NIST Publishes Guide for E-Commerce MFA w/ FIDO Standards

Last week the NIST Cybersecurity Center of Excellence (NCCoE) published a guide on strong authentication for e-commerce applications. This is a significant milestone for the Identity & Access Management (IAM) space because the publication is one of the first NIST guidance documents to build on the FIDO specification.

This guide comes two years after NIST deprecated SMS One Time Passwords as an authentication method because of numerous security risks and SMS bypass attacks that require little effort. The SMS problem is so prevalent that Germany recently passed legislation to stop using the SMS OTP method altogether.

Below is an overview of the guide along with some of my thoughts on the feasibility and security of what it covers.

Using FIDO to Stop Account Takeover (ATO) Fraud is Similar to What EMV did for Credit Card Payments

The publication covers how the commerce industry has added stronger authentication for in-person purchases by requiring chip-based credit cards. In the e-commerce space, however, high ATO fraud persists because purchases are still made with shared secrets such as credit card numbers and passwords. By requiring MFA that doesn’t rely on shared secrets, we can stop ATO: the user must prove possession of a private key that stays in their possession at all times. This approach offers e-commerce transactions a level of protection similar to what in-store purchases already get from the EMV chip method of payment. When we force attackers to have physical access to a user’s device in order to take over their account, we fundamentally change the economics of the attack and help businesses eliminate e-commerce fraud.

Are All FIDO Implementations the Same?

The short answer is no. HYPR has been a part of the FIDO Alliance for several years, and if there’s one thing we’ve learned, it is that not all FIDO is the same. Many implementations are purely technical exercises that do little to improve the user experience. Others are comprehensive and pass conformance testing but are anything but trivial to implement and deploy – causing friction for the enterprise trying to secure its users.

The most concerning part is that most implementations still use FIDO as a tactical Band-Aid rather than as a strategic solution. These tactical implementations make FIDO – the winning authentication standard – a sub-component of a broader MFA platform. In doing so, the organization ends up cutting corners on user experience and reducing security by allowing users to fall back to a far less secure method of authentication that relies on shared secrets.

Flawless User Experience Is No Longer Optional

Previous attempts at stronger authentication have failed for one main reason: cart abandonment. Many e-commerce stores are willing to accept a certain amount of fraud if it means the user won’t abandon the cart and go to Amazon. However, we live in an era of the big bang breach, where tens of millions of shared secrets (passwords, OTP seeds) are stolen in one fell swoop and where attackers can use tools like SNIPR to weaponize them against e-commerce stores with trivial effort.

The NIST publication mostly discusses using U2F security keys as the strong authenticator. That is absolutely correct from a security standpoint, but it presents a significant cart-abandonment risk, because users now have to carry another item on their keychain, plug it into their laptop, and then perform an authentication. That’s a lot of time to think things through as you’re making an impulse buy. I’d be interested to see how adoption of the FIDO2 specs outpaces the recommended use of a U2F token. The new FIDO2 specification lets shoppers use the platform authenticators built into the laptop, desktop, iPhone or Android device itself, so the user can authenticate with the same level of security without typing a password or plugging anything into the computer.

NIST Guidance May Be the Door, But Private Sector Adoption is the Key

The NIST guide includes a proof-of-concept implementation with the Magento e-commerce product. This is a step in the right direction, because the majority of e-commerce stores aren’t Amazon and do not have thousands of software engineers to build complex profiles of fraudulent behavior. Now we just need businesses to adopt this approach. The path forward is to provide strong-authenticator enrollment in popular e-commerce platforms (Magento, Shopify, BigCommerce, Squarespace, etc…) so that businesses can push the “easy button” when it comes to providing a strong FIDO authentication experience for their customers.