Authenticate Events

Authenticate 2021 Conference

Authenticate 2021 Day One Recap

The first in-person Authenticate event got underway on Oct. 18, with both live and remote attendees watching the proceedings from the Motif Hotel in Seattle, WA.

The first day had a mix of industry leader keynotes and adoption stories about the role of strong authentication and the FIDO Alliance in helping to secure and enable the modern digital economy.

Andrew Shikiar, FIDO’s Executive Director and CMO, kicked off the Authenticate event announcing a series of new initiatives including the Online Authentication Barometer and the FIDO Certified Professional Program.

“The goal with the Online Authentication Barometer is to track what are the latest consumer habits, trends and adoption points of modern authentication technologies across the globe,” Shikiar said.

Shikiar noted that the research was what he referred to as a ‘mixed bag’ with many users still clinging to passwords. That being said, he noted that the research shows some positive trends in that people are aware that they need to do more, yet they’re not quite taking the right approach.

As part of the effort to help advance FIDO deployments, Shikiar explained that the new FIDO Certified Professional Program is all about helping to train professionals who wish to improve and showcase their FIDO deployment skills. 

“We think this will help address the implementation skill gap, and also get these professionals a chance to showcase skills which will help them be more marketable for future jobs and employment,” he said.

There are Two Types of MFA: FIDO and Legacy

In an engaging keynote, Bob Lord, former Chief Security Officer for the Democratic National Committee (DNC), outlined his views on strong authentication and detailed how the DNC was able to rapidly scale up and deploy it during the last election cycle.

Lord emphasized early in his keynote that there are two types of MFA today: FIDO security and Legacy 2FA that needs to be replaced. Simply put, non-FIDO forms of MFA can be phished and that’s a risk that really worries Lord.

“I call it legacy because I want to put into your mind the idea that this is something that you need to eradicate,” Lord said of non-FIDO MFA. “If you’re an IT person working on the inside of an enterprise you need to eradicate this, if you are a service provider offering services to either enterprises or consumers, you need to think about eradicating it as well, whether it’s SMS or an authenticator app, as the situation is likely to become super urgent seemingly out of nowhere, seemingly overnight.”

To help protect the DNC, Lord – who joined the DNC in 2018 – began a push to adopt FIDO. During the election cycle, he noted that more than 3,200 people joined the campaign effort and they all needed security keys. As part of the onboarding process for the campaign every person had to get a security briefing where they were educated on the importance and usage of security keys. Going a step further, if a new person missed the security briefing they were kicked out of the rest of the onboarding process by human resources until the security piece was completed.

“It’s fine of the security team to say security is important to people, they expect that,” Lord said. “What’s critical is for different parts of the organization, the management chain to say, it’s actually a core value.”

Dave Kleidermacher, Google’s VP of Engineering for Android Security, outlined what he sees as the big challenges of digital safety during his keynote. Those challenges include the need to have simple, strong access control over digital and physical spaces and identity. That’s where he sees digital wallets that benefit from FIDO specifications as being a big help.

Kleidermacher explained that Android devices now offer a digital wallet with a built-in security key. 

“We’ve worked with the FIDO Alliance to build standard protocols and API’s for developers to incorporate what’s really a miracle of unphishable authentication to any service,” Kleidermacher said. 

The legacy of past authentication methods was also the topic of Derek Hanson’s keynote. Hanson is VP of Business Development at Yubico, and in his talk he detailed the painful history of past authentication devices, where users had to carry a separate unique key for each service.

“With FIDO2, what we saw was solutions to all of the lessons and the pains of the past, actually being incorporated into solutions that we could go build,” Hanson said.

FIDO for 5G

Among the big telco adopters of FIDO is Verizon which is using strong authentication for a number of different services.

Josna Kachroo, Sr. Manager for Device Technology at Verizon, commented in a session that password phishing continues to be a major problem. She noted that Verizon has adopted FIDO standards to enable a best in class authentication solution and one that is able to scale across many different use cases. Bjorn Hjelm, Distinguished Member of Technical Staff at Verizon, outlined a number of use cases including the ZenKey app that is a joint development across AT&T, T-Mobile and Verizon to enable access to services.

The need for strong authentication and FIDO is also important for 5G wireless. Hjelm explained that 5G enables operators to do network slicing. With network slicing, an operator can virtually reserve network resources for a specific purpose. One such specific purpose can be for first responders, where there is a need also for strong user authentication in order to grant access to the service.

“We are positioning FIDO as part of the user authentication for first responders,” Hjelm said.

The Challenge for Developers

The challenges and opportunities that developers face with FIDO were the topic of an engaging panel session at Authenticate. Moderator Vittorio Bertocci, Principal Architect at Auth0, asked panelists where the biggest blockers were with FIDO deployment for developers.

Nick Steele, Principal Security Research Engineer at Gemini Trust, sees terminology as being a big blocker.

“There’s a lot of terminology that can trip people up, and it can sort of confuse developers that are coming in with basic or even zero knowledge about what FIDO is about,” Steele said.

Steele suggested that there is a need for more developer education and materials to help show how FIDO technology is built. Simon Law, co-founder and CEO of LoginID, commented that while there are many robust libraries to help developers implement FIDO, it’s not always a plug-and-play deployment for most use cases at this point.

“Really you need the attestation and it’s still confusing now,” Law said.

Managing Risk with an Enterprise Plan for FIDO Deployment

The path to implementing FIDO and strong authentication is all about managing risk, according to a pair of speakers from Capital One.

Vaibhav Gupta, Cyber CTO and Product Manager for IAM at Capital One, noted that many organizations grow via mergers and acquisitions, accumulating technical debt and a confusing array of authentication schemes. While there is complexity, with the right plan in place, it’s possible to eliminate some of that technical debt in the journey toward FIDO.

Kiran Mantripragada, Senior Manager, Identity and Access Management at Capital One, explained that the first step in the journey to passwordless is for the organization to get control over its applications by creating an accurate inventory of what’s in use and how each application does authentication.

She suggests that once the inventory is understood, it makes sense to group related applications together with Federation and a Single Sign On (SSO) approach. The next step is to start introducing MFA and passwordless approaches. Mantripragada cautioned that there can be resistance from application teams to rolling out MFA and passwordless so she suggests taking a risk based approach to deployment.

“Identify opportunities where by applying MFA and modern authentication will reduce the risk profile and get you the biggest bank for the buck,” she said.

More coming on Day 2 of Authenticate

What a great start with Day 1, and there is much more to come. Day 2 of Authenticate features keynotes from Microsoft and Visa. We also have multiple panels tackling hot topics including document authentication and mobile driver’s licenses (mDLs), also known as digital driver’s licenses.

There’s also no shortage of insight into FIDO with sessions on the value of certification and understanding the importance of user experience.

Authenticate Virtual Summit Series

Authenticate Virtual Summit: The Imperative for Strong Authentication for Government Services

Authentication plays an increasingly important role in how governments are providing services around the world.

At the Authenticate Virtual Summit on Sept. 23, 2021, users, experts and vendors from around the world detailed how strong authentication helps to enable government services and new efforts to secure online identities. Users including the U.K. National Health Service (NHS), as well as the U.S. Government’s login.gov and Internal Revenue Service (IRS) provided insights into the present and future of online authentication and digital identities.

In the opening session of the event, Andrew Shikiar, executive director and CMO of the FIDO Alliance, outlined the strategic imperative for FIDO in government services around the world.

“COVID-19 created an imperative to really accelerate digital transformation activities,” Shikiar said. “When the pandemic hit all of a sudden, everyone was at home and all activity brought requirements for modern authentication schemes that go far beyond passwords, even beyond traditional multi-factor authentication.”

Shikiar noted that the FIDO Alliance standards align very well with global regulations and policies and there is a growing trend of government guidance for authentication that cites the use of FIDO.

“It’s important to enable trust in the government ecosystem,” Shikiar said. “This comes through the engagement FIDO does with different regulators and government bodies and ultimately will be manifested through the secure implementation of digital identity services to citizens worldwide.” 

Technology Helping to Push FIDO Strong Authentication Forward

A key path to enabling FIDO specifications runs through the vendors that support government efforts.

Patrick Sullivan, CTO of security strategy at Akamai, commented that password credential stuffing attacks are very common. He noted that Akamai’s platform sees as many as a billion password attacks per day. That’s where multi-factor authentication and more specifically strong authentication based on FIDO Alliance standards play a strong role. Sullivan noted that there is a clear need to provide multi-factor authentication in a low friction environment where it’s delivered in the form factor of an app on a smartphone.

“We’re not asking users to carry around a hardware token to accomplish FIDO2 as we move in that direction, and by introducing less friction, there’s less risk of our users doing something anomalous,” Sullivan said.

Jeff Frederick, manager of solutions engineering at Yubico, noted during his session that in government, many agencies in the U.S. use Common Access Card (CAC)/Personal Identity Verification (PIV) credentials that go beyond basic passwords. Frederick noted that FIDO2 standards, which are supported on his company’s YubiKey device, provide a strong, impersonation-resistant authentication protocol that uses public/private key cryptography.

“It’s very similar to PIV/CAC and FIDO2 is an open standard that’s managed by the FIDO Alliance, so that any vendor can support this and use it today,” Frederick said. “It’s built into all major operating systems and all major browsers so there’s no middleware that you need to install to make this work and it’s just an easy to implement solution that will modernize the federal authentication infrastructure across the board.”

Making Identity and Authentication Less Taxing at the IRS

The IRS proofs and authorizes tens of millions of taxpayers every year, across both digital and non digital channels, according to Courtney Rasey, assistant to the director, Identity Assurance, Privacy Governmental Liaison, & Disclosure (PGLD) at the IRS.

“None of those tens of millions of taxpayers who are calling the IRS are doing so just because they want to, it’s not really a fun weeknight activity,” she said. “They need to resolve an issue to meet their tax obligation and we know that, so we’re always striving to provide better service to taxpayers, to help them get the service that they need in the most convenient and efficient way possible.”

One way the IRS is looking to be more convenient to taxpayers is with its Secure Access Digital Identity (SADI) platform that was launched in June of 2021. Rasey explained that SADI leverages a Credential Service Provider (CSP) that identity proofs the taxpayer and then provides the IRS with a digital identity credential.

“Users are eventually going to be able to access all IRS online applications utilizing that single digital identity credential,” Rasey said. “The IRS is moving more and more applications behind SADI throughout fiscal year 2022 and as we do move more applications taxpayers are going to be able to do so many things with just one credential.”

Moving Toward Zero Trust with Strong Authentication

In May, President Biden signed Executive Order 1402, which directs U.S. government agencies to improve cybersecurity. One of the primary provisions of the executive order is to move the federal government toward a zero trust architecture.

“When we talk about zero trust, we’re talking about an architecture where people and their devices aren’t trusted just by virtue of being inside an organization’s enterprise network,” explained Eric Mill, senior advisor, Office of Management and Budget (OMB).

Mill noted that in a zero trust model, people and devices are validated at each step and  authentication is context-aware. The OMB is strongly encouraging the adoption of phishing resistant multi-factor authentication, with FIDO WebAuthn as a good alternative option in environments where CAC/PIV isn’t feasible.

“We’re pushing very hard on multi-factor authentication and we really view reliable authentication as a critical foundation of zero trust architecture,” Mill said.

In a Policy Deep Dive session, Jeremy Grant, managing director, technology business strategy at Venable, noted that there are a number of reasons why authentication is important to governments. 

Grant said that FIDO specifications can help governments to protect access to their own assets and can help to enable more high-value citizen facing services to the public. 

“I think what we’re seeing in 2021, is a really different environment across the globe, where FIDO authentication is emerging, not just as another permitted option, but in many cases as a preferred choice of governments across the world,” Grant said.

How the National Health Service (NHS) uses FIDO

Among the areas in the world where FIDO is finding a home is in the U.K. 

The National Health Service (NHS) is the publicly funded medical and healthcare system in the U.K. and it has embraced FIDO standards to help improve human health. With the NHS Login service, citizens get a centralized identity for health services while the NHS app provides a simplified application for accessing and managing an individual’s access to health services.

Priyanka Mittal, technical architect for the NHS Login and NHS app, said that over the past 18 months there has been a 10-fold increase in the user base for NHS login as demand has grown during the pandemic.

Sean Devlin, tech lead for the NHS App, explained that initially the services started out using an SMS based two-factor authentication approach, but wanted to find a more seamless approach. NHS decided to use FIDO UAF and built out its own implementation, using eBay’s open source FIDO implementation as a starting point.

Devlin said that before using FIDO, users had to navigate as many as five different screens to get through a multi-factor authentication flow. With FIDO, it’s a single screen.

The NHS has also saved a lot of money by moving to FIDO. With over 500,000 FIDO logins per day, Devlin estimates that the NHS is saving on the order of £8,000 per day on SMS messaging costs.

Bringing FIDO Strong Authentication to Login.gov

FIDO specifications also play a pivotal role at login.gov, which is a single sign-on platform for U.S. government services.

Jonathan Hooper, login.gov Engineering Lead at the General Services Administration (GSA), explained that the authentication portal fronts over 200 sites across the U.S. government,  spread across 27 different agencies. Hooper explained that starting in 2018, login.gov began expanding the use of multi-factor authentication, including the WebAuthn specification.

“We don’t want to be ‘big brother,’ we want to make sure that we can protect users’ privacy and the things built into the protocol that helped to do that were very attractive to us,” Hooper said. “WebAuthn is also very cheap, it is much cheaper to do a WebAuthn authentication event than it is to do SMS by several orders of magnitude.”

Improving Digital Identity with FIDO

A FIDO-based approach for digital identity could soon be finding its way to Canada as well according to Joni Brennan, president, Digital ID & Authentication Council of Canada (DIACC). An effort currently underway is the Pan Canadian Trust Framework (PCTF) which is an information assurance framework.

“We think that there’s a great opportunity here to leverage an information assurance framework, coupled with FIDO Alliance driven specifications, to create and to verify that end to end experience that’s needed for digital ID adoption,” she said.

The need for secured digital identities was also highlighted by Amit Mital, special assistant to the President and senior director, National Security Council at the White House.

“Today, when we authenticate ourselves and identify ourselves, we might use one of dozens of popular systems,” Mital said. “So the ecosystem itself is very decentralized, and it’s very unharmonized. It is also fundamentally unsecure.”

Mital said that there is a clear need for strong remote identity solutions that can provide easy, secure, affordable and reliable ways to identify consumers across digital systems. 

“It’s clear that there are a diverse and large number of scenarios that need digital identity and there is no single entity that can solve all these scenarios,” Mital said. “We need an ecosystem that brings together the best ideas and innovation from the private sector, both large companies and startups, as well as the government at both the federal and the state, the local, tribal and territorial lands.”

Wrapping up the day’s event, Andrew Shikiar, executive director of the FIDO Alliance, observed that there are a lot of conversations ongoing about  different types of government services and their dependency on secure digital identity.

“Ultimately, identity and authentication are core to deploy new services at scale, in a way that meets the requirements for government agencies, and for citizens alike,” Shikiar said.

The webcast is now available on demand. To watch the recording, visit the event page.

For more discussions on moving past passwords to modern strong authentication, attend Authenticate 2021 on October 18-20, 2021 in Seattle or virtually. The full agenda and details to register are available at authenticatecon.com

Authenticate Virtual Summit Series

FIDO Alliance Announces Speakers for Authenticate Virtual Summit, “The Imperative for Strong Authentication for Government Services”

September 23 event features executives from Akamai, GSA, IRS, NHS, OneSpan, Yubico and more

MOUNTAIN VIEW, CA, AUGUST 31, 2021 — The FIDO Alliance has announced the agenda and speaker lineup for its next Virtual Authenticate Summit, “The Imperative for Strong Authentication for Government Services,” taking place September 23, 2021 from 11:00 am – 2:30 pm EDT. Authenticate Virtual Summits are a quarterly series of virtual seminars that delve into the FIDO approach to modern user authentication across various markets and geographies.

Register for free and view the agenda on the Authenticate Virtual Summit event page.

“Government agencies around the world are rolling out more robust digital services for employees and citizens — and the COVID-19 pandemic has only accelerated this imperative,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Global standards and best practices are key to success in this digital transformation of e-government services — particularly in the areas of strong user authentication and identity verification. We’ve been happy to see the growing trend of governments referencing and leveraging FIDO’s outputs and look forward to sharing their insights with the broader Authenticate community.”

This government-focused Authenticate Virtual Summit brings together leaders from the public and private sector to examine strong authentication for government services, including considerations for implementing modern authentication systems for e-citizen services and remote government workforces, government agency case studies, the intersection with global policy and more.

This Authenticate Virtual Summit agenda includes:

  • Keynotes from Akamai, FIDO Alliance, IRS, and Yubico
  • A look at how the IRS is leveraging new digital identity proofing procedures for non-digital authentication
  • Case studies from GSA and NHS on how they are leveraging FIDO to streamline and secure logins
  • Discussions on the state of strong authentication in government and how policies and directives are changing how governments authenticate
  • Considerations and best practices for optimizing the strong authentication for government experience

Akamai and Yubico are Signature sponsors for this Authenticate Virtual Summit. To participate as a sponsor, visit https://authenticatecon.com/sponsors/.

For more information about the Authenticate Virtual Summit Series: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Authenticate Contact

[email protected]

PR Contact

[email protected]

Authenticate 2021 Conference

FIDO Alliance Announces Authenticate 2021 Agenda

Agenda features practical sessions to move past passwords and towards modern authentication

SEATTLE, August 17, 2021 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, today announced its full 2021 agenda. This three-day event, which takes place October 18-20 in Seattle and also with remote attendance options, will help educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems.

The Authenticate 2021 agenda features:

  • Deployment case studies from enterprises and service providers including Capital One, eBay, Facebook, Google, Morgan Stanley, Target, Verizon, Wayfair and more 
  • Technical deep dives on FIDO’s authentication specifications: IoT, biometrics and identity verification
  • Vertical perspectives from leaders and practitioners in financial services, eGovernment, retail and communications
  • In-depth discussions on the evolving policy landscape and deployment considerations therein 

“Relying on passwords is passé. Modern authentication systems and standards have emerged to provide more efficient ways for organizations to provide strong security and better interactions with their brands,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “The FIDO Alliance encourages organizations of all sizes to prioritize stronger security, and it is our mission to share the tools and resources to help them get there. This year’s agenda delivers on that mission, providing attendees with a strong foundation for deploying simpler, stronger authentication.”

This year’s headlining keynote speakers are: Bob Lord, former CSO of the Democratic National Committee; Joy Chik, corporate vice president of identity at Microsoft; Stina Ehrensvard, CEO and founder of Yubico; David Henstock, head of identity and authentication products, Visa; and Dave Kleidermacher, vice president for engineering, Android security and privacy, Google. A full list of speakers is available on the Authenticate conference website.

The conference agenda features 45+ in-person sessions and 20+ sessions on-demand, all of which will be available to all attendees. Authenticate also features an expo hall with product and service offerings with 20+ sponsors, as well as various networking and social events built into the three-day schedule – all while adhering to all CDC and local health/distancing requirements. 

Register Today!
Take advantage of early-bird pricing by registering by September 3. To register, visit https://authenticatecon.com/event/authenticate-2021-conference/. Authenticate will be held in conjunction with the FIDO Alliance member plenary, scheduled for October 20-22. FIDO Alliance members have exclusive access to discounted rates to attend both events.

Get involved at Authenticate

There are still select sponsorship opportunities available for Authenticate 2021; companies interested can learn more at https://authenticatecon.com/sponsors/.

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

TWEET THIS: The @AuthenticateCon agenda is here! Visit the event website to take a look at this year’s speakers and session topics for the latest in user #authentication. www.authenticatecon.com

About Authenticate

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2021, Authenticate will be held October 18-20 at the Motif hotel in Seattle, Washington with the option to participate remotely via live stream and on-demand sessions. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact

[email protected]  

PR Contact

Morgan Mason
Aircover PR
408-612-9889
[email protected]

Authenticate 2021 Conference

FIDO Alliance’s Authenticate Conference Announces 2021 Keynote Speakers and Open Registration

Keynote speakers to include executives from Google, Microsoft, Visa and Yubico

SEATTLE, June 30, 2021 — Authenticate, the only industry conference dedicated to the who, what, why and how of user authentication, is coming October 18-20, 2021 to the Motif hotel in Seattle, Washington. Featured keynote speakers at the second annual event include Bob Lord, former CSO of the Democratic National Committee; Dave Kleidermacher, Vice President for Engineering, Android Security & Privacy at Google; Joy Chik, Corporate Vice President for Identity at Microsoft; David Henstock, Head of Identity and Authentication Product at Visa; and Stina Ehrensvard, CEO and co-founder of Yubico.

Registration is now open for the event, with options for in-person or remote experiences. The 2021 edition of Authenticate will focus on providing excellent live and on-demand content, a live expo hall with 20+ sponsors, as well as a variety of networking opportunities — all while adhering to all CDC and local health/distancing requirements.

“We look forward to welcoming our keynote speakers to the Authenticate stage to share their vision and experience in moving to modern and secure FIDO Authentication,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “After a year of increasingly severe data breaches and user login frustrations, each speaker brings a unique perspective and insight on easing the adoption of simpler, stronger and standards-based authentication.”

CISOs, security strategists, enterprise architects, product and business leaders will walk away from this three-day event with an understanding of the FIDO approach to simpler, stronger authentication, and the tools and best practices they need to integrate FIDO Authentication into their own services.

In addition to the keynote sessions, Authenticate 2021 speakers will go in-depth on the state of authentication, covering a range of topics including:

  • Authentication trends & insights
  • Case studies
  • Modern authentication implementation strategy
  • Vertical trends & initiatives
  • Industry standards
  • Regulatory impact on authentication
  • Technical & developer tutorials

Register Today!

Take advantage of early bird pricing by registering before August 18. 

Get involved at Authenticate

In addition to the Authenticate stage, the FIDO Alliance has a limited number of sponsorship and exhibitor opportunities remaining for the 2021 event. Companies looking to showcase their brand and products front and center at Authenticate can contact [email protected].

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

About Authenticate

Authenticate is the only conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. This year’s Signature Sponsors include Google, Microsoft, Visa and Yubico. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact

[email protected]   

PR Contact
Morgan Mason
Aircover PR
408-612-9889
[email protected] 

Authenticate Virtual Summit Series

Authenticate Virtual Summit: Focus on Europe Recap

By: FIDO Alliance Staff

The digital security, privacy and authentication landscape is evolving quickly in the European Union with new regulations that could have a broad ranging impact for its citizens, as well as companies around the world. 

At the Authenticate Virtual Summit: Focus on Europe, which was held on June 17, experts on the authentication market in Europe provided insight into the latest developments including PSD2 SCA (Payment Services Directive Strong Customer Authentication), delegated authentication, eIDAS (electronic IDentification, Authentication and trust Services) and the EU Digital Wallet among other efforts.  

Kicking off the virtual summit, Andrew Shikiar, executive director and CMO of the FIDO Alliance outlined how the FIDO specifications work and why strong authentication is essential for multiple use cases including ecommerce, Internet of Things (IoT) and identity verification. 

“FIDO’s goal from day one was to certainly reduce reliance on passwords, but in some ways that was just a means to an end, really trying to address the data breach problem, as the vast majority of data breaches are caused by weak credentials,” Shikiar said.

As FIDO is moving forward, there has been a need to strengthen identity verification assurance to support better and safer account recovery. As part of that, Shikiar noted that the FIDO Alliance launched the Identity Verification & Binding Working Group (IDWG) which is driving that work forward.

“We’re seeking to establish best practices for possession based identity verification,” Shikiar said. “That will not only enable safer, easier and stronger account recovery, but doing so will also stop hackers from using the account recovery process as an opening for social engineering account takeovers.”

Helping to Limit Cart Abandonment

There is a tangible connection between ecommerce success and strong authentication, according to Rolf Lindemann, VP products at Nok Nok.

Lindemann noted that during the pandemic, ecommerce grew faster than ever before. But with 13% of credit card online payments not being completed, it’s clear that cart abandonment is still impacting business in a significant manner.

“We learned that authentication friction in general is a major factor for card abandonment,” Lindemann said. “This becomes obvious given that online authentication is at the core of all online transactions. Authentication is the front door to digital services in general.”

The path to reducing authentication friction involves the use of FIDO, which Lindemann said can help to enable strong customer authentication that can be implemented in a single convenient step.

Toward a Strongly Authenticated Digital Identity 

In Europe and elsewhere around the world, there is a growing conversation about the need to enable and provide some form of digital identity. According to Steve Pannifer, COO of Consult Hyperion, digital identity consists of three things: identification, authentication and authorization. 

Pannifer explained that identification is all about asking the question: is this person real, unique and identifiable? Authentication is the process of recognizing that an identified person is returning to use the service, as the service provider wants to know whether it is the same person who established the identity at some point in the past. Authorization ties it all together, using identity and authentication to access services.

“Digital identity is not a means in and of itself, it’s a means to an end,” Pannifer said. “The end that it is serving is all of those services that I’m trying to get access to.”

Fabian Eberle, co-founder and COO at Keyless is also a big believer in digital identity. In a session, Eberle outlined the need for a decentralized system for personal identity management. Such a system puts users in control of their own identity information, and lets them selectively disclose that identity data in a more private and secure way.

Eberle noted that at LUISS Guido Carli University, over 10,000 students are now benefiting from a digital identity system that helps to support remote education services. The Keyless approach benefits from FIDO standards that help to authenticate a device and identify students in a frictionless approach.

Digital Identity in Europe: eIDAS

In the European Union, there is an effort known as eIDAS which is a legal framework for mutual recognition of national digital identity schemes.

“The purpose of eIDAS is cross border access for citizens in any European country to gain access to any public service in the EU,” Sebastian Elfors, senior solutions architect at Yubico, explained.

FIDO standards are being increasingly adopted by European governments to help support eIDAS efforts. Among those that Elfors highlighted is healthcare authentication in Norway, EduID for universities in Sweden and the National Health Service (NHS) in the U.K. 

FIDO standards are also helping the Czech Republic with its CZ.NIC top level domain registry, which also operates the mojeID (my ID in Czech) service.

Jaromi Talir, technical fellow at CZ.NIC and member of eIDAS Technical subgroup, explained that the domain registry had a requirement to authenticate the identity of domain owners. That requirement led to the creation of mojeID, which has been using FIDO standards since 2019. Talir explained that CZ.NIC uses FIDO to support a multi-factor strong authentication based approach to help authenticate user identity.

Using FIDO to Support Delegated Authentication

With the European Union’s Payment Services Directive Strong Customer Authentication (PSD2 SCA), which came into effect in 2021, there are very stringent requirements for merchants to authenticate consumers with payment providers.

In a panel discussion, Jonathan Grossar, VP, product development at Mastercard commented that within a few months of the introduction of PSD2 SCA there has been an increase in the number of transactions that have been abandoned by consumers.

“So a problem with PSD2 SCA is that consumers may have to authenticate twice,” Grossar said. “First with the merchant to have access to the account or to the card that is stored on file and then a second time doing the transaction with the bank and potentially then with a different authentication mechanism.”

All those extra steps introduce additional friction and complexity for both merchants and consumers that can be alleviated with an approach known as delegated authentication. Grossar explained that with delegated authentication, the entire authentication piece is handled with a secure mechanism by merchants. Using FIDO standards in combination with EMVCo’s 3-D Secure standards to share authentication and risk data is the way forward in Grossar’s view.

“FIDO is interoperable across multiple devices and platforms,” Grossar said. “So in short, you have today billions of devices that are enabled with FIDO, and that potentially can be used for delegated authentication.”

Jason Muncey, principal, EU Payment Acceptance & International Expansion, at Amazon is also optimistic about using FIDO for delegated authentication. Muncey commented that even before the PSD2 SCA requirements, cart abandonment was just a pain that all merchants have had to live with. In his view, there is a real need to have some form of consistent approach.

Lee Goddard, product director, head of authentication at Worldpay, also noted that there will always be some amount of abandonment potential in the purchase process.

“I think the FIDO approach to delegated authentication will really take things a step further in removing evermore abandonment,” she said.

Remote Identity Verification in Europe

With the pandemic, the ability to do in-person identity verification became challenging, which led to a need for increased remote identity verification in Europe and other areas around the world.

In a panel discussion, Santosh Rajvaidya, senior director, product management at Jumio noted that to date, there is no consistent approach when it comes to remote ID verification in Europe. That situation could be changing with the new digital identity wallet approach from the European Commission that could be the first step in the right direction.

“What is happening with digital identity wallet is you do a one time verification of your ID and the identity is created in the digital identity wallet,” Rajvaidya said. “From there on the user can reuse it multiple times across different applications.”

There is now also an ID Verification and Binding Working Group (IDWG) within FIDO that is doing work that will also help with remote identity verification efforts. Rayissa Armata, Head of Regulatory Affairs at IDnow, commented that when it comes to verification, user experience and convenience are key attributes.

“Most users aren’t concerned with their identity or the data privacy, they’ll tick the boxes and move on, they just want to get their service,” she said.

Wrapping up the virtual Authenticate Summit, Andrew Shikiar, executive director and CMO of the FIDO Alliance, emphasized that the FIDO Alliance is in a very good place today, in Europe and around the world.

“We’re seeing more and more companies adopt FIDO authentication,” Shikiar said. “I personally firmly believe that virtually every consumer service online will be offering passwordless login options in the next few years and our hope is that the vast majority of these leverage FIDO.”

Looking forward, the next FIDO Authenticate virtual summit is in September with a focus on government services. Then in October, the FIDO Alliance will be hosting its first live event with the Authenticate Conference in Seattle.

Authenticate Virtual Summit Series

FIDO Alliance Announces Speakers for Second 2021 Authenticate Virtual Summit: “Focus on Europe”

June 17 event features representatives from Amazon, Consult Hyperion, Mastercard, Nok Nok, WorldPay, Yubico, and more

MOUNTAIN VIEW, CA, June 8, 2021 — The FIDO Alliance has announced its agenda and speaker lineup for its 2021 Virtual Authenticate Summit: “Focus on Europe,” taking place June 17 from 2:00pm – 5:30pm Central European Summer Time. Authenticate Virtual Summits are a quarterly series of virtual seminars that will delve into specific topics related to the FIDO approach to modern user authentication.

More details and free registration are available on the Authenticate Virtual Summit registration page.

Featured keynotes will be presented by Steve Pannifer, COO of Consult Hyperion; Fabian Eberle, Co-Founder and COO of Keyless; and Rolf Lindemann, Vice President, Products of Nok Nok. The half day Summit includes sessions in which representatives from Amazon, CZ.NIC, IDnow, Jumio, Mastercard, Thales, Venable LLP, WorldPay and Yubico will discuss the state of authentication in Europe in light of regulations like PSD2 SCA, eIDAS and GDPR, open banking and the COVID-19 pandemic.

In Europe, financial services organizations, merchants, telecommunications companies, enterprises and the broader ecosystem are working to balance regulatory demands and rapidly evolving user expectations – all amidst a global pandemic and digital transformation efforts. Implementing strong authentication has become a challenge for these organizations striving to protect valuable user and transaction data without introducing friction in the process.

It is more critical than ever for leaders in this sector to find balance between compliance, security and user experience. This Authenticate Virtual Summit tackles these issues with a half day agenda that includes:

  • Keynotes from Consult Hyperion, FIDO Alliance, Keyless and Nok Nok
  • Roundtable discussion on FIDO & Delegated Authentication, featuring expert perspectives from Amazon, Mastercard, Thales and WorldPay
  • Panel discussion on The State of Technology and Regulation for Remote Identity Verification in Europe, featuring expert perspectives from IDnow, Jumio and Venable LLP
  • Details on BBVA’s FIDO implementation
  • Details on eIDAS, FIDO Deployments and Recognition in the EU discussed by CZ.NIC and Yubico 
  • Considerations and best practices for optimizing the strong authentication user experience

“Building off of the success of our first Authenticate Virtual Summit this past March, we are excited to continue the Authenticate Virtual Summit Series with a focus on Europe. In light of recent regulations and the COVID-19 pandemic, the discussion of authentication in Europe is a natural area of focus for our upcoming Summit,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We are honored to have such an esteemed roster of thought leaders committed to imparting their collective insight, especially as we work together to balance regulatory demands and rapidly evolving user expectations.”

Keyless and Nok Nok are signature sponsors for this Authenticate Virtual Summit. For more information about additional summits: https://authenticatecon.com 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Authenticate 2021 Conference

FIDO Alliance Announces Authenticate 2021 Conference Coming in October

Call for speakers now opened

SEATTLE, April 6, 2021 – Authenticate, the only industry conference dedicated to the who, what, why and how of user authentication with a focus on the FIDO standards-based approach, is coming in October 2021. This is the second year the FIDO Alliance is hosting this public conference to provide CISOs, security strategists, enterprise architects, product and business leaders with all the education, tools and best practices to roll out modern authentication across web, enterprise and government applications.

Authenticate 2021 will be held October 18-20, 2021 at the Motif Seattle in Seattle, Washington. For more information and to sign up for event updates, visit authenticatecon.com.

Last year’s Authenticate conference featured 50+ sessions, including detailed case studies, technical tutorials and expert panels — all helping educate attendees on business drivers, technical considerations and overall best practices for deploying modern authentication systems. The 2021 event will again focus on providing excellent content, a dynamic expo hall, and other networking opportunities while adhering to all CDC and local health/distancing requirements. 

Authenticate Call for Speakers Now Open

Speaking at Authenticate 2021 is an opportunity to increase visibility, educate about in-market solutions, and allow for networking between those involved in modern authentication. 

The Authenticate conference program committee is looking for vendor-neutral, educational presentations that focus on modern authentication implementations and best practices. The committee seeks global perspectives and presentations on the following topic areas, though other topics will be considered:

  • Authentication trends & insights
  • Case studies
  • Modern authentication implementation strategy
  • Vertical trends & initiatives
  • Industry standards
  • Regulatory impact on authentication
  • Technical & developer tutorials

The call for speakers is now open through May 31, 2021. Professionals who have ideas that are unique, expertise-driven and reflect diversity are encouraged to submit by visiting www.authenticatecon.com. It is strongly suggested to submit early, as the program committee will be reviewing and accepting proposals as they are submitted.

Get involved at Authenticate

In addition to the Authenticate stage, the FIDO Alliance has a number of sponsorship and exhibitor opportunities for the 2021 event becoming available on April 15, 2021. Companies looking to showcase their brand and products front and center at Authenticate can contact [email protected].

Follow Authenticate on Twitter @AuthenticateCon to participate in the conversation and get important updates leading up to and during the event.

About Authenticate

Authenticate is the first conference dedicated to the who, what, why and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate is the place for CISOs, security strategists, enterprise architects, product and business leaders to get all the education, tools and best practices to embrace modern authentication across enterprise, web and government applications.

Authenticate is hosted by the FIDO Alliance, the cross-industry consortium providing standards, certifications and market adoption programs to accelerate utilization of simpler, stronger authentication. In 2021, Authenticate will be held October 18-20 at the Motif Seattle in Seattle, Washington. Visit www.authenticatecon.com for more information and follow @AuthenticateCon on Twitter.

Authenticate Contact
[email protected]  

PR Contact
Morgan Mason
Aircover PR
408-612-9889
[email protected]

Authenticate Virtual Summit Series

FIDO Authenticate Summit Wrap Up: Modern Authentication for Financial Services

By: FIDO Alliance Staff

What’s the role of FIDO authentication in financial services and what can be done to help consumers and issuers be more secure? Those topics were at the foundation of the Authenticate Virtual Summit: Modern Authentication for Financial Services, hosted by the FIDO Alliance on March 25.

The financial services focused event included speakers from eBay, Financial Data Exchange, Gemini, Google, Javelin Strategy and Research, Mastercard, JP Morgan Chase, StrongKey, Trusona and Visa, with topics spanning from the future of authentication to best practices on how to optimize the authentication experience for users.

In his opening keynote, Andrew Shikiar, executive director and CMO of the FIDO Alliance, noted that over the course of the pandemic there has been an increase in cyberattacks against financial services institutions, which has only heightened the need for stronger authentication methods.

“At the end of the day, the vast majority of statistics and the vast majority of these problems come down to fundamental truth, which is that we’re trying to run a hyper connected economy, a networked society, on an authentication model that simply is not fit for purpose and that of course is our dependence on passwords,” Shikiar said.

Shikiar detailed how the FIDO Alliance is working to help move the world away from passwords and help users benefit from stronger forms of authentication. In particular, FIDO is playing a key role in the financial services market across a number of categories. FIDO specifications are being used today by financial services firms to help protect online accounts against account takeovers and phishing attacks. A key goal is to also make it easier for organizations to use strong authentication. Shikiar emphasized that the FIDO Alliance’s tagline is: simpler, stronger authentication.

“If there’s one thing the industry has seen is that the more complex the approach is for MFA [Multi-Factor Authentication], the less likely someone is to stick with it,” Shikiar said. “So for people to keep using strong authentication, it needs to be easy and single gesture, which is the core of FIDO’s approach.”

Improving Authentication with FIDO at Visa

Visa is one of the world’s largest credit card brands and financial services firms, and it sees FIDO as a strong tool for helping to improve security and reduce fraud.

In a keynote presentation, David Henstock, Head of Identity and Authentication Products at Visa, observed that FIDO specifications have a significant role to play in helping to drive better outcomes within the payments industry. Henstock noted that what has increasingly occurred in recent years is that fraudsters are targeting the authentication layer.

“The question that always comes up is what can Visa do to help fight account takeover fraud?” Henstock stated. “The culprit more often than not is knowledge based authentication, or simply put – passwords.”

Henstock noted that FIDO is an easy way to upgrade from usernames and passwords to a more secure standard, upgrading the authentication experience that sellers have. He added that overall FIDO helps to provide a better, easier-to-use customer experience for authentication.

FIDO is also important to help with regulatory compliance. In Europe, the PSD2 [Payment Services Directive version 2] is a key driver for strong authentication adoption as it mandates the use of Strong Customer Authentication (SCA).

“If you’re doing digital commerce in Europe, you must abide by the SCA regulations,” Henstock said.

In a bid to help organizations with FIDO deployment, Arshad Noor, CTO at StrongKey, used his Authenticate session to detail new capabilities in the StrongKey FIDO server that can help organizations meet the challenges of global requirements.

“We see a lot of confusion in the WebAuthn and FIDO ecosystem where people are confused between security capability, and the user experience that consumers go through when interacting with FIDO,” Noor said. “We believe that FIDO should first be viewed as a security technology, and second as a convenience technology.”

Consumer Confidence in Passwords is Declining

The need to move away from passwords isn’t just about regulation, it’s also about consumer confidence in the security of password based authentication.

In a session, Javelin Strategy & Research analysts Rachel Huber and John Buzzard outlined the state of the market in terms of fraud and online security.

“We have discovered trend wise that consumer confidence with passwords is down substantially and I want to say – finally,” Buzzard stated.

Buzzard noted that consumers have begun to realize that stronger authentication methods including biometrics are effective ways to validate identity. He added that consumers are now indicating that they are ready to move away from passwords.

“Whether the password disappears, maybe it becomes sort of like the Mayor McCheese of the city in the sense that it’s there but it doesn’t mean anything if that’s what it requires,” Buzzard said. “That’s still okay because we’re ready to move forward with stronger forms of authentication.”

Payments and the Future of Authentication 

FIDO standards are at the core of security efforts at eBay, which helps the online marketplace meet the needs of its diverse user base. In a panel on Payments and the Future of Authentication, Ashish Jain, Product Management Executive, Identity, Mobility & Analytics, eBay, explained that a key challenge for his platform is having the right experience that can fit the needs and requirements of a broad customer base.

“When we started investigating FIDO and saw that it was supported by Google, Microsoft, and Apple, it gave us the confidence that it can meet the needs for a variety of our customers and hence, we continue to investigate and invest in the protocol,” Jain said.

For Christiaan Brand, Product Manager for Identity & Security at Google, FIDO adoption started out as a way to help curb phishing risks and has evolved to become a way to help improve multiple aspects of security for both Google and its users.

“FIDO is one of those few security inventions, which aims to both address security and improve on that axis, while at the same time also improving on the usability front,” Brand said. “The FIDO components that have been built into the platforms nowadays do give our users better and more secure experiences.”

For Ranjita Iyer, SVP, Identity Solutions at Mastercard, FIDO specifications are being combined with other standards including the EMV 3D Secure effort to enable a seamless authentication and payment experience that can lead to better approval rates for digital transactions and lower fraud. 

Integrating FIDO with other standards is also something that the Financial Data Exchange (FDX) is implementing with its stack. Don Cardinal, Managing Director, Financial Data Exchange, explained in a session that his organization is dedicated to unifying the financial service industry around an interoperable, royalty-free standard for secure permission to access data.

“The whole idea is to stop sharing user IDs and passwords and stop using them in the entire session,” Cardinal said. “Ideally, if you have OIDC [OpenID Connect] and FIDO throughout FDX you can enroll, use and consume the whole setup and never use a credential, which I think is really powerful in today’s day and age.”

Optimizing UX for Strong Authentication 

While the technical details of FIDO specifications are critical to enabling strong authentication, optimizing the user experience is critical to adoption. 

In the final panel of the day, Megan Shamas, Director of Marketing, FIDO Alliance, noted that there is an effort currently underway to test and improve the FIDO user experience. Guidance from that testing effort is set to be publicly available in late 2021.

Kerry Hebert, Design Director (CX/UI) at Visa, emphasized that it’s likely that FIDO implementation hinges on user adoption and adoption is only going to happen if the user registers. She noted that for users to take the step of registering, they need to believe that there’s value in what it provides and that it in some way makes the consumer’s life a little bit better.

Kevin Goldman, Chief Experience Officer, Trusona, strongly suggests that financial services firms not think about user experience as something that is bolted on to the end of the process. Rather, he suggests that it’s an integrated part of the entire process of supporting and enabling FIDO standards.

Judy Clare, Vice President, Product Manager, Digital Identity and Authentication at JPMorgan Chase & Co, suggested during the panel that from an experience perspective, FIDO engagement needs to be easily digestible for consumers. 

“You really have to have that value proposition out there – what’s in it for me, and why should I be clicking through this and take an extra 30 seconds to sign up for it and then go on my way, because I am here to do something and this wasn’t it,” Clare stated. “So it’s really important to keep the user in mind.”

Next Up: More Authenticate Summits and Authenticate 2021 Conference

There’s much more content to come from the FIDO Alliance in 2021.

Looking forward, there is another virtual event coming in June which will focus on strong authentication in Europe. Plans are also coming together for a physical Authenticate conference set for October in Seattle.

“In general, what we see is a lot of best practice sharing, everyone is in this together, and is motivated to help protect the networked economy and FIDO authentication presents a great way of doing so,” Shikiar said. “So we encourage you to certainly take part.”