By: FIDO Alliance Staff
The digital security, privacy and authentication landscape is evolving quickly in the European Union, with new regulations that could have a broad-ranging impact on its citizens as well as on companies around the world.
At the Authenticate Virtual Summit: Focus on Europe, which was held on June 17, experts on the authentication market in Europe provided insight into the latest developments including PSD2 SCA (Payment Services Directive Strong Customer Authentication), delegated authentication, eIDAS (electronic IDentification, Authentication and trust Services) and the EU Digital Wallet among other efforts.
Kicking off the virtual summit, Andrew Shikiar, executive director and CMO of the FIDO Alliance outlined how the FIDO specifications work and why strong authentication is essential for multiple use cases including ecommerce, Internet of Things (IoT) and identity verification.
“FIDO’s goal from day one was to certainly reduce reliance on passwords, but in some ways that was just a means to an end, really trying to address the data breach problem, as the vast majority of data breaches are caused by weak credentials,” Shikiar said.
As FIDO adoption moves forward, there is a need to strengthen identity verification assurance in order to support better and safer account recovery. To that end, Shikiar noted that the FIDO Alliance has launched the Identity Verification & Binding Working Group (IDWG), which is driving that work forward.
“We’re seeking to establish best practices for possession-based identity verification,” Shikiar said. “That will not only enable safer, easier and stronger account recovery, but doing so will also stop hackers from using the account recovery process as an opening for social engineering account takeovers.”
Helping to Limit Cart Abandonment
There is a tangible connection between ecommerce success and strong authentication, according to Rolf Lindemann, VP products at Nok Nok Labs.
Lindemann noted that during the pandemic, ecommerce grew faster than ever before. But with 13% of online credit card payments not being completed, it is clear that cart abandonment is still impacting business in a significant manner.
“We learned that authentication friction in general is a major factor for cart abandonment,” Lindemann said. “This becomes obvious given that online authentication is at the core of all online transactions. Authentication is the front door to digital services in general.”
The path to reducing authentication friction involves the use of FIDO, which Lindemann said can enable strong customer authentication that is completed in a single convenient step.
Toward a Strongly Authenticated Digital Identity
In Europe and elsewhere around the world, there is a growing conversation about the need to enable and provide some form of digital identity. According to Steve Pannifer, COO of Consult Hyperion, digital identity consists of three things: identification, authentication and authorization.
Pannifer explained that identification is about asking the question: is this person real, unique and identifiable? Authentication is the process of recognizing that an identified person is returning to use the service again; the service provider wants to know whether this is the same person who established the identity at some point in the past. Authorization ties it all together: it uses the identity and the authentication result to grant access to services.
“Digital identity is not a means in and of itself, it’s a means to an end,” Pannifer said. “The end that it is serving is all of those services that I’m trying to get access to.”
Fabian Eberle, co-founder and COO at Keyless, is also a big believer in digital identity. In his session, Eberle outlined the need for a decentralized system for personal identity management. Such a system puts users in control of their own identity information and lets them selectively disclose that identity data in a more private and secure way.
Eberle noted that at LUISS Guido Carli University, over 10,000 students are now benefiting from a digital identity system that supports remote education services. The Keyless approach builds on FIDO standards, which help authenticate the device and identify students with minimal friction.
Digital Identity in Europe: eIDAS
In the European Union, there is an effort known as eIDAS, a legal framework for the mutual recognition of national digital identity schemes.
“The purpose of eIDAS is cross border access for citizens in any European country to gain access to any public service in the EU,” Sebastian Elfors, senior solutions architect at Yubico, explained.
FIDO standards are being increasingly adopted by European governments to help support eIDAS efforts. Among those that Elfors highlighted is healthcare authentication in Norway, EduID for universities in Sweden and the National Health Service (NHS) in the U.K.
FIDO standards are also helping CZ.NIC, the registry for the Czech Republic’s .cz top-level domain, which also operates the mojeID (“my ID” in Czech) service.
Jaromír Talíř, technical fellow at CZ.NIC and a member of the eIDAS technical subgroup, explained that the domain registry had a requirement to authenticate the identity of domain owners. That requirement led to the creation of mojeID, which has been using FIDO standards since 2019. Talíř explained that CZ.NIC uses FIDO to provide multi-factor strong authentication of user identity.
Using FIDO to Support Delegated Authentication
With the European Union’s Payment Services Directive Strong Customer Authentication (PSD2 SCA) requirements, which came into effect in 2021, there are very stringent requirements for authenticating consumers when they pay through payment providers.
In a panel discussion, Jonathan Grossar, VP, product development at Mastercard, commented that within a few months of the introduction of PSD2 SCA there was an increase in the number of transactions abandoned by consumers.
“So a problem with PSD2 SCA is that consumers may have to authenticate twice,” Grossar said. “First with the merchant to have access to the account or to the card that is stored on file and then a second time doing the transaction with the bank and potentially then with a different authentication mechanism.”
All those extra steps introduce additional friction and complexity for both merchants and consumers, which can be alleviated with an approach known as delegated authentication. Grossar explained that with delegated authentication, the merchant handles the entire authentication step with a secure mechanism, so the consumer is not challenged a second time by the issuing bank. Using FIDO standards in combination with EMVCo’s 3-D Secure standards to share authentication and risk data with the issuer is the way forward in Grossar’s view.
“FIDO is interoperable across multiple devices and platforms,” Grossar said. “So in short, you have today billions of devices that are enabled with FIDO, and that potentially can be used for delegated authentication.”
Jason Muncey, principal, EU Payment Acceptance & International Expansion at Amazon, is also optimistic about using FIDO for delegated authentication. Muncey commented that even before the PSD2 SCA requirements, cart abandonment was a pain that all merchants have had to live with. In his view, there is a real need for some form of consistent approach.
Lee Goddard, product director, head of authentication at Worldpay, also noted that there will always be some potential for abandonment in the purchase process.
“I think the FIDO approach to delegated authentication will really take things a step further in removing ever more abandonment,” she said.
Remote Identity Verification in Europe
With the pandemic, in-person identity verification became difficult, which led to a growing need for remote identity verification in Europe and elsewhere around the world.
In a panel discussion, Santosh Rajvaidya, senior director, product management at Jumio, noted that to date there is no consistent approach to remote ID verification in Europe. That situation could change with the European Commission’s new digital identity wallet, which could be a first step in the right direction.
“What is happening with digital identity wallet is you do a one time verification of your ID and the identity is created in the digital identity wallet,” Rajvaidya said. “From there on the user can reuse it multiple times across different applications.”
FIDO’s Identity Verification & Binding Working Group (IDWG) is also doing work that will help remote identity verification efforts. Rayissa Armata, Head of Regulatory Affairs at IDnow, commented that when it comes to verification, user experience and convenience are key attributes.
“Most users aren’t concerned with their identity or the data privacy, they’ll tick the boxes and move on, they just want to get their service,” she said.
Wrapping up the virtual Authenticate Summit, Andrew Shikiar, executive director and CMO of the FIDO Alliance emphasized that the FIDO Alliance is in a very good place today, in Europe and around the world.
“We’re seeing more and more companies adopt FIDO authentication,” Shikiar said. “I personally firmly believe that virtually every consumer service online will be offering passwordless login options in the next few years and our hope is that the vast majority of these leverage FIDO.”
The next Authenticate virtual summit will take place in September, with a focus on government services. Then in October, the FIDO Alliance will host its first live event, the Authenticate Conference in Seattle.