By: FIDO Staff
Where does FIDO fit in commerce?
That question was the primary theme tackled during the Authenticate Virtual Summit, broadcast March 30 and 31, 2022, which included sessions led by experts and practitioners from North America and Europe.
In the opening session of the event, Andrew Shikiar, executive director and CMO of the FIDO Alliance, stated candidly that financial services and payments have always been a target for hackers. With the pandemic the past few years, there has been a further acceleration of attacks.
“The core issue, of course, is that we depend on passwords,” Shikiar said. “The real problem is that they’re easy to phish, harvest and replay and that’s really where the internet breaks down, that’s what causes data breaches and that’s what the FIDO Alliance is trying to solve.”
This is true for legacy MFA – such as SMS and OTP – as well. Those methods are equally vulnerable to common attacks like phishing. “MFA bypass attacks using legacy MFA will be a recurring theme for 2022,” Shikiar said.
Looking specifically at financial services, Shikiar said that FIDO standards can help protect online accounts with strong authentication. He added that FIDO also helps companies comply with regulations and make open banking a reality.
“We think that FIDO provides a very elegant, simple solution that will allow for customers to have secure commerce flows, while also helping merchants and banks comply with emerging and current regulations,” Shikiar said.
The Challenges Facing FIDO in Retail and Hospitality
In a session, Suzie Squier, President at RH-ISAC (Retail and Hospitality Information Sharing and Analysis Center), explained that her organization is all about sharing threat intelligence across its membership, which includes retailers and hotels across the United States, United Kingdom and Canada.
Squier noted that the growth of ecommerce has not gone unnoticed by threat actors, as the retail and hospitality industries have been hit hard with credential stuffing attacks. Those attacks typically succeed because of poor password hygiene, the pervasiveness of passwords available for sale on the dark web, and how easily weak passwords can be brute-forced, or even guessed.
“The problem with passwords doesn’t just end with credential stuffing, account takeovers and fraud, as problematic as they are, the reliance on passwords can also lead to frustration and lost sales due to lost and forgotten passwords,” she added.
The problem with passwords is well understood across the RH-ISAC membership with more than 67% of respondents to a survey stating that they see real value in moving away from passwords. However, the majority of those moving toward passwordless do not yet have FIDO as part of their plans due to concerns around inconsistent user experience across platforms, challenges for users with lost authenticators and lack of global acceptance.
“There are major challenges and user frustration with the current passwordless authentication model,” Squier said. “When we’re talking about the consumer space, there is little tolerance for friction.”
There is some help on the way from FIDO to reduce that friction, Squier said. She noted that FIDO recently announced multi-device credentials, known as “passkeys.” She explained that the basic idea with multi-device credentials is to allow the phone itself to act as a roaming authenticator across multiple devices, which could help address both consistency and account recovery for authentication.
Looking forward, in Squier’s view what’s needed to drive passwordless forward is broader adoption.
“We need to see broader adoption across more industries, so that this becomes more ubiquitous and familiar to the consumer world,” she said.
FIDO Supporting Digital Transformation
While FIDO is all about secure authentication, using FIDO-based technologies can enable much more, according to Rolf Lindemann, VP of Products at Nok Nok.
Lindemann said that by using FIDO standards, organizations can enable digital transformation. That transformation supports customer experience optimization, operational flexibility and innovation.
“When using digital services, the first step in that customer experience is authentication, that is the front door,” Lindemann said. “That first authentication step is important because most digital services rely on your ability to know who’s at the other end of your services, while at the same time providing the best customer experience.”
Strong authentication is a great start, but Jason Beloncik, Director of Solutions Americas at Daon, suggested that organizations will sometimes need more to support the best possible user experience. Beloncik said that his company takes a hybrid approach it calls FIDO Plus. The “plus” is integrating other capabilities from the identity ecosystem to support organizations.
Gal Steinberg, VP of Product at Keyless, commented in a session that a challenge he often sees is that the world is trying to solve the fraud problem by adding friction. The problem is that adding friction, in the form of multi-factor authentication for example, creates user churn in the consumer space. A balance needs to be struck in authentication between introducing friction to mitigate fraud and preserving usability.
Considerations for Standards-based Authentication in the Blockchain
Blockchain and so-called Web 3.0 distributed applications are an emerging area of technology and commerce, but strong authentication may not yet play as large a role there as it should.
“A lot of the crypto exchanges typically do provide authentication methods that are far stronger than basic methods, but most people typically don’t use them because it’s not familiar to them,” Bojan Simic, CEO and CTO at HYPR said. “I think that some of the stuff will need to change.”
Nick Steele, Lead Researcher at Super Lunar, emphasized that it really is crucial for crypto exchanges to support multi-factor authentication. He noted that one of the most common forms of attacks is leveraging weak passwords to get into exchanges and steal large amounts of money.
“Exchanges are really trying to do the best they can to get users on to FIDO2 because that’s going to give us the highest grade of authentication security in the space,” Steele said.
Pushing FIDO Forward in Europe
FIDO is seeing particular success in Europe, from a number of perspectives. Petra Silsbee, Fraud Prevention/Dispute Management at PLUSCARD, explained how her organization has been able to use FIDO to support PSD2 (Payment Services Directive 2) requirements in Germany. PLUSCARD is a credit card issuing processor and its customers are individual savings banks.
PLUSCARD needed to support users who have smartphones as well as those who don’t regularly use one. To that end, Uwe Hartel, Country Manager Central Europe for technology provider Entersekt, explained that his company worked with PLUSCARD to deliver a FIDO hardware authenticator-based solution for PSD2 compliance that also enables 3DSecure-based payments.
“We identified the need for a hardware token to satisfy a segment of users which do not either have a smartphone or which are kind of reluctant to use their app for money transactions, for payment transactions,” Hartel said. “That was the start of the idea to actually define a FIDO hardware token as a solution to provide strong customer authentication.”
In a keynote session, Alan Goode, CEO and Chief Analyst of Goode Intelligence, outlined the current state of regulations for strong customer authentication (SCA) requirements across Europe and the United Kingdom.
Goode noted that there have been documented issues with the deployment of SCA technologies. Those issues include an increase in transaction failure rates, payment attrition, rejected transactions and abandonment in the payment process because of increased friction for consumers. He added that European trade bodies have criticized SCA for focusing too much on compliance rather than implementation, and for neglecting the need for convenient and easy-to-use transaction authorization.
“I believe that there is an opportunity to leverage a standards-based authentication solution that works for both web and mobile commerce channels,” Goode said. “By adopting FIDO certified authentication solutions that are also SCA compliant, the problems of security and usability could be mitigated.”
FIDO is also set to play a critical role in the eIDAS 2.0 rollout in Europe.
Rayissa Armata, head of regulatory affairs at IDnow, explained that eIDAS 2.0 is a new initiative that introduces a digital identity stored in a digital wallet. This technology is aimed at all European citizens and residents. eIDAS stands for electronic IDentification, Authentication and trust Services.
“This is an exciting initiative and it’s an ambitious one,” Armata said. “There are a lot of different players in this ecosystem, from relying parties to integrators to considering the tech standards that are going to be part of this wallet, and also for the Trust Services.”
“FIDO is delighted and pleased to be part of this initiative,” she added.
Best Practices for FIDO in Commerce
There are any number of good reasons for an organization to adopt FIDO standards.
For Tola Dalton, Director of Identity Software Development at eBay, the 2014 data breach at his company was a primary motivator. Dalton said that the breach painfully highlighted the risks of holding password data. Using strong authentication and FIDO to enable a passwordless authentication workflow is important, but that’s not the only benefit it brings.
“Using passwordless, and particularly multi-factor authentication, are shown to have much lower account takeover rates and that’s a big consideration for eBay as it would be for any e-commerce company,” Dalton said. “But the great thing about passwordless is that it’s also an incredibly seamless login method.”
Dalton said that in order to motivate customers to use passwordless and strong authentication, the experience has to be easy and intuitive. That’s a sentiment Manish Gupta, Director of Global Cybersecurity Services at Starbucks, strongly agrees with.
Gupta noted that there are many different ways to enable multi-factor authentication. What’s needed is standardization, and that’s what FIDO provides.
“I think that the work that FIDO Alliance is doing to establish a global standard is commendable,” Gupta said. “The standard is solid, there’s buy in, but now it’s about how do we take it a step further, such that it becomes muscle memory for people, just like user ID and Password login has been for years.”
The webcast is now available on demand. To watch the recording, visit the event page.
For more discussions on moving past passwords to modern strong authentication, attend upcoming FIDO Alliance events, including the Authenticate 2022 Conference.