By Brett McDowell, executive director of the FIDO Alliance
What is online authentication? For the sake of this article, online authentication is the process you either pass or fail when you present credentials to “prove” that you should be granted access to an online service or be authorised to approve an online transaction. The most common examples today are presenting a username and password to log in to an account and presenting payment card details to authorise a purchase.
To some, this simple process can seem like a small, almost insignificant aspect of our increasingly rich and complex experiences online. However, getting authentication right is the most important challenge facing security and fraud teams in the financial sector today, because of a combination of converging trends: growing customer demand to transact from an ever wider variety of internet-connected personal devices and biometric modalities; record-breaking growth in data breaches worldwide, driven by the commoditisation of password and one-time-passcode (OTP) exploits; and the pending PSD2 mandate for multi-factor “Strong Customer Authentication” of online transactions across Europe.
The problem with passwords
Attacks against today’s common “shared secret” credentials are effective in part because consumers, and even corporate employees, are easily tricked into handing those credentials to an attacker who has “spoofed” the app or website the user believes they are interacting with. The attacker then uses the stolen credentials, even short-lived OTPs, to authenticate to the real service while sitting in the middle between the legitimate user and the legitimate service; because the real service only sees a correct secret, it has no way to tell who presented it or through which site. The alarming truth, documented in a leading industry study, is that stolen, weak or default passwords were involved in 81 percent of hacking-related data breaches across all industries. This makes authentication the top-priority security problem for the industry to solve: when your credentials fall into the wrong hands, a cybercriminal can assume your identity, gain access to your online accounts, exfiltrate valuable personal information and transact in your name.
Today, our biggest authentication problem is that we’re still using yesterday’s approach and ignoring the ways in which technology has transformed both our habits and the options available to us. The traditional username and password combination has outlived its usefulness and is no longer fit for purpose as a security barrier between a user and their financial accounts, among other valued online resources.
The ‘always on’ consumer
With so many of our daily online tasks now carried out on personal devices such as laptops, smartphones and tablets, authentication must be quick, simple and convenient. Typing a username and password or a credit card number into the small screen of a mobile device is a hassle today’s consumer is decreasingly willing to tolerate. A number of user experience innovations offer viable alternatives that financial services can take advantage of if they manage the risks effectively. These include biometric modalities such as fingerprint, voice and face recognition, and portable security keys as a modern replacement for OTP tokens. Given that nearly all leading manufacturers have successfully adopted biometrics for unlocking our devices, consumers understandably expect the same experience when transacting online. These device-based capabilities are collectively referred to as “authenticators” and differ from passwords in replacing an arduous multi-gesture experience with a single gesture: touching a sensor (fingerprint or security key), looking at the camera (face or iris recognition) or saying a passphrase (voice recognition).
While biometric authentication in particular has gained a lot of consumer adoption for the convenience it offers, how is a financial institution supposed to use these technologies securely online, when they were originally designed simply to unlock a personal device locally and offline? Paradoxically, these new technologies are most effectively secured for online use by an old and reliable framework: public key cryptography. In this model the private key is the “secret”; it remains in the possession of the device and is never shared, while the corresponding public key, mathematically matched to that private key, is shared with and stored by the online service. To authenticate, the service sends a fresh challenge, the device returns that challenge signed with its private key, and the service checks the signature with the public key it holds. Because only the public key ever travels, and each signature covers a one-time challenge, the exploits that work against shared secrets such as passwords and OTPs (capture the credential, then present it yourself) simply don’t work: there is no reusable secret to steal from the service, and a captured signature is worthless against the next challenge. Authentication with these modern on-device credentials allows financial institutions to leverage the convenience and consumer adoption of biometrics while receiving very strong cryptographic assurance that the device attempting to authenticate is the same device the customer enrolled originally.
No shared secrets
Biometric modalities deliver a number of user experience benefits and can be secured by tried-and-true public key cryptography. That said, financial institutions investigating these technologies need to understand that not all biometric systems are built on this foundation, and the privacy and security implications of a biometric authentication system need to be carefully considered. Like any method that compares a presented sample against a stored reference, biometrics relies on matching an input to a held piece of original data. How that matching process is managed, and in particular where and how the identifying data is stored, raises a host of security and privacy questions. For instance, if the data is held in an online central database, the potential damage from a breach of that database could be considerable.
We’ve already witnessed biometric data breaches, and they underline the importance of getting biometric privacy and security right. More than five million sets of fingerprints were compromised in the breach of the US Federal Government Office of Personnel Management (OPM) a couple of years ago; the affected data belonged to US federal employees, contractors and other subjects of federal background checks. Similarly, the Philippine Commission on Elections fell victim to a cyberattack involving the personal data of up to 55 million people, including over 15 million fingerprint records. These events call out the dangers of large databases holding biometric information in its raw form. The preferred method is to derive a mathematical “template” from the raw biometric at enrollment on the device, which is what modern computer and mobile phone manufacturers do. Generally, the commercial biometric systems a financial services company would evaluate use this template method for storage. However, they often also store the templates in a central system, which opens the possibility of attacks at scale using biometric “spoofs” such as fake fingerprints and recorded or even synthesised voices. Examples of all such spoofs, also known as presentation attacks, exist in the wild today. While the biometrics industry continues to improve its presentation attack detection, often referred to as liveness detection, this is essentially an arms race with the advantage going back and forth between attackers and security features. The good news is that there are architectures that avoid this vulnerability to scalable spoof attacks and at the same time give users stronger privacy guarantees, by eliminating the need to share their biometric templates at all.
The best of all worlds is when the secure and convenient on-device biometric matching found across nearly all modern mobile devices is combined with public key cryptography, so that user credentials and biometric templates are stored on the user’s own device and never shared online. Bearing the aforementioned data breaches in mind, if individual user authenticators always stay on-device, the user never has to give away a private key, and the risk of credential compromise is reduced to attacks that start with physical theft of the user’s personal device. This is a game changer for the profit model of cybercrime, because such attacks do not scale and are therefore cost prohibitive in nearly all cases. Phishing, social engineering and the other common ways passwords are taken from users also stop yielding a usable credential: the private key is never typed or transmitted, and a signature obtained through a spoofed site is bound to that site, so it does not verify at the real service.
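The two models contrasted in this article, the relayable shared secret from “The problem with passwords” and the on-device private key plus server-held public key described above, can be played out in a few dozen lines. The following is an added illustration written for this page, not FIDO Alliance code and not a FIDO protocol implementation: it uses Ed25519 from the Go standard library, a hypothetical bank origin and user (`https://bank.example`, `alice`), a look-alike phishing origin, and a boolean `unlocked` standing in for the local biometric match. The server stores only public keys and single-use challenges; the authenticator signs the challenge together with the origin the client is actually talking to, which is what makes the relayed and replayed assertions fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// signedMessage is what the authenticator signs: the origin the client software
// is actually talking to, a zero separator byte, and the server's challenge.
func signedMessage(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append(append([]byte(origin), 0), challenge...))
	return sum[:]
}

// RelyingParty is the bank's server. It holds enrolled public keys only, plus a
// table of outstanding single-use challenges; nothing here is a reusable secret.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]ed25519.PublicKey // user -> public key sent at enrollment
	pending map[string]string             // hex(challenge) -> user
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]ed25519.PublicKey{}, map[string]string{}}
}

// Challenge issues a fresh 32-byte nonce for one login attempt by a known user.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(c)] = user
	return c, nil
}

// Verify accepts an assertion only if the challenge is still outstanding for this
// user (it is consumed here) and the signature covers this server's own origin.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if rp.pending[key] != user {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, key) // single use: a captured assertion cannot be replayed
	if !ed25519.Verify(rp.pubKeys[user], signedMessage(rp.Origin, challenge), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

// Authenticator lives on the user's device. The private key never leaves it;
// `unlocked` stands in for the local biometric match that gates every use.
type Authenticator struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

// Sign refuses without user verification. The origin is supplied by the client
// software, not typed by the user, so a spoofed site only gets its own origin signed.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("user verification required")
	}
	return ed25519.Sign(a.priv, signedMessage(origin, challenge)), nil
}

// RunScenario plays out a legitimate login, a phishing relay and a replay and
// returns the server's verdict on each (nil means accepted).
func RunScenario() (legit, phished, replayed error) {
	rp := NewRelyingParty("https://bank.example") // hypothetical bank origin
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // enrollment, on the device
	if err != nil {
		return err, err, err
	}
	rp.pubKeys["alice"] = pub                          // only the public key leaves
	auth := &Authenticator{priv: priv, unlocked: true} // Alice touched the sensor
	c1, _ := rp.Challenge("alice")
	sig1, _ := auth.Sign(rp.Origin, c1)
	legit = rp.Verify("alice", c1, sig1)
	// Attacker obtains a real challenge and relays it through a look-alike site;
	// the client signs the origin it actually sees, which is not the bank's.
	c2, _ := rp.Challenge("alice")
	sig2, _ := auth.Sign("https://bank-login.example", c2)
	phished = rp.Verify("alice", c2, sig2)
	replayed = rp.Verify("alice", c1, sig1) // c1 was consumed by the first login
	return
}

func main() {
	l, p, r := RunScenario()
	fmt.Println("legit:", l, "| phished:", p, "| replayed:", r)
}
```

Contrast this with an OTP: the server's check there is simply “does the code match”, so a code captured by a spoofed page and forwarded within its validity window is accepted. Here the same relay fails twice over, once because the signature covers the wrong origin and once because every challenge is consumed on first use, and a stolen server database yields only public keys.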
Technical, regulatory and habitual evolution
The financial sector is in a transitional phase, with organisations trying to get authentication right and keep up with the demand of their ‘always on’ customers. This is in addition to incoming regulation such as PSD2 that will call for tighter, multi-factor “Strong Customer Authentication” of online transactions across Europe.
As it stands, biometric modalities have huge potential to make authentication more convenient, simple and secure. They are intrinsically personal to an individual, easy to use and cannot be forgotten. What’s more, as the range of activities we undertake online using mobile devices continues to grow, the more sensitive transactions, such as payments and money transfers, can be protected with device-enabled strong authentication. However, overall success will hinge on the security and privacy measures adopted to protect these new credentials and, most importantly of all, on the industry’s ability to offer this modern authentication infrastructure at internet scale.
As such, industry standards bodies such as the FIDO (Fast Identity Online) Alliance have become important. The Alliance is a nonprofit consortium of over 250 global service providers, government agencies, and software and hardware vendors that has developed open standards for simpler, stronger authentication. FIDO authenticators are already shipping in hundreds of millions of mobile phones and are poised to become ubiquitous on all modern internet-connected devices over time. Backed by the FIDO Certified testing and branding programme, these devices have enabled a broad ecosystem of ‘single gesture’ authenticators that can be used with many online applications and an increasing number of websites. With FIDO’s approach, organisations can finally get authentication right by combining the most convenient user experiences with the most proven security architecture, available through standardisation across a growing number of modern devices, resulting in stronger data protection and happier customers.