Authenticate Con Day 3: Improving Authentication Improves User Experience
By: FIDO ALLIANCE STAFF
A key theme throughout the day was how FIDO authentication is being used by financial services firms to reduce customer friction and enable improved security. Once again, across multiple sessions, speakers detailed why taking a passwordless approach is a cornerstone of digital transformation efforts.
In the opening session for the day, Jim Routh, Chief Information Security Officer, Head of Enterprise Cyber Security at MassMutual, and Bojan Simic, CTO and Co-founder of HYPR, outlined the challenges of passwords for both consumers and enterprises. Routh noted that while passwords can lead to security problems, it’s the combination of passwords and people that is the real issue. He added that password reuse is a common problem and one that criminals regularly exploit.
“Passwords have served us well for the last 60 years in terms of enterprise protection in the online world so it’s really not a defect in passwords, it’s a defect in how passwords are used by people,” Routh said.
Beyond passwords, Routh commented that it’s time to rethink authentication as more than a point-in-time event that enables access to a service. Routh suggested authentication should be a continuous process in which information about behavior is constantly captured.
In his half of the session, Simic emphasized that user experience is a primary reason why organizations should move toward a passwordless experience.
“As part of the FIDO Alliance and as part of the FIDO standard, we’re always looking at the user experience,” Simic said.
Improving User Experience at PNC Bank
Improving the user experience for authentication is one of the primary reasons why PNC Bank has embarked on the journey to embrace FIDO standards and a password-less future. Sridhar Kotamraju, SVP, Head of Digital Identity & Fraud at PNC, said a key goal for him was to make authentication a frictionless experience in as many situations as possible.
“The key attribute here is when fraud has occurred, we want to make it easy for customers to be able to get back to their accounts in a FIDO way, so that we don’t ask them more questions than obviously we need to,” said Kotamraju.
Target Takes Aim at Password-less
Among the user organizations that spoke on Day 3 of the Authenticate Conference was Target. Nataraj Rao, Principal Engineer for Security Solutions at Target, explained that the retailer was undergoing an effort to modernize its platforms to enable a secure login experience across applications at the company.
Rao noted that a key goal for his group at Target was to reduce friction wherever possible, be it in the authentication flow by reducing the dependencies on passwords, or in the onboarding process by making it easier for applications and business owners to consume the enterprise authentication services.
“FIDO2 in particular was of great interest to us, given its WebAuthn API that is baked into most modern browsers, enabling the use of external security keys or on device biometrics without the need of installing any third party software or plugin on my device on the browser,” Rao said.
Standards and the Future of Payments
The role of standards in financial services and payment systems was the topic of several sessions on Day 3, including a panel moderated by Randy Vanderhoof, Director at U.S. Payments Forum.
Vanderhoof said that it’s important that the payments industry be aware of the standards as well as the best practices that have emerged to address identification and authentication challenges. FIDO plays a key role in helping to enable secure authentication for the financial services industry.
“Regardless of who you’re talking to, anyone that’s looking for secure simple interoperable authentication, that’s what we offer,” commented Christina Hulka, Executive Director and Chief Operating Officer at the FIDO Alliance. “We’re very laser focused in terms of that authentication piece, whether that is to make a payment, whether that’s to access financial services, whether that’s access confidential data – that’s really where FIDO is focused.”
Authenticate Returns Next Week
The Authenticate Conference continues next week with Day 4 on Nov. 17, which has a strong focus on the regulatory environment for privacy and authentication. Among the sessions on regulations is a panel session on the intersection of PSD2, GDPR and eIDAS in Europe and how FIDO fits in.
Authentication isn’t just about access either, it’s also an enabler of better privacy, which is a topic that another panel will dig into. Rounding out Day 4 are a number of technical sessions including a deep dive on biometrics and the W3C Web Authentication specification.