As we wrap up another year (and another decade), my thoughts are turning to 2020 and what we need to keep an eye out for next year as we put our plans together. 2019 has been one to remember from big data leaks like last week’sTrueDialogue blunder to groundbreaking new technology like the first-ever standards-based authentication for wearables.

The countless data leaks and breaches that plagued many during the past year will bring an increased interest in personal privacy as user data becomes more valuable than ever. With rising demand from consumers and regulatory bodies, organizations will need to evolve their authentication practices to stay afloat and succeed. Here are my top three “truths” for 2020 as we approach the next wave of reliance on strong authentication protocols.

Cyber policy and data privacy will receive double the airtime this election season vs. in ‘16

As we approach the 2020 election, candidates will more aggressively and thoroughly build data privacy and cybersecurity into their platforms alongside more traditional hot-button topics like healthcare, tax reform and more. In order to legitimize their candidacy, they will need to demonstrate a deep understanding of cyber and privacy that impact everyday citizens. Voters will scrutinize candidates on how equipped they are to tackle these pressing challenges and then cast their vote accordingly.

Value of data continues to rise, what was once silver is now platinum: The bounty on privacy will soar

As digitization continues in 2020, data will become more valuable than ever before. Information that may have previously seemed trivial to the everyday consumer will actually hold significant value for stakeholders and hackers across the spectrum. Adversaries or real-life “data bounty hunters” will hunt for new ways to exploit it, governments will seek better ways to access it, enterprises will adopt stronger security measures to protect it and end-users will demand better privacy to secure their personal information. Furthermore, with the rise of AI and machine learning, crucial data that impacts how medical decisions are made, where/how autonomous cars move, and more will become increasingly more mainstream — and increasingly more lucrative to threat actors pining for the information.

The entire globe will need to step up their authentication game

From first world countries pioneering digital transformation efforts to developing ones in the early stages of adoption, more and more people are transacting online and exposing their identities unwillingly. With every device in hand having the ability to access critical personal, financial and healthcare information, comes larger risks and the greater need for a global focus on authentication. European regulations such as PSD2 and GDPR are leading the charge, but 2020 will bring a more dire need for innovation in standards-based protocols and authentication. In order to strengthen security, enable more commerce and allow for widespread adoption of new technologies worldwide, new key sectors such as manufacturing, energy, healthcare and more will adopt robust authentication protocols to provide safety and security to the citizens relying on them.

While the authentication industry has made great strides in recent years, there is still a long way to go to ensuring that identities are truly secure. I believe that 2020 will bring great progress in this fight. I wish each and every one of you a very happy holiday season and a 2020 with much success.

Did you know the Payment Services Directive 2 (PSD2) directive (Directive2015/2366/EU) starts out with 113 introductory recitals?  You can check them out for yourself.

It includes such gems as:

#29: “‘authentication’ means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials”

 #30: “‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”

#72: “the payment service provider is to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency of the service provided by the payment service provider.”

And even; #100: “competent authorities are granted the necessary power, including the power to impose penalties, where the payment service provider does not comply with the rights and obligations laid down in this Directive, in particular if there is a risk of re-offending or another concern for collective consumer interests.”

The driving force behind PSD2, which is focused on governing electronic and non-cash payments, is a drive for Strong Customer Authentication (SCA) – a process that makes online payments more secure and reduces fraud while increasing authorization rates. 

3D Secure 2 (3DS2) provides an easy way to merchants to implement PSD2 SCA compliant flows when they make an online purchase. This allows the merchant to “authenticate” both the customer’s identity and that they are the valid holder of the credit card they’re using to complete the purchase

Because of this, merchants need to build additional authentication capabilities into their checkout flow in order to continue to process transactions once PSD2 goes into effect. And that date is coming fast. PSD2 was previously slated to start this month, September 2019, but has been pushed back to early 2020 to accommodate unprepared service providers – and likely – to get Brexit in the rear view mirror.

It’s a foregone conclusion that PSD2 is going to start impacting merchants very soon.  The questions now revolve around how many merchants will suffer, how seriously and what will happen to UK merchants once card issuers start declining payments that require SCA but which have not been authenticated via 3DS.

Feeling the pressure?  Here are three steps to take in Q4 2019 to be PSD2 ready in 2020.

Merchants need to simplify or build

Well the good news is that if you are able to operate on a major payment service provider like PayPal or Stripe, you are going to be compliant, as they already put in the engineering effort. The bad news is that most merchants with significant transaction volumes are not using those payment service providers (PSPs) for their full checkout process.  

Those merchants need to build authentication into your checkout flow. Whether you want to retain control over the checkout experience directly, or you use a different PSP, you’ll have to implement 3D Secure 2.0 into your payment flow yourself. But once you do, you’ll be compliant.

Banks need to capture the PSD2 disruption and turn it to their advantage

While PSD2 is ostensibly about authentication, it also provides a major challenge to the banking industry. Banks are now required to provide (non-bank) PSPs with direct connectivity to customer account data. While this seems to be a major step towards commoditization in the EU banking sector, it also opens potentially lucrative opportunities for banks to monetize insights from their proprietary data sets.  

A recent report from McKinsey suggest that fast moving banks “could retain their role as trusted financial anchor, as customers would not find it attractive to provide third parties access to their data or accounts.”

Banks that can provide a technology platform and SCA services to merchants and even other less sophisticated banks can stand out in the opportunities that drive in a post PSD2 world.

Merchants and Banks can accelerate their SCA compliance with FIDO

It may come as a surprise, but there is an easy button for PSD2 compliance. It’s called FIDO – the Fast Identity Online. FIDO is not a company, but an open industry standard for SCA compliance.

FIDO Authentication is available to any organization to implement freely, and once deployed, banks and PSPs may accept a variety of FIDO-compliant authenticators that meet the SCA requirements of PSD2. The FIDO architecture offers a true “best of both worlds” solution to the problems that drove the creation of multi-factor authentication requirements.

With asymmetric cryptography, biometrics, and cryptographic privacy, the result is a single-gesture, multi-factor authentication event packaged for consumers in a very simple user experience that fulfills both merchant and banking needs for PSD2 SCA.

When, and where to turn for solutions?

PSD2 is on a 5+ year odyssey of bringing modern consumer authentication strategies and protections to European consumers. Delayed twice already, it’s unlikely to be delayed further. Banks and merchants who have not made appropriate investments need to move with precision to ensure they are compliant and not subject to fines.  

Fortunately, SCA  solutions can be tested and deployed in a timely manner at a reasonable price. Nok Nok Labs, a founder of the FIDO Alliance and holder of more than 100 patents in the space, provides a ready-to-deploy authentication system that delivers SCA compliance today. We look forward to sharing our process for rapid testing and deployment so you can reach your PSD2 objectives.

The Economic Times reported Wipro as saying “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign. Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”

From the news so far, it seems the intent of the attackers was to use Wipro as a staging ground for attacks on Wipro’s customers, effectively entering through a trusted door. If the Verizon Data Breach Report is any indication the odds are better than 80% that the breach targeted employee and administrative credential compromise as the attack vector of choice.

Some of the most respected brands such as Wipro spend money on the best training for anti-phishing and attack detection in the misguided belief that this is an adequate measure. The fact is that security measures that rely on end-users to make the distinction on a legitimate request vs. a fraudulent one are doomed to failure. Too often, companies like Wipro and their service provider community rely on post-attack detection rather than investing in preventative measures such as phishing-proof authentication such as those based on the FIDO standards.

Ironically, earlier in April, the US National Counterintelligence and Security Center (NCSC) launched National Supply Chain Integrity Month to raise awareness about growing threats to the supply chains of the private sector and U.S. Government.

“Foreign intelligence entities and other adversaries are increasingly exploiting supply chain vulnerabilities to steal America’s intellectual property, corrupt our software, and surveil our critical infrastructure,” said NCSC Director William R. Evanina.

“Bypassing our security perimeters, they’re infiltrating our trusted suppliers to target equipment, systems, and information used every day by the government, businesses, and individuals. The cost to our nation comes not only in lost U.S. innovation, jobs, and economic advantage, but also in reduced U.S. military readiness,” he added.

If we can learn anything from history, it would be that the Wipro attack is the tip of the iceberg. A few years ago, Google was attacked by “Operation Aurora”, a wide-ranging compromise of Google’s systems aimed at altering source-code, infiltrating administrative accounts with the goal of accessing accounts of dissident Chinese activists. Given the increasing reliance on cloud and infrastructure service providers, such attacks will continue to grow because they represent a “scalable” attack vector that involves a large payoff.

We strongly recommend both customers and service providers invest deeply in modern authentication that is phishing resistant, multi-factor, standards based and widely supported as well as proven at scale. The FIDO standards pioneering by Nok Nok Labs are one such essential building block of a preventative approach to security that is needed to mitigate the catastrophic consequences of attacks on providers like Wipro.

Today marks another significant milestone in replacing the universal reliance on passwords and Nok Nok Labs is proud to be one of the co-authors and designers of the WebAuthN specification with Google, Microsoft, PayPal and others.  Today’s significant achievement is the W3C Web Authentication specification reaching “Candidate Recommendation” (CR) status. This is a major milestone for transforming the way authentication works and one that we should pause to celebrate.

Web Authentication specifies a JavaScript API to be implemented by web browsers and will allow a website to trigger convenient and strong authentication using biometrics, tokens and other methods of authentication directly from the browser.  This milestone fulfills a key goal we set for ourselves when the founders of Nok Nok Labs created the FIDO Alliance in February of 2013 with a vision to change how authentication worked in the modern computing ecosystem.

Today’s milestone means that browser vendors will now start to deliver strong authentication, based on our work at the FIDO Alliance, that can be accessed through a standard JavaScript API across browsers and operating systems.  The final standard will work its way through the W3C this year with a focus on interoperability and stitching up any issues that emerge into a final W3C standard. This is the starting signal for browsers to deliver the FIDO way of doing strong authentication.  

We have provided our customers and partners early briefings and access to some of this work through our partnerships with Microsoft and Google. Our products support this emerging standard in addition to the other well established FIDO standards (UAF and U2F) allowing for the broadest coverage of use cases and security models, all delivered at web-scale and carrier-grade quality through the NNL S3 Authentication Suite.  As inventors and authors of the key ideas behind this standard we are able to provide trusted guidance to our community about how best to adapt these standards to use cases.

In future posts, we will start to detail what we designed this standard to achieve, the use cases it works best for and how we expect it to roll out over the next two years.

We’re enormously proud that our vision and ideas were accepted and shared by the broad community of browser and platform vendors who will be adopting this specification over the coming year.  As one of colleagues says “…some problems are too big for any one company, no matter how large or powerful to solve on their own – it requires an ecosystem that can agree on a common standard”.  Today’s CR is a huge step further in that direction.