in Passwords is Declining

The need to move away from passwords isn’t just about regulation, it’s also about consumer confidence in the security of password based authentication.

In a session, Javelin Strategy & Research analysts Rachel Huber and John Buzzard outlined the state of the market in terms of fraud and online security.

“We have discovered trend wise that consumer confidence with passwords is down substantially and I want to say -finally,” Buzzard stated. 

Buzzard noted that consumers have begun to realize that stronger authentication methods including biometrics are effective ways to validate identity. He added that consumers are now indicating that they are ready to move away from passwords.

“Whether the password disappears, maybe it becomes sort of like the Mayor McCheese of the city in the sense that it’s there but it doesn’t mean anything if that’s what it requires,” Buzzard said. “That’s still okay because we’re ready to move forward with stronger forms of authentication.”

Payments and the Future of Authentication 

FIDO standards are at the core of security efforts at eBay, which helps the online marketplace meet the needs of its diverse user base. In a panel on Payments and the Future of Authentication Ashish Jain, Product Management Executive, Identity, Mobility & Analytics, eBay explained that a key challenge for his platform is having the right experience that can fit the needs and requirements of a broad customer base.

“When we started investigating FIDO and saw that it was supported by Google, Microsoft, and Apple, it gave us the confidence that it can meet the needs for a variety of our customers and hence, we continue to investigate and invest in the protocol,” Jain said.

For Christiaan Brand, Product Manager for Identity & Security at Google, FIDO adoption started out as a way to help curb phishing risks and has evolved to become a way to help improve multiple aspects of security for both Google and its users.

“FIDO is one of those few security inventions, which aims to both address security and improve on that axis, while at the same time also improving on the usability front,” Brand said. “The FIDO components that have been built into the platforms nowadays do give our users, better and more secure experiences.”

For Ranjita Iyer, SVP, Identity Solutions at Mastercard, FIDO specifications are being combined with other standards including the EMV 3D Secure effort to enable a seamless authentication and payment experience that can lead to better approval rates for digital transactions and lower fraud. 

Integrating FIDO with other standards is also something that the Financial Data Exchange (FDX) is implementing with its stack. Don Cardinal, Managing Director, Financial Data Exchange explained in a session that his organization is dedicated to unifying the financial service industry around an interoperable royalty free standard for secure permission to access data.

“The whole idea is to stop sharing user IDs and passwords and stop using them in the entire session,” Cardinal said. “Ideally, if you have OIDC [OpenID Connect] and FIDO throughout FDX you can enroll, use and consume the whole setup and never use a credential, which I think is really powerful in today’s day and age.”

Optimizing UX for Strong Authentication 

While the technical details of FIDO specifications are critical to enabling strong authentication, optimizing the user experience is critical to adoption. 

In the final panel of the day, Megan Shamas, Director of Marketing, FIDO Alliance noted that there is an effort that is currently underway to to test and improve the FIDO user experience. Guidance from that testing effort is set to be publicly available in late 2021.

Kerry Hebert, Design Director (CX/UI) at Visa emphasized that it’s likely that FIDO implementation hinges on user adoption and adoption is only going to happen if the user registers. She noted that for  users to take the step of registering, they need to believe that there’s value in what it provides and in some way makes the consumer’s life a little bit better.

Kevin Goldman, Chief Experience Officer, Trusona strongly suggests that financial services firms not think about user experience as something that is bolted on to the end of the process. Rather he suggests that it’s an integrated part of the entire process of supporting and enabling FIDO standards.

Judy Clare, Vice President, Product Manager, Digital Identity and Authentication at JPMorgan Chase & Co, suggested during the panel that from an experience perspective, FIDO engagement needs to be easily digestible for consumers. 

“You really have to have that value proposition out there  – what’s in it for me, and why should I be clicking through this and take an extra 30 seconds to sign up for it and then go on my way, because I am here to do something and this wasn’t it,” Clare stated. “So it’s really important to keep the user in mind.”

Next Up: More Authenticate Summits and Authenticate 2021 Conference

There’s much more content to come from the FIDO Alliance in 2021.

Looking forward there is another virtual event coming in June which will focus on strong authentication in Europe. Plans are also coming together for a physical Authenticate conference set for October in Seattle.

“In general, what we see is a lot of best practice sharing, everyone is in this together, and is motivated to help protect the networked economy and FIDO authentication presents a great way of doing so,” Shikiar said. “So we encourage you to certainly take part.”

The post FIDO Authenticate Summit Wrap Up: Modern Authentication for Financial Services appeared first on FIDO Alliance.

The second and final day of the Identity, Authentication and the Road Ahead: Virtual Policy Forum event on Feb. 5 brought together government officials, tech experts and policy advocates in a packed agenda.

The two-day event was hosted by the FIDO Alliance together with the Better Identity Coalition and the ID Theft Resource Center (ITRC) and had over 1,000 registered attendees. The first day of the event saw sessions that outlined the clear and present need for the government and industry to make identity and strong authentication systems more pervasive, to help protect and serve individuals and businesses alike. The second day in contrast had a strong focus on the need for strong authentication and was highlighted by an expert panel that explained how FIDO authentication was able to help secure the 2020 U.S. election.

The day’s event kicked off with a keynote from Congressman John Katko (R-NY) who emphasized the critical need for secure digital identity.

“Our homeland security, national security, economic security and way of life are threatened in unprecedented ways by highly sophisticated adversaries and simply being vigilant is no longer enough,” Katko (pictured) said. “Today’s threat environment demands a posture of unwavering resilience. This is particularly true for ensuring the sanctity and resilience of our digital identities.”

How FIDO Helped to Secure the 2020 Election

The resilience of digital identity and strong authentication was called into question during the 2016 election cycle when hackers were able to infiltrate the email accounts of Democratic party staffers, notably the attack of Clinton campaign chair John Podesta’s gmail account.

The same type of event didn’t re-occur during the 2020 election cycle, in part thanks to FIDO standards and a concerted effort to make sure that both Democratic and Republican party officials had access to strong authentication. In a panel during the event, Michael Kaiser, President and CEO of Defending Digital Campaigns (pictured) explained that his organization was created to help solve the challenge of political campaigns not having the right cybersecurity resources to defend themselves. As companies cannot directly donate to campaigns, Defending Digital Campaigns was formed to act as an intermediary, that enables political campaigns to get cybersecurity services including FIDO based strong authentication resources, for free or low cost.

Kaiser explained that political campaigns are not like a typical organization in that they are short lived and don’t have long term thinking about a security maturity model. Despite that, political campaigns need to be protected as they sit on incredibly valuable and important information.

“I think we gave away more than 10,000 security keys in the political sector in the 2020 cycle,” Kaiser said. “That’s a lot of people and a lot of accounts as we gave away more than $1 million worth of products to 183 campaigns.”

Bob Lord (pictured), chief security officer of the Democratic National Committee (DNC) noted that after the events of the 2016 election, security was clearly under the microscope.

“Security is a real challenge and everybody really understands the importance of it, but the dollar figures really can get in the way,” Lord said. “Making sure that there was a reliable source for things like security keys was really instrumental in moving forward.”

Within the DNC and across campaigns, Lord and his team strictly implemented the use of FIDO based security keys to provide strong authentication capabilities and limit the risk of potential phishing attacks. 

“Today 100% of the people at the DNC who need to get access to their email and  access to their documents, they’re all using security keys – no exceptions, no executive privilege to opt out of this,” Lord said.

The DNC also benefited from Google’s Advanced Protection Program (APP) which provides additional levels of protection and assurance beyond what a basic gmail account enables. 

“We’re big supporters and real big believers in the combination of FIDO security keys and the APP,” Lord said.

Why DNC Believes in FIDO

Lord noted that there are a number of reasons why he is a big supporter of FIDO standards. For one is the fact that FIDO standards are built into the Google Chrome browser. Lord explained that the DNC was pushing the use of Chromebooks to campaigns and the integrated FIDO capabilities made it easier to deploy strong authentication.

While there are multiple types of two-factor authentication available in the market, for Lord there are really only two categories.

“I think there are really two kinds of multi-factor that are available in the consumer space – I think there are FIDO security keys and then there’s everything else,” Lord stated emphatically. “When I refer to everything else, I refer to those other multi-factors systems as legacy and I do that because I want people to get the mental model that this is something to be contained, minimized and eventually moved out.”

Lord observed that other multi-factor approaches, while better than not using multi-factor at all, have shown weaknesses, which is why in his view as an industry it’s important to really be pushing people pretty aggressively to move down the path of FIDO strong authentication adoption.

While Lord is an advocate for adopting FIDO based strong authentication with security keys, he also noted that there were some usability challenges his team had to work through as well training that was needed to educate and onboard users. The learning from the DNC’s efforts are all now being publicly shared by Lord’s team at https://democrats.org/security/.

“It’s a non-partisan thing so there’s nothing red or blue about these best practices, but you’ll see in there that we really push pretty hard on security keys and the APP in particular,” he said.

Mark Risher, Senior Director of Security and Identity at Google (pictured) emphasized during the panel that in general adding a second factor does still objectively decrease the chances of a user becoming the victim of a phishing attack. That said, he noted that for an attacker, phishing a password, or just phishing a password plus a One Time Password (OTP) PIN code basically just  requires basically one more line of code for an attacker.

“It does not require the funding of the nation state,” Rischer said about the ability to bypass OTP for phishing attacks. “So we need to get the world to understand the distinction, and to move into and start requiring these much more stringent hardware based strong authentication technologies and standards.”

How FIDO is Moving Forward to Enable Digital Transformation

The afternoon keynote at the event was delivered by Andrew Shikiar (pictured) the Executive Director of the FIDO Alliance. Shikiar noted that passwordless authentication is an important cornerstone for digital transformation.

“The security and authentication aspects of digital transformation came to the fore as everything was accelerated due to the pandemic,” Shikiar said.

Shikiar noted that social engineering had kind of a renaissance in 2020 as phishing continued to be successful.

“Simply put, the only way to break this cycle is to eliminate our dependence on server side credentials and password,” Shikiar said. “Anything on a server can and will eventually be stolen so they’re easy to phish, harvest and replay.”

The need to create stronger authentication is why FIDO was born. Shikiar explained that the FIDO Alliance’s mission is to create open standards for simpler, stronger authentication with public key cryptography and asymmetric public key cryptography, which is something that the average consumer should never have to pronounce, let alone know what it means.

Shikiar also outlined some of the FIDO Alliance’s highlights from 2020 including Apple joining the group. He added that Apple joining served as a powerful signal to the industry that really everyone is coalescing around the FIDO Alliance as the organization to collaborate on the standards based user friendly and strong authentication. Another key highlight from 2020 for FIDO was the level of support across operating system and browser combinations with different transport mechanisms for the authenticator. 

“Over 4 billion devices can support FIDO authentication,” Shikiar said. “So in short, you know, we think FIDO is becoming part of the DNA of the web itself, which is a pretty audacious thing.”

“To summarize, FIDO is very much the present and the future of user authentication.”

The Solarwind #Solorigate Attack as an Identity Authentication Issue

A key topic that resonated throughout the second day of the policy forum was the impact of the recent Solarwinds attack which is also commonly referred to as Solorigate.

During a panel about what policies the Biden Administration should consider with regards to Identity, John Miller Senior Vice President of Policy and Senior Counsel at ITI, commented that the Solarwinds attack has been accurately described as a software supply chain attack but it really is also fairly characterized as an identity attack.

“Characterizing Solarwinds as an identity attack presents an opportunity to remind policy makers of how fundamental identity is to not only what we’re doing online as consumers but to, but an enterprise environment,” Miller said.

In the final keynote of the event, Alex Weinert (pictured) Partner Director of Identity Security, at Microsoft, outlined the gory authentication and identity details behind the Solorigate incident and why zero trust principles would help to mitigate many risks.

Weinert noted that the Solorigate attack was a fundamental attack on trust. He also emphasized the clear role that authentication played in the attacks and the need to move to strong authentication.

“What are we doing to encourage explicitly verifiable credentials, we all know passwords are crap, we know they’re incredibly vulnerable,” Weinert said. “Are we doing enough as an industry to push for the end of passwords?”

Today’s sessions (February 5) have been recorded and will be available soon.

The post Identity, Authentication and the Road Ahead: Virtual Policy Forum Day 2 appeared first on FIDO Alliance.

The intersection of identity and authentication and how it can help to improve business as well as people’s lives was a core topic of conversation on the first day of the Identity, Authentication and the Road Ahead: Virtual Policy Forum event on Feb. 4.

The FIDO Alliance joined together with Better Identity Coalition and the ID Theft Resource Center (ITRC)  to host the two day event running on Feb. 4-5, which has over 1,000 registered attendees who are gathering to learn more and discuss the current and future state of identity and authentication. The first day of the event had a strong focus on things the U.S. can and is doing to help improve the state identity, while recognizing the many challenges on the road ahead.

Identity is a National Security Issue

In the opening keynote, Michael Mosier (pictured), Deputy Director & Digital Innovation Officer at the U.S. Treasury departments Financial Crimes Enforcement Network (FinCEN), outlined what’s at stake when it comes to digital identity.

“I view identity as a national security issue, and it will take the intellectual power and creativity of all of us to figure out how to secure identities and keep people from harm,”  Mosier said.

Mosier emphasized that digital identity solutions are a key factor to help prevent fraud and financial crime. He added that in order to get payments right, there is a clear need to first get identities done right. The right way in his view, is an approach that preserves privacy while ensuring integrity in the system.

“The ability to detect and address risks is only as good as the ability to determine with whom you’re engaging,” Mosier said. “So the real question for identity related risk is, do you have the information necessary to reliably assess the risk of your counterpart or your customer.”

A key challenge FinCen is seeing is at the account opening stage, with identity proofing and verification. A July 2020 advisory from FinCen highlighted the issue reporting that criminals are undermining identity verification processes, through identity theft and synthetic identity fraud.

“We’re seeing a lot of identity authentication compromise, leading to account takeovers, as  a lack of multifactor and multi step authentication is too prevalent across the financial sector,” Mosier said. 

The costs of those takeovers is far from trivial. FinCEN is seeing around 5,000 account takeover reports each month, reaching approximately $400 million per month over the last two months.

“The bottom line is that many account takeovers and fraud are occurring because of failures to enforce stronger levels of assurance and identity verification in authentication processes,” Mosier said.

Phishing is Top Source of Identity Theft and Cybercrime

The Identity Theft Resource Center (ITRC) is seeing the same trends as FinCEN with phishing and credential theft being the leading source of identity theft, according to the groups recent release 2020 Data Breach Report. In a keynote session, Eva Velasquez, President and CEO and James Lee, Chief Operating Officer (pictured) of the  ITRC outlined the high level findings of the report and its impact.

“Credentials are the coin of the realm today, as opposed to what we have traditionally thought of as being the kind of information that threat actors wanted to collect.” Lee said.

While other failures and vulnerabilities including unpatched software can and do lead to data breaches, Lee emphasized that the majority of the root causes of cyberattacks rely primarily on user logins and passwords

How the Pandemic has Accelerated the Need for Strong Authentication

With tens of millions of Americans looking to the U.S. government for help during the pandemic, there has been a clear need for strong authentication and identity technology.

During a panel, Sanjay Gupta, chief technology officer for the US Small Business Administration (SBA) noted that the SBA has been able to ramp up during the pandemic thanks in part to the deployment of a strong authentication based single sign on technology that makes use of FIDO Alliance standards. The SBA uses the login.gov platform from the U.S Government’s General Service Administration (GSA).

In a keynote session, Congressman Bill Foster (D-IL) (pictured) stated that the COVID crisis has laid bare many of the inadequacies of the identity system in the U.S.

Just to pick one example, Foster noted that over a million stimulus checks were sent to dead people and for millions of others, the stimulus checks were delayed because of challenges in verifying who is eligible based on where they live. While there are challenges, Foster noted that there has also been a lot of relevant technological progress, independent of government action. 

“The use of a secure enclave on a modern cell phone as a FIDO second factor device is a huge step forward,” Foster said.  “The increasing use of privacy preserving biometric sensors on smartphones as a means of providing digital online authentication for human identity is going to be transformative.”

In a panel following the keynote on where the government can help with identity and authentication, Paul Rosenzweig, Resident Senior Fellow, Cybersecurity and Emerging Threat at the R Street Institute commented that good identity is clearly one of those common public goods that economic theory teaches us, is best provided at a governmental level. That’s an idea that panelist Phil Lam (pictured), Executive Director of Identity for the U.S. General Services Administration (GSA) agreed with.

“I think that we as a government are providing a lot of benefits to Americans today and in order to facilitate providing that benefit, we kind of need to know who you are and  are you eligible for a benefit,” Lam said. 

Lam re-iterated that the FIDO-enabled login.gov portal is a critical part of the U.S. government’s authentication strategy and now serves over 25 million users.

The final panel of the day tackled the socially important topic of equity and inclusion when it comes to identity and the individual. Among the panelists was Reverend Ben Roberts (pictured) who runs the ID Ministry, which is an effort to help the underprivileged get their identity so they can qualify for government assistance or even just to get a bank account.

Roberts detailed a number of heart-breaking cases of individuals that have had extreme challenges in getting some form of verified identity. He had a strong message for government policy makers and technology developers alike for how to enable strong authentication and identity systems.

“As we’re bringing things online and as new policies and new systems come into play, really do your level best to ensure that people are not getting left behind,” Roberts said.

Today’s sessions (February 4) have been recorded and can be found here. There’s still time to register for tomorrow’s sessions (February 5). Register here.

The post Identity, Authentication and the Road Ahead: Virtual Policy Forum Day 1 appeared first on FIDO Alliance.

On February 4-5, 2021, the Better Identity Coalition, FIDO Alliance, and Identity Theft Resource Center will be hosting an online event, “Identity, Authentication and the Road Ahead”. 

The event will bring together leaders from government, industry and the nonprofit sector to tackle how the government plans to modernize identity and authentication, how COVID-19 has affected the identity landscape, ways the government can help address pain points in our identity infrastructure, standards updates and more. Our keynote speakers include Congressman Bill Foster [D-IL], Financial Crimes Enforcement Network (FinCEN) Deputy Director and Digital Innovation Officer Michael Mosier, Congressman John Katko [R-NY] and Partner Director of Identity Security for Microsoft Alex Weinert. 

“The COVID-19 pandemic has laid bare our challenges in digital identity and authentication – not just from a security perspective, but also a human one,” said Jeremy Grant, Coordinator of the Better Identity Coalition. “We’re thrilled to partner with the FIDO Alliance and the Identity Theft Resource Center on this two-day event to highlight different facets of the challenges in identity and authentication – and discuss ways the government and industry can partner together to spur new solutions that can help all Americans.”

“The FIDO Alliance is pleased to be working with the Better Identity Coalition and the ID Theft Resource Center to advance awareness of and inspire action for  simpler and stronger authentication and improved identity verification processes,” said Andrew Shikiar, Executive Director & CMO of the FIDO Alliance. “Jarring events of late, such as the global COVID pandemic and threats to the U.S. election, have accelerated the urgency to move forward with digital transformation plans and enable secure and phish-proof access to remote systems and applications. We’re looking forward to sessions that will uncover the critical role that FIDO Authentication has played this past year and will play in the future of identity and authentication.”

“The Identity Theft Resource Center is honored to co-host the 2021 Policy Forum with the Better Identity Coalition and FIDO to bring awareness to digital security, privacy and convenience for everyone,” said Eva Velasquez, president and CEO of the Identity Theft Resource Center. “It is critically important we take a look at identity crimes and their impacts on individuals, businesses and policies, particularly when it comes to equity and inclusion. We hope that the two-day event highlights how government and decision-makers can address the pain points in our identity infrastructure and leads to discussions on how to improve identity use and protection in America.”

Our hashtag for the event is #IDPolicyForum.  You can find the full schedule here and RSVP here. This event is on the record and open to the public. 

About the Better Identity Coalition 

Launched in 2018, the Better Identity Coalition is an organization focused on bringing together leading firms from different sectors to develop a set of consensus, cross-sector policy recommendations that promote the adoption of better solutions for identity verification and authentication. The Coalition’s founding members include recognized leaders from diverse sectors of the economy, including financial services, health care, technology, FinTech, payments, and security. More on the Coalition is available at https://www.betteridentity.org/. 

About the Identity Theft Resource Center  

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org, toll-free phone number 888.400.5530, and ID Theft Help app. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified.   

About the FIDO AllianceThe FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Contact: 

Better Identity Coalition: Joshua Lamel
jlamel@insight-dc.com, 202-246-1400 

FIDO Alliance: Karen Arena
press@fidoalliance.org, 732-407-8510

ITRC: Alex Achten     
media@idtheftcenter.org, 888-400-5530 Ext. 3611 

The post EVENT: Identity, Authentication and the Road Ahead appeared first on FIDO Alliance.

Joon Hyuk Lee and Atsuhiro Tscuhiya, APAC Market Development Team

The reason to put passwords in the rearview mirror is more evident than ever. Our recent survey on consumer behavior says that 58% of abandoned online purchases are due to the difficulty of managing passwords. The Gartner Group’s research indicates that 20-25% of all helpdesk calls are password reset requests. The World Economic Forum (WEF) assessed that cybercrime costs the global economy $2.9 million every minute; about 80% of the attacks targeted passwords.

But the tide is turning. During our inaugural Authenticate conference, which took place in November 2020, Microsoft announced that they now have more than 150 million people are using their passwordless sign-in each month. That is a 50% increase from last year’s report at Microsoft Ignite back in November 2019.

We have all seen how the global pandemic has drastically accelerated the willingness of and the need for organizations to embrace passwordless FIDO Authentication. It is now a matter of how and with whom, instead of when.

Updates from APAC Marketing Forum

We are happy to share meaningful progress since the first FIDO AllianceAsia Pacific Marketing Forum (AMF) in July. Here are some updates from our members across the region:

Taiwan

Mentioned in our previous post was  the introduction of FIDO’s standards in official documents developed by Taiwan Association of Information and Communication Standards (TAICS) and SEMI (Semiconductor Equipment and Materials International) Taiwan, as well as FIDO’s logo on the app of Taiwan-Cathay United Bank.

Recently, the government of Taiwan has also adopted FIDO’s authentication method for the purpose of citizen’s tax filing, a government service that supports more than 200,000 users. 

India

FIDO2 is now accepted by the CCA (Controller of Certifying Authorities), under India Ministry of Electronics and Information Technology, as an alternative to SMS OTP.  The guidelines have been published on the CCA website (http://cca.gov.in/eSignAPI.html).

FIDO Alliance member Singular Key’s FIDO Certified authentication service is being used by ReBIT, the cybersecurity subsidiary of the Reserve Bank of India.

Additionally, a whitepaper on FIDO authentication for banking space has recently been submitted to ReBIT. Webinars designed to educate the public on FIDO’s standards are also in the works. These efforts will no doubt help to drive up FIDO awareness amongst the India population.

Hong Kong

In Hong Kong, the passion for horse racing continued even as people stayed home and betting branches closed because of the global pandemic.

For the first time ever, the Hong Kong Jockey Club (HKJC) kicked off the horse racing season with all-digital betting. Punters had to log on to HKJC’s mobile betting app, provided by FIDO Alliance member Tradelink.

The betting channels, which are secured by FIDO via biometric authentication on users’ mobile devices, provided a user-friendly and safe experience that helped to secure a record HK$1.376 billion turnover – 6.83% higher than the previous record set in the 2017/2018 season! This was made possible, despite the record low number of attendees at the races in year 2020.

Separately, the Hong Kong Special Administrative Region (HKSAR) government rolled out a new initiative powered by Tradelink’s FIDO Certified authentication – the “iAM Smart” initiative, which enables Hong Kong citizens to authenticate their identities using mobile devices for access to financial services. 

Malaysia

There is a clear transition towards a passwordless future in Malaysia.

The FIDO Certified authentication service from SecureMetric is recently being adopted by a number of public services in the country as part of the government’s Malaysia Cyber Security Strategy 2020-2024. This means that FIDO authentication will play a role in services such as Malaysia Central Bank’s (Bank Negara) Electronic Know Your Customer (eKYC), the Ministry of Science, Technology and Innovation (MOSTI) National Technology as well as Innovation Sandbox (NTIS) from the Ministry of Science.

Vietnam

In Vietnam, the shift away from passwords is accelerating. Currently, there are 32 licensed e-Wallet providers all vying to lead the charge to facilitate the country’s shift to a more cashless society. There is also a major focus on smart city, digital signatures and electronic ID developments.

Earlier this year, FIDO member VinCSS became the first company in the country to develop FIDO2 Certified authenticators. Since then, it has met the FIDO2 standard for the second time, announcing its achievement of FIDO2 Certification for its strong authentication server named VinCSS FIDO2 Server.

This achievement also means VinCSS is currently one of only 13 companies globally with a FIDO2 certified server that can accept any FIDO certified authenticator, irrespective of its manufacturer – an amazing feat!

Other Notable Updates in Asia

Additionally, Japan-based telecommunications operator KDDI recently deployed FIDO2 for its “au ID” and started FIDO authentication service. Instant messaging app LINE, introduced biometric authentication that utilizes FIDO standards for iPad users, eliminating the need to key in passwords. The FIDO Japan Working Group Chair was invited as an expert by the Japan Ministry of Internal Affairs and Communication on their discussions using My Number Card capabilities on smartphones.

Furthermore, in Korea, the Blue House, the executive office and official residence of the president of the Republic of Korea, deployed TrustKey’s login solution powered by FIDO’s standards for remote work and internal security access.

—

If you wish to take part in these exciting new initiatives, or have any inquiries, please do not hesitate to contact tsuchiya@fidoalliance.org.

By joining AMF, you will not only get to connect with key authentication players in APAC, but also gain benefits of participating in FIDO branded awareness and promotional activities together with global champions.

The post Deployments and Government Recognitions on the Rise in Asia: Updates from FIDO APAC Marketing Forum appeared first on FIDO Alliance.

Today, the IoT Security Foundation (IoTSF) and FIDO Alliance announced that they are collaborating to improve the status of IoT security.

The main aims of the collaboration are to raise awareness on the limitations of passwords for IoT devices and provide practical alternatives for product manufacturers. The goals of the collaboration will be achieved by joint messaging and providing publicly accessible materials to help industry implement password-less authentication. 

What’s the problem with passwords?

Passwords are a traditional and simple method for authenticating a user and allowing access to resources. In the past this may have been sufficient, but passwords dramatically fall short in many ways when billions of devices are expected to be connected to networks to collect and share data or provide automation – the era of IoT.

Although this is not a new problem, users are still finding it a challenge to manage and keep track of different accounts and app login credentials. The result is that many take shortcuts – using easy to remember (and guess) passwords, or using the same password across many accounts¹. This weakens security. Now consider the growing number of home, business, medical, industrial and national infrastructure uses of IoT which bring efficiency, innovation and user benefits. IoT devices are everywhere and the trend is set to continue as this article illustrates. For IoT-class products such as routers and webcams, traditionally manufacturers have opted to have factory universal default passwords² and whilst these can be changed, a significant number remain set to the default. This makes them prime targets for botnets which weaponize devices for DDOS attacks such as the famous Mirai and its many variants.

This means that the sheer volume of devices is only going to exacerbate the issues experienced with passwords today. In summary, passwords are not a good solution to the requirements of IoT authentication now, or in the future.

How can this be addressed?

New standards and forthcoming regulation are helping to drive change. The ETSI 303 645³ baseline requirements for consumer IoT cyber security standard published mid 2020, has a provision for “no universal default passwords” and this standard is now being used as a basis for regulation and certification schemes internationally⁴.

Whilst “no universal passwords” is a good start for regulation⁵, it does not go far enough. The good news is that there are good alternatives to passwords, so they can be eliminated, and they are also better and simpler to use. 

How are IoTSF and FIDO Alliance working together?

Both organisations will work together to promote the awareness and use of password-less forms of authentication and link working group activities to ensure industry can access publicly available materials when designing new products.

The IoT Technical Working Group of the FIDO Alliance aims to build a comprehensive authentication framework for IoT devices which provides detailed technical specifications for password-less authentication.

The IoT Security Foundation publishes best practice cyber security advice for product manufacturers and users of IoT systems. Its IoT Security Compliance Framework Working Group is dedicated to the creation and maintenance of the framework which guides developers through a structured process of questioning and evidence gathering. This helps companies make better products with security by design. It is in this area where both organisations intend to collaborate at the technical level to complement the advocacy of passwords alternatives.

John Moor, Managing Director IoTSF said, “The use of passwords for security is an outdated and outmoded security practice for the digital age. There are solutions which are stronger from a technical perspective and better from a user’s perspective. We are delighted to be working closely with the FIDO Alliance to help eliminate the use of passwords and drive better practice for our manufacturing members.”

Christina Hulka, executive director and COO of the FIDO Alliance said, “The FIDO Alliance mission is to reduce the world’s reliance on passwords with simpler and stronger authentication, including in IoT which unfortunately continues to rely on default or weak password authentication. We look forward to working with the IoT Security Foundation to accelerate our path toward bringing passwordless authentication to IoT.”

References

¹ https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
² https://www.router-reset.com/default-router-password-lookup
³ https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.00_30/en_303645v020100v.pdf
⁴ https://www.iotsecurityfoundation.org/consumer-iot/
⁵ https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products

About the Internet of Things Security Foundation (IoTSF)

IoTSF is a non-profit corporate and professional membership association.

The mission of IoTSF is to help secure the Internet of Things, in order to aid its adoption and maximize its benefits. To do this IoTSF will promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.

IoTSF promotes the security values of a security-first approach, fitness for purpose and resilience through operating life. The security values are targeted at key stages of the IoT ecosystem – those that build, buy and use products and services: Build Secure. Buy Secure. Be Secure.

IoTSF was formed as a response to existing and emerging threats in the Internet of Things applications.

IoTSF is an international, collaborative and vendor-neutral members’ initiative, driven by the IoT ecosystem and inclusive of all parties including technology providers and service beneficiaries.

For more information, news and further announcements, please visit the official website at www.iotsecurityfoundation.org.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Press Contact

Jenny Devoy
IoT Security Foundation
+44 (0)1506 401210
contact@iotsecurityfoundation.org
twitter: @IoT_SF

The post The IoT Security Foundation and FIDO Alliance Announce Collaboration to Eliminate Passwords in IoT appeared first on FIDO Alliance.

Yuriy Ackermann, Certification Technical Manager, FIDO Alliance

With the advancement and modifications to specifications and program requirements, certification processes and policies will need to be modified from time-to-time. With the recent changes and publication of the FIDO Authenticator Certification program as they relate to V1.4 of the Security Requirements, and the current FIDO Registry of Values specification, we are recommending currently certified servers make necessary changes.

It is strongly recommended that you update your FIDO2 and UAF servers in order to correctly process current and future metadata statements based on the latest updates to the FIDO Registry of Predefined Values.

The spec changes are as follows:

• All previous USER_VERIFY methods have been post-fixed with _INTERNAL to identify them explicitly as INTERNAL user verification methods 
  • Example: USER_VERIFY_PRESENCE → USER_VERIFY_PRESENCE_INTERNAL.
    
• New USER_VERIFY methods have been added: USER_VERIFY_PASSCODE_EXTERNAL (0x00000800) and USER_VERIFY_PATTERN_EXTERNAL (0x00001000)
  
• RS1 or ALG_SIGN_RSASSA_PKCSV15_SHA1_RAW (0x0010) IANA ALG_KEY_COSE “alg” identifier has been changed to -65535

Servers should make the following updates to support these changes:

• FIDO2 servers: Update pubKeyCredParams to contain -65535 alg
  
• FIDO2 and UAF servers: Change old user verification methods values to the new post-fixed values. Example: USER_VERIFY_PRESENCE → USER_VERIFY_PRESENCE_INTERNAL
  
• FIDO2 and UAF servers: Run the conformance tools to verify support for these changes

The latest FIDO Registry of Predefined Values is now available in JavaScript.

The post FIDO Certified Servers: Updates for Processing Current Metadata Statements appeared first on FIDO Alliance.

Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance

Editor’s Note: This is the final blog posting covering the 2020 FIDO Hackathon – Goodbye Password Challenge. To learn more about the background and process, please read previous blog posts:

• 2020 FIDO Hackathon: Goodbye Password Challenge in Korea
• 2020 FIDO Hackathon in Korea: Learn & Implement Phase
• 2020 FIDO Hackathon in Korea Update: Mid-term Meetup Event

The 2020 FIDO Hackathon – Goodbye Password Challenge has come to a close – a big thank you to the FIDO Alliance Korea Working Group members and event sponsors. The Korean video versions of the entire 2020 FIDO Hackathon journey and presentations by the top 5 winners are available through FIDO Videos Library and a ZDNet Korea interview. We hope this blog will help English readers to understand these winners’ projects, and how their ideas showcase the myriad possibilities for FIDO Authentication in the future.

Here is an overview of the winners and their projects: 

Moses’ Miracle – Gold Award

Moses’ Miracle is a team consisting of three students majoring in computer engineering and industrial design. They developed a gate access control system based on FIDO Authentication. The smartphone-based system helps people access different security areas much faster and more conveniently without remembering passwords, physical keys, or smart cards. From a management perspective, this solution consumes less time, cost, and labor. For more technical information and a demo of the system, please watch their video presentation.

Protect Homes – Silver Award

Protect Homes is a team that consists of two developers and two designers, half studying in university and the rest working for venture companies. The team integrated FIDO Authentication to strengthen a smart home ecosystem’s security, coming up with a management app for IoT devices. By going passwordless, the system demonstrated that security and usability are both enhanced. For more technical information and a demo of the solution, please watch their video presentation.

Dr. Who – Silver Award

Dr. Who is a team consisting of one project manager, two developers, and one public healthcare specialist from WHO (World Health Organization). The team came up with a Proof of Concept project, introducing smart health insurance card services that link Distributed IDentity technology and FIDO Authentication. They wanted to solve the problem with the existing physical health insurance card, which is an inferior way of identifying a patient’s actual identity. For more technical information and a demo of the service, please watch their video presentation.

Fingerprint 486 – Bronze Award

Fingerprint 486 is a team that consists of seven university students; two app developers, two front-end, one backend developer, and one computer graphic designer. They developed a FIDO Authentication-based document sharing system, which grants file access rights more securely and conveniently without sharing passwords. For more technical information and a demo of the system, please watch their video presentation.

AWS (Add Wi-Fi Security) – Bronze Award

AWS is a team that consists of two backend, two front-end developers, and one computer graphic designer coming from the same woman’s university. The team developed a FIDO Authentication-based passwordless Wi-Fi router control system, which does not disclose an administrator’s information. For more technical information and a demo of the system, please watch their video presentation.

Building upon the success of the FIDO Hackathon in Korea over the last two years, we are looking at possibilities for APAC-wide (or global) Hackathon in the year 2021. We believe such a Hackathon (or challenge program) helps us engage and empower developers to accelerate service deployment with out-of-box ideas.

The post 2020 FIDO Hackathon in Korea: Introducing the Top 5 Winners appeared first on FIDO Alliance.

The post E-Commerce Magazine: More than one out of two French people give up on their online purchase because of passwords appeared first on FIDO Alliance.

December 1, 2020 – The FIDO Alliance wrapped its first public conference, Authenticate, on November 19 following six days of virtual sessions, networking and an expo hall all focused on the future of strong authentication with FIDO standards. The conference drew 3,000+ registrants seeking the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate provided the opportunity for attendees to delve more deeply into the FIDO approach, hear from real-world implementers, and come away with everything they need to start the journey towards simpler, stronger authentication for their own brands and services. Attendees heard case studies from many companies that have or are in the midst of rolling out FIDO for consumer and enterprise applications, including Target, IBM, CVS Health, Microsoft, Intuit, Google, NTT DOCOMO and eBay. Other sessions gave both beginners and FIDO veterans content on the core aspects of FIDO’s specifications, a WebAuthn workshop for developers, deployment best practices, insights into biometric security, account recovery and more. The dynamic expo hall complemented the sessions, allowing attendees to meet the vendors providing FIDO solutions that can help them quickly get on the path to simpler, stronger authentication. 

“After years of increasingly severe data breaches and user login frustration, enterprises and consumer service providers understand that they need to end their dependence on passwords. The excitement and engagement in Authenticate showcased that organizations are ready to embrace a new way to provide secure access to online services and applications with FIDO,” said Andrew Shikiar, executive director and CMO of FIDO Alliance. 

Authenticate 2020 sessions are available on-demand, and highlights from the conference can be found on the Authenticate blog. Those interested in attending future Authenticate Summits and Conferences should sign up for updates at www.authenticatecon.com. 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

The post FIDO Alliance Wraps Inaugural Authenticate Conference After 50+ Sessions and Expo Focused on the Future of Strong Authentication appeared first on FIDO Alliance.

According to the FIDO Alliance’s survey, conducted with 1,000 consumers in the U.S., password frustrations are leading to abandoned carts and lost sales. 58% in the U.S. have abandoned purchases due to the difficulty of managing passwords. They cancelled these transactions because they either could not remember their password or were being forced to create a new account and password to make the purchase.

The research also identified several reasons for potential loss of repeat business, as multiple factors stop people from setting up new accounts after making an initial purchase. Their chief concern, cited by 40% of customers, is that they don’t want their financial information to be stored on retailers’ databases. Having to enter billing and personal data (34%) was another reason, and passwords were again a source of frustration with 28% stating that having to set up and remember a new password would stop them from opening an account.

“Many common online retail practices, like setting up new passwords and accounts, are being rejected by consumers and consequently are hurting retailers’ bottom lines. These outdated processes introduce friction into an experience that people rightfully expect to be as smooth as possible,” said Andrew Shikiar, executive director at the FIDO Alliance. “While historically there has been little that merchants can do other than to be frustrated at password-related losses, that is no longer the case – and retailers need to look for new solutions to removing needless friction from online transactions, or run the risk of losing customers to the competition.”

The survey also revealed on-device biometrics as an alternative to passwords that consumers prefer. This is especially true as more retailers and banks are required to implement Strong Customer Authentication to comply with emerging regulations around the world. 

According to the survey, consumers overwhelmingly prefer the retailers that enable them to log in and make transactions simpler by using their on-device biometrics, such as a fingerprint or FaceID. 

68% of consumers believe these on-device methods are quicker than using traditional two-factor authentication requiring both a password and a one-time password (OTP), and 66% believe they are easier to use.

In addition, 60% of U.S. consumers believe retailers offering on-device authentication care more about their customer experience, 58% believe they care more about their privacy, and 61% believe they care more about their security. They are also more likely to recommend these retailers to friends and family, with 60% stating they would do so.

Young consumers (aged 18 – 24) in the United States are by far the most likely to adopt on-device biometrics, with 76% believing they are easier to use and 81% that they are quicker to use, and 66% would recommend retailers offering on-device biometrics to friends and family.

“2020 has found more and more people fulfilling many of their needs by making a bulk of their purchases online,” added Shikiar. “Merchants especially need to make the buying experience simpler for consumers without sacrificing security. The good news is that most consumer devices today ship equipped with the technology to provide these simpler, stronger authentication methods – it is now incumbent upon retailers to take advantage of these capabilities.” 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

The post New research reveals consumer frustrations with online retail appeared first on FIDO Alliance.

Mountain View, Calif., November 5, 2020 – The FIDO Alliance’s first industry conference dedicated to user authentication is giving attendees the opportunity to experience a first-hand look at the latest product and service innovations from companies showcasing their solutions at the event.

Authenticate is being held virtually from November 9-19, 2020. Complimentary registration is at www.authenticatecon.com. Pre-session Expo-only hours start on November 9th from 1-5pm PST,  and the full conference starts on the 10th at 8:30 AM PST.

Participating companies will showcase their newest solutions in the Virtual Expo Hall throughout the conference and beyond. Virtual booths are 360-degree experiences, allowing registered attendees to explore content, see demos, talk live with company executives, and come away with the tools needed to implement FIDO authentication within their organization. 

“The enthusiasm we’ve seen from our sponsors is a testament to their commitment to solving one of the industry’s most challenging security problems of our time,” said Andrew Shikiar, executive director and chief marketing officer for the FIDO Alliance. “We’re thrilled that we can deliver an interactive and engaging virtual platform for these companies most interested in transforming the user authentication process through their leading edge, software, products, applications and services.”

Authenticate 2020 Exhibiting Sponsors

For more information on each, go to the Authenticate Expo Guide.

The free conference is singularly focused on authentication, providing the industry with a forum to delve more deeply into the FIDO approach, hear from real-world implementers, and come away with everything they need to start the journey towards simpler, stronger authentication for their own brands and services. Industry professionals seeking education, tools and best practices to roll out modern authentication across web, mobile, enterprise and government applications should register for free and check out the full agenda at www.authenticatecon.com. 

Follow us on social media @authenticatecon and join the conversation with #Authenticate2020!

About Authenticate
Authenticate is hosted by the FIDO Alliance, the cross-industry consortia providing standards, certifications and market adoption programs to replace passwords with simpler, stronger authentication.

Register for Authenticate today! www.authenticatecon.com 

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

###

The post Leading Technology Companies Showcase Modern Authentication Products, Services and More at Authenticate 2020 appeared first on FIDO Alliance.

First work product from Web Payment Security Interest Group outlines the roles of complementary technologies that can enhance the security and convenience of web payments for merchants and their e-commerce customers.

November 5, 2020 – EMVCo, the FIDO Alliance and the World Wide Web Consortium (W3C) have published a document explaining the roles of their related technology specifications, that together can support merchants in delivering a more secure and convenient payment experience for the benefit of their e-commerce customers.  

The ‘How EMVCo, FIDO, and W3C Technologies Relate’ document is the first output of the Web Payment Security Interest Group, a collaborative industry-led initiative focused on enhancing the interoperability of web payments. Key to this ongoing effort is identifying gaps between relevant specifications to increase compatibility among different technologies.

This new educational resource informs payments industry stakeholders on the roles of EMV® Secure Remote Commerce (SRC), EMV 3-D Secure (3DS), EMV Payment Tokenisation, FIDO Alliance’s FIDO2 specifications, and W3C’s Web Authentication and Payment Request APIs, which may be used together to enable more secure and convenient card-based payment during an e-commerce guest checkout on the Web.

The document also addresses how these technical specifications can support merchant efforts to fight fraud, protect user privacy and meet regulatory requirements, while helping to reduce cost and streamline the online payment process. 

Following the document’s publication, the Web Payment Security Interest Group is actively seeking feedback from interested organizations to improve and enhance the document. For more information and details on how to submit feedback, please visit: https://www.w3.org/securepay/.    

At the Authenticate 2020 Conference on 18 November, representatives from EMVCo, the FIDO Alliance and W3C will participate in a virtual panel session to discuss the document and seek input on it from payments industry stakeholders. The conference is open and free for anyone to attend. 

“As more merchants move online, especially since the start of the COVID-19 pandemic, and fraud attempts increase, EMVCo sees this collaboration with the FIDO Alliance and W3C as a major contribution to advancing secure web-based payments, while also simplifying the online payment process for merchants and helping to reduce friction for their e-commerce customers,” said Bastien Latge, Director of Technology for EMVCo. 

“FIDO Authentication can complement EMVCo and W3C technologies by securely and conveniently authenticating users and transactions in a variety of scenarios,” said Christina Hulka, executive director and chief operating officer of the FIDO Alliance.  “The Web Payments SIG and this first resource are intended to educate and answer questions so ultimately these technologies can be implemented for stronger and simpler web payments. We look forward to industry feedback to help us to frame future educational outputs.” 

“W3C, EMVCo, and FIDO have been working together for a number of years, and now is the time for the industry to start to reap the benefits,” said Ian Jacobs, W3C’s payments lead. “We published ‘How EMVCo, FIDO, and W3C Technologies Relate’ to usefully answer real-world industry questions. Through it, the three organizations have also advanced their understanding of each other’s activities. This now allows us to accelerate our joint efforts, and in collaboration with industry, to develop the next generation of secure and user-friendly technologies to streamline e-commerce.”

– ENDS –

Notes to Editors:
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

About EMVCo
EMVCo is the global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes. EMV is a technology toolbox that enables globally interoperable secure payments across face-to-face and remote environments. Adoption of EMV Specifications and associated approval and certification processes promotes a unified international payments framework, which supports an advancing range of payment methods, technologies and acceptance environments. The specifications are available royalty free, designed to be flexible, and can be adapted regionally to meet national payment requirements and accommodate local regulations.

EMVCo is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, and focuses on the technical advancement of the EMV Specifications. To provide all payment stakeholders with a platform to engage in its strategic and technical direction, EMVCo operates an Associates Programme and encourages all interested parties to get involved. 

www.emvco.com │ EMV® Insights │ LinkedIn │ Twitter │ An Introduction to EMVCo │ YouTube

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

About the World Wide Web Consortium 
The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C well-known standards HTML and CSS are the foundational technologies upon which websites are built. W3C works on ensuring that all foundational Web technologies meet the needs of civil society, in areas such as accessibility, internationalization, security, and privacy. W3C also provides the standards that undergird the infrastructure for modern businesses leveraging the Web, in areas such as entertainment, communications, digital publishing, and financial services. That work is created in the open, provided for free and under the groundbreaking W3C Patent Policy.

For its work to make online videos more accessible with captions and subtitles, W3C received a 2016 Emmy Award. And for its work to standardize a Full TV Experience on the Web, W3C received a 2019 Emmy Award.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 Member organizations and dozens of industry sectors. Organizationally, W3C is jointly run by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China. For more information see https://www.w3.org/.

EMVCo PR Contacts
Dave Amos / Chloe Smith – david@iseepr.co.uk / chloe@iseepr.co.uk 
+44 1943 468007

FIDO PR Contact
Karen Arena, Aircover PR – press@fidoalliance.org
+1 732-407-8510

W3C PR Contact
Amy van der Hiel – w3t-pr@w3.org
+1.617.253.5628 

The post EMVCo, FIDO Alliance and W3C Collaborate on Educational Resource for More Secure and Convenient Web Payments appeared first on FIDO Alliance.

Mountain View, Calif., October 14, 2020 – The FIDO Alliance has opened registration for its inaugural Authenticate virtual conference for identity and security professionals around the world. Authenticate is the first conference dedicated to who, what, why and how of user authentication – with a focus on the FIDO standards-based approach.

Authenticate is being held virtually from November 9-19, 2020. Industry professionals seeking education, tools and best practices to roll out modern authentication across web, mobile, enterprise and government applications should register for free at www.authenticatecon.com. 

The Authenticate agenda includes six days of jam-packed opportunities to transform attendees authentication knowledge and procedures. Authenticate is singularly focused on authentication, providing the industry with a forum to delve more deeply into the FIDO approach, hear from real-world implementers, and come away with everything they need to start the journey towards simpler, stronger authentication for their own brands and services. 

Here’s a glimpse at some of the content attendees will get from their complimentary registration:

• Keynotes from the world’s greatest minds on cryptography, security and identity: 
  • Dr. Whitfield Diffie, Co-inventor of Public Key Cryptography and Senior Advisor, Uniken
  • Joy Chik, Corporate Vice President, Microsoft Identity
  • Stina Ehrensvärd, CEO and founder, Yubico
  • Mark Risher, Senior Director of Product Management, Google
  • Andrew Shikiar, Executive Director and Chief Marketing Officer, FIDO Alliance
• Case studies from service and technology providers including CVS Health, EMILY’s List, Facebook, Google, IBM, Mass Mutual, Microsoft, MITRE Corporation, NTT DOCOMO, PNC Bank, and Target
• Policy discussions around PSD2, GDPR and eIDAS; authentication to enable better privacy for citizens; authentication from a regulator’s perspective and more
• Standards and technical implementation presentations focusing on FIDO for identity verification; bringing FIDO Authentication to IoT; OpenID for open banking; standards and the future of payments; account recovery; FIDO certification; attestation and more
• Sessions on the state of authentication, building an authentication strategy, and how FIDO fits with initiatives like W3C Web Payments, and EMVCo 3DS and SRC

See FIDO Authentication in Action in the Virtual Expo Hall

Attendees will join peers in the virtually rich and immersive expo hall that feels like they’re with colleagues in person through creatively-produced networking lounges and other interactive features that will help them make new connections and reunite with old friends. Sponsoring company booths will be a 360-degree experience, allowing them to explore content, see demos, talk live with company executives, and come away with the tools needed to implement modern authentication with FIDO inside of their organization.

Exhibiting sponsors include: signature sponsors Google, Microsoft and Yubico; platinum sponsors Feitian, HID, Identiv, NokNok, Secret Double Octopus and Strongkey; gold sponsors AuthenTrend, Aware, Daon, Duo, HYPR, RSA, SurePass and Uniken; and startup sponsors AuthAmor, Iproov and One World Identity.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortia providing standards, certifications and market adoption programs to replace passwords with simpler, stronger authentication.

Register for Authenticate today! www.authenticatecon.com 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

The post FIDO Alliance Opens Free Registration for Authenticate 2020 Conference appeared first on FIDO Alliance.

“While it’s disappointing we cannot be together for the very first Authenticate, the safety of our community is our biggest priority,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Due to continuing concerns over COVID-19, and in alignment with the information we’re hearing from local officials, we decided to transition to a digital-only format, and focus on giving attendees a powerful and informative virtual experience.”

As FIDO recasts the conference to a virtual-only format, it will expand it to a multi-day November event spread across all time zones to accommodate global participation, including live Q&A sessions with presenters. The virtual format allows for sponsoring companies to showcase their solutions through virtual exhibit booths and other branding and networking opportunities. 

2020 headlining keynote speakers are as formerly announced: Dr. Whitfield Diffie, the co-inventor of public key cryptography; Joy Chik, corporate vice president of identity at Microsoft; Mark Risher, senior director of product management at Google; and Stina Ehrensvard, CEO and founder of Yubico. A full list of speakers is available on the Authenticate website.

The conference agenda will contain informative content on authentication, with a focus on the FIDO approach, including these topics: 

• Case studies from service and technology providers including CVS Health, EMILY’s List, Facebook, Google, IBM, Mass Mutual, Microsoft, MITRE Corporation, NTT DOCOMO, PNC Bank, and Target
• Sessions on the state of authentication, building an authentication strategy, and how FIDO fits with initiatives like W3C Web Payments, and EMVCo 3DS and SRC
• Standards and technical implementation presentations focusing on FIDO for identity verification; bringing FIDO Authentication to IoT; OpenID for open banking; standards and the future of payments; FIDO certification; attestation and more
• Policy discussions around PSD2, GDPR and eIDAS; authentication to enable better privacy for citizens; authentication from a regulator’s perspective and more

Please visit www.authenticatecon.com for the latest information.  

Contact: fidoalliance@aircoverpr.com

The post Authenticate 2020 Conference, Hosted by FIDO Alliance, to be Virtual Event this November appeared first on FIDO Alliance.

The FIDO Alliance has launched a new microsite, LoginWithFIDO.com, for high level, non-technical information about FIDO for consumers and service providers. As part of this project, we wanted to learn more about consumer attitudes and habits around authentication. What are their password habits? What do they think about the FIDO approach? Do they want to see FIDO at login? 

To find out, we conducted a survey of 1,000 U.S. consumers – the results of which we’ll be sharing on this webinar. Join us to see the findings from our research and to learn how you may be able to utilize the data for your own FIDO offerings and/or deployments. 

Join this webinar to hear: 

• How many different passwords consumers really use for their online accounts
• What tactics they use for password management and how often they are resetting passwords and 
• Their familiarity with various types of authentication technologies including SMS OTPs, biometrics and others
• The types of apps and services where consumers most want to use FIDO
• How consumers want to be communicated with about FIDO at enrollment and login

We will also give the audience a detailed look at LoginWithFIDO.com and how you can consider using it for your own educational initiatives around FIDO. You’ll learn:

• How to navigate through the microsite and its two landing pages
• How you can reference the site and its materials for your own offerings and deployments
• Added insights into how to utilize FIDO’s consumer-facing marks

Register for the webinar here.

Tuesday, July 28 at 2-3pm ET

Speakers: 
Megan Shamas, Director of Marketing, FIDO Alliance
Andrew Shikiar, Executive Director and CMO, FIDO Alliance

The post Consumer Attitudes Toward Strong Authentication & LoginWithFIDO.com appeared first on FIDO Alliance.

Andrew Shikiar, Executive Director & CMO, FIDO Alliance

At its WWDC, Apple detailed that its upcoming release of Safari in iOS and MacOS 14 will enable users to use Touch ID and Face ID for web logins, and we couldn’t be happier. It marks a giant step forward in the industry’s quest to move beyond passwords in favor of cryptographically secure authentication based on FIDO standards. 

The functionality, based on the WebAuthn API in the FIDO2 standard, will make logging in to a website as easy as it is to unlock your iPhone or iPad using whichever biometric option is available. Apple’s built-in support in its stock web browser means that every modern device platform now has built-in FIDO support, which furthers our aim of making FIDO Authentication as ubiquitous as other critical internet protocols.  

To that end, we’ve recently provided a resource that shows the latest progress for FIDO support across browsers and platforms.  This image (shown below) is permanently hosted on our WebAuthn resources page. 

It’s been really cool to watch this diagram grow both wider  (adding in the Apple operating systems) and greener over the past 12 months or so since Apple ramped up its FIDO support. This rapid maturation and support for WebAuthn is accelerating adoption; with over 85 percent of today’s browsers now supporting FIDO Authentication, many service providers are now actively working to deploy FIDO to their customers worldwide. 

The FIDO Alliance was founded on a singular mission: To eliminate dependence on passwords by creating and driving adoption of open standards for simpler, stronger user authentication. Today, we’re closer to reaching that audacious goal that the FIDO ecosystem has been working on for the past several years. Thanks, Apple!

The post Expanded Support for FIDO Authentication in iOS and MacOS appeared first on FIDO Alliance.

Last April, the FIDO Korea Working Group announced our initiative to distribute FIDO Security Keys to Korean citizens to help better secure their identities, data and systems while working remotely due to the Coronavirus outbreak. We were able to do this thanks to FIDO Alliance Korea Working Group Deployment & Marketing Sub-Group’s efforts and in-kind sponsorship by FIDO Security Key vendors like TrustKey (previously known as eWBM), AirCuve (Yubico’s local partner) and Octatco. Today, we are happy to share the results of this initiative, which ended with positive impacts and pleasant surprises. 

In short, the outcome can be summarized as following:

• The campaign was covered by 15+ local online media, spreading positive awareness of FIDO Authentication
• We reached out to 52 organizations and individuals exposed to greater cyber risk by working at home and distributed 156 FIDO Security Keys
• 70% of them were new relationships that we had not previously had through previous on/offline events (e.g. hospitals, pharmaceutical companies, healthcare centers, patent offices, online game developers, ecommerce owners, retail shop owners, architects, hospitality industries, financial institutes, financial investors, school teachers, semiconductor industries, sports video analyst, advertisement agency, etc.)
• 25% of them had potential to be business partners or relying parties

Here are some remarks by recipients of free FIDO Security Keys who agreed to disclose their identities:

“We are a group of 5 university hospitals working together on a suicide prevention project.  Securing personal and medical information of these patients are very important, especially when we are working remotely.  We hope to try out the FIDO Security Key through this giveaway campaign and find out how to adopt it into our database protection system.” – Mr. Dohyun Kwon, Seoul National University Hospital

“It is a shame but we have been writing passwords on a wall thus far, so we do not have to ask each other when logging into shared computers.  It is scary that these passwords can be exposed to others with bad intentions.  We have a great hope that FIDO Security Keys would eliminate these worries and even enable architects to work at home while feeling secured and safe.” – Mr. Taehoon Hur, Ruha Architectural Design Firm

“I operate over 10 healthcare and fitness centers in Seoul and always felt uncomfortable about having all these members’ personal information sitting on our computer where any staff with passwords can access it , not to mention some staff with such privileges kept on forgetting these long and hard-to-remember passwords.  It would be interesting experiments for us to test out these FIDO Security Keys in practice.” – Ms. Jaehee Yoon, STAR Health Care and Fitness

“We are food product wholesalers mainly doing businesses online.  Due to the Coronavirus outbreak, we would have to have our staff work at home with much of our purchasing and customer information in their laptops.  Hope our staff would not have to expose the passwords by using these FIDO Security Keys. Thank you!” – Mr. Hoyoon Jung, NongGa Food Products

“WIPS is the number one patent database related services and consulting firm in Korea.  We are used to working under Bring Your Own Device environment but have struggled managing passwords.  Happy to take part in this experiment program and hope to see positive results.” – Mr. Taewoo Kwon, WIPS

Once again, we truly appreciate the undivided attention and efforts given by all FKWG members on this campaign, and especially recognize TTA (Telecommunications Technology Association) and Dr. Heung Youl Youm, for their extra efforts in the early stage of ideation and promotions.  

As Dr. Stephen Oh, the Co-Leader of FKWG Deployment & Marketing Sub-Group said, “It was an amazing experience not just because we have learned a lot from the market where we could not usually reach through conventional approaches, but also it only took less than a month from ideation to full execution.”

The post Sharing the Outcome of FIDO Security Key Support Campaign in Korea appeared first on FIDO Alliance.

MOUNTAIN VIEW, CA, May 27, 2020 – The FIDO Alliance today announced a new website and suite of supporting assets aimed at educating consumers and their service providers on the benefits of FIDO’s approach to simpler, stronger user authentication.  At the core of this effort is the debut of loginwithFIDO.com, a site to inform people about FIDO Authentication technologies. It launches in conjunction with the FIDO “I-Mark”, an easy-to-spot symbol that indicates the device or website consumers are using is authenticating with FIDO technology. Fueled by popular demand, these new tools further the Alliance’s mission to reduce the world’s reliance on passwords and encourage further adoption of FIDO Authentication. 

With over 250 members representing global leaders in internet services, security, finance, communications and government, the FIDO Alliance collaborates to fulfill its mission of addressing the plague of data breaches caused by outdated, password-based authentication. Since its inception, the FIDO Alliance has established technical specifications that have become the trusted standard for user authentication on the devices and web browsers we use every day. FIDO has created a fast and easy alternative to passwords, letting people unlock a device or log in to a website using options like biometrics, a security key, or a local PIN code. These simple yet secure methods remove reliance on passwords and stand to turn the tide in the industry’s battle against data breaches and credential theft.  

“As the FIDO standards are reaching a tipping point with widespread adoption among technology companies, it’s a natural next step for us to provide consumers with a place to learn more, and to help companies implement user logins that are easier to use and that keep personal data and information secure in order to instill further trust in their brands, ” said Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance. “Soon, when consumers see the I-Mark on the sites they use, they can be confident that they’re getting a common user experience that is easy, trusted and fully secure.” 

Leading up to the launch of loginwithfido.com, the Alliance conducted a survey of 1,000 U.S. consumers to understand their behaviors when it comes to login passwords and security. The research indicated their desire to have stronger security for banking/ payment apps and e-commerce sites, but those consumers do not follow proper safety protocols when managing their passwords. 52 percent are using five or fewer passwords across all of their accounts and most (45 percent) keep track of them in their head and nowhere else. 

“While most people know they shouldn’t repeatedly use the same password, convenience is currently winning over security,” added Shikiar. “The research tells us that consumers will benefit greatly if they understand FIDO’s technology —  marrying convenience with security that goes beyond the ways they are currently managing their passwords.”

In the same study, consumers were briefed on FIDO technology and its benefits, and 71 percent would trust mobile apps and websites more if they knew these sites and devices were using the FIDO Alliance authentication standards and validation technology. The I-Mark button is a direct response to help consumers discern quickly which sites and devices are secured through its technology. Now, they can easily spot the button on their login pages and immediately recognize they can use FIDO authentication for a safer, more secure login. 

FIDO Alliance members are enthusiastic supporters of the direction the Alliance is taking with this consumer effort.

For more information for both consumers and service providers, please visit www.loginwithfido.com

For a full copy of the FIDO Alliance Research Report, https://fidoalliance.org/consumerresearch/

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Contacts
Karen Arena
FIDOteam@aircoverpr.com

FIDO Alliance Member Quotes

“We have known for a long time that consumers need to authenticate securely and safely leveraging an industry standard. As more and more of our commerce and interactions move online, consumers should be able to check for that “seal of security;” this is a great step in helping them learn about the benefits of FIDO.” — Phillip Dunkelberger, CEO Nok Nok Labs

“FIDO Alliance has an important role in educating consumers on strong authentication. Users have more influence than they may believe on what security features online services implement. We can all ask for solutions that are easy to use while keeping our accounts well protected. Right now, hardware-backed authentication with FIDO is the only technology proven to eliminate account takeovers at scale — and loved by users.” — Stina Ehrensvärd, CEO and Co-Founder, Yubico

“We congratulate FIDO Alliance on launching the LoginWithFIDO.com and FIDO I-Mark! This is a long-awaited landmark that brings consumers a real sense of where the FIDO authentication is being supported and how FIDO works. All of those that have experienced the pain of passwords can now shift to the simpler but safer FIDO-secured login to eliminate passwords!” — Tibi Zhang, Vice President, FEITIAN Technologies 

“Raonsecure is very pleased to support the new consumer focus that marks a new stage in the standardization effort of FIDO Alliance. As a board member of the Alliance, Raonsecure has been strongly involved in its development by performing various deployments of FIDO-based technology not only with public institutions but also with the enterprise. The variety of use cases to date provides the FIDO Alliance with enough maturity to educate consumers and relying parties on its benefits.” — Soon Hyung Lee, CEO, Raonsecure

The post FIDO Alliance Debuts New Consumer Educational Site, loginwithfido.com, and New I-Mark Web Symbol appeared first on FIDO Alliance.

The coronavirus outbreak is not only raising public health concerns, but also exposing many office employees who are forced to work at home to greater cybersecurity risk, especially online phishing attacks which is known to be the origin of more than 80% of cyber attacks.

In order to help Koreans to stay protected from such online phishing attacks, the FIDO Alliance Korea Working Group just launched the FIDO Security Key Support Campaign. Sponsored by eWBM, AirCuve (Yubico Partner) and Octatco, the FIDO Security Key Support Campaign will provide 300 FIDO physical security keys to Koreans who are working remotely where their networks and devices are less protected.

Dr. Daniel Ahn, the Co-Chair of FIDO Alliance Korea Working Group, said, “It is our pleasure to practice social contribution by closely collaborating among the FIDO Alliance members in Korea. Similar to our 2020 FIDO Hackathon – Goodbye Password Challenge, we will continue to develop and provide social contribution programs that can educate the public about FIDO protocols while leaving positive social impacts.”

The application for campaign ends on April 17^th, 2020.  For those who wish to receive a free FIDO security key, the online application site can be found by clicking the campaign banner on the sponsoring member’s website.  

Links to sponsoring member websites:
eWBM (https://www.ewbm.co.kr/)
AirCuve (http://www.aircuve.com/)
Octatco (https://octatco.com/)

We are happy to work with our members on this campaign in Korea, and plan to evaluate its success and lessons learned to inform possible programs in other regions of the world.

The post FIDO Alliance Offers 300 Free FIDO Security Keys to Protect Koreans Working at Home appeared first on FIDO Alliance.

Authenticate, the inaugural FIDO conference, will be postponed from its original date of June 2-3. The good news is we have secured a date later this year in the same location in Seattle, WA. 

Authenticate 2020 will now take place on November 9-10, 2020, with the FIDO Alliance member plenary following on November 11-12. Please visit www.authenticatecon.com for the latest information and to register. 

The industry response to Authenticate has been outstanding on all fronts. We had nearly four times the amount of speaking submissions than we had available sessions, which allowed us to put together a highly compelling agenda with some of the brightest minds in authentication. Also, sponsorships are nearly sold out – with all expo space now reserved. Lastly, registration has trended well above projections, which would point to a potential sell-out for this inaugural event. 

Our hope is that the threat of COVID-19 will have dissipated by this fall and that we’ll be able to bring forward all of the above enthusiasm to our new dates. 

We greatly appreciate the support and enthusiasm from the broader FIDO Community, and we’re looking forward to a successful event in November. Until then, we hope everyone stays safe and well. If any questions about Authenticate, contact authenticate@fidoalliance.org. 

The post An Update from FIDO Alliance on Authenticate Conference appeared first on FIDO Alliance.

FATF Recommendations are the recognized standards for  global anti-money laundering (AML) and counter-terrorist financing (CFT). That’s why it’s so important the final guidance recognizes FIDO Authentication in several places as an example of a best authentication practice. 

The first important aspect to note is that the guidance incorporated authentication as an element of the customer due diligence (CDD) process, particularly when banks open new accounts for people with pre-existing digital identity credentials. This is the first time FATF has explicitly included authentication as part of CDD, which also speaks to broader market awareness of the imperative for sound user authentication. Secondly, FIDO is not only recognized as an acceptable form of authentication – it’s called out as a preferred approach vs. legacy authentication methods. Per the guidance:

“Passwords or passcodes, which are supposed to be “shared secret” knowledge authenticators, are vulnerable to brute-force login attacks, phishing attacks, and massive online data breaches, and are very easily defeated. Stolen, weak or default passwords are behind 81 percent of data breaches.  Multi-factor authentication (MFA) solutions, such as SMS one-time codes texted to the subscriber’s phone, add another layer of security to passwords/passcodes but they can also be vulnerable to phishing and other attacks.

Phishing-resistant authenticators where at least one factor relies on public key encryption (e.g., authenticators built off PKI certificates or the FIDO standard) can help combat these vulnerabilities.”

This is significant recognition of not only the importance of authentication, but the weaknesses (i.e., phishability) of some legacy MFA technologies – and how these risks can be mitigated through the use of FIDO as high assurance authentication. It’s an important distinction that we hope banking regulators strongly evaluate  when they are looking to craft new or updated rules on digital identity and authentication. 

Read the full FATF Recommendations here. 

The post Financial Action Task Force Guidance Points to FIDO as Preferred Approach to Combat Authentication Vulnerabilities appeared first on FIDO Alliance.

SEATTLE, February 26, 2020 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, today announced its full 2020 agenda. This two-day event, coming to Seattle on November 9-10, 2020, will inspire attendees to embrace a new way to authenticate and present the necessary tools to move past passwords.

The Authenticate 2020 agenda features:

• Case studies from service and technology providers including CVS Health, EMILY’s List, Facebook, Google, IBM, Mass Mutual, Microsoft, MITRE Corporation, NTT DOCOMO, PNC Bank, and Target
• Sessions on the state of authentication, building an authentication strategy, and how FIDO fits with initiatives like W3C Web Payments, and EMVCo 3DS and SRC
• Standards and technical implementation presentations focusing on FIDO for identity verification; bringing FIDO Authentication to IoT; OpenID for open banking; standards and the future of payments; FIDO certification; attestation and more
• Policy discussions around PSD2, GDPR and eIDAS; authentication to enable better privacy for citizens; authentication from a regulator’s perspective and more

“Authenticate provides the industry with an opportunity for education and discussion on implementing modern authentication,” said Andrew Shikiar, executive director and CMO of FIDO Alliance. “FIDO encourages organizations of all sizes to prioritize stronger security, and we are eager to share the tools and resources to help them get there. The conference agenda features practical presentations and case studies that will give attendees a deep understanding of the best practices they need to integrate FIDO’s approach to simpler, stronger authentication into their own services.”

2020 headlining keynote speakers are: Dr. Whitfield Diffie, the co-inventor of public key cryptography; Joy Chik, corporate vice president of identity at Microsoft; Mark Risher, senior director of product management at Google; and Stina Ehrensvard, CEO and founder of Yubico. A full list of speakers is available on the Authenticate website.

Authenticate will also feature an expo hall with product and service offerings from over two dozen vendors, as well as various networking and social events built into the two-day schedule.

Register today!
Take advantage of early bird pricing by registering by September 9. To register, visit https://authenticatecon.com/register/. Authenticate will be held in conjunction with the FIDO Alliance member plenary being held November 11-12. FIDO Alliance members have exclusive access to discounted rates to attend both events!

Get involved at Authenticate
There are still select sponsorship opportunities available for Authenticate 2020; companies interested can learn more at https://authenticatecon.com/sponsors/.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

TWEET THIS: The @AuthenticateCon agenda has been released! Visit the event website to take a look at this year’s speakers and session topics for the latest in user #authentication. www.authenticatecon.com

About Authenticate
Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortia providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2020, Authenticate will be held November 9-10 at the Motif Seattle in Seattle, Washington. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org 

PR Contact
Adrian Loth
Montner Tech PR
203-226-9290
press@fidoalliance.org

The post Agenda Announced for Authenticate 2020, the First FIDO Conference appeared first on FIDO Alliance.

SEATTLE, January 30, 2020 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, announced today it’s 2020 keynote speaker lineup. Featured keynoter Dr. Whitfield Diffie, the co-inventor of public key cryptography, and executives from Google, Microsoft and Yubico will headline the inaugural event, being held June 2-3, 2020 in Seattle.

Other headlining keynote speakers are: Joy Chik, corporate vice president of identity at Microsoft; Mark Risher, senior director of product management at Google; and Stina Ehrensvard, CEO and founder of Yubico.

“We’re excited to welcome our keynote speakers to the Authenticate stage to share their vision and experiences in moving to more modern and secure FIDO Authentication,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “These speakers each offer unique perspectives on the state of authentication today, and will provide the ideal kickoff to our program filled with case studies and implementation advice for organizations to adopt simpler, stronger authentication.”

CISOs, security strategists, enterprise architects, product and business leaders will walk away from this two-day event with a real understanding of the value of the FIDO approach to simpler, stronger authentication, and the tools and best practices they need to integrate FIDO Authentication into their own services.
Experts will go in-depth on the state of authentication today at Authenticate 2020, covering a range of topics including:

• Authentication trends & insights. Passwords, one-time passcodes and push-based authentication; FIDO Authentication; risk-based authentication and behavioral biometrics; smart cards; single sign on; decentralized authentication; authentication factors (biometrics, FIDO security keys)
• State of security & credential attacks. Phishing, credential stuffing, password spraying, man-in-the-middle, presentation attack
• Case studies & implementation strategy. Global consumer/enterprise/government case studies, IAM integration, industry standards, certification programs, identity verification, account enrollment and recovery
• Vertical trends & initiatives. IoT, payments, healthcare, government 
• Industry standards. FIDO, EMVCo 3DS and SRC, W3C WebAuthn and Web Payments
• Regulatory impact on authentication. PSD2, GDPR, CCPA

Register Today!
Take advantage of early bird pricing by registering by March 8. To register, visit https://authenticatecon.com/register/. Authenticate will be held in conjunction with the FIDO Alliance member plenary being held June 4-5. FIDO Alliance members have exclusive access to discounted rates to attend both events!

Get involved at Authenticate
Companies looking to showcase their brand and products front and center at Authenticate can learn more about remaining sponsorship opportunities at www.authenticatecon.com.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

TWEET THIS: .@AuthenticateCon has announced its keynote speakers. It’s time to embrace a new way to #authenticate – these great speakers will show you how! @Uniken_Inc @WhitfieldDiffie @microsoft @joychik @MRisher @Google #StinaEhrensvärd @Yubico #Authenticate2020! http://www.authenticatecon.com

About Authenticate
Authenticate is first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortia providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2020, Authenticate will be held June 2-3 at the Motif Seattle in Seattle, Washington. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org

PR Contact
Adrian Loth
Montner Tech PR
203-226-9290
press@fidoalliance.org

The post FIDO Alliance’s Authenticate Conference Announces 2020 Keynote Speakers appeared first on FIDO Alliance.

A new paper from the World Economic Forum (WEF) showcases FIDO Authentication as a ready-to-be-implemented option to save organizations the high costs and user experience frustrations of passwords. The paper was released this week during the WEF annual meeting in Davos.

The paper, Passwordless Authentication: The next breakthrough in secure digital transformation, was developed in collaboration with the FIDO Alliance and includes contributions from many of our members including Aetna/CVS Health, Google, HYPR, Intuit, Microsoft, Nok Nok, Onfido, Trusona, the UK government and Yubico.  

According to the report, ending our reliance on passwords can make us safer and businesses more efficient. Cybercrime is set to cost the global economy $2.9 million every minute in 2020 and some 80% of these attacks are password-related. Knowledge-based authentication like passwords is not only a major headache for users, it is costly to maintain. For larger businesses, it is estimated that nearly 50% of IT help desk costs are allocated to password resets, with average annual spend for companies now at over $1 million for staffing alone.

The lead of the project, Adrien Ogee, Platform for Shaping the Future of Cybersecurity and Digital Trust, World Economic Forum, points out in a press release accompanying the paper that “better authentication practices are not just possible they are a necessity.” The possibility of moving beyond passwords is more real than ever as the growing availability of next generation, FIDO-based technologies like biometrics and security keys can meet consumer demands for both user convenience and security. There are several mini case studies from our members in the report that highlight their use today, and the benefits they are seeing. A few examples:

• A mid-sized U.S. retail bank saved more than $2.9 million annually and saved customers up to 30% in time to finish a payment (Source: Nok Nok)
• A U.S. financial software company brought its authentication success rate to 99.9% and reduced sign in time by 78% (Source: Intuit)
• Google’s internal use of FIDO security keys dropped total time spent authenticating by nearly two-thirds, and they experienced zero authentication failures

It’s validating to see WEF not only educate world leaders on the economic impact of our legacy authentication practices, but to recognize that there are viable alternatives that are ready to implement today. With cryptographically secure and convenient FIDO Authentication now supported in all major web browsers as well as Android and Windows platforms, there is no reason to delay — now is the time to move past passwords and embrace simpler, stronger authentication.

The post Davos: World Economic Forum Points to FIDO as Viable Alternative to Passwords appeared first on FIDO Alliance.

From consumer brands to vendors to enterprises, FIDO has been embraced across the globe in 2019, and this is more evident than ever with the growth in our certification programs. Today organizations are requiring certification before deploying FIDO Authentication. The increase in certified FIDO products illustrates its value to the industry.

With that, we’re excited to announce our newest certifications today, which puts us over 688 certified products. Certifications across all specifications were strong this quarter, as tech providers look to provide solutions for those with cross-platform and mobile-first strategies.

It’s notable that we now have 107 authenticator certifications at L1 and L2 levels – big growth since this program was launched last year. This program addresses an increasingly critical market requirement for a more transparent view into the security of FIDO Certified authenticators. Certification gives enterprises and online services the ability to make better informed risk management decisions when registering credentials from FIDO-enabled devices. Today, we offer certifications at Levels 1, 2, 3 and 3+ and plan to introduce more levels in the future.

These companies have achieved FIDO certification since our last update:

• FIDO2: Acceptto Corporation; Authentrend; CANTON Consulting; Capy Japan Inc.; CROSSCERT: KECA(Korea Electronic Certification Authority); ellipticSecure; Excelsecu Data Technology Co., Ltd.; GoTrustID Inc.; Hanko GmbH; HID Global; Hypersecu Information Systems, Inc.; Kensington Computer Products Group; knowledgesuite,inc.; Login ID Inc.; Paywax; RSA; SEOWOOSNC Co.,Ltd.; SoloKeys; SurePassID; Target; TOKEN2; TWCA; Uni-ID Technology (Beijing) Co., Ltd.; Veridium ID Ltd; XionITS; WebComm Technology Co.,Ltd.; Yubico
  
  
• FIDO U2F: Kensington Computer Products Group; Synaptics Incorporated; Yubico
  
  
• FIDO UAF: Giesecke+Devrient Mobile Security GmbH; LG Electronics; Novatek Microelectronics Co.; PNC; SurePassID; WebComm Technology Co.,Ltd.
  
  

In Biometric Component Certification program news, Telecommunications Technology Association (TTA) and TUV Informationstechnik GmbH are now accredited independent labs performing biometric evaluations (see our labs page for details and additional labs). This program is gaining momentum, with several certifications in process.

Technology providers and relying parties interested in FIDO certification should start with the Certification Overview. Ready for interoperability testing? Join us at our next event, March 3-5, 2020 in Seoul, South Korea where we will be testing FIDO UAF, FIDO U2F and FIDO2 implementations. Get all of the details and register here.

The post FIDO Certification Program Ends Year Strong With 688 Certified Products appeared first on FIDO Alliance.

TOKYO, December 5, 2019 — 2019 was a year of strong progress for the FIDO Alliance in realizing its mission to make secure and convenient logins available to web service providers and users across the globe, the Alliance said today in its 2019 progress report.

FIDO platformization makes simpler, stronger authentication available to billions
2019 was the year of FIDO platformization, with leading platforms and web browsers adding support for FIDO Authentication out-of-the-box. This support allows websites to enable FIDO-based logins via a simple API call on billions of devices consumers use every day.

Highlights of this year’s FIDO enablement progress include:

• WebAuthn, the web API portion of the Alliance’s FIDO2 specifications, became an official W3C web standard
• Browser support for FIDO2 was introduced for Google Chrome, Microsoft Edge, Mozilla Firefox, Apple Safari and Opera
• Google received FIDO2 certification for the Android 7.0+ platform, which makes FIDO available for use in all Android mobile devices operating on Android 7 or later
• Microsoft achieved FIDO2 certification for Windows Hello, which makes FIDO available on any Windows 10 device

“We know that realizing the FIDO Alliance’s mission to move the world beyond the password ‘shared secret’ model of authentication requires making FIDO a ubiquitous feature across all of the devices, operating systems and browsers we use every day. Given the platform enablement progress of this year, we are well on our way to that ubiquity,” said Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance. “Never before have service providers and developers had the ability to enable convenient, cryptographically secure authentication to a user base this broad. Service providers are now taking advantage of these new capabilities on a global scale.”

Leading service providers tapping into the power of FIDO Authentication
As platform enablement grew in 2019, service providers continued their FIDO rollouts across mobile and web applications on a global scale. This includes these notable developments:

• Intuit rolled out FIDO passwordless authentication across its mobile apps, reducing sign-in time by 78% and successfully authenticating 99.9% of the time, compared to 80-85% for SMS-based multi-factor authentication
• Microsoft made FIDO Authentication a fundamental component in its efforts to provide users a seamless, password-free login experience. Most recently, Microsoft rolled out FIDO-based passwordless sign-in for Azure Active Directory (Azure AD)
• Building upon their prior FIDO innovations, NTT DOCOMO announced d ACCOUNT Passwordless Authentication — the option to disable password logins and set accounts to login via FIDO biometric authentication only 
• The General Services Administration (GSA) enabled FIDO Authentication for login.gov, its single sign-on website for the U.S. public and federal employees to interface and transact with federal agencies online
• The National Health Service (NHS) in the United Kingdom released open source code for developers to add FIDO biometric security for app login
• Google continued to add FIDO support across its platforms, including the ability to use Android phones as a physical security key and built-in Chromebook support.  
• LINE Pay became the first mobile payment app to support FIDO2, allowing users to simply scan their fingerprint or face to authenticate themselves or confirm transactions

New work areas address adjacent technology areas to advance FIDO adoption
Earlier this year, the FIDO Alliance launched new work areas in the Internet of Things (IoT) and identity verification and binding. These initiatives build upon the Alliance’s ongoing focus on driving the efficacy and market adoption of FIDO Authentication by addressing adjacent technology areas that leave security vulnerabilities on the web.

The Alliance aims to strengthen identity verification assurance to support better account enrollment and recovery, and automate secure device onboarding to remove password use from IoT. The Alliance has formed two new working groups: the Identity Verification and Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG) to establish guidelines and certification criteria in these areas.

New perspectives and participants
The ongoing growth of the FIDO ecosystem was reflected through many new FIDO Alliance members in 2019. These include sponsor-tier organizations AdNovum Informatik AG, FIME SAS, the government of Thailand, IBM, IDNow GmbH, Imagination Technologies, Intuit, Jumio Corporation, the Mitre Corporation, Phoenix Technologies Ltd., Ping Identity, and Secure Identity, LLC (CLEAR).

Looking Ahead to 2020
In the coming year, the FIDO Alliance will continue enabling FIDO rollouts with best practices documentation and developer-focused initiatives. The Alliance is also debuting a new conference, Authenticate, focused on FIDO Authentication and the surrounding ecosystem of technologies, innovations and adopters.The inaugural event will be held June 2-3, 2020 in Seattle, WA. 

TWEET THIS: 2019 Progress Report: #FIDO standards for simpler, stronger web logins are well on their way to ubiquity thanks to a year of strong progress incl. platformization, official standardization & broad support https://fidoalliance.org/fido-alliance-2019-progress-report

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact
Adrian Loth
Montner Tech PR
203-226-9290
press@fidoalliance.org

The post FIDO Alliance 2019 Progress Report: FIDO Authentication for Simpler, Stronger Web Logins Now Ready for Rollout on Billions of Consumer Devices appeared first on FIDO Alliance.

By Henry Lee and Sanghun Won, Co-Chairs, FIDO Alliance Korea Working Group

For our Hackathon program, more teams than we expected completed proof of concepts. We had more than 40 applications, and 12 teams made it through the initial screening process and were given the opportunity to participate in a three-month mentorship program. One team had to drop out in the midst of the mentorship program, due to the team leader receiving a promising career opportunity. This blog serves as a way to celebrate these finalists’ efforts, while introducing their ideas to unlock the potential of FIDO protocols to the world.

EASY

EASY is a team made up of three university students and they were mentored by CrossCert. They developed an IoT Storage Service based on FIDO protocols, so that families in low-income brackets would not have to visit certain places with their ID cards to pick up care packages from government agencies. For more technical information on the proposed solution, please visit page 78 of FIDO Alliance SlideShare.

Social Mix

Social Mix is a venture company with a business model providing simpler and more secure payment services for influencers on social networks. They wanted to find a solution for troubles that merchandise transactions on social networking services are facing. By participating in the Mentorship program by BC Card, the team implemented FIDO protocol based log-ins which not only enabled confirming buyer and seller’s identities but also sped up the transaction with a single click of a button in less than five seconds. For more technical information on the proposed solution, please visit page 77 of FIDO Alliance SlideShare.

Umbridge

The team Umbridge had an idea to utilize unused umbrellas at home in the perspective of a sharing economy. In a populated city like Seoul, people often buy umbrellas due to unexpected rain, and many of them keep piling up at home. The three university students, mentored by SK Telecom, wanted to increase usability of such umbrellas by introducing IoT Umbrella lockers which can be used by any citizens once they are authenticated through FIDO protocols. For more technical information on the proposed solution, please visit page 76 of FIDO Alliance SlideShare.

KISMI

KISMI is a startup company developing a decentralized identity-based ERP system. The team was mentored by eWBM, due to the fact that FIDO security keys were an essential part of their project. They acquired the FIDO technology from ETRI (Electronics and Telecommunications Research Institute), another proud member of FIDO Alliance, which expedited their development process by integrating other blocks of required technologies. For more technical information on the proposed solution, please visit page 57 of FIDO Alliance SlideShare.

LinkMe

LinkMe is quite unique team, because the four members come from four different companies from various industries. The team developed a smart-contract based crowdfunding service with FIDO authentication payment features, securing the money exchange with simple procedures. For more technical information on the proposed solution, please visit page 56 of FIDO Alliance SlideShare.

GwangHae

GwangHae developed a Linux SSH (Secure Shell) login system with FIDO2 protocols. The team realized public IP addresses in Linux can be an easy target for attackers due to the fact about 82% of data breaches are due to poor passwords. The team, made up of only one university student, customized PAM, implemented FIDO2 authentication service for easier yet more secure logins while eliminating needs for end-user password management. GwangHae was mentored by Yubico and AirCuve, which are considering publishing the results as open source to the public. For more technical information on the proposed solution, please visit page 55 of FIDO Alliance SlideShare.

Drones Without Passwords

Aerospace Engineering major university students, mentored by SK Telecom, wanted to challenge the common problems of drone platform, low security and difficulties on identifying users. By implementing FIDO security keys, the team developed FIDO Authentication system for drones. For more technical information on the proposed solution, please visit page 75 of FIDO Alliance SlideShare.

SoonDae

The team SoonDae, university students with specific talents on hacking, wanted to make the public Wi-Fi environment much simpler and more secure by implementing FIDO protocol-based logins. Mentored by Yubico and AirCuve, they tried to develop Wi-Fi networks that are convenient yet secure, protecting user data. For more technical information on the proposed solution, please visit page 58 of FIDO Alliance SlideShare.

The post FIDO Hackathon in Korea: Meet the Finalists appeared first on FIDO Alliance.

There is more big news out of Japan today:  NTT DOCOMO, Japan’s largest mobile network operator with over 78 million subscriptions, has announced a new authentication option: d ACCOUNT® Passwordless Authentication. Starting in February 2020, d ACCOUNT users will have the option to disable password logins and set their accounts to login via FIDO biometric authentication only. The goal of d ACCOUNT Passwordless Authentication is to provide an even stronger way to prevent unauthorized logins with FIDO so that even if a user’s password is stolen, it can no longer be used to access the account. This new option will be available on DOCOMO-supported mobile handsets with biometric authentication capabilities — currently more than 90 models are available. 

DOCOMO has long supported FIDO standards, offering FIDO Authentication to its users since 2015 and contributing to the FIDO Alliance and its specifications at the board level. Now, it is great to see DOCOMO as amongst the first to offer true passwordless authentication backed by FIDO standards, and on its journey to becoming completely passwordless. 

We’re often asked what it’s going to take to achieve our mission to end the world’s reliance on passwords. The answer is that it is a journey, not one that will happen overnight, but one that will happen one application at a time. With native support for FIDO now built into Android, Windows, Google Chrome, Microsoft Edge, Mozilla Firefox and Apple Safari, and FIDO Universal Servers available to support all FIDO specifications, the implementation work is largely done. Now, the stage is set for more service providers and enterprises to take DOCOMO’S example and start on their passwordless journeys. 

If you’d like to learn more about DOCOMO’s journey with FIDO, read our new case study here. 

The post NTT DOCOMO introduces passwordless authentication for d ACCOUNT appeared first on FIDO Alliance.

SEATTLE, September 4, 2019 — The FIDO Alliance today announced Authenticate, the industry’s first conference dedicated to the who, what, why and how of modern user authentication, coming in June 2020. This two-day event will provide all of the education, tools and best practices for CISOs, security strategists, enterprise architects, product and business leaders to roll out modern authentication across web, enterprise and government applications – with a focus on the FIDO standards-based approach.

The inaugural Authenticate conference features Google, Microsoft and Yubico as Signature Sponsors and will be held June 2-3, 2020 at the Motif Seattle in Seattle, Washington.

“After years of increasingly severe data breaches and user login frustration, now is the time to end our dependence on passwords and embrace a new way to provide secure access to online services and applications,” said Andrew Shikiar, executive director and CMO of FIDO Alliance. “Authenticate is singularly focused on authentication, providing the industry with a forum to delve more deeply into the FIDO approach, hear from real-world implementers, and come away with everything they need to start the journey towards simpler, stronger authentication for their own brands and services.”

Authenticate Call for Speakers Now Open
Speaking at Authenticate 2020 is an opportunity to increase visibility, share insights and make connections with colleagues in all stages of modern authentication rollouts.

The Authenticate conference program committee is looking for vendor-neutral, educational presentations that focus on modern authentication implementations and best practices.

The committee seeks global perspectives and presentations on these topic areas:

• Authentication trends & insights (passwords, one-time passcodes and push-based authentication; FIDO Authentication; risk-based authentication and behavioral biometrics; smart cards; single sign on; decentralized authentication; authentication factors (biometrics, FIDO security keys))
• State of security & credential attacks (phishing, credential stuffing, password spraying, man-in-the-middle, presentation attack)
• Case studies & implementation strategy (global consumer/enterprise/government case studies, IAM integration, industry standards, certification programs, identity verification, account enrollment and recovery)
• Vertical trends & initiatives (IoT, payments, healthcare, government, blockchain, Project Verify)
• Industry standards (FIDO, EMVCo 3DS and SRC, W3C WebAuthn and Web Payments)
• Regulatory impact on authentication (PSD2, GDPR, CCPA)
• Technical & developer tutorials

Industry professionals with unique perspectives, implementation experiences or authentication expertise are encouraged to submit a speaking proposal by November 1, 2019. To submit a speaking proposal, visit www.authenticatecon.com.

Get involved at Authenticate
In addition to the Authenticate stage, the FIDO Alliance has a number of sponsorship and exhibitor opportunities for the 2020 event. Companies looking to showcase their brand and products front and center at Authenticate can learn more about these opportunities at www.authenticatecon.com.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

TWEET THIS: .@FIDOAlliance is hosting the first-ever industry event dedicated to modern #authentication: #Authenticate2020! Held June 2-3 in Seattle, the event will provide tools + best practices for authentication with a focus on the FIDO standards-based approach http://www.authenticatecon.com

About Authenticate
Authenticate is first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortia providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2020, Authenticate will be held June 2-3 at the Motif Seattle in Seattle, Washington. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
authenticate@fidoalliance.org 

PR Contact
Adrian Loth
Montner Tech PR
203-226-9290
press@fidoalliance.org

The post FIDO Alliance Announces Authenticate, a New Event Providing Real-world Strategies, Solutions to Modernize Authentication appeared first on FIDO Alliance.

IDENTIVERSE, WASHINGTON, D.C., June 26, 2019 — The FIDO Alliance today announced two new standards and certification initiatives in identity verification and the Internet of Things (IoT). These initiatives build upon the Alliance’s ongoing focus on driving the efficacy and market adoption of FIDO Authentication by addressing adjacent technology areas that leave security vulnerabilities on the web.

Specifically, the Alliance aims to strengthen identity verification assurance to support better account recovery, and automate secure device onboarding to remove password use from IoT. The Alliance has formed two new working groups: the Identity Verification and Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG) to establish guidelines and certification criteria in these areas. The FIDO Alliance will continue to focus on development and adoption of its user authentication standards and related programs and use them as a foundation for this expanded work, featuring contributions from current members and new industry participants.

“The FIDO Alliance has catalyzed a diverse set of stakeholders who have collaborated to answer the industry’s password problem through the standardization of FIDO Authentication – which has grown from concept to global web standard supported in leading browsers and platforms in just seven years,” said Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance. “As we look at the threat vectors in the marketplace, however, it has become apparent that there’s a gap between the high assurance provided by FIDO Authentication standards and the lower assurance methods used in identity verification for account recovery and IoT authentication. This gap can be most effectively addressed through industry collaboration and standardization rather than siloed, proprietary approaches.”

Identity Verification & Binding Working Group Overview

For accounts protected from phishing and other credential-based attacks with FIDO Authentication, the account recovery process when a FIDO device is lost or stolen becomes critical to maintaining the integrity of the user’s account. Validating a user’s identity with high assurance is an important aspect of this process, as well as for account onboarding processes, meeting Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.

The FIDO Alliance has identified newer remote, possession-based techniques including biometric “selfie” matching and government-issued identity document authentication as having the potential to greatly improve the quality of identity assurance for new account onboarding and account recovery. The Alliance has also determined a market need for authoritative guidance, performance evaluation and certifications for their use.

The FIDO Alliance has created the IDWG to fill this need. The IDWG will define criteria for remote identity verification and develop a certification program and educational materials to support the adoption of that criteria.

The IDWG is led by co-chairs Rob Carter, Mastercard and Parker Crockford, Onfido Ltd. Other participating organizations include Aetna, Google, Idemia, Lenovo, Microsoft, Nok Nok Labs, NTT DOCOMO, OneSpan, Phoenix Technologies Ltd., Visa Inc., Yahoo! JAPAN, Yubico and the UK Cabinet Office.

IoT Technical Working Group Overview

Gartner forecasts that 20.4 billion connected things will be in use by 2020, opening up opportunities for increased efficiencies and innovation across industries. Yet, lack of IoT security standards and typical processes such as shipping with default password credentials and manual onboarding leave devices, and the networks they operate on, open to large-scale attack.

The IoT TWG aims to tackle this issue by providing a comprehensive authentication framework for IoT devices in keeping with the fundamental mission of the Alliance – passwordless authentication.

The working group will develop use cases, target architectures and specifications covering:

• IoT device attestation/authentication profiles to enable interoperability between service providers and IoT devices
• Automated onboarding, and binding of applications and/or users to IoT devices
• IoT device authentication and provisioning via smart routers and IoT hubs

The IoT TWG is led by co-chairs Marc Canel, ARM Holdings and Giridhar Mandyam, Qualcomm, Inc. Other participating organizations include Google, Idemia, Infineon Technologies, Intel Corporation, Lenovo, Microsoft, Nok Nok Labs, OneSpan, Phoenix Technologies Ltd., Yahoo! JAPAN and Yubico.

Getting involved

The IDWG and IoT TWG are now open to industry participants. Participation in FIDO Alliance working groups is open to all board and sponsor level members of the FIDO Alliance. For more information on joining the Alliance, visit https://fidoalliance.org/members/membership-benefits/.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

FIDO Alliance PR Contact

Adrian Loth
Montner Tech PR
203-226-9290
press@fidoalliance.org

The post FIDO Alliance Announces New Identity Verification and IoT Initiatives to Expand the Reach and Impact of FIDO Authentication appeared first on FIDO Alliance.

MOUNTAIN VIEW, CALIF., May 6, 2019 — FIDO Alliance announced today that Microsoft has achieved FIDO2 certification for Windows Hello. With this news, any compatible device running Windows 10 is now FIDO2 Certified out-of-the-box following the Windows 10 May 2019 update. Windows 10 users can now move beyond centrally-stored passwords and leverage Windows Hello biometrics or PINs to access their devices, apps, online services and networks with FIDO Certified security.

FIDO2¹ is a set of standards that enables easy and secure logins to websites and applications via biometrics, mobile devices and/or FIDO Security Keys. FIDO2’s simpler login experiences are backed by strong cryptographic security that is far superior to passwords, protecting users from phishing, all forms of password theft and replay attacks. Learn more about FIDO2 at https://fidoalliance.org/fido2/.

“Our work with FIDO Alliance, W3C and contributions to FIDO2 standards have been a critical piece of Microsoft’s commitment to a world without passwords. Windows Hello was built to align with FIDO2 standards so it works with Microsoft cloud services and within heterogeneous environments. Today’s certification announcement brings this full circle, allowing organizations and websites to extend certified FIDO Authentication to over 800 million active Windows 10 devices,” — Yogesh Mehta, Principal Group Program Manager, Microsoft Corporation

Microsoft, a leader in the charge towards a passwordless future, has made FIDO Authentication a fundamental component in its efforts to provide users a seamless, password-free login experience. As a FIDO Alliance board member and a lead contributor to the development of the FIDO2 specifications, Microsoft produced one of the market’s first FIDO2 rollouts with Windows Hello, supports FIDO2 on its Microsoft Edge browser, and also supports log in to Windows Account with FIDO Security Keys.

The Windows 10 May 2019 update includes support for passwordless FIDO Authentication via Windows Hello or FIDO Security Key on Microsoft Edge or the most recent versions of Mozilla Firefox. Read Microsoft’s blog post for more information.

“As a board member and vital contributor to the development of FIDO2, Microsoft has been a preeminent advocate of FIDO Alliance’s mission to move the world beyond passwords. This certification builds upon Microsoft’s long-standing support for FIDO2 technologies in Windows 10 and opens the door for its customers and partners throughout the Windows ecosystem to benefit from FIDO’s approach to user authentication,” said Andrew Shikiar, Chief Marketing Officer of the FIDO Alliance. “FIDO2 is now supported in the world’s most-used operating systems and web browsers, setting the stage for enterprises, service providers and app developers to rapidly bring a simpler and stronger authentication experience to billions of users worldwide.”

In addition to Microsoft Edge, FIDO2 is also supported by leading web browsers Google Chrome and Mozilla Firefox (with preview support by Apple Safari). Android has also been FIDO2 Certified, allowing mobile apps and websites to leverage FIDO standards on over a billion devices supporting Android 7.0+. In addition, several FIDO2 Certified products have been announced to support implementation.

Manufacturers interested in taking advantage of out-of-the-box certification and displaying the FIDO Certified logo on their Windows 10 devices should consult FIDO Alliance’s new trademark and service mark usage agreement.

About FIDO Certification

The FIDO Alliance certifies authentication devices like biometrics and/or security keys, clients and servers to verify that they comply with FIDO specifications including FIDO2 and meet certain security profiles. This ensures that web users can use their FIDO Certified device across all FIDO-enabled web services for a seamless experience. For websites and organizations, they need only to FIDO-enable once and gain access to all FIDO Certified devices in the market.

OEM’s can further differentiate their devices to meet added market requirements by taking part in security level testing — which evaluates how strongly the user’s authentication credentials are protected.

Visit the FIDO Alliance website to get more information on FIDO2, including resources for developers and product vendors interested in taking part in the FIDO Certified program.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, fidoalliance.org was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, more private, and easier to use when authenticating to online services.

FIDO Alliance PR Contact

press@fidoalliance.org

¹ FIDO2 is comprised of the World Wide Web Consortium’s (W3C) Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from FIDO Alliance.

The post Microsoft Achieves FIDO2 Certification for Windows Hello appeared first on FIDO Alliance.

The continued strong interest in FIDO certification shows that globally, technology providers, service providers and enterprises not only understand the importance of certification when implementing and/or deploying FIDO authentication, but require it.

The list of certifications from the first quarter includes Google, which achieved FIDO2 certification for Android. With this, mobile apps and websites can leverage FIDO standards to provide a simple and secure biometric login for users on over a billion devices supporting Android 7.0+.

It also includes Samsung, which received our first certification under the FIDO Biometric Component Certification Program for its Samsung Galaxy S10 and S10+ smartphones. This certification validates that the new in-display fingerprint recognition system meets industry standards for user verification and detecting presentation (or “spoof”) attacks.

The full list of companies that achieved certification this quarter are:

• FIDO UAF: Aisino Corporation; Daon; and GoTrustID Inc.
• FIDO U2F: LAWtrust and Yubico
• FIDO2: Daon; Egis Technology Inc.; Feitian Technologies Co., Ltd.; Google; HYPR; Hyundai Motor Group; NXP Semiconductors; Softgiken; Shenzhen Excelsecu Data Technology Co., Ltd.; StrongKey; Vancosys Data Solutions Inc.; and Yubico
• FIDO Biometric Component Certification: Samsung

With this strong start for 2019, we expect to see continued movement toward FIDO adoption and deployments. If you’re interested in getting started with FIDO Authentication, check out our knowledge base for detailed information on business case, implementation guidance and more.

Want to get certified? Find details about all of our certification programs and how to get started here.

The post First Quarter Certifications Highlight Continuing Expansion of FIDO Ecosystem appeared first on FIDO Alliance.

Industry Demand for Interoperability

“FIDO Alliance, W3C, and EMVCo develop complementary technologies that can enhance the security and convenience of web payments,” said Karteek Patel, Chair of the EMVCo Executive Committee. “This group has been created to better understand and shape the future of secure web-based payments, and ensure alignment on the work of the three technical bodies. EMVCo looks forward to productive discussions and ultimately, increased interoperability for web payments.”

“FIDO standards for simpler, stronger authentication can help secure user interactions specified in domain-specific standards developed in other technical bodies,” added Brett McDowell, executive director, FIDO Alliance. “We are pleased to be working with our payment industry partners on how FIDO authentication and authenticator metadata can support their transaction authorization goals. This interest group will help to streamline coordination and requirements sharing with EMVCo and W3C.”

The Web Payment Security Interest Group complements existing specification-level discussions around EMV® Secure Remote Commerce (SRC), EMV 3-D Secure (3DS), FIDO Alliance’s FIDO2 specifications, and W3C’s Web Authentication and Payment Request APIs. The group also provides the foundation for collaboration around future technical specifications.

Deliverables: Vision and Analysis

The Web Payment Security Interest Group charter defines a scope of activities that includes formulation of a vision for web payment security, development of use cases, gap analysis, liaisons with other organizations, and identification of standardization opportunities for each organization. The Interest Group does not publish specifications. Technical work is carried out in other groups within each organization, such as the FIDO2 Technology Working Group, the W3C Web Payments Working Group, or one of EMVCo’s working groups.

“W3C’s authentication and payments standards are part of the bigger story of the transformation of the payments industry,” said Jeff Jaffe, W3C CEO. “The transformation will continue in unpredictable ways as the web adds new services such as streaming video, real-time communications, and augmented reality. This Interest Group will help ensure that new payment models for these services will have security as a fundamental requirement.”

Call for Participation

EMVCo, FIDO Alliance, and W3C encourage their respective members to join the Interest Group. For more information about how to join the group, please see the Web Payment Security Interest Group home page.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

About EMVCo

EMVCo is the global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes. EMV is a technology toolbox that enables globally interoperable secure payments across face-to-face and remote environments. Adoption of EMV Specifications and associated approval and certification processes promotes a unified international payments framework, which supports an advancing range of payment methods, technologies and acceptance environments. The specifications are available royalty free, designed to be flexible, and can be adapted regionally to meet national payment requirements and accommodate local regulations.

EMVCo is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, and focuses on the technical advancement of the EMV Specifications. To provide all payment stakeholders with a platform to engage in its strategic and technical direction, EMVCo operates an Associates Programme and encourages all interested parties to get involved.

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

Visit www.emvco.com for further information and join EMVCo on LinkedIn.

About the World Wide Web Consortium

The mission of the World Wide Web Consortium (W3C), www.w3.org, is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C develops well known specifications such as HTML5, CSS, and the Open Web Platform as well as work on security and privacy, all created in the open and provided for free and under the unique W3C Patent Policy. For its work to make online videos more accessible with captions and subtitles, W3C received a 2016 Emmy Award.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing nearly 500 Member organizations and dozens of industry sectors. W3C is jointly hosted by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China. For more information see https://www.w3.org/.

End Press Release

FIDO Alliance PR Contacts

Megan Shamas
Montner Tech PR
+1 203-226-9290
press@fidoalliance.org

EMVCo PR Contacts

For further EMVCo media information, please contact:
Kirsty Blackburn / David Amos – Tel: +44 113 3501922 or email: kirsty@iseepr.co.uk / david@iseepr.co.uk

W3C PR Contact

Amy van der Hiel, W3C Media Relations Coordinator <w3t-pr@w3.org> 
+1.617.253.5628 (US, Eastern Time)

The post EMVCo, FIDO Alliance, and W3C Form Interest Group to Enhance Security and Interoperability of Web Payments appeared first on FIDO Alliance.

This is a significant first in the world of FIDO. While the WebAuthn component of FIDO2 enables FIDO Authentication to be built directly into browsers and platforms, Google’s newest offering utilizes the complementary component of FIDO2 — the Client to Authenticator Protocol (CTAP). CTAP is what facilitates the use of external devices like FIDO security keys or mobile devices for logins on FIDO2-enabled browsers and operating systems. Google’s announcement is the first implementation of FIDO2 CTAP with a mobile device that we’re seeing in action.

This a great example of how both components of FIDO2 work together to provide more choice and flexibility to service providers rolling out FIDO Authentication. Now, users can add Android 7+ devices to the long list of options available to protect themselves from phishing and other credential-based attacks with FIDO Authentication. Currently, your Android phone can be a security key only for Google accounts; however, we look forward to seeing it become available for all FIDO2-enabled services sometime in the future.

Check out Google’s announcement here for more details on how to get started with this new capability today.

The post News: Your Google Android 7+ Phone Is Now a FIDO2 Security Key appeared first on FIDO Alliance.

It’s been an exciting few weeks of news and events for the FIDO Alliance — including expansive presence at Mobile World Congress in Barcelona and then the RSA Conference in San Francisco. At both events we saw high volumes of traffic to our booths, with attendees wanting to explore how FIDO Authentication can address a variety of business cases – and also to get more details on the latest news from the FIDO Alliance and our members.  

Here’s a recap of the whirlwind of major milestones that made the past few weeks so noteworthy:

Samsung Galaxy S10/+ Smartphones First to Be FIDO Biometric Certified      

Shortly before Mobile World Congress, Samsung’s new Galaxy S10 and S10+ devices were announced as the world’s first to feature FIDO Alliance Biometric Certification. This means that the new in-display fingerprint recognition system meets globally recognized industry standards for user verification and detecting spoof attacks.

This major announcement positions the Galaxy S10 and S10+ as the industry best practice for biometric-enabled devices. It also validates the necessity of our certification program to provide this important benchmark to the marketplace.

Google Android 7.0+ Devices Achieve FIDO2 Certification

Less than a week later, Android earned FIDO2 Certification, enabling simpler, stronger authentication for over a billion devices running the platform. With this news, users now have the ability to leverage their device’s built-in fingerprint sensor and/or FIDO security keys for secure passwordless access to websites and native applications that support the FIDO2 protocols.

This was one of the most significant developments for the FIDO ecosystem to date due to the dramatic expansion in the number of users with FIDO Authentication capabilities in their hands today – and also as the Android developer community can now more easily tap into the advanced cryptographically-backed authentication that FIDO provides.  

WebAuthn Becomes Official W3C Web Standard

Up next was the W3C’s Web Authentication API (WebAuthn) – a core component of the FIDO Alliance’s FIDO2 set of specifications – which was announced as an official web standard. Web services and apps can – and should – turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much stronger security over passwords alone.

This announcement signaled a major step forward in making a secure web experience more accessible for users around the world. It also represents many years of industry collaboration within the FIDO Alliance and W3C to develop a practical solution for phishing-resistant authentication on the web.

FIDO Alliance Named SC Magazine Editor’s Choice Award Winner

At RSAC 2019,  FIDO was crowned the winner of SC Media’s 2019 Editor’s Choice Award. It was a landmark year in 2018 for the FIDO Alliance and its mission to move the world towards cryptographically secure, standards-backed authentication mechanisms such as on-device biometrics and FIDO Security Keys. Being named the winner of this award validates the impact the FIDO standards have in helping solving the world’s password problem. Learn more about our award in our recent blog post.

From all of this great news, the key takeaway is that the time to deploy FIDO is now. And with all of these momentous events taking place in the span of just a month, we’re excited to see what the rest of 2019 brings.

The post ICYMI: FIDO Alliance Off to Landmark Start to 2019 appeared first on FIDO Alliance.

2018 was a landmark year for the FIDO Alliance in our mission to move the world towards cryptographically secure, standards-backed authentication mechanisms such as on-device biometrics and FIDO Security Keys. Being named the winner of this award validates the impact FIDO standards have in helping solving the world’s password problem.

Each year, hundreds of applications are reviewed and narrowed down to a select group of finalists that represent the best solutions and services to protect today’s businesses from an ever-changing landscape of security threats.

The individuals, programs and teams selected as winners are run through a rigorous judging process that includes testimonials, industry assessments and additional research. Winners in the Professional Award categories (such as the Editor’s Choice Award) were hand-picked by a panel of judges for their outstanding service, qualifications and advancements to the cybersecurity industry.

See in detail why SC Media chose FIDO Alliance to receive this honor in their awards recap.

The post FIDO Alliance Wins SC Media’s 2019 Editor’s Choice Award appeared first on FIDO Alliance.

MOUNTAIN VIEW, Calif., and https://www.w3.org/, March 4, 2019 – The World Wide Web Consortium (W3C) and the FIDO Alliance today announced the Web Authentication (WebAuthn) specification is now an official web standard. This advancement is a major step forward in making the web more secure – and usable – for users around the world.

W3C’s WebAuthn Recommendation, a core component of the FIDO Alliance’s FIDO2 set of specifications^[i], is a browser/platform standard for simpler and stronger authentication. It is already supported in Windows 10, Android, and Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (preview) web browsers. WebAuthn allows users to log into their internet accounts using their preferred device. Web services and apps can – and should – turn on this functionality to give their users the option to log in more easily via biometrics, mobile devices and/or FIDO security keys, and with much higher security over passwords alone.

“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said Jeff Jaffe, W3C CEO. “W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”

A user-friendly solution to password theft, phishing and replay attacks
It’s common knowledge that passwords have outlived their efficacy. Not only are stolen, weak or default passwords behind 81 percent of data breaches, they are a drain of time and resources. According to a recent Yubico study, users spend 10.9 hours per year entering and/or resetting passwords, which costs companies an average of $5.2 million annually. While traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security, they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates.

With FIDO2 and WebAuthn, the global technology community has come together to provide a shared solution to the shared password problem. FIDO2 addresses all of the issues of traditional authentication:

• Security: FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.

• Convenience: Users log in with simple methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device.

• Privacy: Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites.

• Scalability: websites can enable FIDO2 via simple API call across all of supported browsers and platforms on billions of devices consumers use every day.

“The Web Authentication component of FIDO2 is now an official web standard from W3C, an important achievement that represents many years of industry collaboration to develop a practical solution for phishing-resistant authentication on the web,” said Brett McDowell, executive director of the FIDO Alliance. “With this milestone, we’re moving into the next phase of our shared mission to deliver simpler, stronger authentication to everyone using the internet today, and for years to come.”

TWEET THIS: #WebAuthn is an official web standard via @w3c @FIDOAlliance. This is a major step forward in making the web more secure — and usable — for users around the world https://fidoalliance.org/w3c-and-fido-alliance-finalize-web-standard-for-secure-passwordless-logins

Getting started
For services providers and vendors ready to get started with FIDO2 specifications and browser/platform support, the FIDO Alliance has provided testing tools and launched a certification program. Currently, there are many FIDO2 Certified solutions available to support a wide variety of use cases. These include FIDO Certified Universal Servers that support FIDO2 and all prior FIDO UAF and FIDO U2F devices for full backward compatibility with the full range of certified FIDO authenticators.

Visit the FIDO Alliance website for more information on FIDO2, including resources for developers and product vendors interested in taking part in the FIDO Certified program.

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, fidoalliance.org was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

About the W3C
The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C develops well known specifications such as HTML5, CSS, and the Open Web Platform as well as work on security and privacy, all created in the open and provided for free and under the unique W3C Patent Policy. For its work to make online videos more accessible with captions and subtitles, W3C received a 2016 Emmy Award.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 Member organizations and dozens of industry sectors. W3C is jointly hosted by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China. For more information see https://www.w3.org/.

FIDO Alliance PR Contact

Megan Shamas
Montner Tech PR
203-226-9290
press@fidoalliance.org

W3C PR Contact

Amy van der Hiel
W3C Media Relations Coordinator
w3t-pr@w3.org
1.617.253.5628 (US, Eastern Time)

Testimonials

Duo Security (Cisco)

“The WebAuthn specification is a major and collaborative leap forward in the evolution of simpler, stronger user authentication. As pioneers in the authentication space, Duo Security knows that for security to be effective, it has to be easy. WebAuthn’s security and privacy protections, built-in phishing resistance and ease-of-use give it the potential to drive widespread adoption across enterprise and consumer markets, making everyone safer as a result. True passwordless authentication has been sought for a long time – today, we’re closer to realizing that goal with WebAuthn.” – James Barclay, Senior R&D Engineer, Duo Security, a Cisco business unit

Google

“The fact that users get phished is not really their failing. It was a gap in the internet infrastructure that made them vulnerable. With today’s announcement, the internet community is closing that gap. The internet infrastructure now has the tools to provide user friendly phishing-resistant authentication at scale. Google has been part of this journey since the earliest days, we introduced Security Key based authentication in 2014, the Advanced Protection Program in 2017, and the Titan Security Key in 2018. Now with W3C WebAuthn and FIDO2 client support coming across all major client platforms, an expanded set of capabilities is enabled. We look forward to leveraging these to offer our users additional new intuitive login experiences that are phishing-resistant.” – Sam Srinivas, Product Management Director, Google and President, FIDO Alliance

Microsoft

“Our work with W3C and FIDO Alliance, and contributions to FIDO2 standards have been a critical piece of Microsoft’s commitment to a world without passwords, which started in 2015. Today, Windows 10 with Microsoft Edge fully supports the WebAuthn standard and millions of users can log in to their Microsoft account without using a password.” – Alex Simons, Corporate Vice President, Program Management, Microsoft Identity Division

Mozilla

“Out of all multi-factor authentication solutions I know of, Web Authentication is our best technical response to the scourge of phishing. Protecting individuals’ privacy and security is fundamental to Mozilla, and Web Authentication plays a key role in that protection. Mozilla supports the advancement of Web Authentication, and its end-goal of a phishing-free future for all the web.” – J.C. Jones, Cryptography Engineer, Mozilla

Nok Nok Labs

“Providing an alternative to phishable and inconvenient passwords that works across devices, apps, browsers, and websites has been the mission of Nok Nok Labs since our inception. The Web Authentication API is an important step towards the goal of enabling simple and strong authentication on the devices we use in our daily lives. It is imperative that the industry as a whole continues to add support for FIDO Authentication into all platforms to better protect consumers in our digital world.” – Rolf Lindemann, Sr. Director of Products at Nok Nok Labs

Yubico

“Today’s standardization of W3C’s WebAuthn marks a milestone in the history of open authentication standards and internet security. Together, we achieved the near-impossible: the creation of a global standard supported by all platforms and browsers. Yubico is grateful to be a part of this journey and we look forward to the possibilities this is going to open for seamless, ubiquitous security for all internet users.” – Stina Ehrensvard, CEO and Founder, Yubico

[i] FIDO2 is comprised of the W3C’s Web Authentication specification (WebAuthn) and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP)

The post W3C and FIDO Alliance Finalize Web Standard for Secure, Passwordless Logins appeared first on FIDO Alliance.

Beginning with a focus on two specifications addressing distinct use cases, we now have also released FIDO2 in conjunction with W3C, which builds upon this original vision and brings expanded capabilities. Our certification program has had meteoric growth and has seen nearly 600 products complete conformance and interoperability testing. And on top of this, we’ve had various deployment-related initiatives across the globe.

All of this growth has been led by members on our Board of Directors in conjunction with our founding executive director, Brett McDowell. Over the past seven years, Brett has grown an excellent team to address the industry. With this growth comes change. As the Alliance enters this exciting next chapter, Brett McDowell is taking on added professional projects in the industry in addition to his role as FIDO Alliance executive director. Specifically, he will be leveraging his deep experience managing multi-stakeholder industry bodies to advise Hedera Hashgraph Council as its executive director. The Alliance is grateful for his ongoing service and for the work he’s done to bring the organization to this point.

The stage is now set for for 2019 to be a year of widespread deployment and adoption of FIDO solutions — particularly with FIDO2 now in market. And the Alliance’s work is just beginning. The specifications and certification programs are continuing to evolve, and our deployment work is taking on even greater importance. Additionally, the Alliance has launched study groups to evaluate new work areas in IoT and eKYC, which would leverage the Alliance’s broad coalition of leading organizations from around the world to help standardize technologies adjacent to user authentication.

Moving forward, the Alliance’s officers and Board of Directors, led by Sam Srinivas of Google as president and Sean Estrada of Amazon as vice president, will continue to guide the organization alongside the senior executive staff of FIDO Alliance. We look forward to seeing how all of these changes help us move closer to reducing the world’s over-reliance on passwords.

The post With Progress Comes Change for FIDO Alliance in 2019 appeared first on FIDO Alliance.

BARCELONA, February 25, 2019 — FIDO Alliance announced today that Android is now FIDO2 Certified, bringing simpler, stronger authentication capabilities to over a billion devices that use this platform every day. With this news, any compatible device running Android 7.0+ is now FIDO2 Certified out of the box or after an automated Google Play Services update. This gives users the ability to leverage their device’s built-in fingerprint sensor and/or FIDO security keys for secure passwordless access to websites and native applications that support the FIDO2 protocols.

Web and app developers can now add FIDO strong authentication to their Android apps and websites through a simple API call, to bring passwordless, phishing-resistant security to a rapidly expanding base of end users who already have leading Android devices and/or will upgrade to new devices in the future.

“Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks. Today’s announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users,” said Christiaan Brand, Product Manager, Google.

Already supported in market by leading web browsers Google Chrome, Microsoft Edge, and Mozilla Firefox (with preview support by Apple Safari), FIDO2 is comprised of the World Wide Web Consortium’s (W3C) Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from FIDO Alliance. Collectively, these standards enable users to more easily and securely login to online services with FIDO2-compliant devices such as fingerprint readers, cameras and/or FIDO security keys.

“FIDO2 was designed from day-one to be implemented by platforms, with the ultimate goal of ubiquity across all the web browsers, devices and services we use every day. With this news from Google, the number of users with FIDO Authentication capabilities has grown dramatically and decisively. Together with the leading web browsers that are already FIDO2 compliant, now is the time for website developers to free their users from the risk and hassle of passwords and integrate FIDO Authentication today,” added Brett McDowell, Executive Director, FIDO Alliance.

FIDO2’s simple user experiences are backed by strong cryptographic security that is transparent to the user and protects against phishing, man-in-the-middle and attacks using stolen credentials. FIDO2 support has been growing since the specifications were introduced last spring. In addition to browser and platform support, several FIDO2 Certified products have been announced to support implementation.

Device manufacturers interested in taking advantage of out-of-the-box certification and displaying the FIDO Certified logo on their Android devices should consult FIDO Alliance’s new trademark and service mark usage agreement.

About FIDO Certification

The FIDO Alliance certifies authentication devices like biometrics and/or security keys, clients and servers to verify that they comply with FIDO specifications including FIDO2 and meet certain security profiles. This ensures that web users can use their FIDO Certified device across all FIDO-enabled web services for a seamless experience. For websites and organizations, they need only to FIDO-enable once and gain access to all FIDO Certified devices in the market.

OEM’s can further differentiate their devices to meet added market requirements by taking part in security level testing — which evaluates how strongly the user’s authentication credentials are protected.

Visit the FIDO Alliance website to get more information on FIDO2, including resources for developers and product vendors interested in taking part in the FIDO Certified program. Mobile World Congress attendees can also visit the FIDO Alliance member pavilion located on the upper walkway between Hall 2 and Hall 3.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, fidoalliance.org was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

FIDO Alliance PR Contact

press@fidoalliance.org

The post Android Now FIDO2 Certified, Accelerating Global Migration Beyond Passwords appeared first on FIDO Alliance.

MOUNTAIN VIEW, Calif., February 20, 2019 – The FIDO Alliance announced today that the Samsung Galaxy S10 and S10+ smartphones are the first products to feature certification from the FIDO Alliance’s new Biometric Component Certification Program. This certification validates that the new in-display fingerprint recognition system meets industry standards for user verification and detecting presentation (or “spoof”) attacks.

“As mobile devices increasingly become our primary means of storing sensitive information and conducting critical transactions, the industry leaders in FIDO Alliance have determined the market needs a standard-based means to assess the efficacy of biometric certification components — which is why we recently launched our Biometric Component Certification Program,” said Brett McDowell, Executive Director of FIDO Alliance. “By being first to market with FIDO Alliance biometric component certification for their new line of Galaxy devices, Samsung is positioning the Galaxy S10 and S10+ as the industry best practice for biometric-enabled devices, while at the same time validating the necessity of our program to provide this important benchmark to the marketplace.”

The FIDO Alliance developed the first biometric certification program to fill a gap in the market, which previously required biometric vendors to repeatedly prove performance for each customer. This ability to test and certify a biometric system only once results in substantial time and cost savings for vendors and gives customers a standardized way to trust the biometric systems they are relying upon for fingerprint, iris, face and/or voice recognition. The program utilizes accredited independent labs to certify that biometric subcomponents meet globally recognized performance standards¹ for biometric recognition performance and Presentation Attack Detection (PAD)².

“Protection of customers’ data and privacy on our devices is of utmost importance to Samsung, which is why we went through the FIDO Biometric Component Certification Program,” said Henry Jong-Hyeon Lee, SVP and Head of Mobile Security Technologies Group, IT & Mobile Communications Division, Samsung Electronics. “We are very pleased to be the first device manufacturer to have qualified and completed the program, which provides the industry with a strong baseline to assess performance of biometric authentication components.”

“The FIDO Alliance Biometric Component Certification program fills an important gap in our industry as biometrics expand out of the enterprise and government marketplace into the mainstream consumer electronics marketplace,” said Dr. Kevin Wilson of iBeta.  “We are very pleased to be the first accredited lab to perform biometric certification assessments under this program.”

FIDO biometric certification program details

The Biometric Component Certification Program is open to all biometric authenticator subcomponents. Those vendors who achieve certification receive a Biometric Subcomponent Certificate to show they have passed the well-defined testing administered by the FIDO Alliance and accredited labs. Biometric technology suppliers interested in participating in the program can visit https://fidoalliance.org/certification/biometric-component-certification/ to get started.

About The FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

FIDO Alliance PR Contact

Megan Shamas
Montner Tech PR
203-226-9290203-226-9290
press@fidoalliance.org

ENDNOTES

¹ ISO standards: ISO/IEC 19795; ISO/IEC 30107
² PAD (Presentation Attack Detection) i.e. liveness detection/detection of a spoof attack.

The post New Samsung Galaxy Ultrasonic Fingerprint System World’s First to Achieve FIDO Biometric Certification appeared first on FIDO Alliance.

MOUNTAIN VIEW, Calif., JANUARY 22, 2019 — As data breaches and increasingly sophisticated phishing attacks continue to drive online account compromise and financial loss, organizations are finally stepping up and investing in stronger, phishing-resistant forms of authentication, Javelin Strategy & Research’s new “The State of Strong Authentication 2019” report has found.

The report, sponsored by the FIDO Alliance, analyzes the state of customer and enterprise (employee) authentication amongst U.S. businesses and draws conclusions on the role strong authentication is playing in protecting accounts and securing access to valuable data and critical systems.

The 30-page report is available for free download at https://fidoalliance.org/2019-strong-authentication-report/.

In the report, Javelin’s key findings and recommendations show:

• Strong authentication implementations have grown dramatically since 2017. The number of organizations using cryptographically-backed strong authentication, where one of multiple authentication factors uses public key cryptography, has tripled since 2017 for consumer authentication and increased by nearly 50 percent for enterprise authentication in the same period. This form of authentication is not susceptible to phishing, man-in-the-middle and/or other attacks targeting credentials — which are known vulnerabilities with passwords and one-time passwords (OTPs).
• Regulation is accelerating strong authentication adoption. Nearly 70 percent of businesses agree they face strong regulatory pressure to provide strong authentication for their customers. This is attributed to the introduction of PSD2, along with data protection regulations in the EU and U.S. states such as California.

• Strong authentication holdouts are underestimating risks to their businesses and customers. Two-thirds of businesses that use only passwords to authenticate their employees do so because they believe passwords are “good enough” for the type of information they are protecting, despite cybercriminals’ continuing to target a wide variety of consumer and business information.

• Not all strong authentication is created equal. According to Javelin, adopting strong authentication solutions that are based on standards and employ cryptographic security (like FIDO Authentication) can help organizations lower the cost of keeping up with regulation, customer expectations and increasingly sophisticated fraud schemes.

• It’s time to sunset OTPs. With cyber criminals using social engineering, phone porting and malware to compromise OTP authenticators, Javelin recommends moving away from them and adopting cryptographically-backed strong authentication.

The report includes case studies from Google, Tradelink and Visa, all of which are leveraging FIDO Authentication to provide stronger protection for customer and employee accounts.

“The increase in strong authentication adoption makes sense given that while data breaches, phishing threats and regulatory pressures have risen, the financial and user experience costs associated with implementing strong authentication have decreased,” said Al Pascual, senior vice president and research director, Javelin Strategy & Research. “What’s less encouraging is that we are finding that the holdouts believe passwords alone are sufficient security. These companies need to realize that even data they may think is low-risk can provide significant value to fraudsters and expose them to regulatory scrutiny. As such, they need to make plans to move to strong authentication now or they will find themselves an attractive target for cybercriminals.”

“It’s great to see that organizations are recognizing that passwords, and even one-time-passcodes, do not provide sufficient protection against today’s threats,” said Brett McDowell, executive director, FIDO Alliance. “I hope this study helps to raise awareness of new cryptographically-backed authentication capabilities, compliant with industry standards from FIDO Alliance and W3C, now widely available in leading web and mobile app platforms. These capabilities enable applications to bind account credentials to the user’s physical device, so they cannot be phished by remote attackers. Platforms are packaging these security capabilities into more convenient experiences for users — allowing them to use their finger, face or security key to login to all of their favorite websites and applications.”

Those interested in taking a deep dive in “The State of Strong Authentication Report 2019” should attend a free webinar on February 7, 2019 at 10:00 a.m. PT/1:00 p.m. ET. To register, visit https://fidoalliance.org/webinar-state-of-strong-authentication-2019.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

FIDO Alliance PR Contact
Megan Shamas
Montner Tech PR
203-226-9290
press@fidoalliance.org

The post New Report Shows Data Breaches, Phishing and Regulations Driving Rapid Adoption of Strong Authentication appeared first on FIDO Alliance.

Earlier this month, the FIDO Alliance was in Asia for a series of seminars sharing the latest updates on FIDO Authentication and adoption. In Beijing, Taipei, Seoul and Tokyo, we had standing-room only sessions showcasing a year of great progress throughout the region as major organizations rallied around FIDO2 to reduce reliance on passwords with simpler, stronger authentication.

Each stop on the ‘tour’ provided insights on local adoption trends. In Beijing, we saw strong uptake with leading banks, particularly for their mobile apps. Taipei featured a very enthusiastic audience with great interest across the board from government, finance and mobile communications. Korea has long been an epicenter for FIDO innovation, and this seminar was no different. Presentations showcased how FIDO can be utilized for everything including mobile banking, blockchain, voice-based commerce and more.

In Japan, we held a press conference that featured significant updates from the local market including the announcement that Yahoo! Japan (which in September was among the first service providers to have a FIDO2 Certified server) has joined the FIDO Alliance Board of Directors. Yahoo! Japan also gave a presentation to seminar attendees on how FIDO Authentication will be deployed to its users. On the certification front, it was announced that leading service providers KDDI and LINE achieved FIDO2 certification, with LINE also becoming the second company to achieve Universal Server Certification. Notably, LINE also announced that it will be rolling out FIDO Authentication for LINE Login next Spring. In more deployment news from Tokyo, two companies announced new FIDO biometrics-based mobile applications  — Aflac Japan (developed by Fujitsu Global) and the Bank of Tokyo Mitsubishi (developed by Hitachi Global).

Collectively, these presentations, discussions and announcements showcase the fact that millions of consumers across Asia are now experiencing the more secure, faster and convenient experiences that FIDO Authentication provides,while deploying organizations are enjoying the benefits of lower risk and increased customer satisfaction. This is in line with what we’re seeing globally. Organizations are paying close attention to the increasing browser and product support for FIDO2 and making their rollout plans. These seminars were an inspiring way to wrap up 2018, and point to 2019 as a year of further FIDO adoption and deployments around the world.

The post New Certifications, Deployments Further Illustrate Strong FIDO Momentum throughout Asia appeared first on FIDO Alliance.

FIDO2 support is growing rapidly in the ecosystem, setting the stage for a future that is far less dependent on passwords. Since FIDO2 was introduced last April, we’ve seen a rapid succession of supporting browser announcements including Google Chrome, Microsoft Edge and Mozilla Firefox. More recently, Microsoft announced FIDO2-based Microsoft Account sign-in using Windows Hello or a FIDO Security Key — no passwords needed. And then, just last week, the news broke that Apple has shipped FIDO2 support in their latest technology preview version of their Safari web browser.

With this comprehensive FIDO2 browser support now in place, websites need to build corresponding support into their authentication infrastructure. This will allow websites to process FIDO messages that the web browser will pass between the user’s device and the website’s server. To support the adherence to the standard, FIDO ensures compliance and interoperability with the specifications through its FIDO Certified Program.   

While browser vendors were busy building FIDO2 support into their releases, leading industry tech vendors were equally busy building the products to support implementation. The FIDO2 certification program was launched in September to ensure interoperability and to support these vendors. The result was a variety of servers, clients and authentication devices that quickly achieved FIDO2 Certifications.

Today, that list grows longer as we announce the most recently certified products from leading vendors including: Aerendir Mobile Inc., Capy Japan Inc., DreamSecurity Co., Ltd., Hancom Secure, Hyper Blockchain System Co., Ltd., Irisys Co. Ltd., NXP Semiconductors, Octatco, Penta Security Systems Inc., SSenStone Inc., Uni-ID Libra, and Vancosys Data Security. Going through certification verifies that products comply with FIDO2 and meet certain security profiles.

Also certified were leading service providers including network operators KDDI of Japan and SK Telecom of Korea. In a similar vein, social media giant LINE became the second company to achieve Universal Server Certification, which ensures service providers have compatibility with authenticators based on all FIDO specifications (FIDO UAF, FIDO U2F and FIDO2).

This is just a start and we expect 2019 to be a year of further FIDO adoption and deployments. If you’re interested in getting started with FIDO Authentication, check out our new knowledge base for detailed information on business case, implementation guidance and more.

The post FIDO2 Browser Support, New Certified Products Continue Momentum Towards Passwordless Future appeared first on FIDO Alliance.

MOUNTAIN VIEW, Calif., September 6, 2018 – Biometric user verification has become a popular way to replace passwords and PINs, but the lack of an industry-defined program to validate performance claims has led to concerns over variances in the accuracy and reliability of these solutions. To fill this gap, the FIDO Alliance today announced its Biometric Component Certification Program – the first such program for the industry at large. The program utilizes accredited independent labs to certify that biometric subcomponents meet globally recognized performance standards[i]  for biometric recognition performance and Presentation Attack Detection (PAD)[ii] and are fit for commercial use.  

The FIDO Alliance aims to deliver several benefits to providers and users of biometric recognition systems through the new Biometric Component Certification Program. Until now, due diligence was performed by enterprise customers who had the capacity to conduct such reviews. This required biometric vendors to repeatedly prove performance for each customer. The FIDO Alliance program allows vendors to test and certify only once to validate their system’s performance and re-use that third-party validation across their potential and existing customer base, resulting in substantial time and cost savings. For customers, such as regulated online service providers, OEMs and enterprises, it provides a standardized way to trust that the biometric systems they are relying upon for fingerprint, iris, face and/or voice recognition can reliably identify users and detect presentation attacks.

“The lack of standards has long been an issue in biometrics, forcing security professionals to ‘get deep in the weeds’ to not only understand the attributes that are important but subsequently evaluate vendors on those attributes. An unbiased Alliance-based certification program expedites solution evaluation for companies but also eases adoption by providing assurances to the C-suite of proper choice,” said Frank Dickson, research vice president, IDC.

“With biometrics being a popular option for mobile and web applications implementing FIDO Authentication, there is a growing need for those service providers to appropriately assess the risk of fraud from lost or stolen devices. While border control and law enforcement markets have mature assessment programs for their biometric systems, we were surprised that no such program existed for this rapidly growing consumer market,” said Brett McDowell, executive director of the FIDO Alliance. “As an organization that is driven by our members’ real-world business requirements, and already experienced at delivering globally scalable high-quality certification programs, the FIDO Alliance was the organization our members chose to fill this gap in the market.”

 Program Details

The Biometric Component Certification Program is open to all biometric authenticator subcomponents. Those vendors who achieve certification receive a Biometric Subcomponent Certificate to show they have passed the well-defined testing administered by the FIDO Alliance and accredited labs.

To fully meet anticipated customer requirements, a vendor may also choose to go through the FIDO Authenticator Certification Program to validate that the biometric authenticator conforms to cryptographic FIDO specifications, interoperates with other products in the market and meets certain security requirements in addition to biometric performance. For authenticators that incorporate biometric sensors, the biometric subcomponent certificate is required in order to achieve the highest levels of FIDO Authenticator security certification but remains optional for the lower levels of assurance. Only those that successfully complete the FIDO Authenticator Certification Program can use the FIDO or FIDO Certified trademarks.

Biometric technology suppliers interested in participating in the program can visit https://fidoalliance.org/biometric-component-certification-program to get started.

The FIDO Alliance is set to host a webinar on its certification programs on September 12, 2018 at 1:00 p.m. eastern time. Registration information can be found at https://fidoalliance.org/events/certification-webinar/.

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

FIDO Alliance PR Contact

Megan Shamas
Montner Tech PR
203-226-9290
fidopr@montner.com

The post FIDO Alliance Launches Biometrics Certification Program appeared first on FIDO Alliance.

Industry’s First Biometric Component Certification Program

Earlier today we announced the industry’s first biometric certification program. The new Biometric Component Certification Program utilizes independent labs to certify that biometric subcomponents meet globally recognized performance standards for reliable identification and are fit for commercial use.

We anticipate that achieving certification will save vendors a substantial amount of time and money in bringing new biometric systems to market, and will give their customers confidence in the reliability of these solutions.

Read the full news announcement about the Biometric Component Certification Program at https://fidoalliance.org/fido-alliance-launches-biometrics-certification-program/ and find out what you need to get started at https://fidoalliance.org/biometric-component-certification-program.

Introducing FIDO Certified L3 and L3+ Authenticators

Last March, we announced the Authenticator Certification Program, which introduces security requirements for authenticators going through FIDO Certification, with two levels: Level 1 (L1) Authenticator and FIDO Certified Level 2 (L2) Authenticator. Today we are expanding the program by launching Level 3 (L3) and Level 3+ (L3+) testing and certification.

Authenticator Certification L3 evaluates FIDO Authenticator protection against enhanced-basic effort software and hardware attacks. Authenticator Certification L3+ evaluates FIDO Authenticator protection against moderate or high-effort software and hardware attacks.

To achieve L3 and L3+ certification, authenticators that include biometrics must also pass the Biometric Component Certification Program. For more information on L3 visit https://fidoalliance.org/certification/authenticator-level-3/, and L3+ visit https://fidoalliance.org/certification/authenticator-level-3-plus/.

Newly Certified Products

In addition to today’s developments, several companies have been certified under the FIDO Functional and L1/L2 programs. Newly certified companies include Aware, Inc. and Transmit Security. Note that the FIDO Alliance recently completed our first FIDO2 interoperability testing event, meaning that we’ll soon be announcing the first FIDO2 Certified solutions.

Want to learn more about our certification programs? Attend our webinar, “FIDO Certified Program Updates: Biometrics, Authenticator Levels and FIDO2,” on Monday, September 12, 2018 at 10am PT/1pm ET.

The post FIDO Certification Programs: Introducing New Biometric Component Certification, Authenticator Levels and Certified Companies appeared first on FIDO Alliance.

The FIDO Alliance is pleased to announce that nine new companies have completed FIDO certification. This brings the total number of FIDO® Certified products to 465.

The FIDO Certified program for functional certification provides assurance of compliance to FIDO standards, and has been a driving force for realizing the Alliance’s vision for universal and interoperable strong authentication. The broad, worldwide lineup of certified products gives service providers an array of options to roll out FIDO Authentication.

Today, more companies are taking advantage of FIDO’s new Authenticator Certification Levels program. The Authenticator Certification Levels are currently divided into two levels: FIDO Certified Level 1 (L1) Authenticator and FIDO Certified Level 2 (L2) Authenticator. These security evaluations increase consumer, enterprise and service providers’ confidence that their devices are protected from targeted attacks. The program also enables enterprises and online services to make better informed risk management decisions when registering credentials from FIDO-enabled devices.

The newly certified companies include: Acceptto; AirCUVE Inc.; Fishbag technology (Beijing) Co.Ltd.; Gemalto; Jazz Networks; SMART TECHNOLOGIES INVESTMENT AND DEVELOPMENT Co. Ltd (STID).

In the near future, FIDO will be holding its first FIDO2 certification tests for servers and authenticators. This will also include the new Universal Server certification mark for servers that support the full range of FIDO Authenticators (UAF, U2F, FIDO2); FIDO recommends that relying parties consider deploying a Universal Server in order to ensure optimal end-user experience and compatibility.

Interested in getting FIDO Certified? Learn how to achieve Functional Certification and about the Authenticator Certification Levels program, as well as the value of FIDO certification.

The post FIDO Announces Latest Set of FIDO Certified Products appeared first on FIDO Alliance.

Ashok Chandak, the co-chair for the FIDO India Working Group, will present “FIDO Story Emphasizing Enhanced Privacy and User Experience” at the India PKI Forum Symposium – 2018. The mutual liaison agreement was signed off and announced at this event in New Delhi. 

The two organizations have agreed to work together on promoting FIDO’s standards and best practices for strong authentication, alongside outputs from the India PKI Forum. Such technologies will provide better security for both clients and businesses as they expand online services such as income tax, passports, company law, e-procurement, bidding and government social services. Public Key Infrastructure (PKI) forms the backbone of digital trust for all these services; FIDO’s standards-based ecosystem — the world’s largest — makes it easier for people to use and businesses to deploy related solutions.

“In recent years, the government’s farsighted initiatives have emphasized paperless, cashless and presence-less services, and encouraged policies and innovations around these goals. This effort is helping make India one of the world’s leading password-less ecosystems,” said Mr. V. Srinivasan, chairman of India PKI Forum and founder and chairman of eMudhra Limited. “This joint initiative will help us accelerate the adoption and use of PKI applications and digital signature certificates, and facilitate interoperability through multi-vendor testing of industry standards and educational outreach—both key missions of our organization.”

India PKI Forum (IPKI) is a non-profit organization sponsored by the Government of India’s Controller of Certifying Authorities (CCA) within the Ministry of Information Technology. IPKI Forum serves as an Indian information resource for PKI and an advocate for industry cooperation and market awareness. This enables organizations to understand and embrace the value of PKI in applications relevant to their businesses. India PKI Forum is also an active member of the Asia PKI Consortium, which is a non-government organization headquartered in Hong Kong.

“With support from the leading digital economy platforms and service providers, FIDO Authentication has reached the tipping point in its adoption curve,” said Ashok Chandak, co-chair of FIDO Alliance India Working Group and senior director of global sales and marketing at NXP Semiconductors. “With W3C’s recent WebAuthn spec and support commitments from leading web browsers will help ensure FIDO’s near ubiquitous availability worldwide, including India. These advantages mesh perfectly with the India PKI Forum’s and the government’s mutual goal to accelerate the adoption and use of PKI applications and digital signature certificates.”

About India PKI Consortium

India PKI Forum (IPKI) is a non-profit organization aimed at bringing technology and service providers, integrators and end-users together to accelerate the adoption and use of PKI applications and digital signature certificates, as well as to facilitate interoperability through multi-vendor testing of industry standards and educational outreach. Sponsored by Controller of Certifying Authorities (CCA), Ministry of Information Technology, Government of India, IPKI Forum serves as an Indian information resource for PKI and advocates cooperation and market awareness, enabling organizations to understand and exploit the value of PKI in applications relevant to their businesses. India PKI Forum is also an active member of the Asia PKI Consortium which is a non-government organization headquartered in Hong Kong.

About The FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact:

Gaurav Punjabi, gaurav@fidoalliance.org

The post FIDO Alliance Teams with India PKI Forum to Drive Strong Authentication and Security Standards appeared first on FIDO Alliance.

This work builds upon the pre-existing liaison relationship between the organizations. The initial collaboration focused on how FIDO’s authentication protocol can be used to support EMVCo’s cardholder verification technology, leading to User Verification Caching (UVC) extensions of the FIDO specifications. UVC allows an app to specify user caching time — i.e., how long a user who has already been verified by his/her authenticator can wait before being required to re-authenticate.  

“The EMV 3DS Specification promotes more secure, consistent consumer e-commerce transactions across browser and in-app channels, while optimizing the cardholder’s experience,” comments Cheryl Mish, EMVCo Board of Managers Chair. “Incorporating support for the FIDO Authentication protocol will provide stronger authentication, enhance transaction security and provide a more convenient and simpler authentication experience for cardholders. Our expanded collaboration with FIDO will support EMVCo’s efforts to deliver a consistent and more secure global solution that will be less likely to compromise user experience.”

“FIDO’s approach to modern authentication has taken root in devices around the world, and we’re happy to work with EMVCo to further expand this paradigm into the EMV payments arena,” said Brett McDowell, executive director of FIDO Alliance. “By ensuring interoperability of privacy-respecting authentication metadata between merchants, payment service providers, and banks in a 3DS transaction, fraud risk is reduced whenever FIDO Certified devices are used.”

– ENDS –

Notes to Editors
EMV^® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.

About EMVCo
EMVCo is the global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes. EMV is a technology toolbox that enables globally interoperable secure payments across face-to-face and remote environments. Adoption of EMV Specifications and associated approval and certification processes promotes a unified international payments framework, which supports an advancing range of payment methods, technologies and acceptance environments. The specifications are available royalty free, designed to be flexible, and can be adapted regionally to meet national payment requirements and accommodate local regulations.

EMVCo is collectively owned by American Express, Discover, JCB, Mastercard, UnionPay and Visa, and focuses on the technical advancement of the EMV Specifications. To provide all payment stakeholders with a platform to engage in its strategic and technical direction, EMVCo operates an Associates Programme and encourages all interested parties to get involved.

Visit www.emvco.com for further information and join EMVCo on LinkedIn.

About The FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

PR Contact:
press@fidoalliance.org

The post EMVCo and the FIDO Alliance to Address FIDO Authentication in EMV® 3-D Secure Use Cases appeared first on FIDO Alliance.