This article is part 7 of 7 in the series: An Evaluation of Strong Customer Authentication (SCA) Methods for the Revised Payment Services Directive (PSD2).
The following MFA methods were evaluated:
The following criteria were used for comparison:
SMS+OTP, while technically MFA in some cases, is too vulnerable to satisfy SCA, so let’s eliminate it out of the gate.
Equipment and infrastructure: Costs are highest with hybrid PKI systems (Hardware OTP, EMV Readers, and Phone Biometrics) and lowest with FIDO when the user foots the bill for the authenticating device. Even if the company is buying fobs, the costs of a PKI and its proprietary fobs are in stark contrast to the minimal infrastructure of an existing browser standard, a small server, and the same number of fobs which are as likely to already be in an employee’s possession as not—or even none at all if usage of personal phones is allowed.
Ease of deployment: This generally aligns with infrastructure. Proprietary and portability don’t mix. Proprietary PKI fobs are unlikely to be very portable, and are the issuing company’s responsibility to track and replace; FIDO is not proprietary but offers equal if not better security.
Ease of loss/replacement: If a FIDO fob is lost, though, it can be replaced easily, but the cost in time to re-register that fob at different sites is borne by the user, versus being borne by the company in the case of PKI-based solutions. The cost in convenience is comparable, but it is distributed personally instead of centralized to a single location. Unlike pure biometrics, FIDO authenticators can be replaced, versus when one’s biometric data (read: images) are publicly available and will never go bad. To add impetus to that notion is the fact that Microsoft urges users to get away from phone-based MFA, and to use a token authenticator instead.
Vulnerabilities: We have DQ’d SMS OTP already. Real-time hardware OTP is open to phishing and MITM attacks, and is algorithmically predictable; hard-coded hardware OTP is quite secure, but still bears exorbitant costs. EMV readers are limited to personal transactions, can never be wholly software-based without exposure, are a chore to replace for everyone involved, and bear the infrastructural costs of a PKI. Smartphone biometrics are secure enough, but still bear the cost of PKI to issue; plus, if a biometric image is stolen, the onus for hardware replacement is on you. FIDO vulnerabilities only occur if a browser has been tampered with at the code level or with a plugin.
Convenience/speed: The OTP group loses out at >8s; PKI-based solutions, if biometric sensors take on the first try and the fob doesn’t have its own PIN...if you get the NFC action to take the very first try, could be as low as 1s, but is frequently nebulously more time for the above-stated reasons; FIDO offers the same speed and caveats as PKI at 1s per transaction, but with a much lower cost.
For good reasons FIDO has the distinction of being named the highest level of authentication available in the world today, according to NIST. It is backed by an increasing number of industry movers and marks a rare confluence of security and convenience.
StrongKey FIDO Server (SKFS) is the world’s only open source FIDO® Certified FIDO2 Server. StrongKey never charges per-license or per-user fees, allowing you to keep your costs low even as your business grows. We offer CryptoCloud hosting, PKI solutions including conversion from existing PKI to a FIDO ecosystem via PKI2FIDO, and enterprise-wide FIDO2 strong authentication for businesses on six continents.