Thanks to the FIDO2 standards, customers can finally authenticate themselves with biometric features on the Web. In this article, the IT consulting firm adorsys explains why FIDO2 is the authentication standard of the future and why fiddling with passwords and TANs will no longer be necessary, regardless of the device.

adorsys offers Plug & Play solutions for all companies that want to earn money with Open Banking business models. Banks and third-party providers using adorsys solutions not only save a lot of testing and development costs, but can also be sure that all interfaces follow the Berlin Group specifications. This leaves them time for the icing on the cake: developing and driving an exciting Open Banking business model.

In order to make Open Banking solutions as customer-friendly as possible, adorsys will soon provide a new add-on: the integration of the FIDO2 standards for simple authentication of the end customer. FIDO stands for Fast Identity Online and greatly improves both the security and the user-friendliness of online and mobile banking.

What is FIDO2 exactly?

In principle, the areas of application for FIDO2 go far beyond banking and payment transactions. FIDO2 is an open, relatively new authentication standard for the web. It consists of the W3C WebAuthn API, which websites call from the browser, and the CTAP protocol, which the browser uses to talk to the authenticator (a built-in biometric sensor or an external security key). It is backed by an alliance of tech giants including Apple, Microsoft, Google, Amazon, PayPal, Mastercard and VISA. That is why FIDO2 is now an integral part of Android, iOS, Windows and macOS as well as all major web browsers, and, according to the authors, can already be used on around 80% of all end devices.

Look me in the eye, customer: With FIDO2 to the passwordless bank

One member of this international alliance is Hanko.io, the first European provider of a certified FIDO solution and a cooperation partner of adorsys. Hanko.io founder Felix Magedanz: “We offer a technology that allows biometrics to be used on websites as well. We want to make it possible for every online service to no longer make the security of user accounts dependent on passwords or annoying 2-factor procedures.”

Biometric methods such as Touch ID and Face ID have long been established for apps on smartphones and tablets. Only in the browser, on websites, portals, SaaS tools and online shops, was this convenient and secure form of authentication not technically possible until now. That is now changing.

Why do we need simple authentication procedures?

When PSD2 came into force, most banks had to adapt their procedures for securing account access to the requirements of Strong Customer Authentication (SCA). While transactions already had to be authorised with a second factor such as a TAN before PSD2, login to online banking is now only permitted if the customer strongly authenticates with two factors (apart from the exemptions defined in the RTS on SCA, such as periodic account access without a new SCA).

So far, the first factor at practically all banks is a password or PIN, while the second factor differs significantly from bank to bank. From the customer’s point of view, and therefore from the conversion point of view, this is not optimal. Customers want uniform, convenient procedures for identifying themselves on the Internet. Even apart from that, it makes little sense to maintain separate procedures, if only because banks have to keep staff and service providers for each of their respective solutions.

In mobile banking, many banks already use the biometric features of iOS and Android in conjunction with “device binding” as the second factor. Device binding means that a private key is generated in and never leaves the device’s secure hardware, so the device itself is the possession factor; the biometric is checked locally by the operating system and merely unlocks that key, so fingerprint or face data is never sent to the bank. From the customer’s point of view authentication takes place in a single step, which leads to significantly more user-friendliness and lower abandonment rates. Until now, this was not possible on the Web, and this is where the FIDO2 standard comes into play: thanks to the new protocol, customers can now also authenticate themselves quickly and securely in the browser, and here, too, the combination of biometrics and device binding ensures a secure and seamless authentication process.


The FIDO2 protocol allows for 2-factor authentication without any media break: switching to a separate app or fiddling around with SMS TANs is eliminated entirely. In the near future, the protocol will also be included in the Berlin Group specifications.

The two biggest advantages of FIDO2 are:

  • More security: The FIDO2 web standard brings the possession factor (“something you have”) to users’ devices through a standardised infrastructure for asymmetric cryptography: a separate key pair is created per service, the private key stays in the device’s secure hardware, and the device’s biometric sensor is what unlocks it. The bank only ever stores the public key, so a breach of the bank’s user database yields nothing that can be replayed.
  • More user-friendliness: No more passwords, but Touch ID or Face ID, which many customers already know and which has been shown to lead to a better conversion rate.

Online banking login can therefore be significantly improved, simplified and made more secure with FIDO2, i.e. with the support of the W3C WebAuthn API. Instead of password and TAN, the customer uses the device’s biometric interface for a PSD2-compliant and completely password-free login. In order to implement the FIDO2 standards, banks must operate a FIDO server: the relying-party component that issues a fresh challenge for every login, stores each customer’s public key at registration and verifies the signed responses. Such servers are provided, for example, by providers such as Hanko.io.

Another advantage of FIDO2: the standard is one of the few effective protections against credential phishing, because each customer key is bound to the origin (domain) under which it was created. The browser only offers the credential to that domain, and the signed response contains the origin the browser actually displayed together with a hash of the relying-party ID, so a login attempted on a look-alike “fake page” either produces no credential at all or a response the bank’s server rejects. This allows customers to sit back and relax and relieves banks of much of the internal training and processes on the subject of phishing, although it does not stop a customer from being talked into approving a fraudulent transaction on the genuine site.

FIDO2: Much more than online banking and payments

The FIDO2 standard also enables secure, convenient processes beyond online banking or payment approval. Think of loan renewals completed entirely digitally through seamless 2-factor authentication, closing construction loans, accessing security-relevant documents, or e-commerce payment transactions. In the age of Covid-19, it is more important than ever to be able to offer completely digital processes without risking declining conversion rates due to cumbersome authentication.

2-factor authentication as standard for all digital applications

In the coming months and years, we will see 2-factor authentication take hold wherever people need to digitally prove they are who they say they are. According to recent studies cited by the authors, the international identity and access management market was worth USD 11.82 billion in 2019 and is expected to reach USD 29.79 billion by 2027. From applying for an ID card to registering vaccinations to unlocking your car, it is high time for businesses to make 2-factor authentication as consistent and convenient as possible. FIDO2 has set the standard for this.

If you want to see how easy authentication with FIDO2 is, or are interested in Open Banking business models, you can contact Stefan Hamm directly or get in touch with the team via the adorsys website.

PS: adorsys has established itself among the best management consultants in the category “digitalization” in a survey by “brand eins” and “Statista”.
