Authenticate Events

Authenticate Virtual Summit Series

FIDO Alliance Announces First 2021 Authenticate Virtual Summit, focusing on Modern Authentication for Financial Services

By: FIDO Alliance Staff

MOUNTAIN VIEW, CA, March 8, 2021 — Authenticate, the FIDO Alliance’s industry conference dedicated to the who, what, why and how of modern user authentication, announced today the speaker lineup for its first 2021 Virtual Summit, “Modern Authentication for Financial Services,” taking place March 25 from 9:00am – 12:00pm PDT.

Featured keynotes will be presented by Rachel Huber, Senior Analyst, Payments, and John Buzzard, Lead Analyst, Fraud & Security, both of Javelin Research; David Henstock, Head of Identity & Authentication Products, Visa; and Arshad Noor, CTO, StrongKey. The half-day format includes sessions in which executives from eBay, Gemini, Google, Mastercard, JP Morgan Chase, Visa and Trusona will talk about the rapidly evolving security and usability measures being developed and deployed to safeguard financial service users by way of modern authentication.

Payments and financial services are amongst the leading industries for adoption of modern authentication systems – and digital transformation in general – with use cases ranging from simpler and stronger account sign-on to mobile banking to secure payments. COVID-19 has only accelerated the imperative to protect valuable resources while still providing secure access to online banking services. 

Between current and emerging regulations, the ongoing battle against hackers and a fickle yet demanding consumer base, it is more critical than ever for leaders in this sector to find balance between compliance, security and user experience. This edition of the Authenticate Virtual Summit tackles these issues with an agenda that includes:

  • Keynotes from FIDO Alliance, Visa, StrongKey and Javelin Strategy & Research
  • Panel discussion on Payments & the Future of Authentication, featuring expert perspectives from eBay, Google and Mastercard
  • Tips from Gemini on how users can secure their crypto
  • Details on how to leverage the FDX and FIDO protocols to enable secure access and data sharing
  • Considerations and best practices for optimizing the strong authentication user experience

“Building off of the success of our Authenticate conference last year, we developed the Authenticate Virtual Summit Series to provide informative and interactive content on the role of modern authentication in organizations’ evolving digital transformation plans. Payments, financial services and cryptocurrency are natural focus areas for our first Summit, as these are amongst the leading industries for adoption of modern authentication systems – an imperative that has only accelerated during COVID-19,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “We are proud to have such an esteemed roster of financial services industry thought leaders committed to imparting their collective insight, especially as the risks of security breaches remain high and consumers demand increasing convenience.”

To view the full agenda and register, visit www.authenticatecon.com

For more information about additional summits: https://authenticatecon.com/introducing-the-authenticate-virtual-summit-series/

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Authenticate Virtual Summit Series

Introducing the Authenticate Virtual Summit Series

By: FIDO Alliance Staff

Building on the success of the 2020 Authenticate conference, FIDO Alliance is pleased to introduce Authenticate Virtual Summits!

Authenticate Virtual Summits are a quarterly series of virtual seminars that will delve into specific topics related to the FIDO approach to modern user authentication. The summits will be free to attend to anyone interested in learning more about and/or deploying FIDO Authentication. Each Summit will be approximately three hours in length and include multiple sessions from subject matter experts in identity and authentication in various vertical markets and geographies.

The preliminary schedule for the Virtual Summit Series is as follows (dates subject to change):

  • March 25: Modern Authentication for Financial Services
  • June 17: Focus on Europe
  • September 23: FIDO for Government Services
  • December 8-10: Focus on APAC

Authenticate Virtual Summits are complementary to our full Authenticate Conferences. The next full conference, Authenticate 2021, will be held in-person in Seattle, Washington USA next October. Please stay tuned for more details on Authenticate 2021!

We look forward to welcoming you to this Summit series. If you are interested in sponsorship or speaking opportunities at Authenticate, please contact [email protected].

Authenticate 2020 updates/recaps!

Authenticate Day 6: The Future of Strong Authentication

By: FIDO Alliance Staff

After six full days of insightful content and engaging speakers, the inaugural Authenticate Conference wrapped up on Nov. 19.

A theme that resonated throughout multiple sessions on the final day of the conference was the future of authentication. The potential future impact of machine learning on authentication, the future of PKI and the decentralized future were all topics of discussion across sessions. Another highlight of the day was a morning session where Microsoft outlined its path toward password-less and the lessons learned as it has embraced FIDO standards for strong authentication.

At its core, FIDO standards make use of public-key cryptography, though FIDO differs from traditional Public Key Infrastructure (PKI) in a number of important ways. In a session, Arshad Noor, CTO of StrongKey, outlined the future of PKI and FIDO. Noor explained that unlike PKI, FIDO does not make use of X.509 digital certificates for end users. He added that FIDO keys do not expire like digital certificates, and as such managing the lifecycle of FIDO authentication requires a different mindset and philosophy than PKI.

“A lot of the complexity that PKI brings to the table doesn’t exist with FIDO,” Noor said. “There’s a different kind of complexity. I’m not going to sugarcoat it, there is a certain amount of complexity in FIDO too, but it’s not quite as complex as PKI in my personal opinion.”

Microsoft Says Hello to FIDO

There are a lot of good reasons why Microsoft has embraced FIDO authentication standards. Aakashi Kapoor, Senior Program Manager at Microsoft, explained that one of the reasons Microsoft began its journey with FIDO is that the company realized it had to help its customers move away from passwords.

“Everyone assumes passwords are easy to use but they are not,” Kapoor said. “They’re actually difficult to use.”

She noted that users often end up using the same password across multiple platforms. Adding a second factor is often seen as being inconvenient as users not only have to remember a password, but they also need a second factor that is available. 

“So when we were working on our passwordless options we wanted to ensure that there is something that gives users high security while also being convenient to use,” Kapoor said.

To that end, Microsoft has embraced FIDO to help enable its strong authentication and password-less approach. Kapoor noted that the biggest learning Microsoft has had from the deployment is that credential management is as important as authentication.

“It’s not only important for users to have a strong highly secure authentication method, but it’s also important for them to have a way to manage the entire end to end lifecycle of that credential,” Kapoor said.

The Future of Machine Learning, Identity and Authentication

While cryptography is at the core of FIDO strong authentication, there is also a role for machine learning and artificial intelligence, according to Asad Ali, Technologist at Thales.

One area where he sees machine learning having a potential impact on authentication is a concept known as device vicinity context. The basic idea behind device vicinity is that a user will have a similar set of devices around them whenever they are performing certain actions.

“So I have this array of peripheral devices around my working life and the question is can we develop an algorithm for an application, which would over time make sense of what it is that I have around me when I work,” Ali said. “And by doing so essentially predict what authentication method should we use, or if any authentication method is needed at all.”

While machine learning might have a strong role to play in the future of technology, for Steve Wilson, Managing Director at Lockstep Technologies, the future of identity lies in authentication and analyzing data quality. In Wilson’s view, it’s critical to have infrastructure that establishes the quality and reliability of data.

“A little epiphany I’ve had recently about digital identity is that digital identity can’t be anything other than data – it’s all we’ve got,” Wilson said.

The Decentralized Future of Identity

The final panel of the Authenticate conference was moderated by Brett McDowell who currently serves as the Executive Director of the Hedera Council. McDowell is well known in the FIDO community as being the founding executive director of the FIDO Alliance.

“The cryptographic authentication technologies of FIDO and the cryptographic technologies being deployed in distributed ledgers are complementary building blocks that can be used to improve the overall state of identity management,” McDowell said.

Ramesh Kesanupalli, who was one of the founders of the FIDO Alliance and currently serves as the CEO of Digital Trust Networks commented that FIDO already has a decentralized authentication process.

“There is no centralization of authentication anymore,” Kesanupalli said.

Nat Sakimura, Chairman of the OpenID Foundation, noted that identity now and in the future will remain decentralized. He explained that his version of identity is about the ability to identify a person or entity based on a set of attributes and claims.

“When you think about it, there won’t be any single source of identity for all attributes,” Sakimura emphasized. “Each place has got its own authoritative sources and it’s not going to be unified.”

That’s a Wrap

With six full days of content, over 50 sessions including technical deep dives, panel discussions and case studies, the first Authenticate Conference was a resounding success.

In his closing keynote, Andrew Shikiar, Executive Director and Chief Marketing Officer at FIDO Alliance, reminded attendees that FIDO’s mission is to move the world to a modern form of authentication.

“Simply put, the old model isn’t fit for purpose and nor has it been for some time, whereas the FIDO model is built to address today’s use cases, as well as those emerging in the future,” Shikiar said. “I’d say FIDO has matured from a whiteboard concept, nine years ago, through early adoption to becoming a must have feature for user authentication.”

Shikiar also announced that the next Authenticate Conference is planned to be held in person in Seattle, Washington next October 19-20, 2021! Stay tuned for more details!


Authenticate 2020 updates/recaps!

Authenticate Day 5 Highlights Best Practices for Account Recovery and Password-less Deployment

By: FIDO ALLIANCE STAFF

The penultimate day for FIDO Alliance’s Authenticate conference brought with it more insightful content to help attendees and their organizations benefit from the opportunities of strong authentication.

Among the organizations that presented on the fifth day of the conference was online auction site eBay, which outlined how it has embraced strong authentication and is moving toward enabling a password-less future. A key challenge that many organizations face is how to deal with the issue of account recovery, which was addressed in a morning session. The role of FIDO standards in the smart card world was the topic of a session as attendees learned about how strong authentication is making an impact in that sector. Standards were once again a key topic of discussion during the day, with a lunch and learn session that included speakers from the W3C, EMVCo and FIDO detailing how the different groups can work together.

The day’s sessions began with an overview of how the government of the Netherlands provides strong authentication to its services. Among the organizations in the Netherlands is SURFconext, which provides a national identity federation for research and higher education.

“Especially since the COVID crisis began, we’ve seen a lot of phishing campaigns launched against our users and we see FIDO2 as an excellent way to mitigate this threat,” commented Joost van Dijk, Technical Product Manager at SURF.

Raising the Authentication Bar at eBay

Among the most popular websites in the world today is online auction site eBay which has approximately 180 million active users.

Ashish Jain, Head of Identity at eBay, noted that for the most part, users need to have an account, either as a seller or a buyer, to be able to transact at eBay. Jain explained that eBay has now implemented FIDO2 WebAuthn to help improve the authentication experience for its users.

“At the end of the day, identity, authentication and sign-in, are means to an end,” Jain said. “We have to make sure that whatever experience we pick is not going to hamper the eventual experience that we want to give to the end user.”

Dealing with the Challenge of Account Recovery

When users lose or forget their password, a common approach is to offer an email-based recovery option. That approach, however, is not secure and negates many of the benefits that a strong authentication model from FIDO provides.

Hidehito Gomi, Senior Chief Researcher at Yahoo Japan Corporation, explained that when a user loses their authentication credentials there needs to be an alternate method available to recover the account. To that end, he noted that the FIDO Alliance has written several white papers providing guidance on what organizations can do. Among the options is enabling users to set up multiple authenticators when the account is created.

Christiaan Brand, Product Manager of Identity and Security at Google noted that the overall issue of account recovery is a really hard problem to solve. That said, in Brand’s view there is a real opportunity for FIDO to help solve the challenge.

“Imagine the following, say the user loses their FIDO authenticator and they have that registered with 40 different relying parties, wouldn’t it be much easier if they had to perform that account recovery process only once, and get access to everything, versus having to do that forty times?” Brand said.

The Intersection of FIDO, EMVCo and W3C

The W3C is a web standards body, EMVCo is a technical body that handles EMV payment standards and FIDO, of course, is focused on strong authentication standards and certifications.

The three organizations can and do work together, according to a panel of experts at the Authenticate conference. Christina Hulka, Executive Director and Chief Operating Officer of the FIDO Alliance, noted that representatives of the three groups have a special interest group to see how each respective specification can work with the others and to identify potential gaps.

Ian Jacobs, Web Payments Lead at the W3C, explained that his organization started working in the payment space approximately five years ago with an effort to improve and streamline ecommerce. That effort is manifest in the Payment Request API, which provides a specification to help enable payment methods.

“A lot of the work in W3C is about adding capabilities to browsers and then web developers can use these building blocks in different ways to build different payment flows or different user experiences,” Jacobs said. “All along the way we’re trying to ensure that these building blocks provide for security, privacy, accessibility and internationalization and they fit with other blocks in the web architecture.”

As to how the three organizations all fit together to help end users, Nick Telford-Reed, Managing Director, Stormglass Consulting Ltd, who moderated the panel session, provided a visual description.

“So this is like a Venn diagram where there’s an intersection between the payments expertise of EMVCo, the authentication experiences and capability of the FIDO Alliance and then the web technologies piece at the W3C,” commented Telford-Reed. “We’re in that sweet spot of privacy and authentication and security for making payments on the web.”

The Path to Passwordless

According to J. Wolfgang Goerlich, Advisory CISO at Cisco’s Duo Security division, more is often asked of people than of machines when it comes to passwords and authentication. For example, it is up to the user to choose a password and update it. What’s needed is an environment where machines do more and are relied on to protect and authenticate users, which is what the password-less journey is all about.

Chris Demundo, Product Manager, Authentication at Cisco Duo, outlined the key steps that organizations need to take on the journey to passwordless.

“The first step is really around ensuring you have strong multi-factor in place already, and really strategizing and identifying use cases that exist in your environment where you can start with passwordless, because there are a ton of them,” Demundo said.

The second key step is to consolidate authentication workflows, with things like Single Sign On (SSO) and federation as a way to reduce the number of passwords that are needed. The third step is to increase trust in password-less authentication across the organization so users feel confident about its use.

“Making systems easier to use and actually aligning with human behavior, so we’re not offloading risk from one system to additional things that we want our users to do, is a critical step for both password-less and zero trust in general,” Demundo said.

Final Day is Up Next!

After five full days of content, the sixth and final day of the Authenticate Conference is up next on Nov. 19 with another great lineup of sessions.

A key theme for Day Six is the future of authentication. Among the topics is a session about the future of PKI and FIDO2. A panel of experts will discuss whether the future of authentication is decentralized and what the implications are for FIDO and the organizations that use it. And of course, there are user stories, with Microsoft sharing lessons learned from the experience of being an early adopter of FIDO2 WebAuthn standards.

Authenticate 2020 updates/recaps!

Authenticate Day 4 Brings Regulations and WebAuthn Into Focus

By: FIDO ALLIANCE STAFF

With a weekend sandwiched in between, Day 4 of the Authenticate Conference on Nov. 17 continued the solid lineup of speakers and topics that attendees learned from last week.

The morning sessions had a strong focus on the intersection of regulations, privacy and authentication. During the lunch and learn, attendees got a deep dive on biometrics and the FIDO Alliance’s Biometric Component Certification, including new updates to the program. During the afternoon sessions there were a pair of talks about the latest updates to the W3C Web Authentication specification, as well as insights into how developers can start to make use of the technology in their own applications and services.

The Regulatory Environment and FIDO

According to Jeremy Grant, Managing Director, Technology Business Strategy at Venable LLP, what governments have to say about authentication often has a significant impact on what types of authentication are used around the world.

In his session on What Regulators Want, Grant explained that authentication is important to governments for a few different reasons. Governments need to have strong authentication to protect access to their own assets and can also enable more high value citizen facing services. Overall, authentication is getting increasing attention as an important layer for cybersecurity risk management, to secure critical assets and infrastructure.

Over the last five years, Grant said that FIDO standards have started to find their way into governmental regulatory standards and guidance as an approach to help enable strong authentication.

“What we’re seeing now in 2020 is FIDO is increasingly emerging as the preferred choice of governments around the world,” Grant said.

In a panel session moderated by Grant, specific regulations in Europe, including PSD2 (Payment Services Directive 2), GDPR (General Data Protection Regulation) and eIDAS (electronic IDentification, Authentication and trust Services), were detailed, along with how FIDO Authentication can be used to comply with each regulation.

Grant explained that PSD2 is the European Union’s payment services directive that is focused on open banking and opening up the whole financial services ecosystem in terms of data and payments. The eIDAS initiative is about having electronic identification that can be used to help facilitate authentication in different industries, including financial services. Finally, Grant noted that GDPR has emerged not just as a European standard for privacy but arguably a global standard for privacy. While both PSD2 and eIDAS include some direction on strong authentication, that’s not the case with GDPR.

Alain Martin, Head of Consulting & Industry Relations, Banking & Payment Services at Thales, stated that GDPR does not talk about authentication and access rights at all; rather, it leaves the question open.

“If you leave the access to the data protected by passwords, clearly there is a big gap,” Martin said. “In light of the heavy fines, our message is that generally speaking service providers should implement strong customer authentication in order to protect access to data.”

Privacy and Data Subject Rights

Looking beyond GDPR, a morning panel looked at the topic of Authentication as an Enabler of Better Privacy.

Annie C. Bai, Global Privacy Lead at Socure, explained that governments and regulators are now trying to empower individuals with data subject rights. That said, she noted that there are protections and safeguards that need to accompany those rights that shouldn’t necessarily be in the hands of individuals. Shannon Dahn, Chief of the Privacy Section, FDIC’s Office of the Chief Information Security Officer, outlined what federal privacy rights exist. Those rights provide consumers with information about their data and transparency about how the data is collected.

“Certainly having your data kept secure is another privacy right,” Dahn said.

Jamie Danker, Director of Privacy at Easy Dynamics Corp, noted that it’s important for organizations to also consider how secure access to private information is enabled.

“If you are advising a program that’s building a product or service that’s creating records or data that can be about individuals, you also have to think about the capabilities for your organization to actually permit such access,” Danker said.

W3C Web Authentication Specification Moving Forward

One of the key technologies that is helping to enable strong authentication is FIDO2 WebAuthn, which is standardized as the W3C Web Authentication specification.

Jeff Hodges, Software Engineer at Google, explained that WebAuthn is a web platform API that facilitates strong authentication for web applications.

“We care about it (WebAuthn) because it’s a replacement for username/password, bringing strong, phishing resistant authentication to the web,” Hodges said.

Version one of W3C Web Authentication was published in March 2019, and it’s now being updated in the second version, known as level two. Hodges noted that level two addresses some bugs that were found in the initial specification and it also benefits from a series of enhancements.

John Bradley, Senior Architect for Standards at Yubico, highlighted the new Large Blob Storage extension in level two. He explained that the Large Blob Storage extension allows a relying party to store encrypted arbitrary data along with the credential. He explained that a primary use case for this is to FIDO-enable web-based SSH sessions.

“So think, SSH public key certificates, being stored alongside the credentials on an authenticator,” Bradley said.

Looking beyond just the evolving WebAuthn standards, there is also a need to make sure the standards are adopted. That was the key theme in a session about democratizing WebAuthn that was delivered by Vittorio Bertocci, Principal Architect at Auth0.

Bertocci suggests that organizations embrace a staged approach to WebAuthn implementation. For each and every step, developers should be able to see how WebAuthn is advantageous, providing value for the organization and its users.

“The adoption of WebAuthn is a journey and the standardization was a huge step, but now, we’ve got to roll up our sleeves and help the industry to adopt it,” Bertocci said.

Day 5 is Up Next!

The Authenticate conference continues for its fifth day on Nov. 18 with another great lineup of sessions.

Among the insightful content, there is a user session from eBay, a panel on account recovery best practices and a lunch and learn on how FIDO, EMVCo and W3C specifications work together.

Authenticate 2020 updates/recaps!

Authenticate Con Day 3: Improving Authentication Improves User Experience

By: FIDO ALLIANCE STAFF

Following days one and two, day three of Authenticate 2020 was another full day of informative sessions about the present and future state of authentication.

A key theme throughout the day was how FIDO authentication is being used by financial services firms to reduce customer friction and enable improved security. Once again, across multiple sessions, speakers detailed why taking a passwordless approach is a cornerstone of digital transformation efforts.

In the opening session for the day, Jim Routh, Chief Information Security Officer, Head of Enterprise Cyber Security at MassMutual, and Bojan Simic, CTO and Co-founder of HYPR, outlined the challenges of passwords for both consumers and enterprises. Routh noted that while passwords can lead to security problems, it’s the combination of passwords and people that is the real issue. Routh noted that password reuse is a common problem and one that criminals regularly exploit.

“Passwords have served us well for the last 60 years in terms of enterprise protection in the online world so it’s really not a defect in passwords, it’s a defect in how passwords are used by people,” Routh said.

Beyond passwords, Routh commented that it’s time to rethink authentication as more than a point-in-time event that enables access to a service. Routh suggested authentication should be a continuous process where information about behavior is constantly captured to enable a continuous form of authentication.

In his half of the session, Simic emphasized that user experience is a primary reason why organizations should move toward a passwordless experience.

“As part of the FIDO Alliance and as part of the FIDO standard, we’re always looking at the user experience,” Simic said.

Improving User Experience at PNC Bank

Improving the user experience for authentication is one of the primary reasons why PNC Bank has embarked on the journey to embrace FIDO standards and a password-less future. Sridhar Kotamraju, SVP, Head of Digital Identity & Fraud at PNC, said a key goal for him was to make authentication a frictionless experience in as many situations as possible.

“The key attribute here is when fraud has occurred, we want to make it easy for customers to be able to get back to their accounts in a FIDO way, so that we don’t ask them more questions than obviously we need to,” said Kotamraju.

Target Takes Aim at Password-less

Among the user organizations that spoke on Day 3 of the Authenticate Conference was Target. Nataraj Rao, Principal Engineer for Security Solutions at Target, explained that the retailer was undergoing an effort to modernize its platforms to enable a secure login experience across applications at the company.

Rao noted that a key goal for his group at Target was to reduce friction wherever possible, be it in the authentication flow by reducing the dependencies on passwords, or in the onboarding process by making it easier for applications and business owners to easily consume the enterprise authentication services.

“FIDO2 in particular was of great interest to us, given its WebAuthn API that is baked into most modern browsers, enabling the use of external security keys or on device biometrics without the need of installing any third party software or plugin on my device on the browser,” Rao said.

Standards and the Future of Payments

The role of standards in financial services and payment systems was the topic of several sessions on Day 3, including a panel moderated by Randy Vanderhoof, Director at U.S. Payments Forum.

Vanderhoof said that it’s important that the payments industry be aware of the standards as well as the best practices that have emerged to address identification and authentication challenges. FIDO plays a key role in helping to enable secure authentication for the financial services industry.

“Regardless of who you’re talking to, anyone that’s looking for secure simple interoperable authentication, that’s what we offer,” commented Christina Hulka, Executive Director and Chief Operating Officer at the FIDO Alliance. “We’re very laser focused in terms of that authentication piece, whether that is to make a payment, whether that’s to access financial services, whether that’s access confidential data – that’s really where FIDO is focused.”

Authenticate Returns Next Week

The Authenticate Conference continues next week with Day 4 on Nov. 17 which has a strong focus on the regulatory environment for privacy and authentication. Among the sessions on regulations is a panel session on the intersection of PSD2, GDPR and eIDAS in Europe and how FIDO fits in.

Authentication isn’t just about access either, it’s also an enabler of better privacy, which is a topic that another panel will dig into. Rounding out Day 4 are a number of technical sessions including a deep dive on biometrics and the W3C Web Authentication specification.

Authenticate 2020 updates/recaps!

Authenticate Day 2 Highlights Identity, IoT and the Passwordless Future

By: FIDO ALLIANCE STAFF

After a busy and eventful first day of sessions of the Authenticate conference, the second day continued the trend with a full lineup of insightful speakers and sessions.

Multiple speakers including those from CVS, NTT Docomo and Intuit outlined their respective efforts using FIDO standards as a base to improve authentication and move toward a passwordless future. 

Looking beyond user authentication, the co-chairs of the FIDO Alliance Identity Verification and Binding Working Group (IDWG) outlined how the Alliance is expanding its efforts to help enable identity verification as well. FIDO2 WebAuthn was the topic of discussion during a Lunch and Learn session, providing technical details on how FIDO works from the developer perspective. Looking to the future, members of the FIDO Alliance IoT working group detailed how the future of IoT device onboarding and authentication might work with FIDO. 

A key theme throughout the day’s sessions was about the value that organizations, individuals as well as industries as a whole, can gain from FIDO Alliance efforts.

In a morning session, Dr. Rae Rivera, certification director for the FIDO Alliance, outlined the benefits of FIDO certification and the path to get there, in a way that enables interoperability and market differentiation.

“We have found that organizations have seen around a 30% saving in their purchase operation when buying products that have been developed against industry standards,” Rivera said.

The FIDO Fit for Identity Verification

Authentication is at the core of what the FIDO Alliance and its specifications are all about. There is, however, another class of issues related to authentication where FIDO might soon be playing a key role. That area is identity proofing, which comes into play for account creation and account recovery activities. Within the FIDO Alliance, this work is led by the Identity Verification and Binding Working Group (IDWG).

“The work we are doing in the IDWG is identity-proofing as opposed to authentication,” commented Rob Carter, Director, Product Development for Identity Solutions, Mastercard, and co-chair of the IDWG. “There is a gap with account recovery and IDWG is trying to help close that gap.”

Carter explained that part of the IDWG’s effort is to define acceptance criteria for identity document verification and then build test programs to support the adoption of those criteria. Additionally, the IDWG will be working on defining acceptance criteria for facial similarity match, an approach more commonly known as “selfie match.” With both the selfie and document match, a user has to provide the information or live picture to prove that they are who they say they are to confirm identity.

IDWG co-chair Hsin Hau Hanna explained that a key part of the ID proofing process is also verifying the integrity of the process that validates a given identity.

“The ultimate goal of having these ID proofing mechanisms in place is really to go back to enabling the FIDO authentication mechanism,” Hanna said. “So there’s a very important step in between those two which is how to make sure that we bind the ID proofing ourselves to the FIDO authenticator.”

FIDO for IoT

Another area where FIDO Authentication will play a key role in the future is the Internet of Things (IoT).

Intel’s Richard Kerslake, who co-chairs the IoT working group, explained during a session that one of the key goals of the group is to develop a standardized solution that automates the whole challenge of onboarding devices. Kerslake noted that it typically takes 20 minutes or more to onboard a new device.

“We want companies to be able to drop ship their device to the point of installation, have a semi skilled technician present to connect it to the network, and then have all of the provisioning handled in a secure and automated fashion,” Kerslake said.

A key part of the effort to enable secure authentication with IoT devices is the Secure Device Onboard (SDO) project, which was started by Intel and is now part of the Linux Foundation’s LF Edge organization. Giridhar (Giri) Mandyam, Chief Security Architect – IoT and Automotive, Qualcomm, and co-chair of the IoT working group, explained that the SDO project is effectively an open source implementation of the FIDO IoT standards. While much has been done, he emphasized that it’s still a work in progress that won’t be finalized until early 2021.

“Solving the challenge of secure device onboarding in the IoT world we believe is critical to the safe growth of IoT,” Mandyam said. “The FIDO Alliance, and its members, are really making great progress here.”

Moving Toward a Passwordless Future with FIDO 

Among the end user organizations that spoke on the second day of Authenticate was CVS Health. Amy Ulrich, security advisor at CVS Health, commented during a session that her company is on a path to help make its consumer authentication experience not only secure, but easier to use. CVS Health is also on a path toward enabling passwordless experiences for consumers wherever possible.

Cisa Kurian, senior security advisor at CVS Health, said that her company is building out an authentication platform to provide passwordless authentication capabilities in its web, mobile, IoT and voice applications.

“Our goal is to increase friction for a potential threat actor, while enabling ease of use for the legitimate user,” Kurian said.

NTT Docomo is also on a journey to create a passwordless experience for its users in Japan. Koichi Moriyama, Senior Director of Security Service and Platform at NTT DOCOMO, detailed his organization’s FIDO adoption path, beginning with the deployment of UAF 1.0 standards in 2015 and more recently moving to support FIDO2 standards.

“NTT Docomo is on a journey to create a world without passwords,” Moriyama said.

Intuit is also on the passwordless journey to help the customers of its various platforms including Turbotax, Quickbooks and Mint. Marcio Mello, Head of Product for Identity and Profile Platform & Solutions at Intuit, emphasized that consumers just want to get their own jobs done and don’t want to be wasting time with authentication. Reducing the friction associated with authentication, while still maintaining the highest levels of security is critical for Intuit.

Mello explained how Intuit has embraced FIDO standards to help reduce authentication friction for users. The end result has been a measurable improvement to Intuit’s operations.

“Identity and authentication, instead of being a source of pain and drop is actually a source of reduction of costs and increase of customer satisfaction,” Mello said. “So we are now part of the success of the company.”

Authenticate Day 3 is Jam Packed

Coming up for day 3 of Authenticate is another packed slate of informative sessions. The opening session will see speakers from MassMutual and HYPR providing insight into how passwordless is taking center stage for the next generation of authentication. We’ll also see more companies detail how they are leveraging FIDO Authentication to protect their customers and employees, including PNC Financial Services and Target, among others. The day will close out with a great panel session on the topic of standards and the future of payments – we can’t wait to see you there!


Authenticate Conference Day 1: Continuing FIDO’s Audacious Mission

By: FIDO ALLIANCE STAFF

The inaugural Authenticate Conference got underway on Nov. 10, kicking off six days full of sessions on the future of authentication, including speakers talking about their organizations’ experiences with FIDO and the route toward a passwordless future.

The opening day started with a series of keynotes, including cryptography pioneer Dr. Whitfield Diffie; Joy Chik, corporate vice president of identity at Microsoft; Stina Ehrensvärd, founder of Yubico; and Mark Risher, senior director of product management, security and privacy at Google. Setting the tone and the direction for the event as a whole, Andrew Shikiar, executive director and chief marketing officer for the FIDO Alliance, outlined in his keynote address why FIDO exists, the ecosystem of certified vendors and the path forward.

“The FIDO Alliance has always had a truly audacious mission: to change the nature of authentication, to move the entire world away from usernames and passwords and traditional multi-factor authentication to a much simpler and stronger way to log in with FIDO,” Shikiar said. “Audacious, yes, but given the progress we’ve made in 7-8 years… suddenly, this thing seems doable.”

Shikiar noted that over 2 billion devices support FIDO authentication standards today and more than 250 of the world’s leading organizations across a diverse set of industries are part of the FIDO Alliance. He went on to emphasize that all of FIDO’s specifications are built upon the same principles of usability, security and privacy preservation. He also touched on the impact of the pandemic on FIDO adoption.

“COVID has turned digital transformation from a buzzword with vague 5-year plans, to a massive imperative to get complete in 5 months,” Shikiar commented. “While COVID has thrown just about everyone’s development timelines out of whack, FIDO stands to provide banks and other businesses a strong and secure cornerstone for digital transformation.”

The Role of Cryptography in Enabling Privacy and Authentication

The FIDO Alliance and its specifications make use of public key cryptography to enable user authentication and privacy: the private key never leaves the user’s authenticator, and the relying party only ever holds the public key.

Whitfield Diffie, who helped to create the foundations of modern cryptography, delivered a keynote address at Authenticate where he outlined the history of cryptography and explained why it is effective. In his view, despite having some problems, cryptography has made amazing progress over the last 50 years.

“How do you protect information that isn’t under your control?” Diffie stated. “Cryptography seems to be the only tool that is of any use.”

Microsoft’s View of a Passwordless Future

There are many reasons to like FIDO standards, and one of them is that passwords are widely disliked.

“At Microsoft we like to say that nobody likes passwords, except for the hackers,” said Joy Chik, corporate vice president of identity at Microsoft, during her keynote address.

Chik noted that passwords are the weak point in modern security. Microsoft handles over 30 billion authentication requests every day and what virtually every successful attack has in common is a weak or stolen password. She added that not only are passwords insecure, they are also a pain as millions of users forget their passwords, triggering reset requests that are one of the top help desk cost drivers.

“People need more secure and more convenient alternatives,” she said. “So it’s time to say goodbye to passwords.”

FIDO is a core component of Microsoft’s password strategy as it aims to provide users with a secure way to authenticate. She noted that over 150 million Microsoft customers have already gone passwordless for a more secure, and more convenient sign-in experience.

“We built FIDO support into Windows 10, so that you can use Windows Hello authentication without any relying party,” Chik said. “And we have enabled WebAuthn in the Microsoft Edge browser, so that you can sign into your favorite web apps and services using FIDO credentials.”

FIDO: A Seat Belt for Digital Security

During her keynote address, Yubico CEO and Founder Stina Ehrensvärd detailed how the introduction of seat belts in the automobile industry 60 years ago offers a parallel to authentication security today.

“Just like cars, the internet was not designed for security,” she said.

Ehrensvärd noted that in 1959 Volvo engineer Nils Bohlin invented the first three-point safety belt for automobiles. In the 1950s there were more cars than ever before on the roads and those cars were going faster, which unfortunately led to fatalities.

“Today we all use seatbelts and the good news is that while there are 10 times more cars than in the 50s, there is a smaller total number of fatal accidents,” Ehrensvärd said.

She added that the same steps that led to the introduction and adoption of seat belts can be used to help advance the state of authentication security and FIDO adoption, starting with acknowledging the problem at hand. The other key steps include: simplifying the user experience, driving open standards, measuring results, educating stakeholders, building trust with transparency and continuing to innovate.

Googling the Future of (Digital) Identity

As life and work have increasingly gone online during the pandemic era, there is little distinction anymore between a user’s identity and digital identity, according to Mark Risher, senior director of product management, security and privacy at Google.

In a keynote address, Risher explained that the foundation of digital identity is authentication technology. In Risher’s view, there are three key trends that are driving the future of digital identity: the need for protection, the ability to connect with multiple services and the desire for personalization. When it comes to security, like Microsoft, Google is seeing a threat from phishing attacks that steal user credentials.

“We have an antidote for that, and the antidote is the Security Key technology that FIDO has been driving from the beginning,” Risher said.

He noted that Google deployed FIDO Security Keys in 2017 for its employee base and has not had any successful phishing attacks since then. That technology has increasingly been made available to Google’s users in recent years to help protect high-risk individuals and organizations.

“Our digital identities, which increasingly are our real world identities, and authentication with FIDO standards are right at the heart of it,” Risher said.

More to Come on Day Two

Beyond the keynotes, the first day of Authenticate had other great sessions including one on how FIDO authentication can be used for the US government as an alternative to Common Access Card (CAC) or Personal Identity Verification (PIV) cards. IBM explained how it is deploying FIDO across its organization, and during a lunch and learn session attendees learned the basics of FIDO.

Day Two of Authenticate gets underway on Thursday November 12 with another packed day of content including identity verification, FIDO & IoT, best practices for deployment and more!