Decentralized ID Adds New Firepower To Fight Against Digital-First Fraud

Sometimes a group of companies in the same industry, fighting for the same dollars, decide that maybe cooperation beats competition.

Look at EMV, in which a consortium of payments companies and banks came together to secure credit transactions. Or look at The Clearing House, in which a group of financial services companies are putting their resources together to bring real-time payments to the masses.

One such group has been fighting for better online authentication and against passwords since 2012. The FIDO Alliance (in which FIDO stands for Fast ID Online) was formed to address the lack of interoperability among strong authentication technologies, and to remedy the problems users face with creating and remembering multiple usernames and passwords.

One of the group’s key members, LoginID, has had an active year as online authentication reached critical mass with the shift to the digital-first economy. As LoginID Co-Founder and CEO Simon Law told PYMNTS in an interview, eliminating the password will help online authentication and stop a lot of the identity fraud that is out there.

The conversation came against the backdrop of Microsoft’s announcement earlier this month of Microsoft Azure Active Directory (Azure AD) verifiable credentials. The service, in public preview, helps organizations running on Microsoft’s platform issue digital claims about identity attributes based on the Verifiable Credentials and Decentralized Identifiers open standards, per the company’s announcement. That digital claim can, in turn, be used to verify identities across organizations as they secure applications, or to accelerate and streamline user onboarding, among other processes.

That decentralized identity helps securely advance single sign-on processes, Law said. At a high level, embracing the second set of standards from FIDO, commonly known as FIDO2, in the drive toward a passwordless future (through WebAuthn and CTAP2) should be relatively seamless.

“It’s easy for the end customer to adopt a solution because it is extremely simple,” Law said. “And they are used to that [passwordless] experience, especially if they have unlocked their mobile device through their fingerprint or face.”

The other side of the equation lies with the enterprise adopting the solution. In that case, said Law, firms may have access management systems in place, or have not upgraded or moved all of their identity information to a central repository.

“A lot of times, it’s about moving existing solutions into the latest and greatest technology,” said Law.

Solutions providers (such as LoginID, with OpenID Connect) integrate with existing legacy solutions to verify end user identities, he said.

In some cases, he said, enterprises can offload that responsibility to another entity that specializes in creating a vault around personally identifiable information (PII) and handling the compliance obligations that come with it. Helping companies upgrade their existing systems while keeping them compatible with existing deployments can lead to better authentication efforts on a wide scale.

Identity Control

More robust protocols give consumers better control over their identities. Law told PYMNTS that all too often, individuals lose control of their online identities as they’ve become victimized in phishing attacks or account takeovers, a problem that has hit financial services providers especially hard.

“With the advent of FIDO and WebAuthn, you make the authentication simple,” said Law. “Instead of using a [one-time password (OTP)] text message, you use a fingerprint or your face.”

Moving away from the password and toward the single sign-on — with its federated approach across different web properties — still needs identity attestation (part of the Microsoft announcement), which in turn will require firms to consider their know your customer (KYC) processes.

But adoption of the single sign-on process also will require that companies get a bit better acquainted with biometrics. There are several forms of biometrics, said Law, and it’s important to understand the nuances of each category. In the FIDO (WebAuthn) case, the biometric template is stored on the user’s local device, in what is termed a secure enclave or trusted execution environment, rather than on a server.

“It’s pretty secure because it is really hard for you to hack into that device because you would have to have physical control of it,” Law said.

There are other non-FIDO cases in which the biometric is stored on the server side, underscoring the importance for companies that use that model to store the template information as securely as possible — lest the server become a “honeypot” for fraudsters.

A new FIDO specification, FIDO Device Onboarding, said Law, allows original equipment manufacturers (OEMs) to incorporate stronger authentication directly into devices as they are manufactured. Those devices can, eventually, be “bound” to a user’s identity — boosting the security of the Internet of Things (IoT) ecosystem.

He also noted that with the new draft specifications of FIDO, among the most exciting is the secure payment confirmation extension for WebAuthn, which leverages the security of the hardware and biometrics when transacting with cards over eCommerce channels.

“You can use the hardware and the biometrics to prove that you are who you say you are, and that you approve the transaction,” said Law.