Standards Bodies Set Sights On Biometrics, Online Authentication

By Jeffrey Green (@epaymentsguy)

It’s generally a good sign that a market is about to pop when alliances form to make sure everyone is doing things properly. For online and mobile authentication, at least two efforts are underway to develop standards where biometrics could play a role in helping eliminate the use of usernames and passwords for online and mobile authentication.

Earlier this month, French standards-setting body Natural Security announced the formation of an alliance dedicated to collaborative creation of secure wireless biometric authentication and payment solutions. 

Its members include major French banks, retailers, payment providers, vendors and members of IT communities, including AS 24 (TOTAL group), Banque Accord, BizRaiser, BNP Paribas, Carrefour Banque, CITC-EuraRFID, Intervale, Concert International, Crédit Agricole, Crédit Mutuel Arkea, Dictao, Elitt, Galitt, Groupe Auchan, Groupement des cartes bancaires CB, ID3, Ingenico, Leroy Merlin, Oberthur Technologies, Paycert, PW Consultants, Sesame Touch, Six Payment Services, Swiss Capital International Group, Trust Designer, UINT and UL. MasterCard also is a member.

The alliance hopes its eventual creation of a Natural Security Standard will resolve issues around biometrics privacy, convenience and universality, and it plans to support a consumer trial to test its technology. Natural Security wants to have its standards and specifications used by anyone developing and using biometric systems for payment, logical access and IT access globally.

The organization plans to license manufacturers that use the standard it creates, and it hopes to build an interoperability strategy that includes tests and certification processes for the standard. At deadline, the alliance had yet to form its first working groups but had planned to have them in place shortly. The initial topics it planned to explore were EMV face-to-face payments and cash withdrawals, online authentication, and mobile wallet for face-to-face payments.

A Call For FIDO

Natural Security’s efforts should complement those of another nonprofit organization, the FIDO (Fast Identity Online) Alliance, which in July 2012 formed “to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords.” Since its official launch in February 2013, the alliance’s membership has grown to more than 50 organizations covering a broad array of industry players, including BlackBerry, Google, Lenovo, MasterCard, NXP Semiconductors and PayPal.

FIDO’s goal is to secure broad acceptance and use of a standard for secure devices and browser plug-ins so any website or cloud application may interface with existing and future FIDO-enabled devices used for online security. Its protocols use standard public key cryptography techniques. During registration online, the user’s client device creates a new key pair. The device retains the private key and registers the public key with the online service. In the authentication process, the client’s private keys are used only after the user’s device unlocks them locally, such as by swiping a finger, entering a PIN, speaking into the microphone, inserting a second-factor device or pressing a button.

User privacy is one of the key goals behind the FIDO protocol. For example, if biometric information is used, the data never leave the user’s device, and the protocols do not provide data that different online services may use to collaborate and track a user across services.
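The registration and authentication flow described above, including the per-service key pairs that keep a user's accounts unlinkable across services, as an added example that is not FIDO's specification or any alliance's code: a toy authenticator and relying party in Go using Ed25519 signatures (the key type, the local-unlock boolean and the service names are assumptions for illustration).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the user's device: one private key per relying
// party (online service); no private key is ever exported.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // keyed by relying-party identifier
}
func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register creates a fresh key pair for one service and returns only the
// public key. A separate pair per service keeps accounts unlinkable.
func (a *Authenticator) Register(rp string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rp] = priv
	return pub, nil
}

// Authenticate signs the challenge only after a local unlock (fingerprint,
// PIN, button press), modeled as a boolean; the biometric never leaves the device.
func (a *Authenticator) Authenticate(rp string, challenge []byte, unlocked bool) ([]byte, bool) {
	priv, ok := a.keys[rp]
	if !ok || !unlocked {
		return nil, false
	}
	return ed25519.Sign(priv, challenge), true
}

// NewChallenge is the service's fresh random nonce; signing it instead of a
// fixed message means a captured signature cannot be replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the service's check: signature over this login's challenge
// under the public key registered for the account.
func Verify(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}
```

Because each service only ever sees its own public key and signatures over its own challenges, two services comparing records have no shared identifier to correlate.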

Uniformity In Authentication

FIDO’s efforts, which are concerned not particularly with biometrics but with all forms of strong authentication, should go a long way toward creating uniformity in online and mobile authentication while ensuring simpler, stronger authentication methods. Its efforts are only now beginning, but Apple’s decision to keep Touch ID biometric credentials in each individual’s phone is a sign such protocols are likely to become standard for biometric authentication.

Apple, though, is not a FIDO member, and it doesn’t comply fully with FIDO’s standards. However, FIDO’s president and former PayPal chief security officer, Michael Barrett, reportedly believes Apple eventually will follow FIDO’s standards, “but that’s probably a couple years out.” Google, however, is a member, so expect Android-powered biometric devices that support FIDO’s standards next year.

FIDO’s standards do not dictate the type of authentication used, so vendors may support a broad array of biometric techniques beyond just fingerprint algorithms, including iris, facial or voice recognition. FIDO standards will not address payment options or specifications.

Natural Security and FIDO have different but related goals, and some similarities as well. French banks conceived Natural Security, so as it seeks to make its standards global it should work closely with FIDO to ensure uniformity. The fact that the two organizations share some common members should help to make sure that occurs.