You’ve Probably Heard About FIDO, but What Is FIDO?

By Matthew Gulosh, Director of Strategic Product Management and Delivery, CardinalCommerce, a Visa Solution

It goes without saying the world has changed since 2020 and the height of the pandemic.

Digital commerce shopping has ramped up. Global e-commerce grew in 2021 as economies began to rebound from the impact of the COVID-19 pandemic, posting $5.3 trillion in transactions, a 14% increase from 2020.

Consumer behaviors have shifted, and growth is projected to remain strong. E-commerce volume is projected to pass $8.3 trillion in 2025 – with more than half of e-commerce spending to be transacted via mobile devices.

Right behind the increase in digital commerce volume and sales comes an increase in fraud and identity-fraud losses. In 2020, there was $17.5B in ID fraud losses in the EU alone.

But here’s the real kicker. The tools we have in place aren’t working for consumers. Passwords, one-time passcodes (OTPs), knowledge-based questions – consumers have had enough of trying to keep track of them and of setting and resetting them. Their confidence in passwords has fallen. And for good reason – passwords are the root cause of over 80% of data breaches. Only 45% of consumers feel passwords are secure. And even more alarming – 1/3 of online purchases are abandoned due to forgotten passwords. Think about your business – what would losing 1/3 of your sales because of a forgotten password do to your bottom line?

With all the growth and changing consumer behavior, combined with password challenges, consumers are looking for – and need – an easier way to authenticate during online shopping.

Enter FIDO
Fast Identity Online (FIDO) is a standardized authentication protocol used to authenticate a cardholder on their device, without relying on passwords or OTPs. FIDO can be used with EMV® 3-D Secure and Delegated Authentication (DA) to provide a solution that helps to meet requirements for PSD2’s strong customer authentication (SCA). Unlike a password, which is stored in a database on the service’s side, biometric information used with FIDO never leaves the device.

FIDO and the Payment Space
In the context of payments, FIDO is used to associate an authenticated cardholder and their payment credential(s) with a FIDO-compatible device. The cardholder is bound to their device and payment credentials to provide a faster and more secure checkout in the future. Once this association has been established, the cardholder can authenticate subsequent online purchases with participating merchants using their device’s embedded capabilities, such as biometrics. In other words, once registration is complete, authentication can be as easy as a fingerprint swipe for your customers.

How Does FIDO Work?

Registration:

  • The user is prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
  • The user unlocks the FIDO authenticator using a fingerprint reader, a button on a second-factor device, a securely-entered PIN, or another method.
  • The user’s device creates a new public/private key pair unique for the local device, online service, and user’s account.
  • The public key is sent to the online service and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.

Authentication:

  • The online service challenges the user to log in with a previously registered device that matches the service’s acceptance policy.
  • The user unlocks the FIDO authenticator using the same method as at registration time.
  • The device uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
  • The client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.
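The registration and authentication steps above, as an added illustration that is not part of the original article or of any FIDO implementation: the authenticator keeps private keys scoped to one service and account and never exports them, the service stores only public keys and issues a fresh random challenge per login, and the signed challenge is verified against the stored public key. P-256 ECDSA, the "service|account" key scope and the names Authenticator and Service are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the user's device; private keys are made and used here only.
type Authenticator struct{ Keys map[string]*ecdsa.PrivateKey }

// Register creates a key pair scoped to (service, account); only the public key leaves.
func (a *Authenticator) Register(service, account string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.Keys[service+"|"+account] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge with the key for (service, account), or refuses if none.
func (a *Authenticator) Sign(service, account string, challenge []byte) ([]byte, error) {
	priv, ok := a.Keys[service+"|"+account]
	if !ok {
		return nil, errors.New("no credential for this service and account")
	}
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// Service is the relying party; it stores public keys only.
type Service struct{ Creds map[string]*ecdsa.PublicKey }

// NewChallenge returns 32 fresh random bytes; a challenge is never reused.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signed challenge against the account's stored public key.
func (s *Service) Verify(account string, challenge, sig []byte) bool {
	pub, ok := s.Creds[account]
	if !ok {
		return false
	}
	d := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}
```

Because the key is scoped to the registering service, the same device cannot answer a challenge from a different service with that credential, and a modified challenge or an unknown account fails verification.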

It’s important to note that once registration and authentication are complete, FIDO provides a user-friendly experience for the customer. After initial registration, customers can shop with merchants participating in the model with just a swipe of the fingertip or a facial scan (or another method available on the customer’s registered device), and it provides a more seamless and consistent experience overall.

About the Author
Matthew Gulosh is an industry product leader focusing on delivering, and continually advancing, trustworthy and innovative digital payment solutions to the market. Matt and his team are focused on regional and global initiatives that bring together merchants and issuers so that they can effectively and securely share data to fight fraud and provide a better payment experience.

Matt has held a number of roles on Cardinal’s global product team, managing Cardinal’s EMV 3DS authentication programs.

Prior to joining Cardinal and Visa, Matt served in the US Navy as a helicopter pilot. He holds a B.S. in Computer Science from the United States Naval Academy and a Master’s Degree in Human Relations from the University of Oklahoma.