Our blog often covers user authentication challenges confronting financial institutions and merchants. We feel this topic is essential given that consumers are increasingly going online to make payments and their passwords tend to be weak. Financial institutions and merchants face a difficult balancing act. They must be confident that their authentication tools effectively confirm the legitimacy of the individual attempting a transaction, but they also have to make sure these tools don't create a bad experience for the customer.
A meeting in 2009 between a fingerprint-sensor manufacturer and a global, third-party payment provider to fingerprint-enable online payments quickly turned into a conversation on how to develop an industry standard for the general use of biometrics to identify online users. Ultimately, this meeting led to the formation of the FIDO (Fast IDentity Online) Alliance in 2012. FIDO currently has a global membership of more than 250 companies and agencies spanning the payments, mobile, PC, and transaction security industries.
FIDO's principal effort has been to develop a set of specifications and certifications covering consumer devices, mobile and web applications, and biometric authentication methods for e-commerce applications. Products certified to these authentication specs reduce password dependence, transaction friction, and stolen password attacks such as phishing, man-in-the middle attacks, and transaction replays.
FIDO initially focused on mobile devices—which allow authentication with the fingerprint sensor, microphone, and camera—and developed the Universal Authentication Framework. This framework provides enhanced security using public-key cryptography, with the keys and biometric templates remaining on the mobile device. The user goes through a device registration process that creates the biometric template and a cryptographic key pair on the device and registers only the public key with the online service. To perform a transaction, the customer uses one of the phone's biometric sensors to unlock the private key on the device.
To expand these strong cryptographic authentication capabilities to second-factor use cases on the web, FIDO established a second set of specifications known as FIDO U2F, or Universal Second Factor protocol. With this protocol, the user inserts a certified U2F device, also known as a security key, into a device's USB port or uses the device's Bluetooth or near-field communication features. The application running in a FIDO-compliant web browser first challenges the user for a password and then authenticates the user with the cryptographic private key on the U2F device.
Authentication of customers, especially on a remote basis, will always be a challenge as criminals find more and more ways to spoof identities. The industry's efforts to increase the security of remote payments remain ongoing and the cooperative work demonstrated by groups such as the FIDO Alliance plays an important part in that effort.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed