As scams, ransomware, account takeovers, and old-fashioned data breaches persist in our personal and business lives, we are all pondering how to get ahead in the cat-and-mouse game that global fraud rings seemingly have mastered.
With this episode, we’re setting the stage for a series of discussions on authentication and identity, the critical components of tackling this pervasive issue. We’re embarking on a journey of perspective gathering from some of the industry’s leaders in risk management, authentication, and digital identity with this 2015 “from the vault” episode of Payments on Fire. Listen as Philip Andreae converses with George Peabody about the FIDO Alliance and its mission to bolster and streamline authentication.
As you listen to this episode, consider the progress made since 2015 — have we come far enough, fast enough?
Yvette Bohanan: Hello, I’m Yvette Bohanan, a partner at Glenbrook and your host for this episode of Payments on Fire. At Glenbrook, we are often asked to opine on the top risks in the payments industry. Unfortunately, we are spoiled with choices. Are we talking about credit risk, liquidity risk, automation risk, vendor risk, legal risk, or something else?
Usually, the most common questions are actually about fraud, where the absence of effective controls for one or more risks has led to criminal financial gain. And inevitably, the follow up question is, what should we be doing to stop this? The first thing to remember is that a successful fraud scheme requires access to a funding account and oftentimes some level of trust between the fraudster and the victim.
The risks that need to be controlled to mitigate the chances of a successful fraud scheme fall into two broad categories. Those that can be mitigated with technology, and those that cannot. There are some good solutions in the first group. The use of password vaults, pass keys, and tokenization are all helping to mitigate the risk of unauthorized account access.
The second group, those that cannot, often have deceit or scams underpinning them. It’s much harder to protect people from being scammed. When the scams can be convincing enough for someone to voluntarily share their credentials, or worse, their money, then all of the technology evaporates. So how can we protect people from scams?
Can we move scams into the category of risks that technology can mitigate? We’re beginning a series of conversations to explore the industry’s progress in two areas. Eliminating shared credentials, and verifying someone’s identity. To kick things off, we’ve pulled Episode 28 from our library. Recorded over 200 episodes ago in 2015, George Peabody sat down with Philip Andreae to discuss the FIDO Alliance and the framework that is the foundation for the passkeys we are seeing today.
I hope you enjoy this one and keep listening as we continue on our journey to discuss progress, priorities, and problems around authorization and identification in payments.
George Peabody: Welcome back to another Payments on Fire podcast. I’m George Peabody and I’ve got Philip Andreae back with me to carry on another conversation. Philip, welcome.
Philip Andreae: Good to talk to you again, George.
George Peabody: So Philip Andreae is with Oberthur Technologies and he’s speaking with us today in the capacity of another role, he’s on the board of directors of the FIDO Alliance. And I’m going to let Philip describe FIDO’s mission and its components. FIDO has been all around strengthening and making authentication simpler. If you’ve got an elevator pitch on what FIDO does, why don’t you give us that as a place to start.
Philip Andreae: Okay, well, let’s start with the mission of FIDO, and I’m going to almost read straight off of their website to make sure that I stay consistent with the corporate message of the FIDO Alliance. Our mission is basically to drive to replace the username and password experience, to create a password-less experience.
And the second piece was to also create a second factor experience. So if we think about those two worlds and we think about the various websites and the various kinds of transactions we do in this digital environment that the internet has enabled, we have classically relied on username password as the security to access the account, be it accessing your Facebook account or your bank account or your monster.com.
And then the other piece of the experience is that from a security point of view, we’ve always talked about this concept of multi factor authentication.
And when we talk about multi factor, what we typically talk about is something you have, a card, a secure element, a mobile phone with an embedded secure element in it, a USB token, some physical thing that is singular, unique, and can be authenticated digitally. That’s the first piece of the puzzle.
And then the second piece of the puzzle could be a password. It could be a biometric. It could be some other piece of information, a secret, a password, a PIN, or a biometric, your fingerprint, your iris, your face.
George Peabody: Okay, so some of those are what you know. The PIN and the password. And then the biometric is what you are, right?
Philip Andreae: Absolutely. Yeah. And you put two or three of those together. So what you have, the physical, what you know, the secret, and what you are, the biometric. And if you want really, really, really strong security, you put all three together. If you want a weaker level of security, you put two of them together.
If you only need a modicum of security, then you may only select one.
George Peabody: One of the key things here about authentication, and it’s one of the things I appreciate about the FIDO design, is that the party who is granting the authentication, granting the access to the resource, whatever it is, they’re the one who is basically on the hook.
They’re the ones who have to take the risk. So in classic authentication is that they get to decide what level of authentication is required to grant access to that resource. And what I understand about FIDO is that, FIDO provides the ability for the relying party, the one that’s takes the risk to say, I need a known device and a strong biometric before I’m going to grant access to the resource. How does that actually work?
Philip Andreae: Let’s back up to, again, what FIDO was trying to do. So FIDO wanted to develop, and it has developed, a set of technical specifications that the various stakeholders who enable this security infrastructure can go off and develop against, knowing that their components will work with everybody else’s components.
And then it’s developed a certification regime and a security regime to assure that what you built was built to the specification. It adhered to the security principles and practices and then gave you the necessary seal of approval so that you could then go out and make money, sell your product, enable your solution.
What you stressed at the very beginning is that FIDO is not about identification. Identification is assumed to be the responsibility of the relying party. So your bank that you want to gain access to, your Facebook account that you want to call yourself Mickey Mouse on, your Google account that you’re going to call yourself JP Buddy on.
That’s down to the relying party. What FIDO does is it says, okay, once you’ve made sure that the person who is presenting themselves over the internet is who they claim to be, then allow them to register their authenticator, their FIDO authenticator, to that website. And every time they present that FIDO authenticator, you know that it is a unique FIDO authenticator.
Yes, you have to deal with the fact that it might have gotten stolen, and therefore you may need two factor authentication because of the risk associated with the kinds of transactions you’re doing. Or maybe you’re not so worried about that because you know they’re going to call you when they lost their phone because their mobile phone is their authenticator.
And when we think about some of the people who sit around the FIDO table, and we think about the current chairman, Microsoft, the current vice president, Google, the current treasurer, Lenovo, the current secretary, PayPal. Bank of America, ourselves at OT, NXP, Docomo coming out of Japan, RSA. You’ve got some major, major players sitting around the table driving the conversation. And then when we look at the membership, you’ve got a membership that is growing at a beautiful rate. At one point when I joined, which is probably about a year ago, we were at 150. We’re pushing 250 already.
George Peabody: A lot of that growth is coming internationally, and I believe some government membership has taken place.
Philip Andreae: Yes, absolutely. In May, when we had our plenary in Dublin, we, Created a new class of membership and we’ve already accepted membership from NIST here in the United States.
And the UK government has already joined and there are other governments that I can’t talk about at this point in time who are looking at and considering and trying to figure out which division, which department shall represent themselves in the organization. The other interesting thing that’s important to note is when the White House held the Cybersecurity Summit in Stanford, February 13th.
In development of that conversation, key people at the White House wanted to make sure that people from FIDO representing what FIDO was doing would be in the room talking about what FIDO was doing. We then should probably talk about Apple for a second. And while Apple is not a member, what I’m encouraged by, and this is Philip speaking, not the FIDO Alliance,
I’m encouraged by the fact that what they’re doing resembles FIDO. Just like Safari resembles what the W3C consortium, who manages the browser specification, does. Apple has this kind of, we’re Apple. But we’re happy to embrace anything, any standard that makes sense. So we’re seeing compatibility between what they’ve done with Touch ID and what we’re doing with various implementations of our membership and those people who have embraced the standard.
George Peabody: Philip, are we seeing any, are mobile phone users in the U.S. starting to interact with FIDO-enabled relying parties?
Philip Andreae: PayPal was the first to deploy, and PayPal has a significant number of users now using their mobile phone, using what’s called the UAF standard, to authenticate themselves to their PayPal account.
Google was an early adopter. Google took the, what we call the U2F, the second factor experience, and was targeting people like, I should stay away from people’s names, but generals who are Gmail users and other people who use various Google services that want strong authentication to access their account.
So Google was in there. So
Docomo, who just joined, and I think this is probably the most interesting of what’s happening right now. So Docomo joined in May. When they joined, they came already equipped with solutions that they had deployed in the Japanese market with YouTube videos in Japanese that were showing facial recognition and fingerprint recognition and all kinds of FIDO-esque solutions where the underlining technology was based on the FIDO standard. And we have very recently created another working group which is focusing on deployment at scale, where all of the board members and other members of the alliance are working,
assembling to figure out, how do we move this out? And I think key to, and I know there’s people who sit there and go, has FIDO lost its way? We need to reflect on the fact that FIDO is very young when it comes to a standards body. FIDO within the first 18 months had published two completed works.
The UAF specification, the U2F specification, and it’s currently in the final throes of producing what we call FIDO 2.0. It brings all of that together, and as Microsoft has announced, is part of what they’re doing with Windows 10. And let’s remember, Windows 10 is in multiple browser environments, multiple establishments.
So they’re looking, and if you see the Windows 10 advertisement where the baby smiles, that’s a FIDO gesture.
George Peabody: So it sounds like we have a lot to look forward to with FIDO here. I am also suspecting then that for relying parties, we have this classical chicken and egg problem that for the relying parties to believe that there are enough participants out there or enough devices and applications to connect to, connect to them using the FIDO standard before they will commit to it.
Are you seeing that problem at all?
Philip Andreae: That’s what the deployment at scale working group is now addressing. If you think again about when did these standards come to life, if I go back to early 2015, the first two standards became public. Moved out of that, let’s make sure IP, et cetera, et cetera, is addressed,
protected, and made public. So intellect intellectual property. So so those two standards became public beginning of this year. The Fido 2.0 specification will become public, I can’t give you a date, but it’s imminent. It’s going to happen in a reasonable period of time. Now we get into the deployment phase.
And now you’ve got organizations, let’s pick some of the people at the board, Bank of America, American Express, Discover, Visa, Mastercard, who are all thinking about FIDO and how they’re going to deal with it. You’ve got people at the associate and sponsor level, Wells Fargo, you’ve got USAA who’s a board member now, you’ve got ING, you’ve got large financial institutions, who are trying to figure it out, trying to work through it, working inside the deployment at scale working groups to work through what are the licensing issues, and what are the compatibility issues, and how do we grade, etc.,
and make this thing commercially available? And then you turn around to Docomo, large telecommunications entity, very focused, driving, actually took and is chairing the deployment at scale working group, who’s busy out there trying to figure it out. You take Lenovo, has made major announcements about the use of FIDO.
So you’ve got large organizations, Microsoft, Windows 10.
George Peabody: Yeah, and the key point here that, of course, we’re most interested in the financial services aspect, but given those members and the roles of authentication, the folks who are interested in authentication go well beyond just payment applications, enterprise access, access to enterprise resources obviously being a huge one and just the corporate use of authentication
based on risk is a big application.
Philip Andreae: Right. And FIDO is really, it’s focus is not payment. I mean, it is one of the use cases. It’s focus is on accessing your Google Gmail account. Right. It’s focus is on accessing your mobile banking. account. Its focus is on accessing your PC.
George Peabody: And making that all straightforward and easier than the user ID and particularly password mess that we continue to find ourselves in.
Philip Andreae: Right. And then you go through the membership and you go, what’s Goldman Sachs going to do? And you kind of go, that could be rather interesting as I think about the stock markets and the bond markets and the commodities markets and what they may want to see happen with this thing.
You think about ING, what are they going to do? You think about Visa, where is it going to go? SK Telecom, where are they going to go? And I’m just looking now at the sponsor level. BlackBerry.
George Peabody: That’s right.
They’re hanging their hat on a more secure device. So that makes sense.
Philip Andreae: If we look at hardware vendors, Dell’s there, Lenovo’s there.
George Peabody: I think there’s a lot of good news here that besides the payment industry starting to get it’s security act together with EMV, with both encryption of card data and tokenization of card data, two ways, both for security tokens that get stored on behalf of a merchant, as well as payment tokens with the new EMV code spec.
Not only that, but now we’ve got the stronger wrapper, if you will, of authentication and a broader set of authentication tools. So I don’t think we’re going to be having the same kind of conversation in three to five years, Philip, that we’ve had recently. That’s good news.
Philip Andreae: The other one that I’m looking at and I’m thinking about is Netflix, where are they going to go?
I now see OSD. The German entities coming into this whole thing, so you’ve got some major, major players. You mentioned in the earlier conversation, this concept of NSTIC, the desire of the federal government to create this kind of concept called federated standards.
I’m sitting there going, well, part of the NSTIC problem is what’s the authenticator and you could easily take a FIDO authenticator in a federated identity environment and you now establish a relying party that somebody else trusts. And the fact that the relying party has established a relationship with my authenticator means that that relying party can extend that trust and that authenticator to somebody else.
George Peabody: And that’s a whole other kettle of fish in terms of folks being willing to make that step to basically outsource their trust to a third party, which I think for NSTIC, that’s the National Strategy for Trusted Identity in Cyberspace, that outsourcing of trust from the relying parties to an identity service provider, for example, that’s been sort of a bridge too far.
But what I appreciate about the FIDO approach or what the path that FIDO, and as you say Apple, enables is that we have more of a component, ground up based approach where as we get used to using new authentication tools at the edge of the network, where relying parties have the ability to choose which tools they will accept and won’t use, that out of that environment, we’re going to have a collection of brokers who actually may be able to fill in that role and occupy that role as trusted identity providers.
So, interesting stuff. Philip, thank you very much. It’s important to stay abreast of what’s going on with FIDO and specifically in authentication in general. So, really appreciate your thoughts on this. So thanks for joining us.
Philip Andreae: It’s always a pleasure.
George Peabody: All right, Philip. Thank you.