FIDO Authenticate Summit Wrap Up: Modern Authentication for Financial Services
By: FIDO Alliance Staff
What’s the role of FIDO authentication in financial services and what can be done to help consumers and issuers be more secure? Those topics were at the foundation of the Authenticate Virtual Summit: Modern Authentication for Financial Services, hosted by the FIDO Alliance on March 25.
The financial services focused event included speakers from eBay, Financial Data Exchange, Gemini, Google, Javelin Strategy and Research, Mastercard, JP Morgan Chase, StrongKey, Trusona and Visa, with topics spanning from the future of authentication to best practices on how to optimize the authentication experience for users.
In his opening keynote, Andrew Shikiar, executive director and CMO of the FIDO Alliance noted that over the course of the pandemic there has been an increase in cyberattacks against financial services institutions, which has only heightened the need for stronger authentication methods.
“At the end of the day, the vast majority of statistics and the vast majority of these problems come down to fundamental truth, which is that we’re trying to run a hyper connected economy, a networked society, on a authentication model that simply is not fit for purpose and that of course is our dependence on passwords,” Shikiar said.
Shikiar detailed how the FIDO Alliance is working to help move the world away from passwords and help users benefit from stronger forms of authentication. In particular, FIDO is playing a key role in the financial services market across a number of categories. FIDO specifications are being used today by financial services firms to help protect online accounts against account takeovers and phishing attacks. A key goal is to also make it easier for organizations to use strong authentication. Shikiar emphasized that the FIDO Alliance’s tagline is: simpler, stronger authentication.
“If there’s one thing the industry has seen is that the more complex the approach is for MFA [Multi-Factor Authentication] , the less likely someone is to stick with it,” Shikiar said. “So for people to keep using strong authentication, it needs to be easy and single gesture, which is the core of FIDO’s approach.”
Improving Authentication with FIDO at Visa
Visa is one of the world’s largest credit card brands and financial services firms on the planet and it sees FIDO as being a strong tool for helping to improve security and reduce fraud.
In a keynote presentation, David Henstock, Head of Identity and Authentication Products at Visa, observed that FIDO specifications have a significant role to play in helping to drive better outcomes within the payments industry. Henstock noted that what has increasingly occurred in recent years is that fraudsters are targeting the authentication layer.
“The question that always comes up is what can Visa do to help fight account takeover fraud?” Henstock stated. “The culprit more often than not is knowledge based authentication, or simply put – passwords.”
Henstock noted that FIDO is an easy way to upgrade from usernames and passwords to a more secure standard upgrading the authentication experience that sellers have. He added that overall FIDO helps to provide a better, more easy to use customer experience for authentication.
FIDO is also important to help with regulatory compliance. In Europe, the PSD2 [Payment Services Directive version 2] is a key driver for strong authentication adoption as it mandates the use of Strong Customer Authentication (SCA).
“If you’re doing digital commerce in Europe, you must abide by the SCA regulations,” Henstock said.
In a bid to help organizations with FIDO deployment, Arshad Noor, CTO at StrongKey used his Authenticate session to detail new capabilities in the StrongKey FIDO server that can help organizations meet the challenges of global requirements.
“We see a lot of confusion in the WebAuthn and FIDO ecosystem where people are confused between security capability, and the user experience that consumers go through when interacting with FIDO,” Noor said. “We believe that FIDO should first be viewed as a security technology, and second as a convenience technology.”
Consumer Confidence in Passwords is Declining
The need to move away from passwords isn’t just about regulation, it’s also about consumer confidence in the security of password based authentication.
In a session, Javelin Strategy & Research analysts Rachel Huber and John Buzzard outlined the state of the market in terms of fraud and online security.
“We have discovered trend wise that consumer confidence with passwords is down substantially and I want to say -finally,” Buzzard stated.
Buzzard noted that consumers have begun to realize that stronger authentication methods including biometrics are effective ways to validate identity. He added that consumers are now indicating that they are ready to move away from passwords.
“Whether the password disappears, maybe it becomes sort of like the Mayor McCheese of the city in the sense that it’s there but it doesn’t mean anything if that’s what it requires,” Buzzard said. “That’s still okay because we’re ready to move forward with stronger forms of authentication.”
Payments and the Future of Authentication
FIDO standards are at the core of security efforts at eBay, which helps the online marketplace meet the needs of its diverse user base. In a panel on Payments and the Future of Authentication Ashish Jain, Product Management Executive, Identity, Mobility & Analytics, eBay explained that a key challenge for his platform is having the right experience that can fit the needs and requirements of a broad customer base.
“When we started investigating FIDO and saw that it was supported by Google, Microsoft, and Apple, it gave us the confidence that it can meet the needs for a variety of our customers and hence, we continue to investigate and invest in the protocol,” Jain said.
For Christiaan Brand, Product Manager for Identity & Security at Google, FIDO adoption started out as a way to help curb phishing risks and has evolved to become a way to help improve multiple aspects of security for both Google and its users.
“FIDO is one of those few security inventions, which aims to both address security and improve on that axis, while at the same time also improving on the usability front,” Brand said. “The FIDO components that have been built into the platforms nowadays do give our users, better and more secure experiences.”
For Ranjita Iyer, SVP, Identity Solutions at Mastercard, FIDO specifications are being combined with other standards including the EMV 3D Secure effort to enable a seamless authentication and payment experience that can lead to better approval rates for digital transactions and lower fraud.
Integrating FIDO with other standards is also something that the Financial Data Exchange (FDX) is implementing with its stack. Don Cardinal, Managing Director, Financial Data Exchange explained in a session that his organization is dedicated to unifying the financial service industry around an interoperable royalty free standard for secure permission to access data.
“The whole idea is to stop sharing user IDs and passwords and stop using them in the entire session,” Cardinal said. “Ideally, if you have OIDC [OpenID Connect] and FIDO throughout FDX you can enroll, use and consume the whole setup and never use a credential, which I think is really powerful in today’s day and age.”
Optimizing UX for Strong Authentication
While the technical details of FIDO specifications are critical to enabling strong authentication, optimizing the user experience is critical to adoption.
In the final panel of the day, Megan Shamas, Director of Marketing, FIDO Alliance noted that there is an effort that is currently underway to to test and improve the FIDO user experience. Guidance from that testing effort is set to be publicly available in late 2021.
Kerry Hebert, Design Director (CX/UI) at Visa emphasized that it’s likely that FIDO implementation hinges on user adoption and adoption is only going to happen if the user registers. She noted that for users to take the step of registering, they need to believe that there’s value in what it provides and in some way makes the consumer’s life a little bit better.
Kevin Goldman, Chief Experience Officer, Trusona strongly suggests that financial services firms not think about user experience as something that is bolted on to the end of the process. Rather he suggests that it’s an integrated part of the entire process of supporting and enabling FIDO standards.
Judy Clare, Vice President, Product Manager, Digital Identity and Authentication at JPMorgan Chase & Co, suggested during the panel that from an experience perspective, FIDO engagement needs to be easily digestible for consumers.
“You really have to have that value proposition out there – what’s in it for me, and why should I be clicking through this and take an extra 30 seconds to sign up for it and then go on my way, because I am here to do something and this wasn’t it,” Clare stated. “So it’s really important to keep the user in mind.”
Next Up: More Authenticate Summits and Authenticate 2021 Conference
There’s much more content to come from the FIDO Alliance in 2021.
Looking forward there is another virtual event coming in June which will focus on strong authentication in Europe. Plans are also coming together for a physical Authenticate conference set for October in Seattle.
“In general, what we see is a lot of best practice sharing, everyone is in this together, and is motivated to help protect the networked economy and FIDO authentication presents a great way of doing so,” Shikiar said. “So we encourage you to certainly take part.”