With 63% of all data breaches resulting from stolen, weak or default passwords, and recent compromises targeting millions of stored passwords, Fast Identity Online Alliance members say the time is now for device manufacturers and e-commerce merchants to embrace new authorization technology.
In just a year since establishing Fast Identity Online testing and certification for device authorization methods, the three-year-old FIDO Alliance has more than 200 certified solutions available that eliminate traditional passwords.
In accomplishing that type of production, the cross-industry led FIDO Alliance believes it has developed more secure specifications and certifications for hardware, mobile and biometrics-based devices. Now it's a matter of getting others to follow the lead of those using FIDO authentication, such as Google, PayPal, Dropbox, Github and Bank of America, as well as advancing FIDO certification beyond devices and into payments channels.
Earlier this year, eBay became the first e-commerce company to become a FIDO-certified member of the alliance.
The reason FIDO authorization is catching on is "this is a fundamentally different way to log in for everything in the consumer space," said Brett McDowell, executive director of FIDO Alliance. "Before it was a password or a single-use passcode."
Those passwords or "secrets" are vulnerable, mostly because they can be shared with others or easily stolen, McDowell said. Instead, FIDO members develop fingerprint, facial or iris biometric recognition, or other methods to store cryptographic keys on devices, even if it is a PIN.
"If a device manufacturer still uses a password to authenticate, then it should be looking for at least two authentication factors from all of the options now available," McDowell added.
The option of "something you know," such as a password, should fall out of favor, mostly because so many passwords are available on the black market, McDowell said. "We don't even know how these stolen passwords are being monetized or how many more are being used in data breaches."
It is far more secure to protect the device in hand without the use of "secrets" and instead authorizing the user through the sensors and cameras available on the devices, McDowell said.
One-touch biometrics, out-of-band authentication and measures to address friendly fraud remain the focus of what FIDO is seeking to accomplish.
Nok Nok Labs, in the forefront of FIDO technology development, has been providing new mobile and omnichannel security measures for further protections to support platforms like iOS and Android Marshmallow.
These developments support FIDO's mission that protection of the devices consumers use to initiate payments or provide personal information will give merchants and service providers the assurance that the person conducting transactions on their sites is indeed the person who owns that device.
Beyond that, e-commerce merchants have to begin incorporating FIDO-enabled authorization methods on their own sites, said Philip Andreae, vice president of field market for Oberthur Technologies, a FIDO member.
FIDO authorization comes into play when a consumer establishes an ongoing relationship with a merchant that would result in regular site visits and transactions, Andreae said. Conversely, if a consumer is simply visiting a site for a one-time, single transaction, FIDO solutions don't become a factor.
"If the merchant is like Amazon, Netflix, the New York Times, or Macy's and a consumer has engaged to the point to create a relationship, then FIDO absolutely can become the mechanism to provide positive authentication and replace the need for passwords," Andreae added.
Many major e-commerce engines are implementing FIDO authentication, so it boils down to why others are not at this time, Andreae said.
"When you create a relationship with someone like Amazon, you agree to register payment credentials, and when I touch my authenticator on my device or their site, they know it is me," Andreae added. "They will know I have authenticated through a biometric or a token, or whatever. The technology and devices exist now, and the reference implementations and competitive implementations are present."
As retail and e-commerce begin to merge in omnichannel settings, biometrics and other authorization methods that replace passwords will be even more critical, said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research.
"When you start thinking about what is coming down the line, it starts to cloud the picture a little bit because there is a new version of 3D Secure coming for e-commerce merchants, and MasterCard has been working on facial and fingerprint identification, all of which FIDO can help with," Pascual said.
3D Secure was one of the first security measures that card brands put into place to protect card-not-present transactions, but its initial model was cumbersome with pop-ups and security questions that resulted in consumers leaving sites before completing transactions. Newer versions have streamlined the process.
Situations in which a consumer has to use a fingerprint scan to open a mobile banking app, but has a purchase with that bank card on an e-commerce site going through 3D Secure, opens a door for FIDO to help on the merchant side of the equation, Pascual added. Biometrics and other advancements may translate to mobile Web at some point, but will take longer to embed in laptops or desktops for e-commerce transactions, a project that W3C is working on with FIDO, he said.
One of FIDO's most recent developments, in certifying authorizations through Bluetooth low energy technology, could be a future game-changer for adopting new technology to replace passwords on computers and even in advancing the Internet of Things, Pascual added.
"When your appliances are ordering needed supplies for themselves, any way to authenticate that process will be good," Pascual said.
As authenticators such as TouchID and other biometrics advance, consumers and merchants alike will understand what FIDO has been promoting all along — that security can be convenient.
Many devices are FIDO enabled for authentication and it is up to relying parties to take advantage, Oberthur's Andreae said.
"Let the consumer use it, and if they are not, promote that they go out and get one in their next phone upgrade," he added. "The consumer will do that for security if he can replace every password with one thing."