<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by LoginID on Medium]]></title>
        <description><![CDATA[Stories by LoginID on Medium]]></description>
        <link>https://medium.com/@loginid?source=rss-525444c75c83------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*rm5UVJYfP1kUgsaNipafhQ.png</url>
            <title>Stories by LoginID on Medium</title>
            <link>https://medium.com/@loginid?source=rss-525444c75c83------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Sun, 21 Jun 2026 12:18:16 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@loginid/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Passkeys for Execs and Decision Makers]]></title>
            <link>https://loginid.medium.com/passkeys-for-execs-and-decision-makers-bc0142338649?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/bc0142338649</guid>
            <category><![CDATA[passkey]]></category>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[webauthn]]></category>
            <category><![CDATA[security]]></category>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Thu, 02 Jan 2025 23:13:54 GMT</pubDate>
            <atom:updated>2025-01-02T23:15:57.083Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*MKXTLzfycyb17soVdJghEQ.png" /></figure><h3>TL;DR: Why “Buy” Beats “Build”</h3><h4>Passkeys Deliver on Their Promise</h4><p>Passkeys eliminate fraud and most importantly reduce user friction during sign-up and sign-in, driving engagement and retention.</p><h4>Proper Implementation is Key</h4><p>The benefits of passkeys are only realized when implemented correctly, ensuring a seamless user experience.</p><h4>Building passkeys is Hard and Costly</h4><p>Building passkeys on your own is extremely challenging. Each platform (browsers and OS) implements passkeys differently, requiring significant effort to bridge the gaps. Additionally, these platforms are constantly evolving, meaning you’ll need to stay on top of this, perform frequent regression testing and apply fixes regularly.</p><h4>The Takeaway</h4><p>Buying a turnkey solution from a specialized passkey provider accelerates your time-to-market, reduces risks and allows your team to focus on core business priorities while ensuring your passkeys deliver the intended value.</p><h3>The Case for Passkeys: Transforming Authentication</h3><h4>Best-in-Class User Experience</h4><p>Passkeys do more than just provide increased security; they drive engagement by removing the friction involved in signing up and signing in:</p><ul><li><strong>Frictionless Sign-Up:</strong> Passkeys eliminate the need to create a password that meets complex rules.</li><li><strong>Fast Sign-In:</strong> Passkeys reduce sign-in time by 88.4% compared to the traditional password + MFA authentication.</li><li><strong>High Sign-In Success Rate:</strong> According to Microsoft, passkeys can result in a 98% sign-in success rate.</li></ul><p>With passkeys, businesses can achieve the rare combination of security and simplicity that will drive engagement and retention.</p><h4>Enhanced Security</h4><p>Passkeys provide unparalleled security by 
eliminating the vulnerabilities inherent in traditional passwords:</p><ul><li><strong>Phishing Resistant:</strong> Based on public key cryptography, passkeys render phishing attacks ineffective. Research from CVS Health demonstrated that passkeys reduced mobile ATO fraud by 98%. In April 2024, NIST published a supplement stating that passkeys, if implemented correctly, are considered Authenticator Assurance Level 2 (AAL2) compliant.</li><li><strong>No Credential Stuffing:</strong> The 2023 IBM Cost of a Data Breach Report highlights an average breach cost of $4.45 million, much of which can be attributed to stolen credentials. Because passkeys are unique to each service, hackers cannot reuse stolen credentials across multiple platforms, thus eliminating credential stuffing.</li></ul><h3>The Challenges of Building Passkeys In-House</h3><p>Passkeys hold great promise, but only if implemented correctly and properly maintained. This can be challenging if they are not a core focus of your business.</p><h4>Technical Limitations</h4><p>Passkeys can face technical challenges because of the strict privacy standards they adhere to and the secure platforms where they operate.</p><ul><li><strong>Challenging Passkey Discovery:</strong> To protect user privacy, browsers do not allow websites to check if a passkey exists on a device. Synced passkeys complicate this further, often leading to scenarios where users are mistakenly prompted to sign in with a passkey that isn’t on their device or asked to use other factors despite a passkey being available. 
To ensure a better user experience, passkey authentication must be thoughtfully designed, leveraging side-channel information to guide these interactions effectively.</li><li><strong>Limited Diagnostic Clarity:</strong> Error messages for failed passkey authentications are intentionally vague to protect user privacy, making it difficult to determine the cause of failure — for example, whether it’s due to a biometric mismatch or user cancellation. This lack of clarity makes debugging authentication issues challenging and time-consuming. Similar to passkey discovery, leveraging side-channel information can help bridge the gaps left by insufficient error messaging.</li></ul><h4>Frequent Updates and Maintenance</h4><ul><li><strong>Platform Updates:</strong> Passkey technology evolves rapidly, with continuous updates to operating systems, browsers and password managers. Bugs in these platforms can cause passkeys to become temporarily unavailable, leading to user lockouts. These updates are beyond the relying party’s control, but their impact can be mitigated through proactive regression testing and timely fixes. To address these issues effectively, engineering teams must frequently run thousands of test cases, requiring significant resource dedication.</li><li><strong>FIDO Standards Compliance: </strong>Passkeys are built on the FIDO2 standard and rely on implementation specifications like WebAuthn, both of which are frequently updated. 
Ensuring compliance requires ongoing maintenance, testing and resource allocation to keep up with these evolving standards and ensure a seamless user experience.</li></ul><h4>Cost and Resource Demands</h4><p>Building and maintaining passkeys in-house requires substantial time, effort and expertise:</p><ul><li><strong>Development Time:</strong> Creating a basic passkey system takes months, but addressing edge cases and resolving user experience challenges from imperfect implementations can take years.</li><li><strong>Specialized Talent:</strong> Passkeys demand hard-to-find expertise in both security principles and user experience design. Additionally, their implementation requires platform-specific development skills due to varying functionality across iOS, Android and web environments.</li><li><strong>Long-Term Maintenance:</strong> Ongoing monitoring, frequent updates and bug fixes quickly escalate costs. Managing synthetic testing and ensuring compatibility with evolving platforms place a heavy burden on engineering teams, often pulling resources away from core business priorities.</li></ul><h3>Proper Implementation is Key</h3><p>The true value of passkeys lies in their ability to eliminate fraud and deliver a frictionless user experience. Poor implementation, however, risks:</p><ul><li><strong>User Confusion:</strong> Misaligned user flows frustrate users, undermining adoption.</li><li><strong>Missed Business Opportunities:</strong> Failure to optimize for ease of use and security can hurt engagement and retention.</li><li><strong>Security Gaps:</strong> Incomplete or incorrect implementations can introduce vulnerabilities.</li></ul><p>Ensuring proper implementation is essential to reap the benefits of passkeys.</p><h3>About LoginID</h3><p>At <a href="https://loginid.io/">LoginID</a>, we provide a turnkey solution for passkeys, eliminating the complexity so you can focus on your core business. 
Our solution saves you from dedicating resources to building and maintaining passkeys as the technology evolves.</p><p>We offer flexible deployment options, including SaaS and on-premise software licensing. Our on-premise model features flat-rate pricing, reducing your effective cost per user as adoption grows.</p><p>With LoginID, you gain a trusted partner to accelerate time-to-market and deliver seamless, secure authentication experiences.</p><p>This blog was originally posted at <a href="https://loginid.io/blog/passkeys_for_xecs_and_decision_makers">Passkeys for Execs and Decision Makers</a>. For more blogs, please visit our <a href="https://loginid.io/blog/page-1">content hub</a>. To join the LoginID community, simply register on our <a href="https://forum.loginid.dev/">developer forum</a> and explore the topics of passkey development.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Phishing can be stopped with passkeys, you just have to try it.]]></title>
            <link>https://loginid.medium.com/phishing-can-be-stopped-with-passkeys-you-just-have-to-try-it-7f09db9a60d2?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/7f09db9a60d2</guid>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Thu, 03 Oct 2024 18:30:46 GMT</pubDate>
            <atom:updated>2024-10-07T14:37:55.097Z</atom:updated>
            <content:encoded><![CDATA[<p>User experience and phishing resistance in one go.</p><p>In recent reports, <a href="https://invezz.com/news/2024/09/03/crypto-phishing-scams-surge-215-in-august-63-million-stolen-despite-fewer-victims/">Invezz stated that phishing is on the rise by 215%</a> in damages for crypto trading while, importantly, having fewer victims. This is in reality nothing new, as over the last few years we have seen a slow decline in phishing but a sharp increase in spear phishing, which is genuinely worrying. Let me explain why.</p><h3>What is phishing?</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ZLoUmqnFlTlxb0_lj-gXwg.jpeg" /></figure><p>Phishing is a type of online scam where someone tries to trick you into giving them your personal information, like passwords or credit card details. They often pretend to be a trusted organization, like your bank or a well-known company, by sending fake emails, messages, or websites that look real but are designed to steal your data.</p><p>Think of it this way: if an attacker can create a bank website that looks completely real and convinces you to enter your username, password, and even an SMS code, there’s nothing stopping them from taking over your account. This is a fundamental issue with the existing authentication methods, as they are not in any way phishing resistant.</p><p>Historically there have been attempts at making phishing-resistant authentication solutions, but all of them failed due to complexity in deployment or bad user experience.</p><h3>The Rise of Spear Phishing: A Growing Threat</h3><p>Spear phishing is a more targeted form of phishing, where attackers research individuals to craft personalized, credible emails. These messages often imitate trusted people, using specific details to deceive high-value targets like executives or IT admins, leading to severe breaches.</p><p>The threat has grown with deepfakes and large language models (LLMs). 
Deepfakes allow attackers to convincingly mimic voices or appearances, while LLMs create sophisticated, automated, personalised messages. You may spend months talking to a bot and have your guard slowly lowered. This makes spear phishing highly effective.</p><h3>Passkeys for the win!</h3><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*j3gXkl6cFxgMMuy_pvUXuw.jpeg" /></figure><p>Passkeys are the ultimate solution for phishing-resistant authentication. They use public key cryptography to keep your login credentials secure, and they’re bound to the specific website where they were created. Here’s how it works:</p><p>Imagine John, a regular consumer, wants to buy a new phone from “example.com.” When he creates an account, he typically sets up a password. But if an attacker creates a fake website, “evil.com,” they could trick John into entering his password, giving them access to his account.</p><p>With passkeys, instead of creating a password, John generates a passkey, which is specifically linked to “example.com.” If an attacker tries to trick John into logging into “evil.com,” the passkey won’t work because it’s tied only to “example.com,” making phishing attacks ineffective.</p><p>Here are some other things passkeys are great at:</p><p><strong>1. Phishing Protection</strong>: Since passkeys don’t require you to type or send a password, phishing attacks (where attackers trick you into giving them your password) are much harder. You can’t be tricked into giving away something you never type.</p><p><strong>2. Outstanding user experience</strong>: Passkeys offer the best authentication experience of all authentication options.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/800/1*yypAJWIqahtpqk4ME4ocdA.gif" /></figure><p><strong>3. Cross-device just works</strong>: No need to worry about hideous re-authentication. Once a passkey is created on one device, it works seamlessly on all other devices within the same ecosystem, i.e. 
register on iPad, log in on iPhone.</p><p><strong>4. Simplified account recovery:</strong> Users have fewer issues with account recovery, as they only need to regain access to their platform account. Once they have recovered access to their iPhone or Android phone, they are back in business.</p><p>Passkeys make logging in easier and more secure by combining strong cryptography with user-friendly authentication methods like biometrics or device verification.</p><h3>LoginID for the win.</h3><p><a href="https://loginid.io/">LoginID’s</a> focus on passkeys directly addresses the phishing problem, making it nearly impossible for attackers to intercept credentials or trick users. By replacing passwords with biometric-based authentication, LoginID improves both security and the overall user experience — users no longer need to remember passwords or worry about phishing attempts.</p><p>Transactions become seamless and trustworthy, creating confidence for both consumers and businesses. Our expert team has designed LoginID to integrate effortlessly into various platforms, ensuring security is built into every user interaction without compromising convenience.</p><p>Interested in trying it? Schedule a demo by emailing <a href="mailto:sales@loginid.io">sales@loginid.io</a>.</p><p><a href="https://loginid.io/">https://loginid.io/</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*NyyC9iN4RmAAXZ6yM6uoVQ.png" /></figure>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[How to avoid identity theft in banking]]></title>
            <link>https://loginid.medium.com/how-to-avoid-identity-theft-in-banking-f7acbf496f17?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/f7acbf496f17</guid>
            <category><![CDATA[biometrics]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[banking]]></category>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[identity]]></category>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Fri, 09 Sep 2022 16:41:19 GMT</pubDate>
            <atom:updated>2022-09-09T16:41:19.304Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*LloLXpuT46q9wy3yWFuEew.png" /><figcaption>How to avoid identity theft in banking</figcaption></figure><p><a href="https://usw1.loginid.io/en/register/get-started-a"><em>Try LoginID’s FIDO2 Passwordless Authentication Platform for Free</em></a><em> or reach out to </em><a href="mailto:sales@loginid.io"><em>sales@loginid.io</em></a><em> for more information.</em></p><p>Every financial institution should, if not already, aim to improve customer retention and customer experience by reducing account takeovers. Strong authentication bound to strong identity verification protects customer data while giving assurances around customer authenticity. This helps eliminate account takeovers and helps banks, brokerage firms, investment companies, insurance companies and more boost customer retention while proving themselves to be a secure and trustworthy institution.</p><p>Solutions such as <a href="https://loginid.io/">LoginID</a> help financial institutions, banks and card issuers to integrate strong authentication and identity verification.</p><h3>Identity Theft: A Growing Threat</h3><p>The United States has a growing concern: identity theft. 
Reported identity theft cases increased by over 113%, from 650,000 in 2019 to <a href="https://www.idtheftcenter.org/">1,388,000 in 2020</a>.</p><p>Some of the most common types of identity fraud are credit card fraud, government document fraud, loan and lease fraud, government benefits fraud, employment or tax-related fraud, bank fraud, and phone or utilities fraud, among others.</p><p>Even though a lot of reported identity theft cases involve credit card misuse, the biggest concern is account takeovers via identity spoofing — this has much deeper implications.</p><p>Identity theft, when it happens, puts banks, card issuers, and any kind of financial institution in a negative light; identity theft implications stretch beyond financial losses, all the way to consumer mistrust. Banks, card issuers, insurance companies and other financial institutions can mitigate mistrust and financial loss risks by enabling identity management and digital verification through secure identity solutions.</p><p>The best-in-class digital onboarding solutions conduct end user identity verification by digitally scanning the end user’s identification document, or ID, performing a liveness check or liveness detection, and using biometrics to match the end user to their scanned ID document as a way to prove that the end user really is who they say they are.</p><p>With the rise of digital services, online automatic identity verification solutions are also more common; apart from secure identity verification, these services also enable secure account recovery without human intervention. This helps reduce the time and cost implications of helping users recover access to their accounts.</p><p>Tech giants like Apple are, in fact, coming up with their own identity verification solutions, specifically allowing users to <a href="https://www.wired.com/story/apple-wallet-drivers-license-digital-id/">store ID cards on their mobile devices</a>. 
While financial issuers might think this helps them, the risk is the loss of a direct-to-consumer relationship by handing this function to a tech giant or a big tech player.</p><p>Reducing account takeovers involves a strong binding of authentication and identity. Banks, credit card issuers and other financial providers need to ensure they enable end users to securely verify themselves, even if their primary device is lost. Solutions like <a href="https://fidoalliance.org/company/LoginID">FIDO</a> provide financial institutions with the additional trust levels required to eliminate phishing and account takeover risks.</p><p>FIDO authentication is the de-facto authentication standard, proven to protect against phishing, account takeovers and other credential-based attacks. If a user loses access to their primary FIDO authentication device, or the device is stolen, access to the FIDO-protected account can still be recovered with a high level of assurance. FIDO binding has additional use cases, such as in the account onboarding process; it helps financial institutions meet Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.</p><h3>How LoginID and FIDO help financial institutions</h3><p>LoginID’s FIDO2 multi-factor authentication (MFA) solution is highly secure and very simple to integrate, helping reduce onboarding friction. 
LoginID’s FIDO2 solution enables banks, card issuers and all kinds of financial institutions to offer their customers and end users strong authentication and identity verification across desktop and mobile.<br>LoginID’s FIDO2 solution is compliant with regulations such as the <a href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation">GDPR</a> and the <a href="https://en.wikipedia.org/wiki/Payment_Services_Directive">PSD2</a>.</p><p>With LoginID’s FIDO2 solution, financial institutions, banks and card issuers get:</p><ul><li>A FIDO2 / FIDO UAF certified biometric authentication and identity verification solution</li><li>Extensive SDKs and APIs available for integration such as <a href="https://docs.loginid.io/Client-SDKs/Android/android-get-started">Android</a>, <a href="https://docs.loginid.io/Client-SDKs/iOS/ios-get-started">iOS</a>, <a href="https://docs.loginid.io/Client-SDKs/Web/web-get-started">Web SDK</a> and <a href="https://docs.loginid.io/">more</a></li><li>Detailed and thorough <a href="https://docs.loginid.io/">documentation</a> created for developers, by developers</li><li>A scalable business model that grows with the bank, card issuer, insurance provider or any financial institution</li><li>Startup support with a free-to-start ‘<a href="https://loginid.io/pricing">OpenSaaS</a>’</li><li><a href="https://docs.loginid.io/Use-Cases/payment-transaction-confirmation">Transaction Confirmation</a> with Digital Signature — a tool for financial institutions, banks and card issuers that provides a receipt proving the user’s biometric authentication for a transaction</li></ul><p>Financial institutions, banks and card issuers can get started by contacting our sales team at <a href="mailto:enterprise.sales@loginid.io">enterprise.sales@loginid.io</a>.</p><p>To learn more about LoginID’s FIDO2 and FIDO UAF biometric authentication, click <a href="https://loginid.io/solutions#authentication-platform">here</a>.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[FIDO2 101: Fast Identity Online — A Crash Course]]></title>
            <link>https://loginid.medium.com/fido2-101-fast-identity-online-a-crash-course-44ee463211f4?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/44ee463211f4</guid>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[biometrics]]></category>
            <category><![CDATA[developer]]></category>
            <category><![CDATA[identity]]></category>
            <category><![CDATA[fido2]]></category>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Fri, 09 Sep 2022 14:40:02 GMT</pubDate>
            <atom:updated>2022-09-09T14:40:02.125Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*b0IErVhqpcow9q_bchGp1Q.png" /><figcaption>FIDO2 101: Fast Identity Online — A Crash Course</figcaption></figure><h3>FIDO2 101: Fast Identity Online — A Crash Course</h3><p><a href="https://usw1.loginid.io/en/register/get-started-a">Try the FIDO2 Passwordless Authentication Platform by LoginID for Free</a> or reach out to <a href="mailto:sales@loginid.io">sales@loginid.io</a> for more information.</p><h3>What is FIDO2?</h3><p>An abbreviation for Fast Identity Online, <a href="https://fidoalliance.org/what-is-fido/">FIDO2</a> was designed as a solution to the global password problem. Currently, passwords are still the primary method for logging into apps or websites. Passwords, however, are weak, and are ineffective when it comes to fraud prevention.</p><p>Apart from their vulnerability, passwords are very inconvenient for users. In fact, over 80% of data breaches are directly linked to passwords, amounting to an average loss of $3.9 million.</p><p>Not only insecure, passwords can prove to be costly to businesses, with the average <a href="https://www.ibm.com/security/data-breach">price of contacting the help desk to reset a password</a> sitting at $70.</p><p>In addition to security and cost, passwords have a negative impact on conversion rates, with online merchants seeing a cart abandonment rate of around 30%.</p><p>The FIDO2 protocols were created by the FIDO Alliance with <a href="https://fidoalliance.org/fido-authentication/privacy-principles">privacy</a> as the main addressable concern. FIDO2 protocols ensure that third parties can never use any PII data to follow users across services. 
Any biometric information used within the FIDO2 protocol securely remains on the user’s device — it is not stored on any server.</p><p>The FIDO2 standard is particularly effective due to broad adoption and cooperation across industries.</p><p>FIDO2 standards have been implemented by internet browsers, device manufacturers (such as Apple and Android), all the way down to chip makers (such as Intel). There are over 5 billion devices that support FIDO2 globally, with implementations continually growing.</p><p>FIDO2 is currently compatible with all the most popular web browsers and operating systems, making it easy for end users to authenticate themselves without having to download additional apps or purchase additional hardware.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*ro4neare-pzoPy6-.png" /></figure><h3>Why FIDO2?</h3><h4>End User Benefits</h4><ul><li><strong>No Passwords</strong>: Most users have to remember around <a href="https://securitybrief.co.nz/story/average-person-has-100-passwords-study">100 passwords</a> for all their online accounts. FIDO2 passwordless authentication allows apps and websites to cut passwords out altogether.</li><li><strong>Familiar and Convenient Experience</strong>: By using a device’s native biometric authentication mechanism, FIDO2 incorporates a very familiar user experience, i.e. the same actions a user would make to unlock a device or make a payment (a face scan, a fingerprint scan, Face ID or Touch ID).</li><li><strong>Fraud Prevention and Improved Security</strong>: Going back to the fact that most users have to remember around 100 passwords, this is next to impossible, which leads to users recycling passwords. <a href="https://financesonline.com/password-statistics">50% of all online users</a> utilize the same password across all their online accounts, and many only use a few passwords. 
This means that a compromised password on one account can lead to a breach of all other accounts that use the same password.</li></ul><h4>Business Benefits</h4><ul><li><strong>Improved Usage and Conversion</strong>: <a href="https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/is-cybersecurity-incompatible-with-digital-convenience">A recent survey by McKinsey</a> found that a passwordless authentication flow that prioritizes convenience can result in a 20% increase in overall usage. Users authenticating themselves with FIDO2 show 3–5x higher activity than users who log in with a traditional password.</li><li><strong>Lower Support Costs</strong>: A password reset request costs a company’s help desk around $70 to resolve. Implementing FIDO2 passwordless authentication eliminates this cost, freeing up company resources to address more critical issues.</li><li><strong>Enhanced Fraud Prevention</strong>: FIDO2 passwordless authentication is a powerful fraud prevention tool that eliminates both man-in-the-middle and phishing attacks. Apart from fraud caused by data breaches (mostly due to compromised passwords), account takeover fraud is also growing, with significant financial impact on companies. Implementing FIDO2 empowers companies to potentially eliminate all kinds of authentication-related fraud.</li></ul><h3>How Does FIDO2 Work?</h3><p>Think about the very familiar way you unlock your device; with an iPhone you might use Face ID to unlock your device, with an Android device you might use the fingerprint scanner, and on a Windows Hello device, you might use a non-biometric PIN. FIDO2 passwordless authentication works in the same way, with a process that is already very familiar to consumers.</p><p>FIDO2 uses standard public key cryptography. A public/private key pair is generated by the end user’s device upon registration. 
The private key remains securely on the end user’s device and never leaves it. As an example, iPhones use the Secure Enclave to store private keys.</p><p>The public key is what gets registered with the particular online service that the end user is trying to register for. It is signed with an attestation certificate which is unique to the end user’s device and model, and is built into the end user’s device upon manufacturing. <strong>Attestation</strong> is often the term used to denote a FIDO2 credential registration.</p><p>Once a device is registered, the FIDO2 credentials are used to log the user in. First, the end user’s application pushes an authentication request to the user. The server then issues a challenge, which the authenticator signs with the private key of that key pair; the server verifies the signature with the registered public key. <strong>Assertion</strong> is often the term used to denote a FIDO2 authentication event.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/601/0*XlKqlrKokLq2acc5.png" /></figure><p><a href="https://fidoalliance.org/how-fido-works">Image Courtesy of FIDO Alliance</a></p><h3>FIDO2 Keys to Success</h3><ul><li><strong>Strong Fraud Prevention Measures</strong>: FIDO2 protocols provide a powerful fraud prevention tool, specifically against man-in-the-middle and phishing attacks. FIDO2 nearly eliminates account takeover risks as well. FIDO2 passwordless authentication creates unique credentials for every site, which means a compromise on one account or website will not have a cascading effect on other accounts or websites.</li><li><strong>Multi-factor Authentication</strong>: While FIDO2 passwordless authentication may seem to be a simple single authentication action, it is, in fact, a combination of two authentication factors. One authentication factor is the action initiated by the user, i.e. scanning their face, scanning their fingerprint, or entering their PIN. 
The other factor is possession of the device that holds the private key, which is what the signed assertion proves.</li><li><strong>Device Bound Biometrics</strong>: Although biometrics are not a requirement of the FIDO2 passwordless authentication protocol, using them is common practice. What makes registering your biometrics with FIDO2 safe is the fact that no biometric data is ever stored on a server. The only thing stored on the server is the public key, which does not contain any sensitive data. FIDO2 avoids the problems of server-side biometric authentication by limiting biometric use to local user verification on the device; the server only ever sees the resulting signed assertion.</li><li><strong>Unique Domain Credentials</strong>: When the end user registers with a particular domain, FIDO2 passwordless authentication ensures that the credential is bound to that domain, and that domain alone. This means that a FIDO credential registered for loginid.io cannot be used by a look-alike domain such as loginid-example.com.</li></ul><h4>About LoginID</h4><p><a href="https://loginid.io/">LoginID</a> offers a FIDO2-certified passwordless authentication solution that can be easily integrated, with just a few lines of code, into any website or app. Created with developers and enterprises in mind, LoginID adheres to PSD2 regulations and can enhance your site’s fraud prevention methods with strong customer authentication.</p><p>Integrate FIDO2-certified passwordless authentication into your site. Click <a href="https://docs.loginid.io/">here</a> for documentation on LoginID’s SDKs and APIs.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=44ee463211f4" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Crypto Exchanges See More Authentication Regulations]]></title>
            <link>https://loginid.medium.com/crypto-exchanges-see-more-authentication-regulations-5408392b91cd?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/5408392b91cd</guid>
            <category><![CDATA[security]]></category>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[cryptocurrency]]></category>
            <category><![CDATA[psd2]]></category>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Thu, 04 Aug 2022 16:03:47 GMT</pubDate>
            <atom:updated>2022-08-04T16:03:47.613Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*pmFv2mJr98WueZZkAfikxw.png" /><figcaption>Crypto Exchanges See More Authentication Regulations — LoginID</figcaption></figure><p>Unauthorized account access made up 43% of successful American business data breaches in 2020, making authentication an extremely important security concern for companies that do business online. In 2020, consumer losses due to identity fraud amounted to $56 billion. What’s more, 53% of American local, state and federal government bureaus saw an increase in account takeover fraud in the past few years.</p><p>Digital wallets and cryptocurrency exchanges attract a great deal of fraud and therefore require secure authentication to protect their platforms from cybercriminals. In 2020, bad actors made off with around $300 million from crypto accounts through phoney crypto exchanges, phone number hijacking (SIM swapping) and phishing scams. What’s worse is the fact that crypto exchanges are nearly entirely unregulated; however, as the threat of fraud increases, exchanges are coming under regulatory scrutiny.</p><p>Crypto monitoring by regulatory agencies is fuelled by the role exchanges have played in money laundering and cybercrime. Identified transactions from and to illicit or illegal accounts, while 50% lower last year, still amounted to $10 billion, with scams representing 26% of that amount. Ransomware payments increased by 311%; even though that number is already high, ransomware incidents usually go unreported, so the actual increase is likely higher.</p><p>Financial regulators worldwide have responded to the growth in cyber fraud by cracking down on digital wallets and crypto exchanges with insufficient anti-money laundering (AML) and know-your-customer (KYC) processes.</p><p>Binance in the UK was blocked from regulated operations after declining to register with the Financial Conduct Authority (FCA). 
As a result, Santander and Barclays additionally barred their customers from transacting with Binance.</p><p>On the flip side, Kraken tightened the KYC requirements for margin trading on its US-based accounts in order to be more aligned with Securities and Exchange Commission (SEC) regulations. <a href="https://www.coinbase.com/">Coinbase</a> continually monitors changes in authentication requirements and regulations in the digital wallet and crypto space, making changes accordingly.</p><p>The strong customer authentication (SCA) requirement defined by the European Banking Authority (EBA) has shaken up the financial sector ever since its inclusion in the revised Payment Services Directive (PSD2).</p><p>These strong customer authentication regulations mandate that payment service providers (PSPs) use multi-factor authentication (MFA) to protect card-based online payments and digital transactions. The EBA recently released a report showing significant progress on strong customer authentication: 99% of EU merchants support it, and 94% of EU payment cards are SCA-ready.</p><p>Bringing all this over to the FinTech side, digital wallets and crypto exchanges can meet strong customer authentication requirements by implementing FIDO2. FIDO2-certified passwordless authentication providers, such as <a href="https://usw1.loginid.io/en/register/get-started">LoginID</a>, offer payment authentication and passwordless authentication tools ideal for the crypto space.</p><p>With only a few lines of code, digital wallets and crypto exchanges can implement <a href="https://usw1.loginid.io/en/register/get-started">LoginID’s strong customer authentication</a> quickly, easily and at no cost. LoginID’s fraud prevention tool pairs end users with their biometrics (facial scan or fingerprint scan) and creates a private key/public key pair. 
The private key is stored safely on the user’s device, and no additional app is required.</p><p>Once a user registers, all they need to do is scan their face or finger to access their digital wallet. This is a better experience for the user, and it also allows the exchange to meet multi-factor authentication standards.</p><p>As an added security layer, digital wallet providers can even take advantage of LoginID’s biometric digital signature API and transaction confirmation to provide their users with payment authentication. When customers want to transfer or trade their crypto, they are prompted to scan their biometrics; the resulting signature over the transaction details authenticates the payment and creates a digital receipt.</p><p>With this dual fraud prevention approach investors can rest assured that their account is protected against fraud.</p><p>With the EU planning to institute a digital identity verification framework, a convenient way for digital wallets and crypto exchanges to prepare is to use LoginID and <a href="https://authid.ai/">authID</a>’s digital identity verification solution. This solution recognizes and verifies over 9,000 document types from hundreds of countries, simplifying digital identity verification. The solution is mobile compatible, allowing for simplified mobile identity verification.</p><p>Cryptocurrency is still making a global impact, attracting not only investors but also regulators who are scrutinizing the industry in an attempt to curb illicit activity.</p><p>Digital wallets and crypto exchanges need to build a strong infrastructure to cope with the increasing regulation in the space. 
Utilizing LoginID’s suite of strong customer authentication solutions allows digital wallets and crypto exchanges to forge ahead in their fraud prevention efforts.</p><p><a href="https://usw1.loginid.io/en/register/get-started-a">LoginID Offers Authentication Solutions for the Crypto Space, Free to Try!</a></p><p>This article is an adaptation from <a href="https://www.pymnts.com/pymnts-post/authentication/2021/coinbase-says-crypto-exchanges-face-dual-regulations-to-meet-differing-authentication-rules/?c=loginid">PYMNTS</a>.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=5408392b91cd" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Do Banks Care About Fraud?]]></title>
            <link>https://loginid.medium.com/do-banks-care-about-fraud-74665d0ecef0?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/74665d0ecef0</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[banking]]></category>
            <category><![CDATA[fraud]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[authentication]]></category>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Thu, 12 Aug 2021 15:14:49 GMT</pubDate>
            <atom:updated>2021-09-07T20:12:53.161Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*pRiYdqpIN_Ou2EIRvXw9jw.png" /><figcaption>Do banks care about fraud?</figcaption></figure><p>It is thought that banks, since they can write fraud losses off as deductions, do not actually care about fraud. The ability to write fraud losses off gives the impression that banks are not motivated to prevent loss, since it has no effect on their bottom line. However, this belief is a myth.</p><p>Banks do care about fraud; complacency in fraud management would erode faith in the banking system. KYC, AML and related regulations enforce fraud consciousness among banks, with serious penalties in place for non-compliance. Apart from this, the bank in question also faces reputational damage that can be hard to recover from.</p><p>It’s true that banks are willing to write fraud losses off; however, it’s not for the tax incentive. Rather, it’s because <a href="https://home.kpmg/xx/en/home/insights/2019/05/the-multi-faceted-threat-of-fraud-are-banks-up-to-the-challenge-fs.html">less than 25% of fraud losses are recovered</a>. The high cost and low recovery rate often make writing the loss off a more viable option for banks, albeit a rather undesirable one.</p><p>Banks all over the world have cited data breaches and cyber fraud as their primary concern. With phishing, account takeovers, identity theft, identity impersonation fraud and various other kinds of cyber breaches all rising in the financial industry, many banks are making large investments in fraud prediction and prevention.</p><p>Current fraud management mechanisms are not enough; there is a need for additional preventative measures. 
One option is strong authentication, which provides assurance about the validity and integrity of user interactions.</p><p><a href="https://usa.visa.com/dam/VCOM/global/visa-everywhere/documents/visa-biometrics-payments-study.pdf">Visa recently reported</a> that 86% of consumers want biometrics to be part of their payment experience. Not only do they want secure payment experiences, they also want an easy passwordless experience. This is good news for banks, as passwords are expensive to manage; <a href="https://www.fiserv.com/en/about-fiserv/the-point/forgot-your-password-most-people-do.html">up to 40%</a> of call center requests are related to password resets.</p><p><a href="https://loginid.io/solutions#authentication-platform">LoginID</a>’s suite of <a href="https://fidoalliance.org/company/LoginID/">FIDO-certified</a> biometric authentication solutions provides banks a way to combat cyber fraud while ensuring a smooth user experience. Through LoginID’s solutions, which range from passwordless login to transaction confirmation and digital receipts with digital signatures to identity verification, banks can fight cyber fraud before it occurs. LoginID enables developers to integrate quickly through a highly scalable SaaS platform, thanks to its developer-centric <a href="https://docs.loginid.io/">SDKs and APIs</a>.</p><h3>About LoginID</h3><p><a href="https://loginid.io/">LoginID</a> is disrupting the Consumer Identity and Authentication market; LoginID is a FIDO-certified passwordless authentication solutions provider, offering a SaaS-based Strong Customer Authentication Solution coupled with Digital Onboarding, Identity Verification and eKYC solutions. 
Backed by serial fintech entrepreneurs and strategic partners such as <a href="https://loginid.io/news-loginid-announces-investment-from-visa">Visa</a>, LoginID is a strong global team based in San Mateo, California and Toronto, Canada, who are experts in security, encryption and tokenization.</p><p>LoginID’s advantages include:</p><ul><li>A FIDO2 / FIDO UAF certified biometric authentication solution</li><li>Extensive <a href="https://docs.loginid.io/">APIs and SDKs</a> available for integration</li><li><a href="https://docs.loginid.io/">Documentation</a> created by developers for developers</li><li>A scalable business model that grows with your business</li><li>An <a href="https://loginid.io/pricing">OpenSaaS</a> plan to support start-ups</li><li><a href="https://loginid.io/solutions#transaction-confirmation">Transaction Confirmation</a> with Digital Signature Service</li></ul><p><a href="https://usw1.loginid.io/">Register for a free account</a>, or check out the demo <a href="https://loginid.io/">here</a>.</p><p>Learn more about LoginID’s FIDO2 and FIDO UAF biometric authentication <a href="https://loginid.io/solutions#authentication-platform">here</a>.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=74665d0ecef0" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Building Seamless KYC for Crypto: How to be Prepared]]></title>
            <link>https://loginid.medium.com/building-seamless-kyc-for-crypto-how-to-be-prepared-ca896b72a61b?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/ca896b72a61b</guid>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[regulation]]></category>
            <category><![CDATA[kyc]]></category>
            <category><![CDATA[investing]]></category>
            <category><![CDATA[cryptocurrency]]></category>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Thu, 29 Jul 2021 15:09:54 GMT</pubDate>
            <atom:updated>2021-07-29T15:09:54.872Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*-KGzFCAWCz_C5Ye1OEUFGg.png" /><figcaption>Building Seamless KYC for Crypto: How to be Prepared</figcaption></figure><p>Many investors are drawn to the crypto space because of the promise of anonymity, decentralization, and return on investment, sparking an explosion in the number of crypto investors over the past few years. However, these same appeals make the space vulnerable to fraudsters who exploit even seasoned crypto veterans. The influx of capital into the crypto market has, in turn, led to a rapid growth in fraud and potentially other illicit activities.</p><p>According to the Federal Trade Commission (FTC), October 2020 to June 2021 saw consumers reporting losses of $80m due to crypto-investment fraud, and one has to imagine that number drastically underrepresents reality by some <a href="https://www.wsj.com/articles/crypto-frauds-target-investors-hoping-to-cash-in-on-bitcoin-boom-11623058380#:~:text=FTC%20says%20consumers%20have%20reported,crypto%2Dinvestment%20scams%20since%20October">margin</a>.</p><h3><strong>So, what does this mean for crypto investors? It means regulation is coming.</strong></h3><p>In December last year, the Treasury Department proposed a new rule that would require users who want to move more than $3,000 in crypto from an exchange to their private wallet, or to another user, to provide detailed Know-Your-Customer (KYC) information. In addition to users providing KYC information, exchanges would be required to report single transactions, or groups of transactions, that add up to $10,000 or greater to the <a href="https://public-inspection.federalregister.gov/2020-28437.pdf">Financial Crimes Enforcement Network</a>.</p><p>However, not all countries are taking a regulatory approach. In May of this year, for example, China cracked down on Bitcoin trading and mining, causing a sharp selloff in the global crypto market. 
While China has not outright outlawed crypto trading on the consumer level, Chinese financial institutions are banned from trading in crypto. Why did this happen? Chinese officials cited concerns about the ease of money laundering as a key factor in the crackdown.</p><p>While the US and Europe’s response might not be as draconian as that of China, the wild west days of the mainstream crypto space are numbered, as more and more KYC rules become requirements. KYC is not unheard of in the crypto world and, in fact, popular exchanges all over the world already require their users to submit KYC documentation which, after being verified by the crypto exchange, allows the user to purchase crypto through their credit card or bank account. One can expect KYC to become more pervasive as the space continues to grow and lagging regulators play catch up.</p><h3><strong>Does KYC actually help?</strong></h3><p>KYC can actually help solve additional issues beyond fraud and money laundering, such as problems with account recovery and lost keys. Without identifying information tying a user to their wallet, it can be next to impossible for a user to recover access to their wallet if they are unfortunately locked out. Tying KYC to a crypto wallet would eliminate this problem by allowing users to recover their wallet by verifying their ID instead of trying to remember a lost private key or seed phrase, or to access a document where that long string of characters is stored, quite possibly insecurely.</p><h3><strong>What are the downsides?</strong></h3><p>One complaint that has been relatively pervasive has been the slow KYC verification process from crypto wallet support teams. Manually verifying individuals is a time consuming and expensive process. 
Not only does this cost the crypto wallet providers time and money, it frustrates the end user.</p><h3><strong>Is there a solution to this?</strong></h3><p>Luckily, there are providers that take this load off exchanges, offering them the speed and security of integrating de facto standards around authentication and verification, while saving the exchange time, money and manpower. LoginID, an API-based FIDO-certified passwordless authentication and transaction confirmation provider, is one such solution. With exchanges offering a service like LoginID, a user would be able to securely transfer crypto from their wallet, signing the transaction after biometric verification such as a fingerprint or Face ID scan <a href="https://loginid.io/solutions#authentication-platform">already available on their device</a>. LoginID, along with their partner AuthID, take this one step further by offering a simple to implement, consumer friendly, accurate, and economical <a href="https://authid.ai/idaas">KYC for crypto wallets and exchanges</a>.</p><h3>About LoginID</h3><p>LoginID is a San Mateo/Toronto based company focused on bridging the gap around authenticating users and securing their information. This is facilitated through its FIDO2 and UAF certified strong customer authentication, privacy and tokenization platform. 
The team is composed of seasoned executives with decades of experience, across global brands, helping commercialize products around security, cryptography, payments and mobile.</p><p>With LoginID You Get:</p><ul><li>FIDO2 / FIDO UAF certified biometric authentication solution</li><li>Extensive APIs and SDKs available for integration such as OpenID Connect, iOS, Android, and Web</li><li>Detailed and thorough <a href="https://docs.loginid.io/">documentation</a> created by developers for developers</li><li>A scalable business model that grows with your business</li><li>An Open SaaS plan to support start-ups</li></ul><p>Get started by <a href="https://usw1.loginid.io/">registering for a free account</a>, or by checking out the demo <a href="https://loginid.io/">here</a>.</p><p>If you would like to learn more about LoginID’s FIDO2 and FIDO UAF biometric authentication, you can do so <a href="https://loginid.io/solutions#authentication-platform">here</a>.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=ca896b72a61b" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[FIDO2/UAF Strong Customer Authentication vs Proprietary Biometric Solutions]]></title>
            <link>https://loginid.medium.com/fido2-uaf-strong-customer-authentication-vs-proprietary-biometric-solutions-16a476a2ac87?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/16a476a2ac87</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[infosec]]></category>
            <category><![CDATA[fido]]></category>
            <category><![CDATA[biometrics]]></category>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Mon, 26 Jul 2021 20:55:42 GMT</pubDate>
            <atom:updated>2021-07-28T12:17:01.324Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*uNsg-yFKWOKkZXnm5MA7Zw.png" /><figcaption>FIDO2/UAF Strong Customer Authentication vs Proprietary Biometric Solutions — LoginID</figcaption></figure><p>Enterprises are facing heightened scrutiny from governments and regulatory bodies with regard to security and protection of customer information. Therefore it is important for enterprises to meet or exceed best practices related to protecting customer interactions. The following document will go over LoginID’s FIDO certified strong customer authentication products versus proprietary biometric solutions.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/720/0*wUwOIIBK5ynBeP5w" /></figure><h3>Proprietary Biometrics</h3><p>To help us better understand proprietary biometric solutions and the gaps between their offerings and what enterprises need, we explored three main criteria: compliance, authentication, and vulnerabilities.</p><h3>Compliance</h3><p>Proprietary biometric solutions do not, by themselves, satisfy the requirements set by regulators.</p><p>Increasing regulatory requirements from the GDPR, CCPA, UU PDP, and PSD2 are mandating <strong>strong</strong> <strong>customer authentication (SCA)</strong> solutions and treating SMS-based one-time codes as a weak factor, which makes <a href="https://docs.loginid.io/fido-101">FIDO</a> the most suitable and secure solution on the market.</p><p>Taking the PSD2 requirements as an example, we see that proprietary biometrics could arguably be considered one-factor authentication, and therefore need to be supplemented with an additional factor in order to meet the directive. In contrast, FIDO authentication with user verification inherently combines two factors, possession of the device and a biometric or PIN, and is designed to meet PSD2 strong customer authentication.</p><p>Major banks, mobile operators, government entities, and crypto exchanges such as Coinbase and Kraken have started adopting FIDO protocols in one form or another. 
Southeast Asia, as an example, is currently the largest market for FIDO users, with an estimated five hundred million users adopting it. Other companies that leverage FIDO protocols include Line, NTT Docomo, SK Telecom, Alibaba, and Industrial and Commercial Bank of China.</p><h3>Local Authentication vs Remote Authentication</h3><p>User authentication can be remote, where the device proves something to an external server, or local, where the device verifies the user by itself. Proprietary biometrics are inherently local, on-chip authentication: the match result stays on the device. Remote authentication instead sends a cryptographic signature (never biometric data) to the backend server for verification, which gives the server proof of the claimed identity.</p><h4>There is no out of the box remote authentication capability with proprietary biometrics.</h4><p>Given the local nature of proprietary biometric authentication, there are numerous vulnerabilities worth mentioning.</p><h3>Vulnerabilities</h3><p>There are multiple ways to implement proprietary biometric solutions, from using APIs local to the operating system and cached credentials, all the way to using long-lived refresh tokens. Regardless of which implementation an application employs, inherent risks include:</p><ul><li>No phishing resistance: a biometric unlock on the device does not bind the session to the site the user is actually talking to</li><li>No ability to perform <a href="https://docs.google.com/document/d/1c6mJ_qYHgz8CIXNCEaz62OvAH8aUaZppyXVseY6Re4I/edit#bookmark=id.bj39amurf988">transaction confirmation</a></li><li>Long-lived refresh tokens that are hard to revoke</li></ul><h3>FIDO Biometric Strong Customer Authentication</h3><p>The FIDO protocol is a phishing-resistant authentication protocol with strong attention to the user experience. It was developed by the FIDO Alliance, a consortium of 300+ companies that work to make commerce more secure, frictionless, and phishing free. 
There are now more than 4 billion devices that support the FIDO standard, with millions of new devices being added monthly. More and more large enterprises have recognized the significant benefits of adopting this protocol.</p><h3>Google has experienced zero successful internal phishing attacks since they moved their employees to FIDO [1]</h3><p>LoginID currently supports the FIDO UAF and FIDO2 protocols:</p><ul><li>UAF is mobile-centric, with usernameless and passwordless modes as well as transaction confirmation</li><li>FIDO2 is web-oriented, developed as a joint project between the W3C and the FIDO Alliance</li></ul><h3>FIDO UAF</h3><p>FIDO UAF introduces additional security such as:</p><ul><li>No shared secrets are stored on the server</li><li>All authentications are done via FIDO and are protected by an asymmetric digital signature, which an attacker cannot forge without the device’s private key</li><li>Stolen cookies pose little threat, as any high value operations are protected by transaction confirmation</li><li>No refresh token or static secrets, which reduces the attack surface significantly</li></ul><h3>FIDO2</h3><p>FIDO2 is a web-centric passwordless authentication protocol. It was developed in cooperation between the FIDO Alliance and the W3C (World Wide Web Consortium) and is now supported by all major browsers and platforms. It is the successor of the FIDO U2F protocol. 
New features and functions include:</p><ul><li>Web-friendly</li><li>Simple JavaScript API (WebAuthn)</li><li>Provides 2FA (Username/Password + FIDO2), Passwordless (Username + FIDO2) and Usernameless (Just press login) experiences</li><li>Supported by all major browsers (Chrome, Firefox, Edge, and Safari)</li><li>Users don’t need to buy additional or external security keys, as platform authenticators are available in Windows 10 and Android 7+, and in iOS and macOS through Safari 14 (Face ID and Touch ID)</li><li>Enterprise-friendly and works with Windows Hello</li></ul><h3>LoginID’s Unique Proposition</h3><p>In addition to the enhanced security features listed above, LoginID’s clients will also be able to benefit from the following capabilities:</p><h3>Compliant Authentication: Lower Upfront Cost and Time-to-Market</h3><p>Leverage our pre-compliant solution to achieve local and remote authentication; meet current security and compliance requirements and those soon to come. When you integrate with our SDKs, our backend takes care of the server authentication flows, freeing your team from designing, testing, and maintaining an in-house solution. In addition, your team will benefit from our rapid deployment, updates, new features, and ongoing maintenance of the LoginID solution.</p><h3>FIDO UAF Out-of-the-Box Advantages</h3><ul><li>Replay attack prevention</li><li>Privacy protection</li><li>Passwordless and usernameless modes</li></ul><h3>Expanded Privacy Feature</h3><p>FIDO meets a key requirement of the GDPR, data protection by design, which mandates that any implementation of data processing <strong>must implement data protection by design</strong>, i.e. 
the protection is not reactive but proactively built into the solution.</p><h3>FIDO and GDPR privacy by design</h3><p>Below are the key properties of the FIDO protocol that contribute to its by-design fit with the GDPR [2]:</p><ul><li>Based on public key cryptography: no private keys are shared between device and server</li><li>Keys are not provisioned; they are generated and stored on the device</li><li>No server-side shared secrets</li><li>Biometric data never leaves the device</li><li>No linkability between a user’s credentials at different services</li></ul><p>Because each user’s device generates a separate key pair for every application it registers with, there is no way to correlate those credentials across services.</p><h3>Transaction Specific Digital Signatures</h3><p>Transaction-specific digital signatures confirm sensitive actions such as trade executions and withdrawals. FIDO provides transaction confirmation via hardware-backed signatures over the transaction details, proving that the user approved those exact details at a specific time; the signature can then be kept as evidence and supports non-repudiation of the transaction.</p><h4>The FIDO standard is recognized under the electronic IDentification, Authentication and trust Services (eIDAS) regulation and has strong support from the Open Banking community.</h4><h3>Customizable Authentication Flows</h3><p>Depending on your environment and security needs, your team can leverage multiple authentication modes within FIDO for:</p><ul><li>FIDO as a second factor to the username and password for easier adoption</li><li>Passwordless authentication with a simple touch of a finger for an excellent user experience</li><li>Usernameless experience for a true ‘one button’ authentication</li></ul><h3>Other non-security benefits</h3><ul><li><a href="https://fidoalliance.org/overview/legal/logo-usage/">Usage of FIDO Certified</a> logo for marketing materials.</li><li>Consistent standard across all major platforms: iOS, Android, Windows, Mac OS, and all major web 
browsers</li></ul><h3>Conclusion</h3><p>The founding principles of the FIDO specification are privacy, security, and credential scaling, which have proven to be beneficial for maximizing authentication capabilities. Multiple industries are consolidating towards open banking, requiring a greater need for comprehensive solutions that adhere to FIDO standards.</p><p>FIDO’s open standard applies to all platforms (Web, iOS, Android, etc). This allows organizations to leverage it at scale, eliminating the need to download special applications or special extensions.</p><p>Finally, by utilizing FIDO solutions, organizations will benefit from leveraging the industry momentum around the FIDO standard and reducing their compliance efforts significantly.</p><h3><strong>About LoginID</strong></h3><p>LoginID is a San Mateo/Toronto based company focused on bridging the gap around authenticating users and securing their information. This is facilitated through its FIDO2 and UAF certified strong customer authentication, privacy and tokenization platform. 
The team is composed of seasoned executives with decades of experience across global brands, helping commercialize products around security, cryptography, payments and mobile.</p><p>With LoginID You Get:</p><ul><li>FIDO2 / FIDO UAF certified biometric authentication solution</li><li>Extensive APIs and SDKs available for integration such as OpenID Connect, iOS, Android, and Web</li><li>Detailed and thorough <a href="https://docs.loginid.io/">documentation</a> created by developers for developers</li><li>A scalable business model that grows with your business</li><li>An Open SaaS plan to support start-ups</li></ul><p>Get started by <a href="https://usw1.loginid.io/">registering for a free account</a>, or by checking out the demo <a href="https://loginid.io/">here</a>.</p><p>If you would like to learn more about LoginID’s FIDO2 and FIDO UAF biometric authentication, you can do so <a href="https://loginid.io/solutions#authentication-platform">here</a>.</p><h3>References</h3><ol><li><a href="https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/">https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/</a></li><li><a href="https://fidoalliance.org/fido-authentication-for-gdpr-video/">https://fidoalliance.org/fido-authentication-for-gdpr-video/</a></li></ol><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*e2CWycCs8qkNS3zo" /></figure>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[LoginID hosts the first FDO Rendezvous Server for Developers, helping secure IoT interactions]]></title>
            <link>https://loginid.medium.com/loginid-hosts-the-first-fdo-rendezvous-server-for-developers-helping-secure-iot-interactions-827cac8419a0?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/827cac8419a0</guid>
            <category><![CDATA[iot]]></category>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[information-technology]]></category>
            <category><![CDATA[developer]]></category>
            <category><![CDATA[infosec]]></category>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Fri, 16 Jul 2021 10:44:47 GMT</pubDate>
            <atom:updated>2021-09-03T15:57:03.744Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*RilnQsVuMKlJNJqzowI0OA.png" /><figcaption>LoginID hosts the first FDO Rendezvous Server for Developers, helping secure IoT interactions</figcaption></figure><h3>LoginID helps secure IoT interactions by hosting the first FDO Rendezvous Server for Developers</h3><p><em>FIDO Device Onboarding support is a new component of LoginID’s mission to protect privacy through industry standards and secure internet experiences.</em></p><p><strong>San Mateo, CA, July 12, 2021</strong>. <a href="https://loginid.io/">LoginID</a>, a FIDO-certified authentication and identity solution provider, recently announced the deployment of the first FIDO Device Onboarding (FDO) Rendezvous Server for early developers to experiment with the recently released FIDO Alliance FDO Proposed Standard. In FDO, the Rendezvous Server is the service a newly powered-on device contacts to discover where its current owner’s onboarding service is, so that the device can be bound to its owner late, at installation, rather than at manufacture time. FDO will be key in helping secure IoT devices, <a href="https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/">projected to cross 30 billion by 2025</a>.</p><p>“LoginID’s release of the FDO Rendezvous Server is an important milestone for the future of FDO”, said LoginID’s VP Authentication and Identity, Bill Leddy. FDO is designed to provide end-to-end IoT ecosystem security, and the LoginID Rendezvous Server works together with LoginID’s onboarding service and other FDO services.</p><p>Building a secure, FDO standard-based, end-to-end IoT ecosystem requires collaboration and strong partnerships among device manufacturers, supply chain vendors, and internet service providers.</p><p>LoginID is looking for early partners and developers who want to be a part of building this secure IoT future. Developers can learn more about LoginID’s FDO support by visiting <a href="https://loginid.io/fdo">fdo.loginid.io</a> or by contacting <a href="mailto:fdo@loginid.io">fdo@loginid.io</a>. 
For developers who want to get started right away, please view our <a href="https://github.com/secure-device-onboard/client-sdk-fidoiot">SDK documentation</a>.</p><p>LoginID has the fastest implementation time in the market; its commitment to accelerating passwordless authentication adoption is backed by a wide range of integration options that let organizations integrate and scale strong authentication quickly, easily and at low cost, while complying with the PSD2 directive, the GDPR and other international data privacy laws.</p><p><strong>About LoginID</strong></p><p>LoginID is a San Mateo/Toronto based company focused on bridging the gap around authenticating users and securing their information. This is facilitated through its FIDO2 and UAF certified strong customer authentication, privacy and tokenization platform. The team is composed of seasoned executives with decades of experience across global brands, helping commercialize products around security, cryptography, payments and mobile.</p><p>For more details about LoginID’s support of FDO please visit <a href="https://loginid.io/fdo">fdo.loginid.io</a> or contact <a href="mailto:fdo@loginid.io">fdo@loginid.io</a>.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[White house Executive Order for Cyber Security requiring MFA and how LoginID can help…]]></title>
            <link>https://loginid.medium.com/white-house-executive-order-for-cyber-security-requiring-mfa-and-how-loginid-can-help-5339c98f9953?source=rss-525444c75c83------2</link>
            <guid isPermaLink="false">https://medium.com/p/5339c98f9953</guid>
            <category><![CDATA[information-technology]]></category>
            <category><![CDATA[biometrics]]></category>
            <category><![CDATA[authentication]]></category>
            <category><![CDATA[privacy]]></category>
            <category><![CDATA[information-security]]></category>
            <dc:creator><![CDATA[LoginID]]></dc:creator>
            <pubDate>Fri, 09 Jul 2021 00:13:29 GMT</pubDate>
            <atom:updated>2021-07-09T00:14:25.063Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*J6RARulkkAbIVg5WNd03KQ.png" /></figure><h3>White House Executive Order for Cyber Security requiring MFA and how LoginID can help organizations comply quickly</h3><p>On May 12th, 2021 the President of the United States, Joe Biden, signed a cybersecurity-focused <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">Executive Order (EO)</a>, EO 14028 on Improving the Nation’s Cybersecurity. This broad and far-reaching order strengthens security for Federal networks and for any organization that intends to do business with the Federal government. It directs federal agencies to move toward cloud services and a Zero Trust Architecture within 60 days of the order date, under the cloud-service governance framework set by the Director of CISA; to evaluate the types and sensitivity of their unclassified data within 90 days; and to adopt multi-factor authentication (MFA) and encryption within 180 days. IT providers, IT security providers and any organization that sells software to federal agencies are affected in turn through the contracting and software supply chain requirements the order introduces.</p><p>2020 and 2021 have rattled the global security landscape, with businesses facing unprecedented cyber attacks. The attacks have come from groups ranging from small-time criminals seeking a ‘quick buck’ to sophisticated nation-state backed Advanced Persistent Threat (APT) groups seeking far more serious outcomes. These malicious activities prompted the signing of the Executive Order, which is grounded in statute and therefore carries legal weight. The Executive Order states that agencies must adopt multi-factor authentication and encryption for data at rest and in transit within 180 days of the order date, and must report progress every 60 days until adoption is complete. 
Agencies that are unable to meet the requirements within that time must provide a documented rationale to the Secretary of Homeland Security.</p><p>How does Multi Factor Authentication (MFA) tie into all this?</p><p>As far as agencies are concerned, the objective of the Federal Government is to modernize its approach to cybersecurity. There are 3 main aspects to this objective:</p><ol><li>Push cloud adoption: modernize cyber security by moving off legacy data centre environments to cloud SaaS.</li><li>Adopt a Zero Trust Architecture: grant only the access that is needed and verify every request continuously, treating every access attempt as a potential risk.</li><li>Use MFA: the evidence shows it is one of the strongest defenses against the account compromise behind most cyber attacks.</li></ol><p>The most common form of authentication is still the traditional password, which brings with it several security risks:</p><ol><li>Many people still use passwords that are easily guessable, typically built from something familiar to them. Take “K!ttyName2016” as an example. Taking a dictionary word and appending some digits and symbols does not produce a strong password: cracking tools have applied exactly those substitution and suffix rules for years, and the methods criminals use to break into accounts have come a long way. Even if users defeat guessing entirely, traditional passwords face an additional problem: social engineering.</li><li>People tend to reuse passwords across multiple websites and applications. A <a href="https://services.google.com/fh/files/blogs/google_security_infographic.pdf">Google survey</a> found a 69% reuse rate. Reuse makes passwords easier to remember, but if a user’s password is compromised on one site, every other place they have reused it is now at risk of being compromised. 
This is a common attacker tactic known as credential stuffing. Passwords are also sent over the internet and checked remotely on servers ‘in the cloud’; the many problems this brings all boil down to a secret being verified outside the user’s device and control, where it can be intercepted or stolen in bulk. Another common form of cyber crime is phishing, where a user is tricked into entering login details on a copy-cat website run by criminals, who then use those details on the real site.</li></ol><p>What <em>can</em> defeat the majority of these attacks is multi-factor authentication, or MFA.</p><h3>What is Multi-Factor Authentication (MFA)?</h3><p>MFA is a form of authentication that requires you to ‘prove’ your identity using additional means, or factors, beyond a single factor such as the easily compromised password. MFA combines 2 or more factors from different categories: something you have (possession), something you are (inherence) and something you know (knowledge). There are many candidate factors (one-time passwords, SMS, email and voice codes, FIDO authenticators, and so on), each with its own security level. One-time codes sent by SMS, email or voice are widely used but have well-known weaknesses: they can be phished in real time, intercepted, or redirected by a SIM swap, which leaves accounts open to takeover. The most secure way to meet the EO’s MFA requirement in a timely manner is to add or adopt a FIDO-based solution from a provider such as <a href="https://fidoalliance.org/company/LoginID/">LoginID</a>.</p><h3>What is FIDO?</h3><p>FIDO (Fast IDentity Online) is an industry alliance of the world’s leading technology companies that is changing the way online authentication is done. 
FIDO has established technical standards for interoperable authentication mechanisms, from on-device biometrics such as fingerprint and face recognition to second-factor security keys, that are far more secure and easier to use than passwords.</p><p>With 80% of all password breaches attributed to weak passwords, FIDO authentication, built on public-key cryptography, is the answer to the world’s password problem. We won’t go into the specifics of FIDO in this article; for a thorough introduction, and for why it should be a standard part of your business, read our <a href="https://docs.loginid.io/fido-101/">FIDO 101 article</a>.</p><p>So, what does FIDO have to do with the Executive Order and MFA? FIDO authentication with user verification is inherently two-factor: possession of the device holding the private key, plus the biometric or PIN that unlocks it. This is why FIDO is the preferred method for MFA:</p><ul><li>Supported by 4 billion devices globally</li><li>No downloads are required by end users</li><li>Prevents account takeovers through phishing, man-in-the-middle attacks, SIM swaps, etc.</li><li>Eliminates the password reuse problem, since there are no passwords to reuse</li><li>Reduces abandoned transactions. People abandon purchases ⅓ of the time if they can’t remember their passwords.</li></ul><p>The FIDO2 specification consists of 2 components: WebAuthn and CTAP (Client to Authenticator Protocol). WebAuthn is the W3C web API through which a website asks the browser to create or use a credential on a security key or a built-in biometric authenticator; CTAP is the protocol the browser or operating system (the client) uses to communicate with authenticators that are built into the device or plugged into it.</p><h3>This is how FIDO works:</h3><p>FIDO relies on asymmetric public-key cryptography. Instead of storing a password on a server, FIDO authentication uses a key pair (a private key and a public key). The private key stays on the user’s device and the public key is stored on the FIDO server. <strong>Unlike a password, the public key has no material value. 
</strong>In other words, an attacker who steals the server’s entire list of public keys still cannot log in as anyone.</p><p>Once a user has registered, each sign-in starts with the user unlocking the device, which allows its private key to be used. The user does this with a biometric, a PIN or any other verification method the device supports. The server then sends a fresh random challenge; the authenticator signs it, together with an identifier of the website, using the private key; and the server checks the signature with the public key it stored at registration. Because the challenge and the site identifier are part of what is signed, only the user holding that specific device can sign in to that specific site, and a captured signature cannot be replayed.</p><p>Step 1: The client (the browser or operating system) checks that the site, app or service asking for authentication is the one the credential was registered for; a credential is never offered to a look-alike domain. This eliminates the phishing problem.</p><p>Step 2: The user verifies to the device locally, not over the internet, to unlock the secure enclave or security key that holds the private key (factor 1: something you are, or something you know). One of the most common methods is a biometric such as fingerprint or facial recognition, but it can equally be a PIN code or an external FIDO-enabled key.</p><p>Step 3: The authenticator signs the server’s challenge with the private key (factor 2: something you have). The private key itself never leaves the device; only the signature travels to the server. The signature plays the role of a ‘password’ in that it proves who is logging in, but it is unique to this device, this site and this sign-in, so it cannot be reused.</p><p>Step 4: The server verifies the signature with the stored public key and, when everything checks out, you are authenticated with the website, app or service. All this takes place behind the scenes; from the user’s perspective they only have to touch a sensor or look at their phone.</p><p>FIDO is the simplest, most secure form of MFA being adopted by organizations today. FIDO allows public and private sector organizations to comply with this Executive Order and do so in a way that makes it easy for end users to adopt. 
We already see explosive adoption of biometric authentication on devices: any phone sold today will typically have FIDO-compliant biometric support out of the box.</p><h3>How Does LoginID Help?</h3><p>Integrating FIDO from scratch is complex: it requires deep knowledge of the standard, scalable server resources, and in-house skills across many programming languages and platforms such as WordPress.</p><p>LoginID was founded to remove these barriers for developers and organizations. FIDO is simple for the end user; we wanted it to be just as simple for developers and integrators. Our mission is to make FIDO technology available to the entire world, and we knew that could only happen if it was painless. We made it painless.</p><p>With LoginID You Get:</p><ul><li>FIDO2 / FIDO UAF certified biometric authentication solution</li><li>Extensive APIs and SDKs available for integration such as OpenID Connect, iOS, Android, and Web</li><li>Detailed and thorough <a href="https://docs.loginid.io/">documentation</a> created by developers for developers</li><li>A scalable business model that grows with your business</li><li>An Open SaaS plan to support start-ups</li></ul><p>Get started by <a href="https://usw1.loginid.io/">registering for a free account</a>, or by checking out the demo <a href="https://loginid.io/">here</a>.</p><p>If you would like to learn more about LoginID’s FIDO2 and FIDO UAF biometric authentication, you can do so <a href="https://loginid.io/solutions#authentication-platform">here</a>.</p>]]></content:encoded>
        </item>
    </channel>
</rss>