By Brett McDowell, Executive Director, The FIDO Alliance
With attacks shifting away from POS terminals to web and mobile channels, the risk of data breach and account fraud for online retailers is skyrocketing, but new global standards developed jointly by the FIDO Alliance and the W3C are being implemented by leading web browsers and consumer device manufacturers to help solve the problem.
According to the Global Fraud Index, account takeovers in Q2 2017 jumped 45% from the prior year, resulting in losses estimated at $3.3 billion for the quarter. Based upon its analysis of some 80 billion account behaviors each year, Mastercard’s NuData Security unit saw a 48.4% increase in fraudulent login attempts in 2016.
The root cause? The world has a password problem. The Verizon Data Breach report has stated that 80% of data breaches involve weak, stolen or default passwords.
Small wonder. Passwords and other shared secrets provide weak security, and are easily stolen and misused. The cyber black market is awash with hundreds of millions of stolen account, shared secret and identity credentials.
Compounding the risk, a shocking 55% of people use the same password everywhere, resulting not only in high fraud losses, but higher costs due to 119 billion false positives requiring a manual review of 29% of online transactions each year, according to Mastercard’s NuData.
Solving this problem takes a global alliance of major industry players to develop and deploy standards for simpler, stronger authentication, and make them available worldwide with the devices and online services people use every day. This is the mission of the FIDO Alliance—Fast IDentity Online. Its members include technology and commerce leaders such as Alibaba, Amazon, American Express, Bank of America, Facebook, Google, Intel, Mastercard, Microsoft, PayPal, Samsung, Visa and many more.
The FIDO Alliance has created technical standards and certification programs that have led to a robust marketplace of interoperable, strong authentication capabilities from security solution vendors and consumer electronics manufacturers. FIDO Authentication utilizes on-device, hardware-bound cryptographic keys in place of passwords, enabling retailers to greatly reduce the risk of credential compromise from social engineering, phishing and man-in-the-middle attacks. And, importantly, they can accomplish this while reducing friction in the user experience by leveraging “single gesture” capabilities in FIDO certified computers, smartphones and security keys; for example, offering users the option of simply touching their device’s fingerprint sensor, or looking at their camera vs. typing in their password.
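The phishing and man-in-the-middle resistance described above comes from two properties of the protocol: the private key never leaves the device, and what the device signs is a fresh, server-issued challenge bound to the web origin the browser is actually talking to. The following Go program is an added illustration of that challenge-response model; it is not code from the FIDO Alliance or from any FIDO specification, and it simplifies WebAuthn considerably (no CBOR authenticator data, no clientDataJSON, no attestation). The relying-party ID `shop.example`, the origins and the challenge encoding are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the on-device key store: one key pair per relying
// party, and only signatures (never the private key) ever leave it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // rpID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair scoped to rpID and hands back only
// the public key, which the relying party stores against the user's account.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a login challenge. origin is the site the browser is really
// connected to; it is mixed into the signed data, so an assertion produced on
// a lookalike site cannot be relayed to the genuine one. (Real browsers go
// further and refuse to use a credential whose rpID does not match the origin.)
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(origin, challenge))
}

// assertionDigest binds origin and challenge into one hash. The zero byte
// separates the fields so no pair of values can collide with another pair.
func assertionDigest(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the retailer's server side: it issues single-use challenges
// and checks assertions against the stored public key and its own origin.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
	pending    map[string]bool // outstanding challenges, each valid once
}

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Verify accepts an assertion only if the challenge is still outstanding
// (defeating replay) and the signature covers this RP's own origin
// (defeating a relayed, phished assertion).
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	if !rp.pending[string(challenge)] {
		return false
	}
	delete(rp.pending, string(challenge))
	return ecdsa.VerifyASN1(rp.pub, assertionDigest(rp.Origin, challenge), sig)
}

// Demo runs three scenarios and reports whether each assertion was accepted:
// a genuine login, an assertion signed while the user sat on a lookalike
// origin, and a replay of the genuine assertion. Expected: true, false, false.
func Demo() (legitOK, phishOK, replayOK bool, err error) {
	auth := NewAuthenticator()
	rp := &RelyingParty{ID: "shop.example", Origin: "https://shop.example", pending: map[string]bool{}}
	if rp.pub, err = auth.Register(rp.ID); err != nil {
		return
	}
	c1, err := rp.NewChallenge()
	if err != nil {
		return
	}
	sig1, err := auth.Sign(rp.ID, rp.Origin, c1) // browser is on the real site
	if err != nil {
		return
	}
	legitOK = rp.Verify(c1, sig1)

	c2, err := rp.NewChallenge()
	if err != nil {
		return
	}
	sig2, err := auth.Sign(rp.ID, "https://shop-example.test", c2) // constructed lookalike origin
	if err != nil {
		return
	}
	phishOK = rp.Verify(c2, sig2)

	replayOK = rp.Verify(c1, sig1) // same assertion presented a second time
	return
}

func main() {
	legit, phish, replay, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine login accepted: %v\nphished assertion accepted: %v\nreplayed assertion accepted: %v\n", legit, phish, replay)
}
```

Because the server stores only a public key, a breach of the retailer's credential database yields nothing an attacker can log in with, which is the contrast with the stolen shared secrets described earlier in the article.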
FIDO Authentication is already available to retailers using FIDO Certified SDKs to add this ability to their mobile apps running on flagship smartphones across Android and iOS platforms. Now, leading web browsers such as Chrome, Edge and Firefox are building in support for FIDO Authentication this summer and fall, with more browsers expected next year. To expand consumer coverage beyond web applications, Google and Microsoft are now building support for FIDO directly into Windows 10 and Android to ease adoption for native apps going forward. This means retailers can FIDO-enable their mobile apps and websites, leveraging the same future-proof standards-based infrastructure and associated low implementation costs, and immediately benefit from a large and rapidly growing ecosystem of FIDO compatible devices their customers already have.
The Alliance is also working with EMVCo to determine how FIDO Authentication can be added to 3D Secure messages, helping to further reduce the number of 3DS transactions that require step-up authentication. The timing for this collaboration could not be better as retailers look forward to leveraging the functionality of 3DS 2.0.
In addition to its standards, the FIDO Alliance also supports the market with certification testing services to ensure all of the parts of the FIDO ecosystem work together successfully. These services are now being extended with more granular security levels (perfect for 3DS use cases), so that organizations that rely on FIDO Authentication can have more precise information on how an online transaction is authenticated to better inform their risk scoring decisions.
The upshot is that innovation which improves both customer experience and transaction security is now widely available through the power of open standards and consumer platform adoption. The time is now for merchants to FIDO-enable their authentication infrastructure and reverse the trends in account takeovers and data breaches. Learn more about how your organization can take action at www.fidoalliance.org.