Despite all the recent technological improvements and connectivity advancements that aid us in our daily lives, one fact still threatens the stability and security of the whole enterprise: half of us still reuse our passwords.
It may feel like a minor issue that is relatively simple to fix; however, it is far more threatening and possibly more harmful than it may seem.
The consumer is not to blame for firmly entrenched passwords. Stakeholders need to teach people about the convenience factor of the FIDO and FIDO2 authentication standards. Security, privacy, and deployment have almost entirely been satisfied as secure passwordless logins are supported by all major operating systems and internet browsers.
While the FIDO and FIDO2 strong authentication standards are present in nearly all devices, they are not always prominently displayed on websites. The FIDO Alliance UX Task Force, however, has put together specifications for what that end-user experience should look like.
With a coherent experience in place, consumers will realize that multifactor authentication can be an essential part of a positive eCommerce experience.
Consumers will appreciate the benefits of using device biometrics instead of having a password keeper or reusing passwords.
That will be even more the case for payments, and as delegated authentication programs emerge over the next year and beyond. Merchants will flock to passwordless authentication and aid in the needed consumer education in a virtuous cycle.
Multifactor authentication and high-tech identity functions are super useful during onboarding.
If the consumer can log in by presenting a biometric instead of having to fill out the same form over and over again, then they are going to experience a lot of improvements in security and convenience. Simultaneously, issuers and merchants will see decreasing instances of “drop off” when consumers first come into contact with sites.
The intersection of authentication and identity occurs where multifactor authentication in FIDO/FIDO2 and a strong identity (with valid ID info provided by the user) come together. One can visit a website or app and easily authenticate with their biometric/FIDO, which is now tied to their identity, and the website can say yes, “that’s you.”
This process gives the consumer much greater control over their privacy because they get to decide who sees their information.
Yet right now, some hurdles still exist. Many financial institutions (FIs) and banks are still not utilizing liveness detection in their biometrics. Given the rapid growth in remote onboarding activity, biometrics can still be useful as long as they also leverage liveness checks.
If someone visits a website and swipes their finger using FIDO/FIDO2, that is an example of a liveness check. The swipe provides a credential back that can be reused. And if a fraudster tries to generate an account 30 times in 15 minutes, financial institutions can be alerted to a velocity attack without incurring costs or friction down the road. Additionally, onboarding activity not tied to a smartphone could indicate a bot attack.
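The velocity check described above, as an added example that is not code from LoginID or any FIDO library: a sliding-window counter keyed on the credential returned by the FIDO/FIDO2 ceremony, using the article's figures of 30 attempts in 15 minutes. The event tuple layout, the credential IDs and the account names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # window quoted in the article
THRESHOLD = 30                  # attempts quoted in the article


def detect_velocity(events, window=WINDOW, threshold=THRESHOLD):
    """Scan onboarding events that are sorted by time.

    Each event is (timestamp, credential_id, account); credential_id is None
    when no FIDO authenticator was presented (hypothetical event shape).
    Returns (alerts, unbound): alerts maps credential_id to the time the
    threshold was first reached; unbound lists accounts with no credential.
    """
    recent = defaultdict(deque)  # credential_id -> timestamps inside window
    alerts, unbound = {}, []
    for ts, cred, account in events:
        if cred is None:
            unbound.append(account)  # not tied to a device: review as possible bot
            continue
        q = recent[cred]
        q.append(ts)
        while ts - q[0] > window:    # evict attempts older than the window
            q.popleft()
        if len(q) >= threshold and cred not in alerts:
            alerts[cred] = ts
    return alerts, unbound


def sample_events():
    """Constructed sample data, not real logs."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # cred-A: 30 sign-ups 20 seconds apart (all inside one 15-minute window)
    events += [(t0 + timedelta(seconds=20 * i), "cred-A", f"a{i}") for i in range(30)]
    # cred-B: 30 sign-ups one minute apart (never 30 inside 15 minutes)
    events += [(t0 + timedelta(minutes=i), "cred-B", f"b{i}") for i in range(30)]
    # two sign-ups that presented no credential at all
    events += [(t0 + timedelta(minutes=5), None, "x0"),
               (t0 + timedelta(minutes=6), None, "x1")]
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    alerts, unbound = detect_velocity(sample_events())
    for cred, when in alerts.items():
        print(f"velocity alert: {cred} reached {THRESHOLD} attempts at {when}")
    print("no device credential:", unbound)
```

Keying the counter on the credential rather than on the IP address means a fraudster rotating addresses but reusing one authenticator is still counted as a single source.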
If a merchant or an issuer is not prepared to build and integrate FIDO/FIDO2 themselves, they can utilize a hosted service provided by companies like LoginID, which has developed easy-to-use APIs to integrate FIDO/FIDO2. All customer onboarding should begin with a finger swipe FIDO/FIDO2 authentication before taking any other steps in the process.
Such tech-savvy biometric-based security measures can make fraud prohibitively expensive, forcing fraudsters to take their ploys and attacks somewhere else. Fraudsters will conceivably need to pay individuals to stage attacks, as automated attacks will no longer be effective.
Strong authentication will grow to be more ubiquitous beyond onboarding and will start to be utilized for government services, but it will really find its niche in payments where real-time payments are increasing. It has been well reported that real-time transactions cannot be reversed, so counting on risk models alone becomes a weakness.
To help secure payments, LoginID has created a FIDO/FIDO2-certified transaction confirmation tool that acts as a digital signature. When checking out on a merchant’s website, the user is prompted to provide their biometric to confirm their purchase.
This digital signature backed by FIDO/FIDO2 protects both the consumer and the merchant by ensuring that the person making the purchase is who they say they are. The transaction confirmation with digital signature API is easy to integrate with just a few lines of code into any ecommerce platform.
As the Internet of Things (IoT) grows in popularity, all devices should be able to make or take payments for their owners. The FIDO Alliance recently released its standard for secure IoT device onboarding, which aids in the creation of a “secure channel” to initialize those devices and pair them with identities.
After solving authentication, one now has to solve identity, and identity is a far more difficult problem. The bright spot is that having strong authentication and identity tied together is going to create a wide range of new experiences.
LoginID, along with its partner AuthID, has a solution to the identity verification problem that allows for secure digital onboarding with liveness detection. The solution covers 9,000 plus documents from hundreds of countries, so no matter what the user’s nationality is, they’re covered. By performing identity verification and FIDO/FIDO2 authentication with LoginID, merchants and issuers can rest assured that they are not being defrauded.