Digital Transactions Authoritative, insightful and timely information for payments professionals
With financial institutions, merchants, and software application developers all looking for better online security than that afforded by the traditional, static user name and password, the Fast IDentity Online (FIDO) Alliance’s brand of authentication products is starting to get traction.
The Mountain View, Calif.-based industry consortium reported Monday that 150 products that use biometric or so-called second-factor authentication are FIDO certified, up 50% in just the quarter ended March 31. The Alliance was founded in February 2013 and issued version 1.0 of its specification near the end of 2014.
“FIDO’s authentication solution is hitting the market at the time we’re at our greatest need for moving beyond password-based authentication security,” says executive director Brett McDowell, a former security executive at PayPal Holdings Inc., one of the Alliance’s founding companies.
The organization’s goal is to replace passwords with open standards that recognize not only the device used in a payment or online transaction, such as a smart phone or computer, and the device’s legitimate user. This is done by using public key cryptology systems involving a so-called public key and a private key, which is on the device.
FIDO Alliance’s so-called Universal Authentication Framework (UAF) specification uses biometrics, mostly commonly fingerprint scans, but irises are gaining in popularity, McDowell says. Most of the world’s leading smart-phone makers, the notable exception being Apple Inc., are using FIDO-certified fingerprint authentication, including Samsung, LG, Huawei, Sharp, Fujitsu and Sony, according to McDowell.
While Apple’s iPhone (and iPad tablet) employ non-FIDO-certified Touch ID fingerprint-based security, Bank of America Corp. has built FIDO-certified technology into its mobile-banking app, so that a BoA customer with an iPhone will be using it once he or she registers the device, says McDowell.
In some cases where biometrics are not employed and a user name and password system remains, FIDO’s universal second-factor protocol, or U2F, in which a dongle is inserted into a USB port, can be brought in for extra security. Users include Google and Dropbox, a popular cloud-based online storage service.
The U2F system can’t be “phished,” according to McDowell. That means a fraudster couldn’t gain access to an e-mail account or online system even if he obtained the user name and password. Despite efforts to stamp it out, phishing scams remain a huge problem, a recent study found.
About half the companies with FIDO-certified products, and the servers that support them, are consumer-electronics companies based in Asia, and the others are spread around the world, according to McDowell.
