ITU – Time to eliminate the password: New report on next-generation authentication for digital financial services

“We don’t want digital financial services to be built on the wrong foundation, which is the password,” says Abbie Barbir, Rapporteur for ITU standardization work on ‘Identity management architecture and mechanisms’ (Q10/17).

Over 3 billion usernames and passwords were stolen in 2016, and the number of data breaches recorded in 2017 was 44.7 per cent higher than in 2016.

“We are moving away from the ‘shared secret’ model of authentication,” says digital ID strategist and standards expert, Andrew Hughes of InTurn Consulting, referring principally to the username-password model of authentication.

“Considering the prevalence of data breaches, there are no secrets anymore,” says Hughes.

Designed to overcome the limitations of passwords, the specifications developed by the FIDO Alliance (‘Fast Identity Online’) let users authenticate locally to their device using biometrics, after which the device authenticates the user to the online service using public key cryptography.

Because the private key never leaves the device and each login signs a fresh challenge bound to the service it is intended for, there is no shared secret for an attacker to capture or replay: this model is not susceptible to phishing, man-in-the-middle attacks or other attacks that target user credentials.
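To make that claim concrete, here is an added Go sketch (not code from the report or from the FIDO Alliance) of the challenge/response the article describes: the device signs a fresh server challenge together with the origin the browser observed, and the server checks origin, challenge and signature before accepting the login. The names Register, Assert and Verify and the sha256(rpID) || sha256(clientData) layout are simplifications assumed here, not the WebAuthn wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Constructed, simplified model of a FIDO-style challenge/response (hypothetical names,
// not a conforming WebAuthn implementation). ClientData is set by the browser, not the page.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register runs on the device after the local biometric check (omitted here): it
// mints a key pair for this service and hands only the public half to the server.
func Register() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// signedData = sha256(rpID) || sha256(clientDataJSON); binds the signature to service and origin.
func signedData(rpID string, cd ClientData) []byte {
	js, _ := json.Marshal(cd)
	rp, ch := sha256.Sum256([]byte(rpID)), sha256.Sum256(js)
	return append(rp[:], ch[:]...)
}

// Assert is the device's answer to a challenge; the private key signs and never leaves.
func Assert(priv ed25519.PrivateKey, rpID, origin string, challenge []byte) (ClientData, []byte) {
	cd := ClientData{Challenge: challenge, Origin: origin}
	return cd, ed25519.Sign(priv, signedData(rpID, cd))
}

// Verify is the server's check: origin and challenge must be the ones it issued,
// and the signature must verify under the public key stored at registration.
func Verify(pub ed25519.PublicKey, rpID, origin string, issued []byte, cd ClientData, sig []byte) error {
	switch {
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was collected by another site")
	case string(cd.Challenge) != string(issued):
		return errors.New("challenge mismatch or replay")
	case !ed25519.Verify(pub, signedData(rpID, cd), sig):
		return errors.New("signature does not verify")
	}
	return nil
}
```

An assertion relayed through a lookalike site carries that site's origin in the signed client data, so Verify rejects it even though the signature itself is valid; a reused challenge is rejected as a replay.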

“This is the biggest transformation we have seen in authentication in 20 years,” says Jeremy Grant, Managing Director of Technology Business Strategy at Venable.

“Google, Microsoft and Apple are among the companies now baking FIDO specs into their products,” says Grant. “These specs are shipping out in most devices and browsers in use today.”

FIGI’s work on next-generation authentication has been influential in ushering FIDO specifications into the ITU standardization process. The December 2018 approval of FIDO specifications as ITU international standards ITU X.1277 and ITU X.1278 is expected to stimulate their adoption globally.

FIGI – the Financial Inclusion Global Initiative – is a three-year programme of collective action led by ITU, the World Bank Group and the Committee on Payments and Market Infrastructures, with support from the Bill & Melinda Gates Foundation. It aims to advance research in digital finance and accelerate financial inclusion in developing countries.

Last week’s FIGI Symposium in Cairo introduced participants to a new report on next-generation authentication technologies that has emerged from the FIGI Working Group on ‘security, infrastructure and trust’.

The group is inviting feedback on the report.

The report describes use cases of strong authentication in digital financial services, in particular the enrollment of a customer opening an account and the authentication of a returning customer. It details the technologies available to support these use cases, and offers related guidance to regulators as well as authentication providers and providers of digital financial services.

“We have delivered a solid reference document,” says Hughes. “You can use it to convince your partners that strong authentication needs to be done, and that it can and has been done.”

The report also offers a guide to standards relevant to authentication, providing a categorization of these standards and considerations relevant to their implementation.

“Standards give us the foundation for knowing the level of assurance, the strength of the proofing process, and actually managing the credentials,” says Barbir.

The report aims to influence ongoing and future standardization initiatives.

“More work is needed on standardization for interoperability,” says Hughes. “If you authenticate with thumbprint biometrics using one set of technologies, that should translate into an ability to authenticate through a different set of technologies implemented at your bank, for example.”

The password problem has been solved, says Hughes.

“The problem is now adoption and implementation. It’s time to get the standards going, get the products rolling and make sure that they work together.”

Learn more about FIGI from the video playlist of the FIGI Symposium 2019 in Cairo.