A standard has been released that could end the need for passwords to online banking.
The specification, called WebAuthn, provides a common way for browsers to accept fingerprint, facial and other forms of biometric authentication from a smartphone, desktop or USB-connected hardware. It was developed by the FIDO Alliance, a consortium of tech, financial and other companies.
Using it, consumers and business people could log in to online banking the way many people log into mobile banking today — by touching their finger to a fingerprint sensor or taking a quick picture of their face.
And banks could mitigate man-in-the-middle attacks, in which malware redirects the user to a fake website that looks just like the bank's to capture login and account information.
Stronger authentication for online banking is sorely needed, according to Al Pascual, senior vice president, research and head of fraud and security at Javelin Strategy & Research.
“We’ve gotten to the point where the mobile channel is safer than the online channel,” Pascual said. “While mobile is arguably the most popular channel, we still do a lot of serious banking online, especially people who have and make more money and businesses.”
This disparity in security between the two channels has forced criminals to focus on online, where the targets are bigger and more vulnerable.
“In the near future, you’ll start to see the largest banks, many of whom are on the board of the FIDO Alliance or are relying parties, start to take advantage of WebAuthn,” Pascual said. “It will take time, and there’s going to have to be education for consumers who are less technology oriented. It’s a work in progress.”
How it works
WebAuthn is the latest authentication standard from the alliance, and it is sometimes called FIDO2. It was recently accepted by the World Wide Web Consortium into the “candidate recommendation” phase that prefaces final approval of a web standard. This is about as close to an official blessing as an authentication standard can get.
As with the original FIDO spec, banks (and other companies) can implement it as they like. They will most likely use it to do what they do today on mobile devices: Let the user use a fingerprint or a selfie as an alternative to typing in a password, using a smartphone or a biometric sensor built into the computer or plugged in via USB. Commercial customers could use a key fob the way many do today.
“Because of this standard, users can have the user experience they’ve already grown to love and trust in mobile apps on their websites,” said Brett McDowell, executive director of the FIDO Alliance.
To support WebAuthn, banks can FIDO-enable their existing online banking application servers, ask their vendors to do this for them, or buy a FIDO appliance built for this purpose that handles the authentication requests.
The FIDO Alliance runs a certification program so banks can find vendors on its website that have FIDO-certified servers.
Pascual noted that banks will also need to support biometric authentication.
“They’re going to have to choose whether they want to support one type of authenticator over another and how they treat those authenticators — they may have some they trust more or less,” he said. “So it’s not just flipping a switch; you’ve got to have an authentication strategy. That’s going to take time and effort and guidance.”
But once they do that, the authentication methods they choose will work with all browsers, so their integration work will be done.
Google is committed to supporting WebAuthn in its Chrome browser. Microsoft has committed to supporting it with its Edge browser, but not yet in Internet Explorer. Mozilla will support the standard in Firefox.
The engineers at Apple who work on Apple’s Safari browser are part of the WebAuthn working group, though Apple has made no public commitment about implementing the standard.
How it beats hackers
The new standard mitigates traditional man-in-the-middle attacks and attacks on account credentials that involve a modern web browser, McDowell said.
“Instead of using your old password as an authenticator or password and passcode, with WebAuthn now at least one of those factors is going to be a strongly bound public key cryptographic authentication factor — a private key that’s bound to one of my devices, never shared, and never goes over the internet,” he said.
Transport Layer Security and token binding protect the encrypted traffic between the bank’s website and the client-side device from interception by a third-party man-in-the-middle attacker.
“That means you won’t be able to be socially engineered to give away your credential,” McDowell said. “An attacker is not going to be able to get my private key.”
Nor will an attacker be able to trick a user into signing for a transaction on a fake website.
The WebAuthn approach has security and usability advantages over the one-time passcodes many banks use today, McDowell said.
Where one-time passcodes can be bypassed by attacks that temporarily take over a mobile account, WebAuthn eliminates this risk with its on-device user verification requirement and its public and private key matching.
And touching a button or looking at a camera is easier than typing in a password.
“A lot of banks introduced support for fingerprint authentication because of user demand for it,” McDowell said. “The banks have already learned that users want that one-gesture experience.”
Pascual agreed that consumers have been well trained on biometric options.
“Fingerprint by and large is preferred, by ease of use and perceived effectiveness,” he said.
Online might be a little different, he acknowledged, because there is a broader range of customers, so there might be more of a learning curve for some.
In reality, most banks will likely phase in this new standard. They will not shut off the ability to log in with a username and password for some time, so it will still be possible for hackers to game the system. Once WebAuthn becomes the only way to access an account, the stronger protection should kick in.
Account takeover will also still be possible as long as banks offer a password recovery option.
“If all I have to do is get a hold of your email account, which is less protected than your bank account is, take over your email account, push an account recovery flow and get into your bank account, there’s a back door,” McDowell said.
Here again, once consumers become more used to using WebAuthn, banks will be able to shut that door.
“WebAuthn puts you on the path to changing the risk model around account takeover and shutting down all the currently well-known ways of doing an account takeover,” McDowell said.
The new spec does not address identity verification. So a dedicated identity thief could potentially establish an account using another person’s identity information.
Old versions of web browsers will still be vulnerable to hackers and a security worry for online banking, as they are today.
“If you’re on an old browser, many financial institutions will prompt you to update your browser, because old web browsers are full of vulnerabilities,” McDowell said.
But overall Pascual agrees WebAuthn should make online banking safer.
“Authentication, whether it’s misuse of credentials or social engineering of consumers to glean credentials, is the most prevalent avenue of attack,” he said. “So when you harden that channel, that security, you raise the wall on that. It will force [hackers] to go elsewhere and at the same time it will diminish the rate at which we see online banking fraud.”
Editor at Large Penny Crosman welcomes feedback at email@example.com.