Financial Companies to Provide Stronger Authentication Methods; How FIDO Works

Financial services companies have the most urgent need for safer payment methods as their clients demand privacy, security and convenience in all transactions, according to FIDO (Fast IDentity Online) Alliance, which groups more than 200 companies and government agencies, including financial institutions such as Wells Fargo, Goldman Sachs and JP Morgan Chase, among others.

Bank clients may experience safer transactions as more financial companies, now including ING Bank of the Netherlands and USAA, join the FIDO (Fast IDentity Online) Alliance, to solve problems users face in creating and remembering multiple usernames and passwords.

FIDO protocols are based on public key cryptography and strongly resist phishing. Users register their device to the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic or entering a PIN. Once registered, they simply repeat the local authentication action to authenticate to the service. The user no longer needs to enter a password when authenticating from that device. The Universal Authentication Framework also allows experiences that combine multiple authentication mechanisms such as fingerprint + PIN.

The second factor FIDO experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login. The user logs in with a username and password, as before. The service can also prompt the user to present a second factor device at any time it chooses. The strong second factor allows the service to simplify its passwords, such as a 4-digit PIN, without compromising security.

The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information never leaves the user’s device, according to FIDO’s specifications overview.

The FIDO Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and change the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords.