The Future of Authentication: Exploring the impacts of FIDO
How to provide a cross-device Strong Customer Authentication solution to your users?
Introduction
For years, the most commonly used authentication method was the password. This practice has led to security problems: 59% of people use the same password across multiple accounts and 80% of hacking security breaches result from weak or compromised passwords (Future of Authentication, 2020). Since then, the market has evolved: European regulations (e.g. PSD2 and SCA) have been put in place to protect users, online activities have increased sharply and biometric authentication factors have become the new everyday way of verifying identity.
It is, without a doubt, a changing environment. Nowadays, the main challenge is the need for inclusion while offering a secure and adaptable authentication solution. According to OSMP, 80% of SCA is done on mobile. Unfortunately, relying on smartphones will not include everyone. On the contrary, it will exclude people who don’t have a smartphone or who find themselves lost in a complex user journey.
In 2013, the FIDO Alliance was created with the aim of eliminating passwords and offering a browser-based authentication solution. This whitepaper aims to highlight the role of FIDO as well as the use cases and impact on financial institutions and merchants. Furthermore, it will underscore Worldline’s role and ongoing initiatives.
The FIDO Alliance and its purpose
The FIDO (Fast IDentity Online) Alliance is an industry organisation established in 2013 to develop open standards for strong and convenient online authentication. The FIDO Alliance has over 300 members, including global technology leaders in enterprise, payments, telecommunications, government and healthcare. Leading companies such as Microsoft, Google, Apple, Amazon, Facebook, Mastercard, American Express, VISA, and PayPal have board-level memberships. Worldline, as a company providing authentication solutions to financial institutions, is a member of the FIDO Alliance.
This organisation aims to replace traditional passwords, which can be easily compromised, with more secure and better adapted authentication methods such as hardware security keys or biometric methods. The FIDO standards developed by the Alliance are based on modern cryptographic technologies and are designed to be interoperable between different platforms and devices. The FIDO2 standard involves the following components:
- FIDO2 Authenticator: a hardware device, such as a USB security key, a smart card or an on-device module, which holds a cryptographic private key. This private key signs the authentication challenge and thereby proves the user’s identity during the authentication process; it never leaves the authenticator.
- Relying Party (RP): the entity that requests user authentication. The RP uses WebAuthn to communicate with the FIDO authenticator and to manage interactions with the user during the authentication process. Before the RP can request authentication, the user must first complete a registration process with the RP to link their account to their FIDO authenticator.
- FIDO Server: stores the public keys and the metadata of the registered authenticators.
However, it is important to note that all the components of the FIDO2 standard need to be compatible with the browser and operating system used.
Currently, most modern browsers support FIDO2. Tables 1 and 2 in the appendix list commonly used browsers and their compatibility with FIDO2.
In addition to browser version support, FIDO2 also depends on the operating system in use. For example:
- On Windows, you need Windows 10 version 1809 or higher (including Windows Hello),
- On macOS, you need macOS version 10.15.4 or higher,
- On Android smartphones, you need Android 7.0 or higher.
This can be highlighted as the main challenge posed by FIDO2. Compatibility with the browser and operating system used is essential to provide convenient authentication for your users. Once compatibility with FIDO2 is in place, a question arises: what are the possible use cases and how will they impact the user experience?
Impacts of FIDO2 on businesses
The main advantage of FIDO is its ability to provide a secure and convenient authentication solution across various industries and sectors.
Currently, the majority of Strong Customer Authentication, approximately 80% (source: OSMP, 2022), is done via mobile native apps. Indeed, this device is already well established in the market. However, this leads to the exclusion of some users: 30% of the population remains unequipped with smartphones (source: Future of Authentication). As a result, certain categories of users are excluded from online services, such as elderly people and people with disabilities. This exclusion poses a significant challenge for current and future digital identity ecosystems, especially in the public sector, which must provide all citizens with a secure, convenient and inclusive digital identity solution.
FIDO represents an innovative approach that combines security and convenience by providing web authentication. In this section, we will highlight different use cases with FIDO2 and discuss the impact on users, banks and merchants.
a) Banking use cases.
In today’s e-commerce transactions, particularly those using the 3D-Secure protocol, users often need to authenticate on the Access Control Server (ACS) of their bank. This authentication process typically relies on the Out-Of-Band (OOB) method, which involves an automatic redirection from the merchant site to the user’s mobile banking application, regardless of the device being used. For example, if a user is accessing a merchant site from their computer, they will be redirected to their mobile banking application through OOB. This raises two problems: the risk of losing the user during the authentication process and the exclusion of users who do not have smartphones.
Implementing a FIDO2 solution in this use case will enable a seamless, web-only journey for users. Authentication will still be carried out by the bank, but will be fully integrated into the merchant journey.
Secure Payment Confirmation (SPC):
The redirection to the Access Control Server during the 3DS authentication process leads to ergonomic problems that Secure Payment Confirmation (SPC) can solve.
Secure Payment Confirmation (SPC) is a Web API designed by the World Wide Web Consortium (W3C) that performs FIDO2-based authentication for browser-based e-commerce transactions. It means no redirection from the merchant app to the ACS page and no redirection from the ACS page to the mobile banking app. Moreover, the authentication dialogue is displayed within the merchant’s environment. SPC leverages FIDO2-compatible authentication on both mobile and desktop devices (except Apple) to reduce cart abandonment and to fight fraud.
Illustration of SPC use case.
Step 1. Validate your payment on merchant page.
Step 2. The browser’s secure prompt describes the transaction context. The cardholder can click on “verify” to start the authentication.
Step 3. Authentication is requested through the FIDO WebAuthn secure prompt.
Step 4. After performing their authentication (here by fingerprint scan), the cardholder is correctly authenticated.
Step 5. The order is confirmed on merchant side.
This use case is introduced by EMVCo 3DS 2.3.1.1 and aims to optimise the user experience. It enables users to undergo strong authentication directly from the merchant’s page, with approval from the issuer’s end. As a result, it reduces the risk of users dropping out during the online payment process, thereby lowering the abandonment rate.
b) Merchants use cases.
Usually, for Card-Not-Present (CNP) transactions, authentication is performed by the card issuer, which bears liability for fraud. However, one possible use case is delegated authentication, where the responsibility shifts to the merchant or the payment scheme instead of the issuer. Several initiatives have been put in place by schemes.
Delegated Authentication is an initiative promoted by schemes with two programmes:
- Visa Delegated Authentication Programme (DAF + VDAP) for VISA,
- Token Authentication Framework (TAF programme) for Mastercard.
These programmes allow a third party, such as the acquirer or the PSP, to conduct the authentication of the cardholder. Their objective is to streamline the online payment process for consumers, ultimately reducing the abandonment rate. To achieve this, the acquirer or the PSP will use an “external” authentication method, which must be accredited by VISA and Mastercard for their respective programmes.
Under the DAF VDAP programme (VISA), FIDO is a mandatory accreditation for authentication. However, under the TAF programme (Mastercard), other external authentication solutions are accepted, including FIDO.
Emerging programmes, such as Digital Token Authentication Service (DTAS) for Mastercard, transfer cardholder authentication to the Payment Scheme itself, enabling the application of SCA methods like FIDO-based biometrics. In this case, FIDO becomes the systematic authentication solution used by the Payment scheme. It offers an easily adoptable solution for both issuer and merchant with minimal implementation complexity.
These programmes are designed to streamline the online payment process for consumers, leading to a reduction in the abandonment rate. While this use case is currently in a relatively early stage of development, it has the potential to grow in the coming years. FIDO offers the flexibility needed to manage liability, contributing to a smoother user experience.
FIDO trends
In the previous section, our aim was to highlight possible current use cases. However, the FIDO Alliance, in collaboration with the W3C, constantly works on improving the user experience. Worldline also explores user experience enhancements by trying to extend SPC to new use cases.
a) The road to Passkey.
FIDO and WebAuthn standards propose strong and easy-to-deploy authentication mechanisms as alternatives to passwords on the web. Despite these benefits, FIDO-based authentication has not yet gained widespread adoption in the consumer space.
Passwords, particularly when paired with a password manager solution, possess features that users are attached to. For example, they offer credential portability between the user’s devices and the ability to recover the passwords in case of a change of device.
Passkey is an evolution of the FIDO platform authenticator implementation, which now allows the import and export of the FIDO credential private key.
Thanks to this evolution, the various platform authenticator providers can offer synchronisation ecosystems that facilitate credential backup, access restoration on new devices and synchronisation across a user’s devices within the ecosystem.
Passkey also comes with a way to authenticate across ecosystems using a mobile as a Bluetooth roaming authenticator. For example, this allows a user who wants to access a website from an Apple or Microsoft computer to use their Android mobile to authenticate on the site.
Figure 4. Source: Everybody Is Invited: How FIDO Addresses a Full Range of Use Cases (fidoalliance.org)
Passkey is a FIDO credential and inherits FIDO’s advantages, including native and web support, resistance to phishing and the flexibility for users to choose their preferred unlock mechanisms on their platform authenticators. Moreover, Passkey’s cross-device and cross-ecosystem capabilities offer a consistent user experience across platforms and allow recovery in case of device loss. However, it is important to note that Passkey has a weaker security profile than a “traditional” FIDO device-bound credential, since the private key is no longer tied to the device and can be exported. The security of Passkeys relies on the level of security implemented in the synchronisation architecture by the various platform ecosystems.
As a result, Passkey represents a promising evolution towards achieving mass adoption of FIDO-based authentication in place of password-based authentication. However, in regulated environments where a higher level of key protection is expected, a “traditional” FIDO credential with a device-bound key may be a better option.
b) SPC for new use cases.
Secure Payment Confirmation is evolving and ongoing work will allow it to cover more use cases such as:
SPC for cards other than one shot.
Currently, SPC is designed for one-shot card payments. However, many service providers and merchants process recurring or instalment-type transactions. These transactions require specific information to be presented to the user to obtain their consent. SPC could have the capability to support such transactions. W3C and EMVCo are already collaborating on the implementation of these use cases.
SPC for PSD2 APIs and A2A payment.
With the introduction of PSD2 and the rise of SEPA payments, there is a growing usage of account-to-account payments. Some of these new payment methods rely on payment initiation APIs (PISP), while others embed authentication or implement out-of-band authentication.
Most APIs rely on a redirection to the ASPSP website to process the user authentication. This workflow is very similar to the 3D Secure card process. Worldline believes that SPC could also be applied in this setting to streamline payment by avoiding redirects.
Consent management.
Consent management plays a key role in account-to-account payments. SPC should handle time-bound consent and consent on a range of amounts. Taking it a step further, SPC could be extended to manage consent for accessing account information.
c) FIDO/WebAuthn for European Digital Identity Wallet.
In 2014, the electronic IDentification, Authentication and trust Services (eIDAS) regulation was published with the goal of defining digital identification and trust services for electronic transactions, including electronic signatures and digital identity. However, following this initial version, a lack of maturity and of interoperability was observed at the European level. This led to the proposal of an amendment to establish a European digital identity framework based on a European Digital Identity Wallet. This eIDAS 2.0 was voted on at the end of October 2022 for implementation before the end of 2024.
The eIDAS 2.0 regulation places the European Digital Identity Wallet (EU DI Wallet) at the heart of the ecosystem. European wallets will be made available to citizens for use cases requiring attestation of “strong” identities: driving licences, passports, ID cards, etc.
With the appropriate level of certification, FIDO2 can be used as an authentication standard in this ecosystem by identifying verification providers, cloud-based wallet providers or relying parties (Figure 5).
d) Post-quantum security for FIDO2.
Quantum computing is a rapidly advancing field with the potential to compromise many existing cryptographic protocols. Quantum computers can solve certain mathematical problems much faster than classic computers, raising concerns about the security of many commonly used cryptographic algorithms.
This could have serious implications for the security of digital infrastructures, including financial transactions, government communications and personal data protection. Therefore, developing quantum-resistant cryptographic techniques is essential for ensuring the long-term security of our digital systems and protecting against potential threats from future quantum computers.
One question that arises is whether the FIDO2 protocol is “quantum-ready”. Large quantum computers would have the capacity to break today’s public-key algorithms, necessitating the adoption of alternative algorithms. While post-quantum cryptographic algorithms are relatively new, current FIDO2 specifications appear to be on track for post-quantum migration.
Indeed, FIDO2 cryptographic protocols can be extended to accommodate a mix of traditional and post-quantum algorithms for Key Encapsulation Mechanisms and signature schemes. One potential approach to updating FIDO2 for quantum computing security is to transition from standard public-key cryptography algorithms, such as RSA or elliptic curve cryptography, to methods resilient against quantum attacks. Another approach could be to employ hybrid cryptography, where FIDO2 combines both standard and post-quantum cryptography so that the scheme stays secure as long as at least one of the two algorithms holds.
Worldline and FIDO authentication
It is essential to understand Worldline’s involvement in the realm of FIDO authentication.
As a first step, Worldline integrated FIDO protocols into its Customer Identity and Access Management (CIAM) solution, ID-CENTER, starting with the U2F version. The objective was to offer FIDO hardware tokens for access management (from vendors such as G&D, Feitian and YubiKey). The latest version of ID-CENTER is now fully compatible with FIDO2 and provides FIDO2 keys featuring biometrics and fingerprint recognition for ID-CENTER’s customers in sectors such as healthcare and pharmaceuticals (see table below).
The above-mentioned devices serve as examples of the devices ID-CENTER customers have started evaluating and using. ID-CENTER, as a FIDO2-compliant authentication platform, naturally supports all kinds of brands and models of FIDO2 and FIDO U2F tokens.
ID-CENTER goes beyond web-application authentication; it extends its capabilities to standard client software and legacy applications through its desktop Single Sign-On (SSO) solution, EasyLogin. The ID-CENTER administration portal facilitates application-specific authentication policies, manages the lifecycle of authenticators, and offers user-friendly processes for enrolling FIDO authenticators for end-users across different industries.
In the banking sector, where user numbers are substantially higher, it becomes too costly to deploy FIDO tokens for all users, even with inclusion in mind. Consequently, Worldline is diligently working on a version of the FIDO2 protocol that allows end-user devices, such as computers with Windows Hello or smartphones, to be used.
FIDO2 (U2F) Local Protection.
ID-CENTER FIDO support in IDC V5.4+ is FIDO2-based (backward compatible with U2F); the local protection criterion has to be enrolled using the manufacturer’s tools.
In July 2023, Worldline received FIDO Server certification. This means Worldline is able to offer FIDO2 authentication, enhancing user experiences while maintaining robust security standards. This certification is linked to Worldline’s Strong Customer Authentication solution, Trusted Authentication. Trusted Authentication is an SCA solution available on all devices for different use cases.
In practice, for FIDO2 applications within the banking sector, specific controls and features must be implemented at the FIDO server or relying party level to ensure full compliance with the PSD2 regulation. Some interesting points that are (or about to be) integrated within our extended FIDO2 services include:
- Enabling a security policy to accept or reject Passkeys (which may not be PSD2-compliant yet, as every device should be enrolled individually) or filtering the FIDO2 authenticators or factors accepted for a relying party
- Integrating the CTAP protocol for cross-device authentication (where the user is on a computer but the FIDO2 credentials are registered on a smartphone), or offering the QR-code-based fallback mechanism planned for browsers
- Managing the lifecycle of FIDO2 authentication factors (to comply with regulations like PSD2 or eIDAS, which require an expiration date managed by the relying party)
- Providing a tool to analyse all the transactions in case of a complaint or for customer support.
Conclusion
This whitepaper underlines the interest and vision of the FIDO Alliance in eliminating passwords and providing, through FIDO2, a web-browser authentication solution that caters to different needs. Nevertheless, its use requires a number of adjustments, with compatibility with the various browsers being the main concern.
The great advantage of FIDO2 is the introduction of new use cases that enable seamless authentication for users. In the case of financial institutions, this means having an available alternative to replace the OOB method and redirections. It also opens the door to simplified authentication thanks to SPC and FIDO WebAuthn pop-ups.
For merchants looking to offer a more controlled user experience, Delegated Authentication with FIDO technologies becomes a viable option.
Payment schemes such as VISA and Mastercard are leading the charge in accommodating everyone’s needs and wish to add flexibility to their authentication programmes.
FIDO does not stop there and continues to work on new projects and use cases such as Passkeys, SPC tailored to other use cases, the EU DI Wallet and post-quantum security.
Worldline provides SCA through its Trusted Authentication solution, which handles more than half a billion transactions every year. This solution is available on mobile, on browser and, thanks to FIDO, meets all the needs of the market. In practice, as previously mentioned, integrating controls and features on the FIDO server is essential for full compliance with the PSD2 regulation.
In June 2023, the revision of PSD2 was published with a very important objective in terms of SCA: to provide an alternative to smartphones and prevent the exclusion of individuals not equipped with smartphones. As emphasised, FIDO can offer a solution. More information can be found in this infographic on inclusion or in this latest article highlighting the connection between FIDO and inclusion (Making authentication more accessible).
Appendix
Figure 1. Passwordless experience (UAF standards).
Figure 2. Second factor experience (U2F standards).
Table 1. FIDO compatibility on desktop browsers:
| Browser | Chrome | Safari | Firefox | Internet Explorer | Edge |
|---|---|---|---|---|---|
| Version supported | 83.0.4103.106 + | 13.1 (15609.1.20.111.8) + | 77.0.1 + | Not supported | 83.0.478.56 + |
| macOS Catalina (Touch ID) | • | n/a | | | |
| macOS Catalina (Security Key) | • | • | • | n/a | • |
| Windows (Windows Hello) | (Windows 10 v. 1903+) | n/a | • | • | • (Windows 10 v. 1809+) |
| Windows (Security Key) | (Windows 10 v. 1903+) | n/a | • | • | • (Windows 10 v. 1809+) |
Table 2. FIDO compatibility on mobile browsers:
| Browser | Chrome | Safari | Firefox | Edge |
|---|---|---|---|---|
| Version supported | 98.0.4758.97 + | 15.3.1 + | 98.0 + | 99.0.1150.38 + |
| iOS (Face ID) | • | • | • | • |
| iOS (NFC Security Key) | • | • | • | • |
| Android (Fingerprint) | • | n/a | • | • |
| Android (Security Key) | • | n/a | • | • |