Blog article

The Passwordless Experience is set to transform the way we pay

As security breaches continue to grab headlines, I was intrigued by new claims that not only could online security be improved for consumers, but it could actually become a more delightful user experience. The launch of Apple Pay has proven to us that this is possible. 

With over 150 FIDO members, the Board of Directors alone reads like a Who's Who list: Alibaba/Alipay, ARM, Bank of America, CrucialTec, Discover Financial Services, Google, Identity X, Lenovo, MasterCard, Microsoft, Nok Nok Labs, NXP Semiconductors, Oberthur Technologies, PayPal, Qualcomm, RSA Security, Samsung, Synaptics, Visa, and Yubico.

Keen to understand what attracted so many key players, I was delighted to have an opportunity to interview Executive Director of the FIDO Alliance, Brett McDowell, to understand more about how all this works and what changes we are likely to see in the world of payments because of this.

This post shares a summary of what I learnt from Brett about how all this works.

The FIDO Alliance

The FIDO Alliance produces open standards and industry adoption programs that enable implementers to change the nature of online authentication by improving user experience while simultaneously providing better security in a privacy-respecting manner. They just released the final FIDO 1.0 specifications at the end of 2014.

Strong authentication and the need for standards

Before FIDO authentication, online service providers typically used a username and password for authentication. For more security they would add another authentication factor from a set of options that were not necessarily designed for ease of use. Strong authentication combines something you know (such as a password) with something you are (such as a biometric) or something you have (such as a token).

The industry norm in 2011-2012, before FIDO authentication was announced, was username and password as the ubiquitous first factor. As for the second factor, if there was one, it was typically a 6-digit one-time-use passcode. The consumer would receive the second factor through an SMS to their mobile device, generate it on a specialised hardware device, or copy it from a code-generating app on their smartphone. This 6-digit number, or one-time password (OTP), is called a security token.

However, there are usability and other problems with OTP that FIDO addresses. The first word in FIDO is "fast", and it helps to explain why FIDO technologies became so disruptive so quickly. Instead of bolting extra security on in a way that burdens the user, FIDO aims to deliver an end-to-end innovative approach to authentication through a new, open, online cryptographic protocol that enables best-of-breed device-centric authentication to be used for online access.

The FIDO UAF Architecture enables online services and websites to leverage native security features of devices

Brett explained how the standards enable a better user experience: faster, more secure, privacy-respecting and easier to use. For instance, Samsung enabled a number of payments applications using FIDO to allow a user to simply swipe a finger across a sensor on their smartphone or tablet. This is arguably easier than most other methods, especially passwords.

Strong authentication has been around for a while but failed to achieve widespread adoption in the consumer market because it lacked the means to achieve interoperability among systems and devices. Now FIDO authentication standards enable any strong authentication method, which FIDO calls an "authenticator", to interoperate with any online service, independent of solution vendor or device.

The interoperability issue is something FIDO addresses through UAF and U2F

Brett explains that both the UAF and U2F protocols, applied to devices, client software and online servers, produce entirely interoperable strong authentication. The Universal Authentication Framework (UAF) protocol was introduced first. It solves pain points around first-factor authentication because it is designed to replace the password, usually (but not exclusively) with a biometric factor that is retained only locally on the user's device, never shared centrally or in the cloud. FIDO UAF is a strong authentication framework that enables online services and websites, whether on the open Internet or within enterprises, to transparently leverage native security features of end-user computing devices.

U2F provides a simpler 2nd factor authenticator

FIDO U2F authentication addresses a totally different use case. While FIDO UAF provides a simpler, stronger 1st factor authenticator, U2F provides a simpler, stronger 2nd factor authenticator. FIDO U2F does not replace the password but instead replaces the second factor and enables a simpler form of password, such as a short PIN, because the security burden can now be placed on the FIDO U2F authenticator and not the password. FIDO U2F has already been deployed by Google Accounts and now ships in all Google Chrome browsers.

So far the implementations of FIDO U2F authenticators are in the form of external specialised devices, but these capabilities could be embedded directly in handsets or other form factors in the future. What separates FIDO U2F security tokens from the OTP tokens discussed previously is that one device will work with any FIDO U2F server, regardless of vendor solution or device manufacturer. Another key differentiator is the phishing resistance inherent in the FIDO U2F standard: the authenticator's response is bound to the site the browser is actually talking to, so a FIDO U2F user cannot be tricked into giving a secret to a fraudster the way they can in an OTP use case.

Yubico and Plug-up are the two primary providers of U2F-enabled devices today, which work by being inserted into a USB slot. NFC and BLE support for U2F tokens is expected soon and will allow U2F authenticators to be used with devices that don't have USB slots.
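The phishing-resistance contrast above, as an added illustration that is not from the article or the FIDO Alliance: a simplified U2F-style token whose assertion includes the origin the browser reports, beside an HOTP-style 6-digit code that carries no origin at all. The Authenticator class, the bank.example and bank-login.example origins, and the use of HMAC in place of the per-origin ECDSA key pair a real U2F token generates are assumptions of this example.

```python
import hashlib
import hmac
import os

# Simplified model of origin binding. HMAC with a per-origin derived secret stands
# in for a real U2F token's per-origin ECDSA key pair; the binding logic is the same.
# All origins and secrets here are constructed for illustration.

class Authenticator:
    """U2F-style token: a distinct key for every origin (app_id) it is used with."""
    def __init__(self):
        self._master = os.urandom(32)

    def _key_for(self, app_id):
        return hmac.new(self._master, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id):
        # The relying party stores this value; it plays the role of the public key.
        return self._key_for(app_id)

    def sign(self, client_reported_app_id, challenge):
        # The browser reports the origin it is actually connected to, and the
        # hash of that origin becomes part of the signed message.
        msg = hashlib.sha256(client_reported_app_id.encode()).digest() + challenge
        return hmac.new(self._key_for(client_reported_app_id), msg, hashlib.sha256).digest()

def server_verify(server_app_id, registered_key, challenge, signature):
    """The relying party recomputes the expected signature over its OWN app_id."""
    msg = hashlib.sha256(server_app_id.encode()).digest() + challenge
    expected = hmac.new(registered_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def u2f_login_outcome(token, registered_key, client_origin):
    """Bank issues a challenge; the token answers from whatever origin the browser sees."""
    bank = "https://bank.example"
    challenge = os.urandom(32)
    return server_verify(bank, registered_key, challenge, token.sign(client_origin, challenge))

def otp_generate(secret, counter):
    """HOTP-style 6-digit code (RFC 4226 truncation): depends on secret and counter only."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def otp_login_outcome(secret, counter, typed_into_origin):
    # typed_into_origin never enters the code, so a code captured on one site and
    # forwarded to the real server is indistinguishable from a genuine login.
    relayed_code = otp_generate(secret, counter)
    return hmac.compare_digest(relayed_code, otp_generate(secret, counter))
```

Running u2f_login_outcome with the registered origin succeeds, while the same token answering for a look-alike origin fails verification at the bank; the OTP check succeeds regardless of where the code was typed.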

How do you see passwordless experience evolving, and what other methods are you using in your part of the world? 



Comments: (3)

Abhishek Chatterjee - Gartner Inc. - London, 01 February 2015, 12:39

Why is Apple not participating in this?

A Finextra member, 01 February 2015, 18:35

Abhishek Chatterjee, thanks, that is a great question. This is a fast evolving area and adoption of standards and alliances is all part of the strategies that are themselves evolving.

We can see that in the area of mobile operating systems too there has been a difference between the approach of Google, who went all out to build an open ecosystem versus Apple's approach which is more controlled. I think we'll hear more on this area as 2015 progresses - still early days.

A Finextra member, 01 February 2015, 18:48

Abhishek, as a further answer to your question, a couple of days ago Sebastien Taveau, Founding Board member of the FIDO Alliance, shared views on how he sees the Touch ID architecture aligning well with FIDO: http://www.scmagazine.com/expanded-apple-touch-id-payments-can%20succeed-expert-suggests/article/331482.


This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.
