NIST Publishes Guide for E-Commerce MFA With FIDO Standards
Last week the NIST Cybersecurity Center of Excellence (NCCoE) published a guide on strong authentication for e-commerce applications. This is a significant milestone for the Identity & Access Management (IAM) space because the publication is one of the first NIST guidance documents to leverage the FIDO specification.
This guide comes two years after NIST deprecated SMS one-time passwords as a method of authentication due to numerous security risks and SMS bypass attacks that require little effort. The SMS problem is so prevalent that Germany recently passed legislation to stop using the SMS OTP method altogether.
Below is an overview of the guide as well as some of my thoughts around the feasibility and security of what’s covered.
Using FIDO to Stop Account Takeover (ATO) Fraud is Similar to What EMV did for Credit Card Payments
The publication covers how the commerce industry has added stronger methods of authentication for in-person purchases by requiring chip-based credit cards. In the e-commerce space, however, high rates of ATO fraud persist because purchases are made with shared secrets such as credit card numbers and passwords. By requiring MFA that doesn’t rely on shared secrets, we can stop ATO by requiring the user to prove possession of a private key that stays on a device they hold at all times. This approach offers a similar level of protection for e-commerce transactions as we currently see for in-store purchases using the EMV chip method of payment. When we force the hackers to have physical access to a user’s device in order to take over their account, we fundamentally change the economics of the attack and help businesses eliminate e-commerce fraud.
Are All FIDO Implementations the Same?
The short answer is no. HYPR has been a part of the FIDO Alliance for several years, and if there’s one thing we’ve learned, it’s that not all FIDO is the same. Many implementations are purely technical exercises that do little to improve the user experience. Others are comprehensive and pass conformance testing but are anything but trivial to implement and deploy, causing friction for the enterprise trying to secure its users.
The most concerning part is that most implementations are still using FIDO as a tactical Band-Aid rather than providing a strategic solution. These tactical implementations make FIDO – the winning authentication standard – a sub-component of a broader MFA platform. In doing so the organization ends up cutting corners on user experience and reducing security by allowing users to fall back to a far less secure method of authentication that relies on shared secrets.
Flawless User Experience Is No Longer Optional
Previous attempts at stronger authentication have failed because of one main reason: cart abandonment. Many e-commerce stores are willing to take on a certain amount of fraud if it means the user won’t abandon the cart and go to Amazon. However, we live in an era of the big bang breach where tens of millions of shared secrets (passwords, OTP seeds) are stolen at one fell swoop and where attackers can leverage tools like SNIPR to weaponize them against e-commerce stores with a trivial amount of effort.
The NIST publication mostly discusses the use of U2F security keys as the strong authenticator. That is absolutely correct from a security standpoint, but it presents a significant cart-abandonment risk because users now have to carry another thing on their keychain, plug it into their laptop, and then perform an authentication. That’s a lot of time to think things through as you’re making an impulse buy. I’d be interested in seeing how adoption of the FIDO2 specs will outpace the recommended use of a U2F token. The new FIDO2 specification allows shoppers to use platform authenticators built into the laptop, desktop, iPhone or Android device itself, so the user can authenticate with the same level of security without typing a password or plugging anything into the computer.
NIST Guidance May Be the Door, But Private Sector Adoption is the Key
The NIST guide did a proof of concept implementation with the Magento e-commerce product. This is a step in the right direction because the majority of e-commerce stores aren’t Amazon and therefore do not have thousands of software engineers to create complex profiles of fraudulent behavior. Now we just need the businesses to adopt this approach. The path forward is to provide a strong authenticator enrollment into popular e-commerce providers (Magento, Shopify, BigCommerce, Squarespace, etc…) so that businesses can push the “easy button” when it comes to providing a strong FIDO authentication experience for their customers.
Co-Founder and CTO, HYPR Corp