Modern authentication: the key to achieving security, usability and regulatory compliance

As banks, online services, regulators and technology providers look to revamp authentication to better address today’s challenges, an unprecedented rate of disruptive innovation and regulatory change is taking place.

Out with the old...

We are in the midst of a burst of authentication technology innovation. As a result, some of the methods that we have depended upon for authentication should now be sorted into the “old” column for methods to move past. The first on that list is single-factor passwords. One needs to read the many recent headlines to know that passwords are at the heart of the data breach problem. According to the Verizon Data Breach Investigations Report, 81% of data breaches in 2016 involved weak, default, or stolen passwords, up from 63% in 2015.

In the identity space, the idea of using two-factor authentication is a well-established mitigation for replay attacks using stolen passwords. However, even the most commonly used “strong authentication” methods have issues that have prevented their widespread adoption and therefore belong in the “old” column.

This includes one-time passwords (OTPs) delivered via text messaging or email. This method ranks low for usability: users get frustrated with having to deal with multiple screens just to log into their accounts, and reliability of SMS delivery cannot be ensured; as a result, opt-in rates for this method are low. On the security side, OTPs are still vulnerable to social engineering and phishing.

Smart cards, also a legacy method, do offer strong cryptographic security, but are inconvenient to use, costly to implement and don’t support the current mobile/BYOD environment in the workplace. This is more problematic than ever before given the growing demand for secure access to heterogeneous cloud services.

… and in with the new

New, modern authentication solutions are based on FIDO Alliance standards. FIDO Authentication takes advantage of the biometric capabilities in devices that most consumers already have, or of the increasingly popular “security key” second-factor devices, and adds interoperable protocols for strong cryptographic authentication. FIDO standards provide the ability to offer multi-factor authentication based on public key cryptography using the same device (like biometrics in a mobile device and security keys) across services. Many organisations, especially banks, are considering biometrics in particular as a good option to improve the user’s authentication experience. The trend is due, in part, to the fact that the majority of mobile devices are shipped with built-in biometric features like fingerprint scanners and facial recognition.

These devices are also being certified to validate their ability to secure on-device storage of sensitive user data, such as private key application credentials and biometric data. With user credentials stored on the user’s device and not on servers, there is no risk that criminals can re-use credentials harvested from someone else’s data breach. In the FIDO model, an attacker would have to gain physical possession of a user’s device to even attempt such an exploit. These types of attacks are not scalable or profitable for cybercriminals --essentially eliminating the threat of credential stuffing and phishing. Similarly, using an on-device method to store biometric templates is the preferred approach by today’s manufacturers because it / for it effectively protects online authentication systems against scalable attack.

A standards-based way to meet regulatory requirements

PSD2 Strong Consumer Authentication (SCA): FIDO standards provide a way to meet PSD2 SCA requirements while also addressing organisational and user demand for transaction convenience. While the final draft Regulatory Technical Standard for PSD2 requires two secure and distinct factors of authentication, it also recognises that these factors can be housed in a single “multi-purpose” device – such as a mobile phone, tablet or PC – as long as “separate secure execution environments” are used (such as trusted execution environments (TEE), secure elements (SE) and trusted platform modules (TPM)).

This is already the preferred method of FIDO authenticator implementation being practiced today.
Most internet-connected consumer devices, such as laptops and mobile phones, are shipping with these already built-in security capabilities, as well as on-device biometric authenticators. This means that organisations can leverage a rapidly growing install base of laptops and mobile phones, to meet PSD2 SCA requirements by implementing support for FIDO Authentication standards in their payment applications, such as card-on-file wallet services and merchant applications.

GDPR: Guidance from ENISA regarding GDPR compliance suggests that organisations use two-factor authentication for accessing systems that protect personal data. Using FIDO standards and implementing strong authentication with biometrics and/or security keys are a suitable option as the standards dictate that no personally identifiable information (PII) of any kind is stored centrally. Though one may use FIDO-enabled devices across services, there is no sharing of private key credentials or device identification data with those services, fulfilling the data minimisation goals of GDPR when applied to account credentials. In contrast, other online authentication and identity technologies store credentials, including biometric data, in centralised databases where they could be exfiltrated en masse from a single data breach.

Modern authentication is the path forward

It’s time for financial institutions and all organisations to embrace modern authentication as the way forward. This will lead to the widespread adoption necessary to stop the data breach problem that has been plaguing us in recent years, and to meet various regulatory requirements that have consequently emerged as a result. At the same time, it is critical to evaluate the security and privacy of the solution before adopting any new multi-factor authentication approach. Standards-based approaches like FIDO, that utilise public key cryptography and exclusively store user credentials and biometric data on the user’s own personal device, aim to be a fit-for-purpose approach to get the desired security and usability while also meeting regulatory requirements.

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

About Brett McDowell

Brett McDowell is the Executive Director of the FIDO Alliance, the organisation he helped establish in 2012 to remove the world’s dependency on passwords through open standards for strong authentication. Previously, he was Head of Ecosystem Security at PayPal, where he developed strategies and lead programs to make the Internet safer for PayPal and their customers.

About FIDO Alliance

The 250+ member, cross-industry FIDO Alliance provides specifications and certifications to enable an interoperable ecosystem of on-device authenticators that can be used for simpler, stronger authentication to many compliant mobile apps and websites. Support for FIDO authentication has been built into flagship devices from top handset manufacturers, while some of the most trusted brands including Google, Facebook and PayPal have made FIDO authentication available to protect more than 3 billion end-user accounts.