StrongKey Blog

FIDO2 for PSD2 SCA

Written by A. Khedron de León | May 21, 2021 3:42:50 PM

This article is part 6 of 7 in the series: An Evaluation of Strong Customer Authentication (SCA) Methods for the Revised Payment Services Directive (PSD2).

The following criteria are used for comparison:

  • Equipment and infrastructure: Costs and benefits
  • Ease of deployment: Portability, proprietary limitations, and distribution considerations 
  • Ease of loss replacement: Steps needed for a user to begin anew
  • Vulnerabilities: Process, hardware, or software weaknesses
  • Convenience/speed: The time it takes and ease of the user experience; reports range from as low as 7s to 15s of a user’s experience to determine whether or not they remain in the purchase, so every second counts

Fast Identity Online v2 (FIDO2) for PSD2 SCA

SCENARIO: Your $10 FIDO Authenticator is already plugged into your computer and registered with your favorite shopping site. All you have to do to authorize a payment is touch the contact on the FIDO Authenticator and your payment is resolved. The experience is analogous to that of the smart phone using biometrics, but the analogy stops there.

ANALYSIS: Deployment is subject to business needs: a single FIDO server has the flexibility to allow the Authenticator to be each employee’s phone, or to mesh with new or existing PKI smart cards so there is no overlap, making the minimum deployment cost as inexpensive as two single-tenant servers. For a purely FIDO deployment, each user would be granted FIDO Authenticators (fobs), which could also be FIDO Certified® smart cards from a new or pre-existing PKI deployment. Perhaps most interesting is that FIDO can be deployed on top of legacy PKI infrastructures to defer costs and enable passwordless authentication without purchasing a whole new toybox.

When using personal devices as the FIDO Authenticator, replacement costs are deferred to the user—even if it was initially purchased at company expense. Because FIDO2 is a standard and not proprietary, the FIDO Authenticator fob will function uniquely in other capacities outside of the workplace on all FIDO Certified® devices and applications. Currently 77% of all browsers handle FIDO2 requests, thereby eliminating the need to purchase software for deployment on other devices. Physical replacement becomes the only instance where a new identity must be created; passwords are no more, which means they cannot be forgotten, lost, mistyped, or stolen. In 2020 The Wirecutter named the Yubico YubiKey 5 Series as the Authenticator with the best value and effectiveness, and it’s only $20. Once a user has their replacement Authenticator, it must still be re-enrolled to accounts.

Vulnerabilities are few. NIST names FIDO2 the highest level of authentication security available today. No shared secrets means no MITM and replay attacks. Phishing fails against FIDO2, as there is no sensitive information tied to the login. If a FIDO Authenticator is lost or stolen, just replace it and register the new one, removing the old; just possessing the old Authenticator isn’t enough to do damage when considering one or more other Authentication factors are needed. The only remaining vulnerabilities have the high difficulty bar of needing to directly tamper with or replace browser code on a device.

FIDO usage is as little as 1s, requiring a registered FIDO Certified® Authenticator and a gesture, or solely a gesture on a registered FIDO Certified® device such as an Android or iPhone.

  • Equipment and infrastructure: $; FIDO® Certified Authenticators
  • Ease of deployment: Easy: Software + FIDO® Certified Authenticators
  • Ease of loss/replacement: Easy:  FIDO Certified Authenticators are inexpensive;
    if a 2nd key is registered at affected sites, this is even easier
  • Vulnerabilities: Highest level authentication acc. to NIST
  • Convenience/speed:  ~1s if already registered (requires pre-registration)
Up next Tuesday: Conclusions for PSD2 SCA.

StrongKey FIDO Server (SKFS) is the world’s only open source FIDO® Certified FIDO2 Server. StrongKey never charges per-license or per-user fees, allowing you to keep your costs low even as your business grows. We offer CryptoCloud hosting, PKI solutions including conversion from existing PKI to a FIDO ecosystem via PKI2FIDO, and enterprise-wide FIDO2 strong authentication for businesses on six continents.