This post explains why and how you should deploy strong customer authentication (SCA) to protect your user accounts. SCA deployment is a process rather than an event. Great user experiences and messaging are the keys to a successful deployment.
In this post you will find a short guide on what FIDO stands for, why consumer financial institutions, FinTechs and payment networks are adopting FIDO, and how to get started with it.
Improve real and perceived security
Account takeover is the worst user experience. Consumers feel vulnerable and betrayed by a service that they trusted. One recent survey showed that “just over 10% of consumers reported an incident of fraud in connection with their digital debit and credit card accounts.” [4] While direct fraud losses may be manageable, brand damage and the loss of valued customers are more difficult to measure; McKinsey & Company estimates that only 10% of total fraud costs are direct fraud losses. Many consumers will close their accounts after an account takeover, so the bank loses the future lifetime value of the account. Consumers who experience an incident will tell their friends about the poor security. Bad news travels faster and farther than good news, so a single event can wipe out years of brand loyalty.
Unfortunately, most account takeovers are the result of consumer behavior: weak passwords like L3tm3in!, reuse of passwords across many accounts, and falling for phishing scams and malware. Internet sites are somewhat unfairly blamed for this behavior, but if the consumer has no better alternative than passwords it is not entirely their fault.
Passwords are a liability for banks because 72% of consumers re-use the same password across multiple accounts. [2] With over 11 billion pwned accounts, every time a user chooses a password it is likely that the same password is already available online for any attacker to find. Account takeover fraud losses in the USA alone reached a record $712B [3], a growing concern for retail banks. Allowing consumers to access their accounts with stronger authentication methods such as FIDO2 passwordless authentication protects the bank against account takeover, loss of customers and brand damage.
Consumers are aware of security options and better account security builds brand loyalty:
“72% of digital account users say that seamless logins will increase their trust in a service provider, while 69% and 66% say that this will boost their affinity and loyalty, respectively.” [4]
Better strong customer authentication allows banks to expand their online digital capabilities. FIDO is the new authentication security standard that addresses the weakness of passwords. FIDO standards rely on standard public key cryptography to eliminate security and privacy vulnerabilities. It eliminates the risk of man-in-the-middle and phishing attacks, allowing banks to expand their online digital offerings and increase transaction limits for consumers, for example for FX transactions or wealth management.
With FIDO strong authentication, consumers can step up sensitive transactions with the right level of friction. FIDO provides a reassuring level of security with the familiar biometric authentication, using the finger or face recognition native to the device. Studies from the FIDO Alliance showed that consumers have more trust in biometric authentication than in any other authentication scheme. Fraud has many faces, and friendly fraud or liar-buyer fraud is usually the hardest to identify. LoginID supports Transaction Confirmation using FIDO to confirm suspicious purchases with a digital signature. The consumer sees the transaction value and swipes their finger, which binds the consumer's authentication to that specific transaction and eliminates friendly fraud with cryptographic proof of the payment.
This prevents family members from using the account without permission and provides proof if someone gets buyer’s remorse later. Consumers that have confirmed a transaction with their biometric are much less likely to even attempt to lie about the transaction.
Better User Experience: Login Success
Low friction experiences are an important factor in digital success. FIDO removes the need to even enter a password. Just swipe or smile to complete your purchase.
“86% of Americans want to use biometric security to verify their identity or authorize payments.” [6]
Once FIDO is connected to the consumer’s favorite merchant account, they won’t need to remember a password. If they can’t remember their password many consumers defer or go to another merchant site instead of going through the password recovery flow. This transaction abandonment is lost revenue for the merchant.
A good authentication experience won't win you a new customer, but a poor one can lose you one. Even with the correct password, suspicious transactions may trigger the need for step-up authentication such as SMS OTP. The phone number may not be current, or delivery may take too long or fail. If customers are not able to complete a step-up challenge successfully they get frustrated and annoyed. Satisfied customers are twice as likely to spend more on their cards than unsatisfied customers. [6]
“72%: share of digital account users who say that seamless logins will increase their trust in a service provider.” [7]
An increase in MFA (multi-factor authentication) success rates increases customer satisfaction. FIDO authentication makes it easy for consumers to authenticate on any device: mobile, tablet or desktop. It also eliminates the SMS delivery failure risk. FIDO Alliance case studies show an increase from 80% to 99.9% in successful MFA compared to SMS OTP. In addition, FIDO standards reduce MFA time by 20% compared to SMS, providing a best-in-class user journey.
Consumer Privacy
FIDO2 passwordless authentication protects consumers and your bank from third-party applications that use consumer credentials to scrape consumer accounts and resell the data. Because there is no password for a third-party application to replay, FIDO authentication prevents such applications from impersonating the consumer, thereby protecting consumer privacy.
Reduce password reset calls
Password reset is usually the number one reason online customers call the call center. Since consumers do not need to remember passwords, or where they wrote them down, there is nothing to forget. FIDO Alliance case studies have shown that password resets went down from 65% to 7% when switching to biometric authentication. The reduction in password resets reduces the bank's costly call center fees.
LoginID’s approach allows the consumer to verify and connect multiple devices to a single identity. By connecting several devices to their account the consumer is protected against the loss of a single device. For example, if the consumer’s phone crashes, they can use another device like their PC to connect their new phone to their account.
FIDO and PSD2
FIDO is a perfect fit for PSD2 Strong Customer Authentication (SCA) and dynamic linking requirements.
FIDO authentication meets the two-factor requirement because it validates:
- “something you have”: your device; and
- “something you are”: your biometrics; or
- “something you know”: a PIN or device password.
Furthermore, for dynamic linking, FIDO authentication provides Transaction Confirmation, which binds the user authentication to the payment information. LoginID Transaction Confirmation generates an authentication code that digitally signs the transaction, including a payload with the payment information (amount, currency and other fields) and the payee's FIDO identifier. LoginID can verify this signed transaction later if there is any dispute.
Who is using it?
Leading innovative retail banks and payment networks such as BBVA, Bank of America, TD Bank and Visa have started rolling out FIDO authentication for their users. For retail financial service providers, FIDO offers convenient authentication and real-time fraud prevention to keep consumers safe from identity theft and account takeover.
How to get started:
Changes to the user experience can be challenging and demand careful analysis. Here are some recommendations for a successful implementation of FIDO authentication:
- Phased implementation
- Messaging to users: what, when, how
- Changing the user experience
- Connecting multiple devices
1. Phased implementation:
Select pilot: Test the technology with a pilot in which employees use the new authentication method.
Roll out: Prioritize which users to roll out to first:
- Power users: users who log in constantly and would immediately benefit from the reduced time to log in or perform transactions.
- High-risk users: users who are high risk because they have a high net worth in the account or tend to perform high-risk activities (e.g. FX transactions).
- Attacked users: users who have been victims of account takeover or identity theft and need higher levels of security for their authentication.
- SMS failures: users who constantly struggle with SMS delivery.
Determine device eligibility: Roll out to all users that have FIDO-supported devices. LoginID provides easy-to-integrate solutions that let clients detect whether or not users are on devices that support FIDO authentication.
2. Messaging to users: what, when, how
Explaining the benefits and implications of the transition to FIDO authentication to prospective users is key to encouraging adoption.
When: There are three main touch-points to promote awareness of the availability of FIDO authentication:
- New account creation: invite new users to enable FIDO authentication from the beginning, requesting device registration during onboarding.
- Existing users after authentication: if the user already has an account, the best moment to enable FIDO authentication is after a secure, low-risk authentication, e.g. from a known location. After the user completes a successful authentication you can invite them to register the device and enable FIDO authentication.
- After a step-up: if the user is required to undergo step-up authentication for a transaction, include a call to action to enable FIDO once the transaction has completed successfully. This offers the user a faster and more convenient alternative to the experience they just went through.
Invite users to register for FIDO multiple times; as users become aware of the alternative they become familiar with it and trust it. Try different messages focused on convenience and security over time, because different messages will resonate with different users. The FIDO UX guidelines suggest that some users require multiple exposures before adoption.
What: The FIDO Alliance UX guide suggests two styles of invitation for users, “Simple” and “Optional”. The suggestions are the result of deep research and user testing on how to get the message across to the user:
- Simple: “You’re eligible for a simpler sign-in! Learn how you can skip your password the next time you sign in. Register now.”
- Simple: “Tired of passwords? Register now.”
- Simple: “Do you want more account security? Register now.”
- Simple: “Do you want faster login? Find out more…”
- Optional: “Add an easy and safe way to access your account. Register now.”
Provide a user with a link or pop up with more details about why they can have better security and a better experience.
Give users control: always reassure users that they can revoke FIDO authentication and control the devices associated with their account.
Privacy: Offer users information about FIDO and privacy statements that show how their biometrics are always protected and never leave the device.
On demand, offer users answers to frequent concerns. FIDO Alliance tested messaging includes:
- FIDO is a technology built into all leading desktop devices (PC and Mac) and browsers, that allows users to sign in securely without a password.
- In the same way your phone uses a biometric, FIDO now enables biometric sign-in on websites viewed on your desktop too.
- FIDO makes sign-in easy, safe, and private!
- FIDO technology uses your computer's built-in authentication method (i.e., Windows Hello or Apple Touch ID) to ensure your sign-in information stays safe from hackers because it never leaves your computer.
- Your face or fingerprint is secured on your device. It is never sent to the cloud, so it can’t be stolen there. FIDO security makes sure that it can’t be extracted from the FIDO device, so even if your device is lost or stolen you have no worries.
- Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your sign-in information over the internet. When you use FIDO, a unique one-time code is sent from your device that can’t be intercepted or ever used again, unlike passwords, which are the same each time and can be intercepted.
- Registering with FIDO provides you with an additional sign-in option for this device — your password remains valid.
- Leading companies worldwide in retail, telecommunications, finance, and technology are already using FIDO.
How: Iconography: FIDO Alliance testing has demonstrated that users are familiar with the iconography of their device platform. For example, Android and PC users recognize generic fingerprints for biometric identification, and Apple users recognize the Apple Touch ID or Face ID icons.
FIDO branding: FIDO branding supports the user’s awareness and trust across platforms, apps and websites. Reassure users of their safety by using the FIDO branding in your communication with them, independent of platform, OS or device. If you are using a FIDO Certified solution like LoginID, you will be able to use the FIDO branding on your web pages.
For more useful information, check the FIDO UX guidelines.
3. Changing the user experience
Passwords have been the primary authentication mechanism for more than 40 years. Since FIDO authentication is a new user experience, how it is added to the current experience is a key component of successful adoption. The FIDO Alliance has provided user experiences as good examples as a starting point. Some experimentation using A/B testing and measurement may be required to identify the best messaging and user experience for a website. PC web experiences are more diverse because there are more device types, authenticator types and different web flows. Fortunately, consumers have become accustomed to using their finger or face on their mobile devices as a starting point. The FIDO user experience can start as an alternative to passwords, but then become the preferred primary authentication method for enrolled users.
4. Connecting multiple devices
FIDO protocol authentication validates against the hardware of the device, meaning that a user needs to register every device. A good practice is to have the user register multiple devices, which provides recovery and fallback options for when they lose access to one device. LoginID has made it easy to securely transfer trust from a first device to other devices owned by the consumer. Furthermore, it is important to offer out-of-band authentication with a primary device for when a user wants to authenticate on a temporary device such as a friend's device or a public device. For example, when a user attempts to log in from an unknown or untrusted device, they can receive an email or SMS and confirm the access with FIDO on their trusted device using LoginID-generated temporary codes. This approach removes the need for the user to enter their password into a suspicious device or a device they will only use once.
What is FIDO?
The FIDO Alliance published a protocol that is becoming the go-to standard for authentication across the globe and is making passwords obsolete. All major technology platforms and regulators are adopting the FIDO protocol.
FIDO leverages the device's hardware security to provide protected authentication. It is compatible with all major browsers and operating systems, including those from Apple, Google, Microsoft and Samsung.
The FIDO protocol provides stronger authentication by using public key cryptography. FIDO provides a better user experience than more cumbersome authentication methods, such as hard tokens.
FIDO authentication is considered two-factor authentication (2FA), combining the device as “something you have” with a second factor, either user biometrics (“something you are”) or a device password or PIN (“something you know”).
FIDO makes the authentication a trusted experience for the consumer by using the device’s native authentication for biometrics. FIDO standards protect the user’s privacy as the user's biometric identity never leaves the device nor is accessed by the authenticating party.
How does FIDO work?
[Figure: the FIDO registration and login flows, in two panels titled REGISTER and LOGIN.]
To learn more about Implementing FIDO authentication contact sales@loginid.io
References:
1. https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/Risk/Our%20Insights/Financial%20crime%20and%20frau%20in%20the%20age%20of%20cybersecurity/Financial-crime-and-fraud-in-the-age-of-cybersecurity.pdf
2. FIDO Alliance
3. https://aite-novarica.com/report/us-identity-theft-stark-reality
4. Authenticating Identities in the Digital Economy, pymnts.com, December 2021
5. https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/Risk/Our%20Insights/Financial%20crime%20and%20fraud%20in%20the%20age%20of%20cybersecurity/Financial-crime-and-fraud-in-the-age-of-cybersecurity.pdf
6. https://www.computersciencezone.org/biometric-security/
7. PYMNTS-Authenticating-Identities-In-The-Digital-Economy-December-2021.pdf
8. https://fidoalliance.org/
9. https://fidoalliance.org/ux-guidelines/ux-guideline-pdf/#