FIDO standards provide a secure, user-friendly way for the European payments industry to meet PSD2 strong authentication requirements
The FIDO Alliance’s authentication standards provide a scalable way for the European financial ecosystem to meet PSD2 requirements for strong authentication of user logins and cryptographically signed transactions — while also meeting organisational and consumer demand for transaction convenience.
Authentication is based on open standards that are supported by an interoperable ecosystem of 350+ FIDO Certified solutions. Banks and payment service providers (PSPs) can select from many leading vendors of modern authentication solutions, or develop and test their own FIDO-based PSD2 solutions. Once deployed, banks and PSPs may accept any of the certified, interoperable FIDO-compliant authenticators on the market, including those built into mobile devices and PCs as well as hardware-backed security keys. The end result is a low-friction approach to user authentication that exceeds the European Banking Authority’s (EBA) PSD2 requirements.
The FIDO architecture offers a truly “best of both worlds” solution to the problems that drove the creation of multi-factor authentication requirements as defined in the EBA’s final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA).
– With asymmetric cryptography at the heart of its security model, FIDO addresses the RTS security requirement to mitigate theft of payment service credentials against all known attacks that harvest “shared secret” credentials such as passwords, the techniques behind 95% of the web application attacks that lead to data breaches.
– With easy-to-use biometrics and security keys serving as the “what you are” and “what you have” authentication factors, respectively, FIDO addresses growing market demand for greater user convenience than any earlier online payment authentication has offered.
– FIDO privacy requirements ensure that biometric data, when used, is never shared, addressing both the requirements of data protection authorities and consumer concerns about sharing biometric information online.
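As an added illustration, not FIDO Alliance code and simplified relative to the real CTAP/WebAuthn message formats, the following Go program models the asymmetric design described above: the bank stores only a public key, and each transaction assertion signs the server's challenge together with the payee and amount, so a leaked server database yields no reusable credential and a signature cannot be replayed or redirected to a different payment. The type and function names and the digest layout are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is all the bank stores after registration: a public key. A leaked
// database therefore holds no shared secret that could be replayed as a login.
type Credential struct{ Pub *ecdsa.PublicKey }

// Authenticator models a FIDO authenticator (simplified; not the real CTAP/WebAuthn
// protocol). The private key is generated on the device and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

// Register hands the bank the public key to store against the user's account.
func (a *Authenticator) Register() Credential { return Credential{Pub: &a.priv.PublicKey} }

// NewChallenge is the bank's fresh per-transaction nonce; it prevents replay.
func NewChallenge() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// digest binds the challenge to payee and amount (PSD2 "dynamic linking"); fields
// are length-prefixed so their boundaries are unambiguous.
func digest(challenge []byte, payee string, amountCents int64) []byte {
	msg := fmt.Sprintf("%d|%s|%d|%s|%d", len(challenge), challenge, len(payee), payee, amountCents)
	sum := sha256.Sum256([]byte(msg))
	return sum[:]
}

// SignTransaction runs on the authenticator once the user has confirmed the details.
func (a *Authenticator) SignTransaction(challenge []byte, payee string, amountCents int64) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(challenge, payee, amountCents))
}

// Verify is the bank-side check: true only for the exact challenge, payee and
// amount that were signed, so a tampered or replayed assertion is rejected.
func (c Credential) Verify(challenge []byte, payee string, amountCents int64, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Pub, digest(challenge, payee, amountCents), sig)
}
```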