A new set of specifications that could strengthen security for websites and mobile apps is receiving strong support from payments and technology heavyweights. If they are commonly adopted, many banks may drop their reliance on usernames and passwords when identifying users in favor of such alternatives as fingerprint scans and voice and face recognition.
On Monday, Samsung and PayPal announced that the new Samsung Galaxy S5 smartphone will use the FIDO standard (it stands for Fast IDentity Online) to activate and confirm PayPal payments using the Samsung S5's fingerprint sensor.
On Tuesday, Bank of America (BAC) signaled its support for improved standards when it became the latest financial services firm to join the FIDO Alliance. The others are Discover Financial Services (DFS), MasterCard (MA) and Goldman Sachs (GS).
"Providing our customers with a convenient, secure digital banking experience is a top priority for us," said Dave Godsman, digital banking solutions and operations executive at Bank of America, in a press release. "As the world rapidly changes, our involvement in the FIDO Alliance will help ensure we continue to provide the convenient and secure solutions our customers want."
Some observers expect the banking industry to rally around the new FIDO standards, which essentially spell out a common way for users, their mobile devices, and mobile apps and websites to communicate with one another.
"If getting the technology into the hands of end users creates order from the chaos that is user authentication, FIDO will have a powerful argument and educational message for bankers and regulators to get onboard," says Alphonse Pascual, a senior analyst at Javelin Strategy & Research. "Other initiatives are a bit behind the curve."
The password is dead
The model websites use today for usernames and passwords is essentially the same as the one IBM time-sharing mainframes were using in the mid-1960s, says Michael Barrett, the president of the FIDO Alliance. "You type your name and password into a dumb terminal, the dumb terminal captures that and sends it up to the mainframe, which checks it," he says. "That precise model is what all password-based e-commerce is based on today, despite the fact that a smartphone is more powerful than the first mainframes.
"Password authentication is badly broken, we need a new model and it needs to be standards based," he adds. "That's essentially what the FIDO specs allow."
Though many believe that the password as a means of verifying the identity of online and mobile banking users is outdated it's too easy to guess and hard to remember what it should be replaced with has not been clear. A hodgepodge of authentication technologies, including iris scanning, device identity, fingerprint matching and voice prints, have been floated in various pilots within and outside of banks, but none have attracted enough committed adopters to become widely used.
Under the FIDO specifications, published Feb. 11, a bank could rebuild its apps and websites once, and be able to connect with many different authentication technologies.
For Dominic Venturo at U.S. Bancorp (USB), which has been piloting the use of voice biometrics to verify mobile banking users, the idea of having an industrywide standard for authenticating customers is appealing.
"In the absence of standards, there have been a host of solutions for authentication and that has driven some poor customer experience in terms of expectations of what's required site to site or entity to entity," says Venturo, the chief innovation officer for U.S. Bank Payment Services. "There's an opportunity to align on standards for digital identity in the web space."
But he also points out that there are other standards initiatives in the works.
For instance, under a program run by the National Institute of Standards and Technology, the government is pursuing a digital identity management standard called the National Standard for Trusted Entities. On Monday, a pilot program was announced that will test using the Department of Motor Vehicles' in-person identity proofing services to create a digital credential; it will be supported by technology from phone-based authentication provider Authentify.
"Which one ultimately wins, we don't know yet," Venturo says. "It's an important space and we're actively monitoring it."
He also points out that the devil is always in the details. "We'll have to review the [FIDO] standard that was just published," he says. "There are always technology hurdles. The industry needs to align around the standard it's going to support, then the level of uncertainty or risk goes down. When everyone is working in the same direction, they're less likely to have multiple incompatible solutions."
Nuance Communications, a provider of voice biometrics used by many large banks, including U.S. Bank and Wells Fargo (WFC), also hasn't committed to the FIDO standard but is looking at it. "We're in active discussions with FIDO and supportive of the work they're doing, as well as other industry standards in the authentication space," says Brett Beranek, solutions marketing manager, enterprise division at Nuance. "And there are a handful. We believe any security protocol that enhances or facilitates use of voice biometrics by companies is positive."
What the standard does
The lack of standards has hindered the use of sophisticated authentication technology, according to Barrett, who used to be chief information security officer at PayPal. "I can tell you flat-out, as the guy who used to run the authentication portfolio for a large online payments company, that the proprietary cost of authenticating with different entities has been a major barrier to adoption. Every time I'd authenticate to one vendor I'd have to spend millions to make that happen. Then to integrate with the next vendor would cost a few more million. FIDO may cost money, but you only do it once, that gives you access to every authentication type on the planet."
One group of FIDO specifications, known as U2F or universal second factor, is meant to make passwords more secure by adding another authentication factor, such as a hardware token.
The second, UAF family of specifications imagines a post-password world and offers standards for letting consumers and enterprise employees authenticate without using a password. It's meant to accommodate all models of non-password authentication, including biometrics, tokenization and near-field communication.
In the FIDO model, a user authenticates himself on his device then the device authenticates itself to the website or mobile app being accessed. The organization at the other end, such as a bank hosting an online banking site or mobile app, is referred to as a "relying party."
Under the FIDO specs, the relying parties will have to use three new HTML tags that will let them interrogate and FIDO-enable those authenticators. "We just have to change our websites to manage those tags," Barrett says.
Vendors will offer server software for relying parties to use on their sites. One company, Nok Nok Labs, a founder of the FIDO Alliance, already offers FIDO-ready software.
The FIDO standard also lets companies set up rules-based risk policies. For instance, if they're letting people access a blogging site, they may require little or no authentication. If they're facilitating a $25,000 wire transfer, they are likely to require strong levels of authentication. Eventually, the FIDO Alliance will certify authentication providers at different levels of trustworthiness.
The specifications are open for comment and are expected to be rolled out later this year.