In my previous blog posts I took you through the last 30 years of digital banking security and how it has evolved into what we know and use today. In my cliffhanger I mentioned FIDO and passkeys and how they will change the landscape – it’s time to dig deeper and discover how this technology will mark a new era for Strong Customer Authentication (SCA).

FIDO Alliance

FIDO Alliance - Simpler stronger
Source: FIDO Alliance, https://www.slideshare.net/LoriGlavin2/fido-masterclass

In 2013 the FIDO Alliance was founded as an open industry organisation with a very focused mission: to build authentication standards that help reduce the world’s over-reliance on passwords. To do so, FIDO Alliance has released a set of new specifications and protocols for SCA based on the combination of biometrics as the first factor and possession as the second factor. In short: no knowledge factor and no passwords.

FIDO Strong Customer Authentication

What the FIDO protocols do, for a given user and service, is generate an authenticator consisting of a cryptographic key pair on board a FIDO-enabled device; the private key remains on the device, while the public key is sent to the service provider’s FIDO Authentication Server. Once an authenticator has been generated and registered, it can be used to securely authenticate the user on that device. The user presents biometrics that are checked locally on the device, and a successful biometric match triggers the cryptographic exchange between the device and the authentication server that validates the device.

FIDO Alliance - Authenticator
Source: FIDO Alliance, https://www.slideshare.net/LoriGlavin2/fido-masterclass

FIDO native support on devices

FIDO Alliance - Companies
Source: FIDO Alliance, https://www.slideshare.net/LoriGlavin2/the-state-of-strong-authentication

An impressive list of companies has joined FIDO Alliance over time, including chip makers, computer and smartphone manufacturers, payment schemes and banks. But, most importantly, Microsoft, Apple and Google all joined and pledged to support FIDO at OS level on Windows, Mac OS, Android and iOS. That pretty much grants native FIDO support to all laptops, PCs, tablets and smartphones.

With that level of ubiquity and underlying “plumbing”, FIDO has a strong chance of becoming the next mainstream SCA technology. As of January 2022, according to FIDO Alliance, more than 4 billion commercial devices with native support for FIDO were already deployed worldwide. That is a big deal: OATH has been the dominant standard for strong customer authentication for 30 years, and we never enjoyed native support for it on PCs, laptops or phones.

What is WebAuthn?

FIDO Alliance has gone one step further – it reached out to W3C, the standards body for all things internet, and worked with it to define a new standard API, published by W3C under the name WebAuthn. As its name hints, the purpose of WebAuthn is to enable any web service to call the OS of the device it is running on and request FIDO-based authentication. Never before had it been possible for web services to directly integrate strong customer authentication – the best we could do was initiate an out-of-band push from the web service to a mobile app on the user’s smartphone, where SCA could be implemented via an SDK. Now, with WebAuthn, a user with a FIDO-enabled laptop and a WebAuthn-enabled browser can register, store and use a FIDO authenticator for that service on that device, with a user experience as sleek as simply presenting biometrics on the device. WebAuthn was published by W3C in 2018 and is today supported by all major web browsers, including Microsoft Edge, Google Chrome, Apple Safari and Mozilla Firefox.

FIDO is everywhere

So, in summary, as of January 2022, current OS versions used by every single smartphone, tablet, PC and laptop are already FIDO enabled – and every major browser is also ready to use FIDO thanks to WebAuthn.

FIDO Alliance - Native Support
Source: FIDO Alliance, https://www.slideshare.net/LoriGlavin2/fido-masterclass

Now, if only service providers and end users would know about it …

The future is passkeys

FIDO Alliance - Press release
Source: FIDO Alliance, https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/

On May 5, 2022, Apple, Google and Microsoft issued a joint press release (PR), in what appears to be a first: it is the only joint PR from the three I can find on record. This PR, in essence, is a very strong pledge to kill passwords.

The first paragraph sums it all up:

“In a joint effort to make the web more secure and usable for all, Apple, Google, and Microsoft today announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.”

They also gave a name to the technology for end users to refer to moving forward, “passkeys”.

The media impact of the announcement was immediate, with lots of articles and commentary. In the weeks that followed, Google and Apple unveiled their specific plans for passkeys at their annual developer conferences, Google I/O and Apple WWDC. Apple announced that passkeys would be deployed commercially on iOS 16 and Mac OS Ventura, set for release after the summer. Google and Microsoft also released developer resources that let developers start building passkey support into web services.

What can we expect next for authentication?

So we have a name, we have documentation for developers to do the work, and we have all the OS and browser support we need. Now it’s just a matter of time before we see more and more services supporting passkeys. Users are going to love it. Service providers, including financial institutions, are going to love it… There is not a single cloud in the sky… or is there?

In my next blog post, I will look in detail at passkeys: how they differ from FIDO authenticators as we knew them, their unique benefits, and the unique concerns they raise for some financial institutions (FIs).

I will also speak on this topic at the FIDO Authenticate conference in Seattle on October 18.

For further reading, visit:

The post The Evolution of Digital Banking Authentication – Part 3 – FIDO and Passkeys will rock the digital world appeared first on Cybersecurity Insiders.

2009 was the year that changed banking forever. It was the year we saw Apple launch the iPhone and in no time, feature phones were a thing of the past. Smartphones were everywhere, bringing with them mobile apps which went on to pave the way for the digital banking revolution that we know and use today.

In my last blog we delved into the evolution of remote financial services, exploring the steps that led us up to this point in 2009. But even since then, in just 13 years, the digital banking landscape has evolved even further, and continues to do so. So how did the smartphone era impact digital banking?

The rise of soft-tokens

The first use the banking industry, among others, made of mobile apps brought us “soft-tokens”. Soft-tokens were the software version of a hardware OTP token, turned into a mobile app. The user would still access the banking server through a PC or laptop, presenting a password as the first authentication factor, but would now open a dedicated “authenticator” app, issued by the bank (or a bank’s trusted third party), to get an OTP on their smartphone. Switching from a tamper-proof offline device to a software token generator running on a multipurpose, and very much online, device was, again, a major concession of security in the name of better UX and lower costs. The innovation was received reluctantly… yet quickly embraced by more and more banks. The phone, whether through apps or through SMS OTP, became the mainstream possession authenticator during the 2010s.

But smartphones had an even bigger impact than that. They became not just an authenticator, but a channel. Banks started to replicate their digital web services in the form of mobile apps. Mobile banking (m-banking) was born as an alternative to internet banking (e-banking) and users were fast to embrace both the UX offered through apps and above all the “anytime, anywhere” access to digital banking services.

Integration of Software Development Kits

Mobile in-band strong customer authentication

Mobile banking apps also needed to be protected with SCA, and so they started to incorporate OTP generation capabilities, often by integrating Software Development Kits (SDKs) from security specialists like Thales. These SDKs evolved to implement many software security features to protect the sensitive OTP generation process, and even to add overall protection to the m-banking app, so over time the security of the apps improved.

But the improvement in UX was even greater. The mobile app could now generate an OTP and send it silently to the authentication backend to validate the possession factor, in real time and transparently to the end user.

Biometrics become mainstream

Mobile in-band strong customer authentication with biometrics

In 2013 Apple launched Touch ID on the iPhone 5S, and in 2017 Face ID on the iPhone X. The smartphone industry quickly followed suit, and through the second half of the 2010s biometrics became mainstream on mobile devices. For mobile banking, biometrics quickly came to replace knowledge as the “first” authentication factor of choice for end users – a solution fully compliant with the most demanding banking regulations, such as PSD2 in Europe.

Out of band

Out of band strong customer authentication

The security, and especially the UX, offered by mobile banking apps got so good that banks wanted to leverage them to offer a better access experience through all the other channels available to their users: mainly, of course, e-banking via PC/laptop, but also channels such as voice calls or even ATMs. For example, to start e-banking on a PC/laptop, where biometric support was not adopted as fast as on mobile, in 2020 a user is still asked to enter username and password. But thanks to out-of-band authentication, there is no need to type an OTP anymore. Instead, when the user presses Enter, the banking server triggers a push notification to wake up the bank’s mobile app on the user’s smartphone. The user opens the app, and the app silently generates an OTP and sends it to the backend as proof of possession. “Out of Band” (OOB) refers to the fact that the authenticator is a different device from the one used to access the service. This in itself brings enhanced security. As for the UX, OOB involves more friction than what we achieve for m-banking, but it is significantly better than having to type in an OTP.

Banking today

In band out of band SCA comparison

This long journey has brought us to where we stand today. We started the 2020s with all the different legacy authentication methods mentioned above still in use by banks all over the world. But the state-of-the-art SCA in banking at the start of the 2020s can be summarised as:

  • Biometrics + in band mobile app OTP for m-banking
  • Password + OOB mobile app OTP for e-banking and any other channel

Technology advances have allowed us to greatly improve both UX and security over time, though not always in a straight line. For over a decade we faced a compromise between security and UX, and financial institutions (FIs) had to accept degrading one in order to improve the other. But with the arrival of smartphones we have been able to leverage the connectivity and power of these devices to improve both UX and security to where we stand today.

The future of banking

While FIs were implementing all these changes to their banking services, and users were being exposed to them, something else has been going on behind the scenes over the last 8 years. Something that was revealed to the general public in the summer of 2022, but that will change the way we access digital services over the next decade.

We are indeed on the brink of a major paradigm shift for authentication to digital services.

The arrival of FIDO Passkeys

Evolution of strong customer authentication

Experience from the past tells us that the arrival of FIDO Passkeys is likely to drive financial institutions to address end user demand for an even better UX, as well as associated legitimate security and service continuity concerns.

This October (18th), I will speak at the FIDO Authenticate conference in Seattle about the evolution of security and UX in financial services – along with the technology solutions that have helped this to grow.

Stay tuned for my next blog post where we will look at what FIDO, WebAuthn and Passkeys are, and what impact they will have on digital banking services in the coming years.

For further reading, visit:

The post The Evolution of Digital Banking Authentication – Part 2 – The Digital Banking Revolution appeared first on Cybersecurity Insiders.