Webinar Recording

Fighting Fraud With Strong Authentication


Log in and watch the full video!

Strong authentication is one cornerstone of web security. However, account enrollment and account recovery processes are leaving gaps in the credential management lifecycle that allow bad actors to perform account takeover and get into our networks. Increasingly, these bad actors aren’t even real. Stolen identity information that is used to create new fake IDs, known as synthetic identity fraud, is a fast-growing form of fraud.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Good morning. Good afternoon. Thanks for joining today's webinar where our topic is fighting fraud with strong authentication. I'm John Tolbert lead Analyst at Cooper Cole. And today I'm joined by Andrew Shakar, executive director and chief marketing officer for the Fido Alliance. So a little bit about us before we begin keeping our goal is a global Analyst firm and we focus on three major subject areas, identity and access management, cybersecurity and AI. So we do research. We publish research, we do events, conferences, web like this one. We also do advisory projects, which are high level consulting kinds of engagements, where we help clients with roadmaps in, in RFPs and things like that.
We've recently launched a new platform for searching and using our research. We call it KC plus it makes it easier to search for content and grab just the information that you need. And you can for 800 euros a year, you get full access to the entire library, including our leadership compass documents, which are our comparative reports. So regarding events, we've got AI impact coming up in Munich next week. And our flagship event is EIC the European identity and cloud conference, which is in Munich in may and then cybernetics world coming next fall in November more details coming soon.
So for the webinar everyone's muted, there's no need to mute or unmute yourself. We are recording the webinar and both the webcast and the slides will be available by tomorrow and we'll have a Q and a session at the end. So there's a control panel and a blank for questions. Feel free to enter your questions as we go. And we'll take those questions at the end. So I'll start off and talk about an overview of the fraud types and the trends and different mitigation techniques. And then I'll turn it over to Andrew who will talk about Fido and KYC, and then we'll take those questions at the end.
So let's start off with looking at the different techniques that fraudsters used and what the trends are. Unfortunately, cyber crime is a growth industry. It was estimated to be about 3 trillion worth of drain on the global economy in 2015, and projected to be up to $6 trillion worth of drain on the global economy by 21. So which industries are targets well, like you might expect banks, financial institutions, various payment services of course are very hardly hit, but then also retail, you know, retail sites commonly targeted by fraudsters. Same thing with gaming, you know, gaming site operators not only have to deal with fraud in terms of, you know, credit card kinds of fraud, but also in game items that may have value. And then also DDoS attacks. So lots of different kinds of tax on gaming sites.
Insurance can be pretty highly targeted as well. And I'll, I'll dive into that just a bit more telecommunications, you know, in, in various countries around the world, telecom providers often facilitate payments. So they're, they're quite often attacked healthcare. This is both healthcare providers, hospitals, health records, maintenance organizations, and then health insurance, because there's a lot of valuable PII, personally identifiable information in health records that you don't necessarily find in places like retail sites or even banks. The travel and hospitality industry has really been targeted a lot in the last couple of years. Anything that can be convertible into cash like rewards programs, frequent flyer miles, for example, and real estate as well. The real estate escrow misdirection attack is, is still happening.
So at a high level, we wanna talk about, you know, the various forms of fraud that we see the most common ones, there's new account fraud, account takeover, fraud, insider, and ATM transaction skimming, or payment, any payment skimming. That's not really in scope for what I wanna address today, but here are the three that we'll we'll look at in more detail. Are there methods that are used banking overlays, think of this as like a malicious mobile app that grabs credentials over the top of a, a legitimate mobile banking app travel site overlays. Same thing. You'll notice the common theme here on this screen is grabbing legitimate user credentials. So screen scraping. This is a technique that unfortunately, a lot of real sites still use, cuz they're not using more modern technology for getting information off web forms and posting it key loggers. This could be a root kit, you know, on, on a PC or key loggers for mobile, again, designed to capture usernames and passwords crypto jackers.
You know, this started off kind of as a legitimate thing, you know, in order to pay for running a site, you know, you might run ask your visitors to mine, a little cryptocurrency while they're on your site, but it didn't take long for bad guys to figure out that you could do this and, and have people mine in cryptocurrency all the time. Usually in the narrow, in this case, and this has gone down a little bit in popularity in the last month or two. So that's, that's a good thing, but you know, here it's using somebody else's resources to mine, your cryptocurrency real estate, escrow misdirection. This is where, you know, take over or a real estate agent or escrow agent's account, send some last minute instructions where to send the final down payment. And once it's transferred, it can't be reclaimed. So pretty bad attack there. And then fraudulent insurance claims. One of the reasons why insurance brokers or agents credentials are so valuable is they can approve fraudulent insurance claims.
So new account fraud, excuse me. In this case, malicious actors like to get ahold of things like email addresses, the phone numbers, names, physical addresses, social security number dates of birth. And this is another reason why things like healthcare records or government records are valuable because they often collect this more sensitive kind of information that's used in the proofing process. When setting up new accounts for fraudulent activities, malicious actors are, are doing it for financial fraud to create mule accounts, being able to move money around that maybe they've gotten, you know, as cryptocurrency and they need to convert the, they can use it for opening credit cards or other kinds of lines of credit.
Why would they do that? Well, it takes a little more effort to start that, but once, once you have a, a new synthetic account, it's a bit easier for them to steal stuff than it is with just using credit card numbers that they might have bought online on the dark web. So mitigation techniques here, a lot of this is perpetrated by bots. So bot Intel bot management, better identity vetting and proofing. And then in some cases, credit freezes and fraud alerts can help to help out here account takeover, fraud, fraud. This is where, you know, most commonly as you know, so many password databases have been breached. They're available on the dark web. So they'll bad. Guys will use this for credential stuffing attacks. They'll go get, use their names, password combos, and try them against other sites. Also used for financial fraud, but it's, you know, it's a much broader kind of attack base.
It's not just banks and financial institutions, but can be pension accounts, 401ks insurance, medical, here's where frequent flyer programs can often be targeted. Especially if people use the same password, you know, on multiple sites, any kind of rewards program or anything that's convertible to cash or of value is at risk for account takeover. And here we say things like multifactor authentication, risk, adaptive authentication. These are important mitigation techniques for account takeover. And it's always best if it's powered by fraud and threat intelligence. And this is why we also tell people don't reuse passwords between sites, but ideally we wouldn't be using passwords at all there much better mechanisms. And Andrew will tell you about that with Fido in a few minutes,
Then we have insider fraud. This can be used for financial transfers, but also things like stealing company, intellectual property or customer data. Of course, this is done by disgruntled employees or people who have other financial problems. Mitigations here can be, you know, using privileged account management, segregation of duties and risk-based authentication as well. Don't give them, don't give any user any more access than they need on the inside. And then lastly having an insider threat program as well, so strong authentication for fraud reduction, you know, the least common denominator seems to be used in KBA knowledge based authentication or security questions. You know, this can be mother's maiden name. What school did you go to? What was your mascot? What was your first car? You know, so much of this information is widely available online, you know, even in nice unprotected places like social media, I just grabbed a couple of shots here of, you know, trying to get information about what your kid's name or your, your mother's middle name. So, you know, this information is out there. This is not good to be using this for authentication or password reset or account recovery at all.
Fortunately, we see a lot of companies moving away from passwords, you know, in, in year after year, we hear from places like the Verizon data breach report, you know, at least 80% of all attacks involve compromised passwords. So getting away from passwords is the right the right direction to be moving, you know, and there are other mechanisms. So there's starting with say a social login and being able to do some risk adaptive authentication on top of that, or increasingly the mobile sector as well. So the mobile device is a second factor. People are more inclined to use multifactor authentication on anything. That's perceived to have some value like, like bank sites or insurance now. And it's not just moving away from username and password, but moving to what we call more of a continuous authentication model. So that various factors are being checked in the background all the time.
So why mobile is important? Well, it kind of hits two of the three requirements for strong authentication. You know, we commonly define strong authentication as something, you have something, you know, something you are in the case of using a mobile device. That's that second channel. So a mobile with a biometric is a combination of something you have and something you are. And then, you know, entering a pin in a mobile application is something you have and something, you know, so risk adaptive, authentication, that's performing risk analysis, looking at a variety of factors. It can be things like environmental attributes. Where, what time, what network did you come from? Do we think this is perpetrated by bots or influenced by malware? It can include information about the device. We'll look at all these in more detail in a minute, but you know, device Intel history, health, and then attributes about the user as well as user behavioral analysis. And then this is the risk adaptive part comes in where we're looking at these various factors at transaction time or run time, being able to determine whether or not maybe step up authentication needs to happen or some sort of out ofAnd authorization pop up.
So other fraud reduction techniques beyond strong authentication or multifactor authentication include things like identity proofing and vetting credential intelligence, device intelligence bot, Intel bot management, and the use of behavioral or passive biometrics as well as user behavioral analysis. And I'll go into a little bit about each one of these here. So bots, you know, a lot of the background activity on the web is as a result of various bot activities and not all bots are bad. A lot of it's, you know, very useful things like web crawling search engines. Some companies allow other companies to do inventory crawling and figuring out, you know, what they have if they're resellers. So there's, there's lots of real business use cases for bots, but a lot of bots can be bad too. And there are various techniques that are used to figure out which ones are good and bad.
So like malware, there are signatures that some bots have that can, you know, it's a collection of activities. Bot intelligence programs can look at incoming activity, compare it to signatures of known bot activity and be able to reject it if needed some solutions involve using embedded pixels on screens, but more commonly we see using JavaScript drop from the site on the browser to do things like behavioral or passive biometrics over here. We'll get into that too. Then. It's really important to look at large volumes of data, to be able to figure out what's legitimate, what's not, and then apply, you know, machine learning or deep learning algorithms to determine what's normal human user behavior versus bot behavior. And then again, the behavioral or passive biometrics is another good indicator of human activity instead of bots.
And I put this up just because this, this comes from a game, I forget which game, but this is like the mouse activity. And you can see one's a little bit more colored in, but essentially the patterns are very similar. So even, even bots can be randomized to try to look like human behavior. And in order to evade detection, the people who are writing bots are, are constantly trying to defeat bot signature detection methodologies. So we call it bot management rather than just, you know, bot Intel or, you know, rejecting all. Because like I said, there are many good bots out there that are necessary for business, but there are, you know, a lot of bad ones. And then some that you're not really sure about. So gray bots in that case, what we do there is challenge the bots. I'm sure we've all seen captures.
Those are trying to figure out if it's a real human behind the, the site or a bot IPS can be blacklisted or whitelisted, but this is where threat intelligence is really important. Cuz simply locking out an IP doesn't really work given that IPS changed so frequently and even, you know, malicious actors move around their, their bots to different IPS really quickly and the order of minutes sometimes, and then different ways of handling them can be throttling. It let's say you've got a legitimate bot, but you know, you don't want it to interfere with your real user business. You can, you can allocate a certain amount of bandwidth for that. You can send them to a cash and maybe even temporarily redirect.
So what is behavioral or passive biometrics? It can be things like keystroke or mouse analysis. You know how you're using the mouse time, the flight time dwell time as you're typing. Those can be good indicators of whether or not it's the same registered user. Of course that's coming from a PC. If it's, you know, coming from a mobile device, we talk about swipe analysis, how you, how you interact with the screen, how hard you press, even gyroscopic analysis phones have gyroscopes in 'em users tend to hold and interact within the same way. Gesture recognition, which networks or wifi SSIDs are you commonly in connection with, you know, maybe appearing on a, an unusual one, maybe in connection with being on an unusual mobile network coming from a different geolocation. Maybe that's something that should set off a red flag. There are other kinds of passive biometrics, but you know, taking all together, this could be a, a pretty interesting and rich set of information upon which to make authentication or, you know, continuous authentication or authorization decisions. But again, it takes, you know, pretty large volume of data to be able to determine a baseline for a given user.
So user behavioral analysis, some identity or consumer identity platforms integrates with social media. So you can get a feel for, you know, what the user's doing online. Also, you know, a lot of these things you might call identity analytics, frequency, time to logins, failed log attempts for banks or retail sites. There's lots of emphasis on things like transaction types, amount, frequency, what the patterns are over a long period of time. You know, we usually tell people it takes at least six months worth of data up to a year, you know, to get a really good baseline for this, to be able to properly alert adjustments for known travel, say you are going on vacation or a business trip. You don't wanna be interrupted by the, you know, say your credit card provider. So being able to corroborate some of the information about known travel can improve the user experience and, and you know, again, machine learning AI gets a lot of hype these days, but this is an area where it's, it's real necessity to be able to pull out machine learning algorithms to these data sets because they are so large human Analyst just, you know, wouldn't have the time to do the device.
Intel includes things like, you know, IP network, IP reputation, has it been used in a text before geolocation geo velocity. Sometimes we call geo velocity impossible journey. This would be, you know, logging in from, you know, Bolivia and then trying to log in from Japan an hour later, we know that's not possible. Then various things about the device itself, the ID, the type, you know, is an Android versus iOS fingerprint here. I don't mean the fingerprint reader on the device, but you know, collecting a variety of attributes to sort of give it its own unique signature reputation, health assessment, you know, does it have some sort of anti malware what's the OS level OS patch level? Can you get information from the mobile network operator about the, I M E I number, figure out if SIM swaps have occurred and then other things that may be installed there has the device been jail broken or rooted.
And then again, we're dealing with such large volumes of data that the only practical way to do this is to utilize machine learning algorithms, to detect anomalies for credential intelligence. You know, a lot of providers will use their own in-network information. So let's say you're a big identity provider or a telecom network, maybe. So you've got information about all your customers and whether or not, you know, they've been logging in legitimately or they have a lot of failed or suspicious logins. That information kind of can be shared throughout their network, a little less commonly, but you know, just as important as to be able to get this information from third parties. So being able to consume feeds of compromise credential Intel, or make API queries against third party compromise credential sources is a good distinguishing factor to look for. And then again, all this feeds into the risk analysis decision process, you know, you've also have to look at how current this information is. You know, if you look at like, have I been PED, you'll see things that may be just a little bit out of date. Somebody might have fixed their account. Can it be corroborated across multiple sources that might tend to raise the risk level too?
And then last major topic here for me, identity proofing, this is important really is a sort of a cornerstone method for reducing fraud. I think it's, it's about validating a person against authoritative. Usually government issued documents it's to comply with anti-money laundering laws and know your customer regulations, very commonly receive people using either passwords or passports or driver's licenses. And the goal here is to increase identity assurance. So an example might be, you know, in the olden days or, you know, even yesterday, I'm sure people did this user wants to create a bank account. So they have to go to a bank. They have to present one of these official documents. A bank employee will look at them, look at the documents, decide, okay, this is the person let's let them open the account.
But you know, we see some app providers, mobile banks, mobile banking apps, allowing maybe a little bit more modern tech where instead of going to the bank to create the account, the user can use a mobile device, do some sort of selfie photo verification against the authoritative document. Maybe use NFC to read, you know, chips inside document and then get the account without having to go in, in a person and do this. You know, banks are interested in this because the process can be kind of labor intensive. It costs a lot of money, but I wouldn't say that this is a panacea because there are obviously different kinds of attacks that could be instigated against this kind of scheme. So with that, I will turn it over to Andrew to talk about KYC and Fido in more detail specifically around this identity and authentication.
Great. Thank you, John. And thank you all for attending today. It's really good to be here to talk about, you know, preventing fraud of strong authentication and the role of identity verification therein. So my name's Andrew Shikha again, I'm the executive director and chief marketing officer at Fido Alliance. For those of you not familiar with Fido, I'm gonna give a little background on, on who we are and what our focus is. And I wanna look at two key steps that we see that you can take to help prevent fraud, leveraging phyto standards and, and some emerging work that we're doing with phyto Alliance. So the first step is to, you know, strengthen defense against fishing using phyto authentication. And so we look at point of login and this has been our goal since the very beginning phyto Alliance was launched in 2013 to address the password problem.
Right? We see, you know, passwords as the cause of many data breaches as John referenced, I see that presents significant usability challenges and it presents, you know, very significant security challenges, right? And so the traditional approaches of authentication have been passwords, which have, you know, very poor security of course, and also poor usability. At least if you're, you know, if you're gonna remember those passwords, they're gonna be very reasonable, which makes them less secure Fido of course, is not the only approach to multifactor authentication, you know, preexisting Fido where things like OTP, tokens, SMS, OTP, other other, other forms of, you know, one time passwords, whether it's a T OTP or SMS OTP, those certainly are more secure than passwords alone. Right? So to be clear, anything on top of password is better the password alone, but they still have gaps. They certainly have usability gaps in the sense of, you know, the traditional kind of token key chain problem.
Or if you're looking at an SMS OTP, you know, delivery reliability or the requirement to type in a code from a, from a device to a PC, but perhaps more important, you know, there's still not Bulletproof, right? They still have significant security gaps that can be packed into technically or social engineered. Right? Cause ultimately what we're trying to change is not just passwords, but shared secrets, right? Secrets that sit on a server where anyone can hack into them or where they can be easily replayed or phished. That is true. Whether it's a password or an OTP and OTP is a shared secret just for a much shorter period of time. So what we're trying to do to address this is introduce open standards that leverage public cryptography and require single gesture and, and ultimately result in phishing, unable multifactor authentication. But it's really the blend of simplicity and security is really important because if things are too difficult, uptake and adoption will drop off.
So as I mentioned, Fido has been around since 2013, the logos you see here, this is our board of directors. It it's really the right set of players that need to have sitting around the table to address the password problem. Right? So it's companies who create the devices that you use every day that are literally in your fingertips. So we're talking about groups like the platform providers like Microsoft and Intel and Qualcomm and arm device manufacturers like Samsung. We have security specialists, experts in biometrics and security, and then last but not least the service providers whose businesses are dependent upon their ability to, to deliver high assurance services to users worldwide. So they, they are dependent on stronger authentication and reducing fraud. They bring the use cases into Fido and organization. The Alliance builds specifications and related outputs to help address those challenges.
So lemme back up a little bit to explain how Fido works at a very high level by looking first at how old authentication works, right? So this goes back to the shared secret problem that I mentioned. Traditionally, there's a direct connection between a, a user and, and a server using some sort of sort of device, but ultimately there's a shared, there's a secret on the server. And then I, I validate who I am by entering in that secret, the problems there are are rampant as we've already discussed. So I don't need to go into those more detail. What Fidos introduced is a concept called the phyto authenticator. So the authenticator is both a concept and it's also a physical construct as well as I'll get into. So rather than me or the user authenticating themselves directly to the, the server, you know, the authenticator serves almost as an intermediary, you know, so the, the user verifies themselves with the authenticator and the authenticator handles the authentication process with the server the way this works.
When I, when I go to first enroll myself, my, my pH credentials with an account, a unique key pair is established right with a public key sitting on the server and a private key sitting on the authenticator note that the core difference here is instead of a shared secret sitting on the server that has material value. There's a public key, which has no material value, right? So whereas someone, someone steals my secret, they could try to stuff it on another site, which is very often the source for fraud. The public key cannot be reused for other sites or anything, anything outside of this, this unique key pair. When I go to authenticate, there's a, a challenge response dialogue between the authenticator and the public key note. The authenticator can only be activated if you will. After I, I verify myself with the user gesture, right?
So whether that is using a biometric or using a say security key to, to validate presence, you know, that's what initiates this authentication process between the authenticator and the server. So key thing to understand again, is that, you know, we're taking, moving from a centralized model of shared secrets where everyone authenticates to central server to one that's more decentralized, we're authenticating locally to your device using single gesture, user verification. Now, another important thing to understand is, you know, so why is this UN fishable? And so in this challenge, response dialogue between the authenticator and the server, you know, between the key pair, basically, there's a lot of unique attributes about that key pair that needs to fit just so for authentication to, to, to happen. There's also a lot of metadata exchanged between the authenticator and the server that adds added value on top of the authentication process.
So metadata, for example, carries a lot of certification information, right? So if you're the service provider, this gives you more flexibility in determining, you know, who's authenticated under, under which circumstances. And I'll talk a little bit more in a couple minutes about our security level certification program, but it's made that metadata helps ensure performance and interoperability. It enables policy based on the authenticator security level. So John was talking earlier, you know, about, you know, risk based authentication, ultimately, you know, Fido, you know, feeds into risk engines, right? So authentication is always an exercise of, of, of balancing risk versus granting assets of services. And so Fido helps feed into these risk engines. And the metadata that comes during the authentication process is really a really critical ingredient for those risk risk scores. So for example, if you have a, a policy that requires someone to have what we'll call an L two certified Fido authenticator, if they don't have that, you have a couple choices, right? You can start triggering this a process where maybe they need to do a step up authentication or some other form of authentication, or they're just rejected, right? So this policy is ultimately dependent on each organization's requirements and each organization's view on user authentication.
So common question we get, you know, so when going back to the authenticator, the authenticator, you know, find authentication like any sort of multi multifactor authentication, you know, it looks at, you know, one of three things, right? It's, it's a, the three truths of authentication authentication can be what, you know, so a password, what you have so proof of possession of the device or who you are, you know, your, your biometric, basically something verifying you individually. And so when we look at, and so, so final can work in multiple ways. So it can, it can function as a second factor using security keys on top of password. So these have been popular lives by companies like Yubico UBI keys, where you're simply, you know, tapping a inserting, say a USB key or touching it using Bluetooth or NFC, whatever it is, you're verifying presence. In that case, the biometrics you're verifying yourself, you're leveraging the biometric and the presence by, you know, obviously being in possession of that device.
So the biometric front, we get often get questions that well what's pH doing. That's unique to say touch ID or face ID or the device API. And I think it's really important, important to understand that, you know, these things are not created equal. So with Fido, you're implementing the architecture that I showed before, the high level architecture where you're, you know, moving away from passwords and implementing asymmetric public iconography, where you're, you know, eventually moving beyond your password based database and replacing those passwords of public keys. A lot of times when you just leverage a device API, all you're doing is masking the password. The password's still being sent. You're still, you know, you still have the, the password liability on the server side. It's not really protecting the user. It's just adding a better user experience. More convenience for the user certainly is important, but it's not preventing you against a lot of the, the, the fraud risks that John has talked about earlier in the presentation.
Whereas when you're using Fido, you are, you know, providing the better user experience, the simpler aspect of that's so important to adoption a strong user authentication, but were also implementing all the goodness that comes with bio authentication. So you're, you can move beyond passwords. You can truly move beyond passwords by having a public key database, rather than a password database. It has the metadata benefits associated with that and all the other, you know, kind of side benefits of, of working with kind of a standards based architecture, you know, as we move forward with the latest set of specifications fi oh two, which I'll talk about momentarily, you know, and, and kind of this, as people work on their path for list journey, you can start with the native first say architecture using a pH server on the back end, and whether you're using a native app or using mobile web, that same architecture that you've implemented could then be extended to support authentication on websites as well.
It also allows you to work with, you know, heterogeneous vendor ecosystem that all have, you know, certified products. So it's very important to understand this, you know, to delineate between the simple device API is the password, you know, password replacement on the, on the service user side, only to one that really frees the service provider from passwords and brings added open standards benefits. So fi had two initial specifications focused on second factor authentication called U two F and biometric authentication called UAF universal authentication framework. Most recently we released was called Fido two fi oh two extends both a second factor use case, but also introduces pH to the web. And the key thing that key element of Fido, two, something called web a or web authentication. This is a specification that came out at w three C. That is the standard. Now for user authentication on the web pH brought this specification to w three C as we realized, have to gain scale.
We needed to, to, you know, hit platforms and with the web being, you know, the most notable platform, all of all. So we contributed our APIs, two W3C that that began the web piece. And so that is essentially 5 0 2 is the web spec, plus our own second factor spec called CTAP client two authenticator protocol, which allows you to again, use the second factor token, or now your handset as a second factor to authenticate to your desktop. What's very important though, about Fido two is that, you know, this is ushering in the next phase of Fido authentication. So for those of you on the line who are wondering, well, this all sounds good, but you know, how many people can I reach Fido two is bringing, you know, massive endpoint reach and end user reach in, in way that we couldn't before. So some examples of this, just this year, we've seen both Android and windows become five, two certified platforms. This means that any user, any of your customers who are on a, a Android seven later handset or windows 10 desktop, can leverage the built in biometrics as a pH authenticator, right? So if you're service, if your web website, as a pH two server or influence web, which is implementing web authentic, it's an open JavaScript API. You can, you know, move beyond passwords such that these users can authenticate with their, you know, without having to be dependent on passwords.
The browser support is, is quite deep. So when, when one of the benefits of working with W3C is that you have a lot of built in support for your specification NASA's launched. So we came at launch with support from edge Chrome, Firefox that the breadth of support there is, has, has grown significantly across device types and environments, and perhaps most significant in 2019, we've seen added support for 5 0 2 in safari and in the Mac environments, right? So in safari 13 on Mac OS that now supports 5 0 2 security keys, and we're seeing support for 5 0 2 and beta on iOS, a 13, three beta. And we anticipate that going live at some point, I think before the end of the year, once 13 three, the 13 three update goes live. So the key message here is that yes, your users can support vital authentication, right? And that's been a big focus of what's been working on in 2019, this plus the web oth JavaScript API, you know, allows us to look at both the service consumption side, but with web OPN, also the service creation and delivery side of things as well. So certification is a big part of what Fido does. You know, we, we create open standards for strong authentication, but standards without certification, they really have limited reach, right? So we certify all of our specifications, any products that support our specifications to verify that yes, they conform those specifications, but also that they interoperate, right? This allows you to have an ecosystem of products that, that all work together. So as you're looking to implement, I would suggest you look through phyto certified products,
Very, to today's topic. Is there cert security certification levels? So we have implemented this program most recently working with third party labs to, you know, really answer the question, you know, how well is the private key protected? So how well is that authenticator that stores a private key? How well is authenticator protecting the private key I'll touch. I'll get more detail on this in a second and another certification program, which also you helps prevent fraud is the biometric certification program. This is something that we launched this year that looks at creating an industry grade test to assess how well biometric components performing against, you know, common biometric metrics. So the three key things we look at are false accept rate, false reject rate, and presentation, account detection. So spoof detection. And so what we've done is establish a baseline set performance against that, and, and companies can submit their devices or their device components against those.
And if they pass they pass. And so one of the first devices that were biometric certified are, are Samsung, you know, flagship handsets, which had their biometric components pH biometric certified. So this is kind of a drill down on the authenticator security levels. There's three key categories, L one L two L three with kind of a plus added, added nuance with each level. But L one is your basic phyto implementation is any device hardware, software it's, you know, conforms to the phyto specifications. It prevents against, you know, large scale tax, right? All the goodness of Fido, but these products have also gone through the vendors, have gone through an added vendor questionnaire. In addition to just being conformant to the specifications, L two, you know, it has requirements that, you know, the device must support what we call a restricted operating environment. So I could secure element for example, or, or B one and the L two certifications perfect against protect against device operating system compromise.
So malware attacks, software attacks against the authenticator L three starts to integrate our biometric requirements that is protect against hardware attacks. So either circuit board attacks on captured devices or actual chip level attacks on captured devices. Again, this is working with third party certifications, third party programs, such as those from global platform that helps help us certify these devices. So these are the requirements that one can implement to, as we look at how to prevent fraud at the point of authentication, going back to what I was talking about earlier about setting policy, based on the metadata that one receives the, you know, as part of the attestation process, the, the authenticator share registers information, shares its information at, at point of login. And that could again feed into the relying parties or the service providers authentication process and whether or not to accept or, or reject or ask for more information when authenticating a user and all this work we've done has certainly been noticed and, and frankly embraced by the regulatory space, right?
So phyto plays very well with, with key regulatory trends in the market. So in Europe, we just did a webinar with KuppingerCole, I think last month, talking about phyto and regulations, I'd recommend you look for that archive on how Fido fits with PSC two and GDPR, but it's a little surprised you have lots of governments taking part in Fido as well. So the German government, the UK government, us government, several in Asia as well, and, and they help help with our standardization inputs, but also we see them adopting Fido. So we, we list here some, some government deployments in the us, UK, Canada, Korea, Taiwan, also the Thai government is doing work with Fido and several others that we're aware of too. So I think, you know, a key message here is that, you know, Fido's approach user authentication. Isn't just being driven and adopted by industry, but we're seeing regulatory and government embrace as well.
So that's, you know, looking at user authentication, right? And, and so, you know, we've launched data points at that point to the efficacy of phyto authentication for users. We say it's phishing resistant. One could say, it's, unfishable, there's a great case study on our website that looks at how Google deployed security keys across, I think 60,000 employees longitudinal study over two years and they wanted to see, and how effective they were. This was earlier days on early days and security keys. And what they found was security keys. Didn't just reduce, help desk costs and password resets, and in increase employee happiness and, and productivity, but not one employee was successfully fished over that two year timeframe. And Google employees are, you know, high, high value targets for just kind of your general fishing schemes and spear fishing. So not one fishing attempt that successful. So again, that attests to, you know, the strength of the approach of asymmetric public cryptography and the phyto standards that supports that, however, that alone is not enough, right?
So just because we've made the point of login unofficial doesn't mean that hackers are gonna give up and, and do something more beneficial to society. Instead, the look at adjacent spaces, and that's something we realized that these spaces need to be addressed in order for our mission of reducing reliance on passwords to be fully realized. So two spaces we're looking at that fi is now taking on one is identity verification. And, and, and so John already talked about KBA challenges, and I have another side to talk about KBA pitfalls, and then the other spaces IOT you. So IOT is well known, well documented space with, with some kind of high publicized hacks that ultimately result from passwords being bound to devices as we're working to take the password out out of IOT. But what really wanna talk today about is of course, identity verification and how that ties into preventing fraud.
So, first of all, here's how we're addressing these new spaces. So, whereas Fido initially only focused on news authentication. We're now expanding this scope to know strengthen identity verification assurance through this new I identity verification work, and also UMT. So taking the password out of IOT and also enabling faster device onboarding. But so, you know, we get the question, you know, why is, and this was work that we announced back in gene. So we get the question, you know, why is phyto looking at, at verification? Ultimately, this is being driven by a common use case, a common challenge we've seen in vital deployments, which is account recovery, right? So what happens if I lose my pH authenticator? Right? So it's all, you know, we think the benefits of doing local authentication is good versus service side authentication, but this is one challenge, right? If you lose your breath indicator.
And so, you know, what we've found is that, you know, for accounts protected with vital authentication, this account recovery process, how this account recovery is done is absolutely critical to maintaining the integrity of the user's account in the sense that, you know, we have our own recommendations for account recovery, right? So the best way to, to prevent an account recovery problem is to have multiple authenticators, right? So two security keys. That's what a lot of companies give their employees. One to stick one year drawer, one in your key chain, that way you have some redundancy. We're also looking at new ways of account recovery doing bootstrapping and things like that. However, you know, if these things are not an option, our own recommendation is to rerun yet onboarding identity proofing process.
Unfortunately, you know, since we're still in this kind of transitory state in the marketplace, more often than not, you know, account onboarding or re-enrollment may fall back to passwords or may fall back to KBA or any, any sort of things with shared secrets that ultimately, you know, opens the door for, you know, targeted accounts, targeted account takeover, and erodes the value of the fight of implementation. So we need to strengthen this account account recovery process. And the way they're gonna do this is by we've already looked at KBA stats by focused on what, what John was talking about, focusing on the identity proofing and the identity verification process. So through, through stronger identity proofing, through stronger identity verification, we can enable safer account recovery. So we have a new working group inside of Fido. That's, that's focused on primarily this, this remote identity proofing process and creating testing standards.
The first, the first work we're doing is create testing standards for the vendors who do this remote identity proofing service. So there's called document authentication vendors. They have a very complex task, which is to assess the, say the veracity of a government issued ID and matching that against a, a selfie. And so we are gonna be creating a best technical best practice for how that process runs testing against that. And then that sets the foundation for us to do further work with that verified identity associating that associating that with the, with the public key and, and enabling easier account recovery. So this work is just starting, it's being rapidly, embraced by many companies inside the Alliance. And, and you'll see some outputs from this group heading into 2020. So lemme pause there and bring it back to John and then open things up to questions.
So, yeah, let's go ahead and we'll start taking some questions, you know, I, I did wanna say, you know, when we look at the different kinds of fraud out there that, you know, we recommend, or we tell people that, you know, multifactor strong multifactor authentication is the best way of preventing like account takeover fraud. And, you know, I think photos are a great mechanism for making that happen. So let's see. First question we have is how is phyto managing its security certification and biometric certification program? Who's rounding it.
Yeah. So wanna take that. So fi you know, we, we invest quite significantly in certification. So we have, we have a certification program. We have a certification team in house. We also have a number of third party labs. So we spend a lot of time spinning up labs in, in all geographies that allows companies that wish to submit a authenticator for advanced certification to work with those labs, to perform the testing, both for the L two and L three certification, as well as the biometric certification test and all the information on how to engage there is available on the PTO website.
You know, I think that's, that's a great addition and something to really highlight. I mean, you know, especially in the security certification side, you know, partnering up with global platform, I, think's a great idea. And, you know, I think prior to you, Fido getting involved, the idea of biometric certification was kind of a, a weak spot, you know, different vendors could produce authenticators, but you never really could be sure about those various statistics, like the, the false acceptance rate or false rejection rate. So having, having an independent body look at that, I think adds a lot of quality assurance for customers that are out there looking for these kinds of solutions.
Yeah, I'd agree. And that's, that's, that is why we started it. You know, so one, there's, there's a wrinkle to this, which is actually quite interesting, you know, the biometric certification testing's actually completely independent of our, our core authentication specifications, right? So this is really an independent program, just looking at biometric performance. And it was done largely because the, the members in the organization wanted us to do it. And they were finding like, say, large banks didn't know how to, you know, whether or not to believe the claims of different vendors coming to them. And so they wanted to have a, a testing program, you know, that was for the industry by the industry and just to do some baseline testing. That's what we're doing right now. So we have baseline standards, you know, for the key metrics, we talked about F Arrr and, and spoof detection. And over time, you know, those will be raised, you know, as we rev the requirements for the biometric tests
Is how does phyto consider privacy?
Okay, interesting.
So, you know, phyto specs were built with, you know, privacy by design. We actually have these privacy principles that were created when, when vital would launch and I think 2012 or 2013, and they haven't changed one bit. And it's all about protecting user privacy. And, and a lot of that comes from this kind of decentralized approach to user authentication. So in Europe, for example, GDPR, one, one data point here with a GDPR looks at biometrics as sensitive information, right? And, and it's data sensitive data that needs to be handled, you know, in a, in a protected way, preferably not on a centralized server on bias. And that's what we do. And that is both a privacy factor and also a very anti it's, a fraud management approach as well. But other things that PDO does protect privacy, there's no account linking. There's no kind of third party in the middle. There's no phyto network. You're authenticating only if to your device and the device, again, essentially authenticates you to the server. There's no central service that knows that can track you between sites, cookie, you, nothing like that. So phyto protects user privacy in multiple ways.
Yeah. You know, I think that's a real advantage when you consider, let's say server side biometric sample matching. I mean, not only is it privacy preserving by doing it locally, but it, it also improves security. And, you know, one of the other things I like about the phyto and privacy is this fact that each connection between a client and a relying party involves generating a new key pair. So it makes it so that information isn't shared between different relying parties, even if you you're using your, the same phyto authenticator for multiple sites, there's no leakage of information between those sites.
Yeah, absolutely.
So another question here, what's the difference between Fido two UAF and U two F
Okay. Yeah, we didn't get that deep into the specs. We only really talked about fi oh two, but I did mention it briefly, you know, when Fido first came out, we first opened for business. If you will, in 2013, we're looking at two use cases to reduce reliance on passwords. One is a second factor use case where you'd be supplementing a password with a, with a second factor device that was U two F. And we looked at a kind of password replacement use case, or a re authentication use case using biometrics, which is fi UAF or uni universal authentication framework. Those were our initial specs. We saw rapid adoption, a lot of great implementations, you know, support for those from companies like Google and PayPal, Dropbox, you know, many, many more apps and services, I'd say the key difference between those and those, those both use cases are now being brought forward into 5 0 2.
Right? The difference I think is what is hitting on before? You know, those are kind of siloed, you know, leading edge, very important, early adoptions, but they were siloed or independent. And I think that with 5 0 2, as we're hitting the platforms with 5 0 2, and you're seeing this built in support into desktop and device platforms, as well as the web platform, we'll see much greater scale with 5 0 2, that being said, of course you can use both the, you know, what we see a lot of companies doing is taking this kind of path through this journey. If they have a native first use case, if they wanna lead with native native apps or mobile first, they could start with a native say UAF app, but using a universal server on the back end, they could again, leverage that investment, leverage that, leverage it architecture to then move forward to the web and to the desktop with, with five, two.
Yeah. You know, the UAF U two F have been great, but you know, I think we've reached the critical mass of support now where, you know, so many vendors are supporting or have the ability to support 5 0 2 natively in the operating system and in the browser that's, that's, that's gonna really drive adoption.
Yeah, we think so.
So we have reached so wanted to thank everyone for attending and remind everybody that this is being recorded. It'll be available tomorrow. Slides will be available also, and to thank Andrew and Fido for coming along today and talking about fighting fraud with strong authentication.
Thank you, John.
Okay. Thanks everyone. And that concludes today's webinar.

Stay Connected

KuppingerCole on social media

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00