Clif Boyer - Oct 03, 2023

How to Mitigate the Risks and High Costs of Data Breaches. Part 2


This is the second installment of a multi-part series on the actual costs of data breaches and possible solutions that can be leveraged to protect your organization's data and bottom line.

Why the European Union's PSD2's Strong Customer Authentication is a Great Deterrent for Fraud and Identity Thieves

Let's face it: if a company, business or organization is serious about protecting customer data and does business outside the U.S., it really must review the European Union's (EU) Revised Payment Services Directive, otherwise known as PSD2, and its Strong Customer Authentication (SCA) requirement.

PSD2 and SCA go hand-in-hand with the EU's General Data Protection Regulation (GDPR). The GDPR set a benchmark in creating laws and regulations that protect consumer privacy and data at a time when the latter was becoming a commodity at the expense of the consumer. When open banking and e-commerce became normalized in Europe, regulators were quick to understand that similar protections needed to be in place for any company handling a customer's financial data, and out of this SCA was created.

SCA is multi-factor authentication (MFA) in which the permitted authentication methods are strictly defined before a payment transaction can be approved. Payments that trigger SCA require two of the following three factors to be met before approval:

1. Something the customer knows (PIN, secret answer).

2. Something only the customer has in their possession (phone, tablet).

3. Something only the customer is (fingerprint, facial recognition).

The benefit of SCA is already visible in The Global Fraud and Payments Report 2022 by Cybersource, the Merchant Risk Council (MRC) and Verifi. Surveying the percent of revenue lost to fraud in Europe, North America, Asia-Pacific and Latin America, Europe was the only region whose losses decreased, from 3.2% in 2021 to 3.0% in 2022. All others went up, with North America leading with an increase from 2.6% in 2021 to 3.6% in 2022.

Even with the proven benefit of SCA, it still gets knocked for adding layers of friction that can lead to customer frustration or, for online retailers, the dreaded cart abandonment. But what if there were an authentication method that met the requirements for SCA, eliminated passwords, and made for a better user experience?

How FIDO Makes It Possible to Implement Frictionless SCA

FIDO stands for Fast IDentity Online. The protocols used by FIDO employ standard public key cryptography to provide the most secure "Strong Authentication" available on the market today. Just as important, FIDO provides a seamless user experience that makes first-time registration and logins easier and quicker than other MFA schemes by using biometrics to authenticate a user. Logging in will be as simple as swiping the fingerprint scanner on their phone or laptop.

Here is a brief explanation of how FIDO works. There are two primary processes. The first, registration, is a one-time event per site in which a user with a specific authenticator registers a new key with a specific website. The second, authentication, is performed each time the user logs in to access the site.

A simple FIDO registration can be completed with the following steps:

1. The user is identified with a unique username at the website.

2. The FIDO server sends a randomly generated challenge to the user. 

3. The authenticator generates a pair of cryptographic keys: a public key and a corresponding private key. If the web application is designed to take advantage of "Discoverable Credentials", the username does not need to be specified; the FIDO protocol will discover it automatically most of the time.

4. The public key is returned to the website, along with digitally signed metadata and other optional content, thus completing the registration process.

After successful registration, Authentication with FIDO takes the following steps:

1. The user is identified by username at the website.

2. The FIDO server sends a randomly generated challenge to the user. 

3. Having received the challenge, and having passed the necessary validations, the authenticator digitally signs the challenge.

4. The signed response is returned to the website.

5. Upon verifying the signature with the previously stored public key, the user is authenticated, thus completing the process.

Another great feature of FIDO is that it is designed to protect user privacy when no third-party Single Sign-On (SSO) provider sits in the middle. If the user decides to use biometric information for authentication, it never leaves the device.

StrongKey's enterprise-grade FIDO Certified® Server (SKFS) provides a Transaction Confirmation capability using the FIDO protocol: a business transaction can be digitally signed with a unique "authentication code" by the user and verified by SKFS before the business application acts on it. This feature was implemented in SKFS to support PSD2's SCA requirement.

FIDO can be used to meet PSD2's SCA requirement by leveraging two of the three factors, something the customer has and something the customer is, in a few simple steps that won't leave the user frustrated by a long authentication process, and it ultimately eliminates vulnerable passwords.

Coming in the next part: the actual cost of implementing SCA using FIDO for 1 million customers using StrongKey's FIDO Certified® Open Source FIDO Server.