Passwordless Experience – The FIDO Standards behind this

As security breaches continued to grab headlines over 2014, I was intrigued by new claims that not only could online security be improved for consumers, but it could actually become a more delightful user experience. The launch of Apple Pay has proven to us that this is possible.

With over 150 FIDO members, the Board of Directors alone reads like a Who’s Who List: Alibaba/Alipay, ARM, Bank of America, CrucialTec, Discover Financial Services, Google, Identity X, Lenovo, MasterCard, Microsoft, Nok Nok Labs, NXP semiconductors, Oberthur Technologies, PayPal, Qualcomm, RSA Security, Samsung, Synaptics, Visa, and Yubico.

Keen to understand what attracted so many key players, I was delighted to have an opportunity to interview Executive Director of the FIDO Alliance, Brett McDowell, to understand more about how all this works and what changes we are likely to see in the world of payments because of this.

 

Brett, I’ve heard so much about FIDO as the standard behind high profile launches of 2014, and am keen to understand more. Could you share a bit about yourself and your mission at FIDO?

 

clip_image002

I am currently the Executive Director of the FIDO (Fast IDentity Online) Alliance which I helped to found in July 2012, when I was the Head of Ecosystem Security at PayPal, to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. At the FIDO Alliance, we are changing the nature of online authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online and mobile services.

Previously I spent several years at PayPal where, as Head of Ecosystem Security, I was tasked with developing strategies and leading initiatives to make the Internet a safer environment for PayPal and its customers. I spearheaded authentication strategy, including working with global policy makers to evolve best practices in strong authentication regulation. Prior to joining PayPal I spent several years as Executive Director of industry standards organizations, including Liberty Alliance and Kantara Initiative, which produced standards and accreditation programs in the field of digital identity.

At the FIDO Alliance, our mission is tightly scoped to producing open standards and industry adoption programs that enable implementers to change the nature of online authentication by improving user experience while simultaneously providing better security in a very privacy-respecting manner. We just released the final FIDO 1.0 specifications at the end of 2014.

 

Why did you feel standards were needed relating to strong authentication, and how does this differ from traditional authentication?

 

clip_image004So, “traditional” is an interesting word in the context of strong authentication, as the concept has not gotten a tremendous amount of adoption, especially not from consumers. Before FIDO authentication, if you were an online service provider, in order to authenticate your users, you would typically use username and password. If you wanted more security you had to add another authentication factor from a set of options that were not necessarily designed for ease-of-use. The “historic” approach to multi-factor authentication, or “strong authentication” as it is often called, combines “something you know” (like a password or other form of “shared secret”) with another factor, such as “something you are” (a biometric for instance) or “something you have” (such as a token or physical device). The industry norm in 2011-2012, before FIDO authentication was announced, was username and password as the ubiquitous first-factor, and the second factor, if there was one, was typically a 6-digit one-time-use passcode. You’d get the second factor through an SMS to your mobile device or create it on a specialised hardware device or copy it from a code-generating mobile app on your smartphone. This 6 digit number- the one-time password (OTP) - is called a security token.

The first problem with OTP -- and one of the many issues that FIDO authentication inherently addresses -- is usability. The first word in FIDO is fast, and it helps to explain why FIDO technologies became so disruptive so quickly. We are not about bolting on extra security that puts the burden on the user. We are about delivering an end-to-end innovative approach to authentication through a new, open, online cryptographic protocol that enables best-of-breed device-centric authentication to be used for online access.

 

How does the FIDO UAF Architecture enable online services and websites to leverage native security features of devices and what problem does this address?

 

From the payments perspective our standards enable a better user experience – faster, more secure, privacy respecting and easier-to-use. An example is, Samsung has enabled a number of payments applications using FIDO to allow a user to simply swipe a finger across a sensor on their smartphone or tablet. This is arguably easier than everything else in the market, certainly easier than passwords.

Although the concept of strong authentication has been around for a while and pretty well adopted by pockets of the enterprise market, it has not achieved widespread adoption beyond the enterprise because it has lacked the means to achieve interoperability among systems and devices; FIDO authentication standards enable any strong authentication method, what we call “authenticators”, to interoperate with any online service, independent of solution vendor or device.

Without interoperable strong authentication, you are left with the classic “token necklace” problem; wearing specialized security tokens, often around your neck with your security badge at work, for each online service that requires strong authentication because you cannot use any one of them to authentication into the other online applications. This is because “traditional” strong authentication relied on proprietary centralized servers (closed systems) connecting authenticators in the hands of users to proprietary server side functionality. Limited in both reach and function, strong authentication solutions have been neither open nor interoperable, until FIDO UAF and U2F 1.0 standards , which have opened the door for ubiquitous strong authentication through “net effects” that only emerge from an open ecosystem.

 

Is this interoperability issue something you address through UAF and U2F?

 

Yes, both UAF and U2F protocols, applied to devices, client software and online servers, produce entirely interoperable strong authentication. What the FIDO Alliance founders introduced first was the Universal Authentication Framework (UAF) protocol. This solves pain points around first-factor authentication because it is designed to replace the password, usually (but not exclusively) with a biometric factor that is retained only locally on the user device, never shared centrally or in the cloud. FIDO UAF is a strong authentication framework that enables online services and websites, whether on the open Internet or within enterprises, to transparently leverage native security features of end-user computing devices. In a FIDO ecosystem online service providers can easily achieve strong user authentication, and free users from creating and remembering more online credentials, simply by leveraging existing FIDO devices to authenticate at their sites and to use their services, such as mobile payments where UAF has seen early industry adoption.

If you are going to offer a replacement for passwords, you need a robust mechanism that isn’t based on the same “what you know” shared secret security design that has been the bane of password systems of late. We decided upon asymmetric public key cryptography, which uses a private key paired with a public key for each authenticator registration. However, we knew that putting the private key in the server could create vulnerability and undesired externalities in the case of a breach. We wanted to get to a model that would have no secrets on the server side. With FIDO authentication, the server holds a public key, but the private key is held only by the individual’s personal device, such as a mobile phone, and is never shared outside of that device. We saw the opportunity to make 1st factor authentication both easy & more secure by relying upon existing device-specific user verification methods being embedded in smartphones, tablets and PC’s. FIDO UAF then enables those local device authentication methods to be used securely online.

We found that before FIDO authentication, existing strong authentication options had very low user acceptance rates, sometimes less than 3% of users choosing to register for strong authentication when it was available as an option. The user acceptance of natural authentication methods that don’t tax the user’s memory or require extra steps in the process have been far more successful as seen by the increased number of people opting to lock their phone with gesture locks, 4 digit pin codes, and now biometric sensors like fingerprint sensors. However, under FIDO UAF, fingerprints are just one of many biometric options supported by the protocol- iris scanning, voice recognition, and behavioural sensors from wearable devices, are all supported in FIDO UAF.

We wanted a standard that could support any future authentication method, and support the industry in its drive to continuously innovate. Proprietary innovation happens between the device and user; this is where the industry can compete with differentiating solutions. FIDO standards come into play in the implementation between the device and the online service.

Another question is how online Payment Service Providers (PSPs) would know that the technique between device and user is trustworthy? FIDO standards incorporate the ability for online services like PSPs to set their own security policy defining the devices or device characteristics they want to trust. The members of the FIDO Alliance wanted a solution set that enabled trust between all devices and all services, but didn’t mandate it. They want a solution to be flexible enough to leave the trust decision in the hands of the online service provider who is in the position of making the risk decision related to any authenticated transaction.

 

We have discussed UAF in some detail. What then is U2F and where does it fit in the FIDO ecosystem?

 

FIDO U2F authentication addresses a totally different use case. FIDO UAF provides a simpler, stronger 1st factor authenticator where U2F provides a simpler, stronger 2nd factor authenticator. FIDO U2F does not replace the password but instead replaces the second factor and enables a simpler form of password, like a short PIN number, because the security burden can now be placed on the FIDO U2F authenticator and not the password. FIDO U2F has already been deployed by Google Accounts and now ships in all Google Chrome browsers.

So far the implementations of FIDO U2F authenticators are in the form of external specialized devices, but these capabilities could be embedded directly in handsets or other form factors in the future. What separates FIDO U2F security tokens from the OTP tokens discussed previously is that one device will work with any FIDO U2F server, regardless of vendor solution or device manufacturer. Another key differentiator is the phishing resistance inherent in the FIDO U2F standard. A FIDO U2F user cannot be tricked into giving a secret to a fraudster the way they can in a OTP use case.

Yubico and Plug-up are the two primary providers of U2F-enabled devices today, which work by being inserted into a USB slot. NFC and BLE support for U2F tokens is coming soon and will accommodate U2F devices for use with devices that don’t have USB slots.

To learn more about all the UAF and U2F FIDO Ready™ implementations please visit our website where they are all listed along with the profiles they support.

 

This is very interesting and thanks for helping to make our online experiences easier as well as more secure. Do you have any final message for us?

 

One thing I’d like to emphasize is the relationship between authentication and payments. Payments is just another application that requires strong user authentication. FIDO standards can be used for a whole variety of use cases that require strong online authentication… for healthcare applications, airline bookings, gaming, banking, enterprise use cases and anything that requires a user to authenticate online. The reason we saw the first adoption in mobile payments is because that industry segment had the greatest amount of pent-up demand for faster, easier strong authentication from mobile devices where typing passwords was the least convenient option.

The second topic I would like to emphasize is the relationship between FIDO standards and government regulation around strong authentication. Sticking with the payments example, you recently asked me about how FIDO UAF could be used to meet the criteria developed by regulatory regimes such as the EBA Guidelines. Though an analysis of exactly how a FIDO UAF implementation could meet the requirements of this specific regulation is beyond the scope of this interview, most multi-factor regulatory regimes are looking for two or more of a “what you know”, “what you are”, or “what you have” authentication factors. In just the example we see in the market already on Samsung Galaxy® devices, it may appear there is only a single “what you are” factor being offered by the fingerprint sensor, but there is also a “what you have” factor due to the secure protection of the private keys on the device, resulting in a multi-factor authentication event from a single user gesture. The Privacy and Public Policy Working Group in FIDO Alliance is going to make a concerted effort to educate regulators across various industries and geographical regions in 2015 to help them understand how to apply FIDO authentication to the markets they oversee.

 

Thanks Brett and I wish you the very best for all the further innovation that you plan in this very important space!


image

Brett McDowell currently serves as Executive Director of the Fast IDentity Online (FIDO) Alliance, the organization Brett helped establish in 2012 to remove the world's dependency on passwords through open standards for strong authentication. Brett is also an advisor to Agari and the Bitcoin Foundation.

Previously, Brett spent several years at PayPal where, as Head of Ecosystem Security, he was tasked with developing strategies and leading initiatives to make the Internet a safer environment for PayPal and their customers.

 


Charmaine Oak

Author of The Digital Money Game, co-author Virtual Currencies – From Secrecy to Safety

DMGCovervcbookcover

http://www.linkedin.com/in/charmaineoak

Join me on Twitter @ShiftThoughtDM and The Digital Money Group on LinkedIn

Increasingly large businesses forming in China to serve the needs of increasingly smaller businesses

 

After Alibaba successfully floated a record-breaking $25 billion IPO one of it’s first initiatives is consolidation of a number of its financial services initiative under an umbrella private bank set up in China. The business is to focus on serving the needs of small businesses. MSME business is a largely unserved and promising area, but how will large groups such as Alibaba balance innovation as they scale to address this segment?

 

 

china

 

While a lot of focus has been rightly given to the unbanked and the under-banked, I believe not enough has been done to address the needs of businesses that have are growing increasingly smaller and have distinctive requirements. When Square brought out the Square reader in 2011 it opened the floodgates to a whole new set of MPOS services and rapidly commoditised that market. Yet businesses such as my own struggle to effectively take small payments in multiple currencies without the help of a massive organisation behind us with dedicated functions for this. Alipay spotted this opportunity and grew very rapidly, supporting such businesses in acquiring payments and managing the complexities that innovative entrepreneurs in China faced.

 

In China there is now a new trend towards the formation of private banks. Alibaba has recently received a license from CBRC, as one of three recently established private banks. This development stems from the Communist Party of China pledge in November 2013 to increase the competition in the Chinese banking sector.

 

Now Alibaba’s Ant Financial Services Group (rebranded this month from Ant Small and Micro Financial Services Company) will bring together it’s diverse financial services businesses, focussed on the huge opportunity from businesses that are growing progressively small. These include:

  • Alipay, their main payments service provider
  • Yu’e Bao, a money market fund
  • Zhao Cai Bao, a financial services platform
  • Ant Micro, a micro-loan provider
  • Huarui: Shanghai-based newly formed private bank addressed as MyBank but English name still pending

Alibaba helps companies in the US find and use the services of really small merchants in China, and caters to their needs for payments, escrow services, P2P lending and more.

Along with 249 other businesses (from across sectors and including China Mobile), Alipay received a license as a payments service provider. It has initially focussed on adding mobile and offline channels to it’s popular Alipay online digital wallet. Now it is pulling ahead of the pack with it’s own bank MYBank, and consolidation of six different businesses that will together focus on the MSME Opportunity.

 

To my mind this raises a number of questions that we answer in our Digital Money in China and other recent reports:

  • Will Alibaba succeed to keeping the dynamism that allowed it to grow, as it grows into such a large business, and how will it cope with the responsibilities of being a bank and still adapting and growing to meet the unique requirements of MSMEs?
  • So far China had one private bank, China Minsheng Bank. Alibaba’s main competitor Tencent has also set up a banke, Webank. Which of the other 248+ recently licensed PSPs are likely to follow suit, and how will being a bank help or hinder them?
  • As Chinese companies increasingly go international, how can global brands be protected? In Europe MyBank has just been investing heavily in setting itself up as a pan-European initiative. MYBank is not yet finalised as the English name that will be used by Alibaba, but are there sufficient deterrents to prevent it from using this existing brand name? I see this as yet another example of how consumers may be confused as they seek to use services from increasingly global players.
  • Where does this leave PayPal as it leaves the protection of EBay and must compete with the likes of Alibaba and Tencent?
  • And most important of all, perhaps – are the needs of increasingly small businesses best met by increasingly large conglomerates, rather than community co-ops and MFI institutions as in the past?

Will Open-to-SMEs continue to be Alibaba’s Open Sesame?

 

For more about developments in China see: Disruptions in Digital Payments in China - What does this mean for you?

Contact us at contact@shiftthought.com for details on our Digital Money in China Viewport and other recent research.

viewport_china_2014

 


Digital Money in Retail –3 years on, where are the digital wallets now?–Blog 1

In mid 2011 we saw the launch/announcements regarding digital wallets from Google, Visa, MasterCard, American Express and many more. Would this mean the end of PayPal’s 10 year domination of this space? 3 years down the line let’s take a look at how these digital wallets fared.

 

image

In Mid-2011, led by Google Wallet, digital wallets became the new kid on the block. Shift Thought defines these as customer accounts that can hold stored value and allow users to make electronic commerce transactions.

It was recently reported that Google has no intention of giving up on its slow-growing wallet service or mobile payments, and amusingly it was reported “We have been doing this for a while ..And we’ll continue to keep doing this for a long while.”. By “this” I am sure they do not mean growing the wallet slowly. This piqued my curiosity. Where are the digital wallets now? What are the gains and losses?

In March 2014 Eat24, a restaurant delivery app which integrated with Google end November 2013, reported customers spend an average of 11% more when paying with Google Wallet. Subway was one of the first to accept the Google Wallet, offering the option in 5 markets since 2011. Jack in the Box also started testing Google Wallet in 35 of its restaurants in the Los Angeles and San Francisco markets in November 2011.

Now Google is reportedly changing the way they support contactless payments on the newest versions of Androids. This seems a good time to share our research on how each of the different digital wallets announced in mid-2011 have fared since then.

I’d like to share a bit about the landscape at the time when they launched, as a backdrop for discussing how this has changed, and the main initiatives we see today. In 2011, I created the figure below to explain in one page what the Digital Money ecosystem looked like then.image

There were 7 billion consumers making payments in the world at the time, which included payments between each other (P2P), to and from governments (P2G/G2P) and corporates (P2B/B2P). The figure shows the main industries and players that supported such payments.

In that year banks and money transfer operators were joined by new entrants to create a vastly different competitive market for payments. Alipay and Paypal led the world at the time, but expectations were high for the new Google wallet which offered a business model based on ‘Google Offers’, a targeted sales mechanism that sent promotions to smartphones. This was a scheme by which consumers and merchants benefited, but it raised concerns about personal data.

In the next blog posts I will look in more detail at each of the industries in this figure to see how they have moved on since 2011.