Passwordless Experience – The FIDO Standards behind this

As security breaches continued to grab headlines over 2014, I was intrigued by new claims that not only could online security be improved for consumers, but it could actually become a more delightful user experience. The launch of Apple Pay has proven to us that this is possible.

With over 150 FIDO members, the Board of Directors alone reads like a Who’s Who List: Alibaba/Alipay, ARM, Bank of America, CrucialTec, Discover Financial Services, Google, Identity X, Lenovo, MasterCard, Microsoft, Nok Nok Labs, NXP semiconductors, Oberthur Technologies, PayPal, Qualcomm, RSA Security, Samsung, Synaptics, Visa, and Yubico.

Keen to understand what attracted so many key players, I was delighted to have an opportunity to interview Executive Director of the FIDO Alliance, Brett McDowell, to understand more about how all this works and what changes we are likely to see in the world of payments because of this.

 

Brett, I’ve heard so much about FIDO as the standard behind high profile launches of 2014, and am keen to understand more. Could you share a bit about yourself and your mission at FIDO?

 


I am currently the Executive Director of the FIDO (Fast IDentity Online) Alliance which I helped to found in July 2012, when I was the Head of Ecosystem Security at PayPal, to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. At the FIDO Alliance, we are changing the nature of online authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online and mobile services.

Previously I spent several years at PayPal where, as Head of Ecosystem Security, I was tasked with developing strategies and leading initiatives to make the Internet a safer environment for PayPal and its customers. I spearheaded authentication strategy, including working with global policy makers to evolve best practices in strong authentication regulation. Prior to joining PayPal I spent several years as Executive Director of industry standards organizations, including Liberty Alliance and Kantara Initiative, which produced standards and accreditation programs in the field of digital identity.

At the FIDO Alliance, our mission is tightly scoped to producing open standards and industry adoption programs that enable implementers to change the nature of online authentication by improving user experience while simultaneously providing better security in a very privacy-respecting manner. We just released the final FIDO 1.0 specifications at the end of 2014.

 

Why did you feel standards were needed relating to strong authentication, and how does this differ from traditional authentication?

 

So, “traditional” is an interesting word in the context of strong authentication, as the concept has not gotten a tremendous amount of adoption, especially not from consumers. Before FIDO authentication, if you were an online service provider, in order to authenticate your users, you would typically use username and password. If you wanted more security you had to add another authentication factor from a set of options that were not necessarily designed for ease-of-use. The “historic” approach to multi-factor authentication, or “strong authentication” as it is often called, combines “something you know” (like a password or other form of “shared secret”) with another factor, such as “something you are” (a biometric for instance) or “something you have” (such as a token or physical device). The industry norm in 2011-2012, before FIDO authentication was announced, was username and password as the ubiquitous first factor, and the second factor, if there was one, was typically a 6-digit one-time-use passcode. You’d get the second factor through an SMS to your mobile device or create it on a specialised hardware device or copy it from a code-generating mobile app on your smartphone. This 6-digit number, the one-time password (OTP), is called a security token.

The first problem with OTP -- and one of the many issues that FIDO authentication inherently addresses -- is usability. The first word in FIDO is fast, and it helps to explain why FIDO technologies became so disruptive so quickly. We are not about bolting on extra security that puts the burden on the user. We are about delivering an end-to-end innovative approach to authentication through a new, open, online cryptographic protocol that enables best-of-breed device-centric authentication to be used for online access.

 

How does the FIDO UAF Architecture enable online services and websites to leverage native security features of devices and what problem does this address?

 

From the payments perspective our standards enable a better user experience – faster, more secure, privacy respecting and easier-to-use. An example is, Samsung has enabled a number of payments applications using FIDO to allow a user to simply swipe a finger across a sensor on their smartphone or tablet. This is arguably easier than everything else in the market, certainly easier than passwords.

Although the concept of strong authentication has been around for a while and pretty well adopted by pockets of the enterprise market, it has not achieved widespread adoption beyond the enterprise because it has lacked the means to achieve interoperability among systems and devices; FIDO authentication standards enable any strong authentication method, what we call “authenticators”, to interoperate with any online service, independent of solution vendor or device.

Without interoperable strong authentication, you are left with the classic “token necklace” problem: wearing specialized security tokens, often around your neck with your security badge at work, for each online service that requires strong authentication, because you cannot use any one of them to authenticate into the other online applications. This is because “traditional” strong authentication relied on proprietary centralized servers (closed systems) connecting authenticators in the hands of users to proprietary server-side functionality. Limited in both reach and function, strong authentication solutions have been neither open nor interoperable, until the FIDO UAF and U2F 1.0 standards, which have opened the door for ubiquitous strong authentication through “net effects” that only emerge from an open ecosystem.

 

Is this interoperability issue something you address through UAF and U2F?

 

Yes, both UAF and U2F protocols, applied to devices, client software and online servers, produce entirely interoperable strong authentication. What the FIDO Alliance founders introduced first was the Universal Authentication Framework (UAF) protocol. This solves pain points around first-factor authentication because it is designed to replace the password, usually (but not exclusively) with a biometric factor that is retained only locally on the user device, never shared centrally or in the cloud. FIDO UAF is a strong authentication framework that enables online services and websites, whether on the open Internet or within enterprises, to transparently leverage native security features of end-user computing devices. In a FIDO ecosystem online service providers can easily achieve strong user authentication, and free users from creating and remembering more online credentials, simply by leveraging existing FIDO devices to authenticate at their sites and to use their services, such as mobile payments where UAF has seen early industry adoption.

If you are going to offer a replacement for passwords, you need a robust mechanism that isn’t based on the same “what you know” shared secret security design that has been the bane of password systems of late. We decided upon asymmetric public key cryptography, which uses a private key paired with a public key for each authenticator registration. However, we knew that putting the private key in the server could create vulnerability and undesired externalities in the case of a breach. We wanted to get to a model that would have no secrets on the server side. With FIDO authentication, the server holds a public key, but the private key is held only by the individual’s personal device, such as a mobile phone, and is never shared outside of that device. We saw the opportunity to make 1st factor authentication both easy & more secure by relying upon existing device-specific user verification methods being embedded in smartphones, tablets and PCs. FIDO UAF then enables those local device authentication methods to be used securely online.

We found that before FIDO authentication, existing strong authentication options had very low user acceptance rates, sometimes less than 3% of users choosing to register for strong authentication when it was available as an option. The user acceptance of natural authentication methods that don’t tax the user’s memory or require extra steps in the process has been far more successful, as seen by the increased number of people opting to lock their phone with gesture locks, 4-digit PIN codes, and now biometric sensors like fingerprint sensors. However, under FIDO UAF, fingerprints are just one of many biometric options supported by the protocol: iris scanning, voice recognition, and behavioural sensors from wearable devices are all supported in FIDO UAF.

We wanted a standard that could support any future authentication method, and support the industry in its drive to continuously innovate. Proprietary innovation happens between the device and user; this is where the industry can compete with differentiating solutions. FIDO standards come into play in the implementation between the device and the online service.

Another question is how online Payment Service Providers (PSPs) would know that the technique between device and user is trustworthy? FIDO standards incorporate the ability for online services like PSPs to set their own security policy defining the devices or device characteristics they want to trust. The members of the FIDO Alliance wanted a solution set that enabled trust between all devices and all services, but didn’t mandate it. They want a solution to be flexible enough to leave the trust decision in the hands of the online service provider who is in the position of making the risk decision related to any authenticated transaction.

 

We have discussed UAF in some detail. What then is U2F and where does it fit in the FIDO ecosystem?

 

FIDO U2F authentication addresses a totally different use case. FIDO UAF provides a simpler, stronger 1st factor authenticator where U2F provides a simpler, stronger 2nd factor authenticator. FIDO U2F does not replace the password but instead replaces the second factor and enables a simpler form of password, like a short PIN number, because the security burden can now be placed on the FIDO U2F authenticator and not the password. FIDO U2F has already been deployed by Google Accounts and now ships in all Google Chrome browsers.

So far the implementations of FIDO U2F authenticators are in the form of external specialized devices, but these capabilities could be embedded directly in handsets or other form factors in the future. What separates FIDO U2F security tokens from the OTP tokens discussed previously is that one device will work with any FIDO U2F server, regardless of vendor solution or device manufacturer. Another key differentiator is the phishing resistance inherent in the FIDO U2F standard. A FIDO U2F user cannot be tricked into giving a secret to a fraudster the way they can in an OTP use case.

Yubico and Plug-up are the two primary providers of U2F-enabled devices today, which work by being inserted into a USB slot. NFC and BLE support for U2F tokens is coming soon and will accommodate U2F devices for use with devices that don’t have USB slots.

To learn more about all the UAF and U2F FIDO Ready™ implementations please visit our website where they are all listed along with the profiles they support.
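The two design points Brett describes above, a fresh key pair per registration with the private key never leaving the device and the server holding only a public key (the UAF answer), and a signature that a look-alike site cannot obtain (the phishing-resistance point in the U2F answer), can be shown in a few dozen lines. The block below is an added illustration written for this page; it is not FIDO Alliance code, not the UAF or U2F wire format, and the signature scheme is a toy Schnorr scheme over a 64-bit safe-prime group chosen only so that it runs on the Python standard library. The origins `https://bank.example` and `https://bank-login.example`, the user `alice` and the class and function names are all constructed for the example.

```python
import hashlib
import secrets

# Miller-Rabin with these fixed bases is deterministic below ~3.3e24,
# far above the 65-bit values used here.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group():
    # Smallest safe prime p = 2q + 1 with q > 2**63; g = 4 is a quadratic
    # residue, so it generates the order-q subgroup. Toy-sized on purpose.
    q = (1 << 63) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = toy_group()


def _hash_to_q(r: int, message: bytes) -> int:
    digest = hashlib.sha256(r.to_bytes(16, "big") + message).digest()
    return int.from_bytes(digest, "big") % Q


def keygen():
    private = secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]
    return private, pow(G, private, P)


def sign(private: int, message: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = _hash_to_q(pow(G, k, P), message)
    return e, (k - private * e) % Q


def verify(public: int, message: bytes, signature) -> bool:
    e, s = signature
    r = pow(G, s, P) * pow(public, e, P) % P  # recovers g^k if valid
    return _hash_to_q(r, message) == e


def _signed_data(origin: str, challenge: bytes) -> bytes:
    # The device signs the origin the client is really on plus the fresh challenge.
    return origin.encode() + b"\x00" + challenge


class Authenticator:
    """The user's device: private keys are created here and never leave."""

    def __init__(self):
        self._credentials = {}  # credential id -> (registered origin, private key)

    def register(self, origin: str):
        private, public = keygen()
        cred_id = secrets.token_hex(8)
        self._credentials[cred_id] = (origin, private)
        return cred_id, public  # only the public half goes to the server

    def authenticate(self, cred_id: str, origin: str, challenge: bytes):
        registered_origin, private = self._credentials[cred_id]
        if origin != registered_origin:
            return None  # credential is scoped to one origin; refuse any other
        return sign(private, _signed_data(origin, challenge))


class RelyingParty:
    """The online service: stores public keys and outstanding challenges only."""

    def __init__(self, origin: str):
        self.origin = origin
        self._public_keys = {}  # username -> (credential id, public key)
        self._pending = {}      # username -> challenge awaiting a signature

    def complete_registration(self, user: str, cred_id: str, public: int):
        self._public_keys[user] = (cred_id, public)

    def begin_login(self, user: str):
        self._pending[user] = secrets.token_bytes(32)
        return self._public_keys[user][0], self._pending[user]

    def finish_login(self, user: str, origin: str, signature) -> bool:
        challenge = self._pending.pop(user, None)  # each challenge is single use
        if challenge is None or signature is None or origin != self.origin:
            return False
        return verify(self._public_keys[user][1], _signed_data(origin, challenge), signature)


def demo() -> dict:
    device, bank = Authenticator(), RelyingParty("https://bank.example")  # constructed
    cred_id, public = device.register(bank.origin)
    bank.complete_registration("alice", cred_id, public)
    # 1. Normal login: the client is really on the bank's origin.
    cred_id, challenge = bank.begin_login("alice")
    good_sig = device.authenticate(cred_id, bank.origin, challenge)
    legit = bank.finish_login("alice", bank.origin, good_sig)
    # 2. Phishing: a look-alike site relays the real challenge, but the client
    #    reports the origin it is actually on, so the device refuses to sign.
    cred_id, challenge = bank.begin_login("alice")
    phish_sig = device.authenticate(cred_id, "https://bank-login.example", challenge)
    phished = bank.finish_login("alice", bank.origin, phish_sig)
    # 3. Replay: a captured signature does not match a fresh challenge.
    bank.begin_login("alice")
    replayed = bank.finish_login("alice", bank.origin, good_sig)
    return {"legit": legit, "phished": phished, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `legit` true and both `phished` and `replayed` false. Note what the server never sees: `RelyingParty` holds a public key and a one-shot challenge per user, so a breach of its store yields nothing an attacker can replay, which is the “no secrets on the server side” property from the interview; the origin scoping in `Authenticator.authenticate` is the part that stands in for U2F’s phishing resistance.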

 

This is very interesting and thanks for helping to make our online experiences easier as well as more secure. Do you have any final message for us?

 

One thing I’d like to emphasize is the relationship between authentication and payments. Payments is just another application that requires strong user authentication. FIDO standards can be used for a whole variety of use cases that require strong online authentication… for healthcare applications, airline bookings, gaming, banking, enterprise use cases and anything that requires a user to authenticate online. The reason we saw the first adoption in mobile payments is because that industry segment had the greatest amount of pent-up demand for faster, easier strong authentication from mobile devices where typing passwords was the least convenient option.

The second topic I would like to emphasize is the relationship between FIDO standards and government regulation around strong authentication. Sticking with the payments example, you recently asked me about how FIDO UAF could be used to meet the criteria developed by regulatory regimes such as the EBA Guidelines. Though an analysis of exactly how a FIDO UAF implementation could meet the requirements of this specific regulation is beyond the scope of this interview, most multi-factor regulatory regimes are looking for two or more of a “what you know”, “what you are”, or “what you have” authentication factors. In just the example we see in the market already on Samsung Galaxy® devices, it may appear there is only a single “what you are” factor being offered by the fingerprint sensor, but there is also a “what you have” factor due to the secure protection of the private keys on the device, resulting in a multi-factor authentication event from a single user gesture. The Privacy and Public Policy Working Group in FIDO Alliance is going to make a concerted effort to educate regulators across various industries and geographical regions in 2015 to help them understand how to apply FIDO authentication to the markets they oversee.

 

Thanks Brett and I wish you the very best for all the further innovation that you plan in this very important space!



Brett McDowell currently serves as Executive Director of the Fast IDentity Online (FIDO) Alliance, the organization Brett helped establish in 2012 to remove the world's dependency on passwords through open standards for strong authentication. Brett is also an advisor to Agari and the Bitcoin Foundation.

Previously, Brett spent several years at PayPal where, as Head of Ecosystem Security, he was tasked with developing strategies and leading initiatives to make the Internet a safer environment for PayPal and their customers.

 


Charmaine Oak

Author of The Digital Money Game, co-author Virtual Currencies – From Secrecy to Safety


http://www.linkedin.com/in/charmaineoak

Join me on Twitter @ShiftThoughtDM and The Digital Money Group on LinkedIn

How Apple Play affects The Digital Money Game

 

Apple has made their play: iPhone 6, iPhone 6 Plus, Apple Pay and a wearable Apple Watch. Now that Apple Pay is here, how does this potentially affect retail transactions, e-commerce in general, and the projects in your pipeline?

 

We are at the cusp of the creation of a new ecosystem. But will Apple Pay fare better than Google Wallet did when it first launched in May 2011? There is a feeling of déjà vu and “let’s wait and see”, but also a sense of optimism and expectation of an improved retail experience. In the near term iPhone 6 and iPhone 6 Plus will be the real winners for Apple revenue, but in the long term Apple Pay will play an increasingly important role in generating revenue from previously untapped sources. As far as the role of Apple Watch itself is concerned, its revenue impact in the near term is uncertain but could become more significant as developers bring out apps and its role evolves.

Let us take a look at Apple Pay, as a prerequisite for starting to answer the myriad questions: Is this going to ignite mobile payments? Will it make digital payments more secure? How do the opportunities now stack up? How are the mobile operators likely to react? We all know Verizon, AT&T and T-Mobile were not cheerleaders for the Google Wallet. Softcard (rebranded from ISIS) is readying its own offer. What is PayPal thinking, and how does this fit with the Braintree One-Tap announcements? How will Walmart react, and where does this fit with respect to MCX?

 

So why is this important?

The major factor for any new payment service is adoption. A variety of methods have been tried for offline retail payments, from PayPal, Google and others, and so far by Apple using iBeacon functionality, BLE and other technologies. Adoption of NFC has so far been a 10-year war between the banks and the mobile operators and has struggled to gain traction. It was important for the industry to know Apple’s position with respect to NFC as a standard for mobile payments.

We would all agree that in the current retail and e-commerce arenas one of the most pressing needs is security. The Apple announcement certainly seems to go a long way in addressing this need. For example, the combination of the biometric sensors in its devices with the contactless transmission of a one-time card number, together with the fact that Apple creates a device-only account number that it stores in the secure element, provides a basic foundation for enhanced security. Furthermore, from the customer’s perspective, the fact that one can find the phone more easily and take action if it is lost goes a long way towards addressing concerns.

 


Back in 2011 we had the entry of the Google wallet, and each of the card schemes announced their own wallets as well. Still consumers and merchants failed to adopt. While contactless cards gradually crept into use, paying at retail POS by phone continued to prove elusive, for a variety of reasons. For the longest time, one of the main reasons was claimed to be lack of handsets. However, customer security concerns and more importantly business model were arguably even greater challenges.

And what about adoption?

One of the major challenges in creating a successful service is the ability to bring a large customer base on board rapidly. At the retail level this translates to satisfying consumers on both convenience and trust. In this respect Apple has 800 million customers from its iTunes Store as ‘card on file’. However, there is a separate step involved to get consumers to start to use Apple Pay for contactless payments as it launches shortly in the US.

This is where the convenience and trust come into play and is something for which we’ll need to wait and watch.

Additionally the Apple API will be available to developers and this is an exciting space to watch. We saw how millions of apps became available for the iPad and iPhone – now Apple Watch is here, and although tethered to the iPhones for the present, it presents a new frontier of innovation. For the present the watch offers an opportunity to integrate a variety of health and fitness related services – something I think we will hear a lot more about shortly.

Merchant support has already been announced: McDonald’s, integration with Uber, a food app from Panera, Major League Baseball’s app to order tickets from your phone, and OpenTable to pay your bill from your iPhone 6 or iPhone 6 Plus. The Apple API is to be offered in iOS 8 to allow app developers to integrate Apple Pay into their applications.

 

So how will mobile operators react?

Apple has a following, and is not overly dependent on mobile operators to push their phones; however, operator subsidies that could be as high as $500 considerably help make them affordable. The rapid adoption of smartphones across the world has changed the balance of power. Certainly in the US, Apple is top dog as a smartphone manufacturer, with 42.1% OEM market share as of June 2014 according to comScore reports.

Some news is in already as to how mobile operators view this. Softcard (formerly ISIS) have made a statement that they see Apple’s support to NFC as a significant step that sets the stage for rapid scale adoption of mobile commerce.

However while in the US and Europe Samsung and Apple dominate, the share of both providers has been dropping in emerging markets where we see an emerging fragmentation. In urban China, Xiaomi with its affordable RedMi model continues to go from strength to strength, securing a 27% share of smartphone sales in the important China market in the second quarter of 2014, compared with 21.1% for Samsung. And payments by watch + iPhone cannot be a top priority for the masses in emerging markets, although urban, higher income Chinese consumers do seem to be quite interested. 

 

What about the others?

As we describe in great detail in our book, payments has become a hotly contested space. Another fairly late entrant is Amazon. Just take a look at the Amazon Fire Phone, the first smartphone designed by Amazon. Amazon has vowed to create a whole new shopping experience, and until December 31, 2014 the Fire Phone comes with 800 Amazon Coins to spend on apps, games and more, as well as a 10% discount on purchases of more Coins. They also offer other benefits including a year of Prime benefits (Video, Delivery, Books and more).

Such bundles of value are what the customer is increasingly coming to expect, and the whole Apple offer will need to evolve to meet the competition.

 

Too little, too late?

Without doubt, Apple is a late starter where contactless payments are concerned. Like a swan, the movement seemed to be more ‘under-water’, as news of patents obtained for motion based payments got out back in January 2013. For instance, Apple obtained a US Patent for a digital wallet and virtual currency. It described a system of managing credits via a mobile device. Mobile users would be able to receive credits or coupons stored in their accounts. Check out Patently Apple for the background on Apple patents for payments.

Yet, little happened until now.

  • Back in June 2013 Apple released its first mobile commerce platform, called the iCloud Keychain: consumers could store passwords and financial details for use across several Apple devices and they could log into websites or make purchases online. But the platform did not support NFC and existed as an application rather than a physical device.
  • Earlier in June 2012, the Apple bar-code-based Passbook mobile wallet was launched, as a basic mobile wallet without payment functions, using barcodes to store and represent multiple boarding passes, store cards, and movie tickets. It had location-enabled alerts, and real-time updates and it displayed passes based on a specific time or location. When consumers walk into a participating shop the loyalty card appears and can be scanned to pay or check balance. It was expected that this could evolve into a mobile payment service by linking the Passbook to customer credit cards and iTunes accounts.

Effect of Apple Play on the Digital Money Game

The contactless payments that Apple Pay now proposes to offer come as a reinforcement to the Digital Money Game of some players, but a threat to others.

And it is no longer enough to offer just mobile payments. To gain adoption, Apple must be able to offer a range of ways to pay, across the web and other channels including TV, now being hotly talked about in emerging markets. And they must get the interoperability story right, and rapidly prove the concept beyond the US market.

 

Read all about this, and work out your own strategy with our recently published, highly acclaimed book, The Digital Money Game. Also, if you would like to discuss immediate ramifications on your projects just drop me a line at coak@shiftthought.com.

 


Digital Money in Retail – 3 years on, where are the digital wallets now? – Blog 1

In mid 2011 we saw the launch/announcements regarding digital wallets from Google, Visa, MasterCard, American Express and many more. Would this mean the end of PayPal’s 10 year domination of this space? 3 years down the line let’s take a look at how these digital wallets fared.

 


In Mid-2011, led by Google Wallet, digital wallets became the new kid on the block. Shift Thought defines these as customer accounts that can hold stored value and allow users to make electronic commerce transactions.

It was recently reported that Google has no intention of giving up on its slow-growing wallet service or mobile payments, and amusingly it was reported: “We have been doing this for a while … and we’ll continue to keep doing this for a long while.” By “this” I am sure they do not mean growing the wallet slowly. This piqued my curiosity. Where are the digital wallets now? What are the gains and losses?

In March 2014 Eat24, a restaurant delivery app which integrated with Google Wallet at the end of November 2013, reported that customers spend an average of 11% more when paying with Google Wallet. Subway was one of the first to accept the Google Wallet, offering the option in 5 markets since 2011. Jack in the Box also started testing Google Wallet in 35 of its restaurants in the Los Angeles and San Francisco markets in November 2011.

Now Google is reportedly changing the way it supports contactless payments on the newest versions of Android. This seems a good time to share our research on how each of the different digital wallets announced in mid-2011 has fared since then.

I’d like to share a bit about the landscape at the time when they launched, as a backdrop for discussing how this has changed, and the main initiatives we see today. In 2011, I created the figure below to explain in one page what the Digital Money ecosystem looked like then.

There were 7 billion consumers making payments in the world at the time, which included payments between each other (P2P), to and from governments (P2G/G2P) and corporates (P2B/B2P). The figure shows the main industries and players that supported such payments.

In that year banks and money transfer operators were joined by new entrants to create a vastly different competitive market for payments. Alipay and PayPal led the world at the time, but expectations were high for the new Google Wallet, which offered a business model based on ‘Google Offers’, a targeted sales mechanism that sent promotions to smartphones. This was a scheme by which consumers and merchants benefited, but it raised concerns about personal data.

In the next blog posts I will look in more detail at each of the industries in this figure to see how they have moved on since 2011.