FIDO Case Studies – FIDO Alliance (https://fidoalliance.org), feed last updated Thu, 29 Jan 2026 12:52:10 +0000

MIXI Promotes a “Safe and Seamless Login Experience” with Passkey Deployment Across Both Consumer and Enterprise Environments
https://fidoalliance.org/mixi-promotes-a-safe-and-seamless-login-experience-with-passkey-deployment-across-both-consumer-and-enterprise-environments/ (Wed, 21 Jan 2026 16:50:02 +0000)

Corporate Overview

MIXI, Inc. (hereafter MIXI) is one of Japan’s leading internet companies, best known for its popular mobile game MONSTER STRIKE, among other entertainment services, with tens of millions of users. The company has also expanded into sports and lifestyle businesses, providing services that enrich the daily lives of a broad range of generations.

The company’s MIXI ID serves as a common account platform enabling users to access multiple services seamlessly. In recent years, it has also been adopted by flagship titles, continuing to grow its user base.

The Business Challenge

From the outset, MIXI ID pursued a passwordless approach, adopting an email-based one-time password (OTP) method. However, this proved insufficient against the rising threat of real-time phishing attacks, while the flow of opening an email app, retrieving a code, and entering it was cumbersome for users. For services that involve payment functions in particular, there was a strong need for a mechanism that could deliver both high authentication strength and excellent user experience.

Internally, the company also faced the challenge of balancing enhanced security with operational efficiency, while accommodating shared PC usage and continuously evolving OS environments.

Decision to deploy Passkeys

To address these challenges, MIXI introduced FIDO2-compliant passkey authentication to MIXI ID in 2024. Leveraging the WebAuthn API offered by web applications and browsers, users can now log in smoothly and password-free using the biometric authentication built into their smartphones and PCs.

In addition, passkey authentication was made mandatory for administrative tools in the payment system, enabling stronger security operations without reliance on passwords.

MIXI also advanced its internal enterprise security environment by adopting YubiOn Portal, provided by SoftGiken (a FIDO Alliance member), together with YubiKey from Yubico (a FIDO Alliance board member). This strengthened physical security for shared PCs and logon authentication, creating a unified, cloud-managed two-factor authentication environment for both Windows and macOS. As a result, MIXI achieved both stronger authentication for shared terminal logons and greater operational efficiency.

Why FIDO was chosen

While the company also utilizes Apple and Google social logins, there were clear reasons for adopting FIDO authentication as one of its primary methods:

  • Trust in security and interoperability based on international standards
  • Smooth and practical user experience enabled by platform-provided Passkey Autofill
  • Strong security with biometrics combined with the convenience of passwordless login

Impact of adoption

Currently, more than 25% of MIXI ID users have registered a passkey, and adoption is steadily expanding. Helpdesk enquiries caused by issues with OTPs—such as “delays/resending of authentication codes” and “input errors”—have decreased, helping to reduce support costs.

For users, the experience of being able to log in safely and quickly is spreading, further reinforcing trust in MIXI’s authentication infrastructure.

Within the enterprise environment, the introduction of YubiOn Portal enabled a shift from ledger-based authentication management to cloud-based management, ensuring real-time visibility into the latest authentication status. It also supports Windows Remote Desktop usage and has been highly praised by employees.

Overcoming Implementation Challenges

In some early deployments at other companies, confusing error messages such as “Passkey not found” created user difficulties. MIXI avoided this issue by timing its rollout to coincide with the point at which Passkey Autofill had become sufficiently mature across major OS platforms, successfully preventing user confusion.

The adoption of YubiOn Portal required detailed policy settings, but thanks to extensive documentation and flexible configuration features, the IT team was able to implement and operate the system smoothly.

Looking ahead

MIXI expects passkey authentication to become widely adopted across services and evolve from its current optional status into a primary authentication method. The company intends to expand its use across more service areas, contributing to the realization of a passwordless society.

Finally, Ryo Ito of MIXI, who shared insights for this case study, commented:

“FIDO authentication delivers strong phishing resistance and high security, but there are still challenges such as account recovery from environments where passkeys are unavailable. It’s important to correctly recognize these issues and refer to the FIDO Alliance’s published design and implementation guidelines and checklists when adopting FIDO authentication.

As passkey authentication becomes more widespread, we are already seeing its positive impact with MIXI ID. FIDO/Passkeys are a rare technology that can simultaneously provide excellent UX and robust security at low cost. Going forward, we look forward to the evolution of the ecosystem to support an even wider variety of use cases.”

First Credit Union: Transforming Digital Banking with Passkeys
https://fidoalliance.org/first-credit-union-transforming-digital-banking-with-passkeys/ (Tue, 30 Sep 2025 16:56:57 +0000)

Corporate Overview

Founded in 1955, First Credit Union is a member-owned financial institution in New Zealand with over 60,000 members. The organization delivers secure and innovative digital banking experiences through its comprehensive online banking platform. Members access their accounts via mobile app and browser options to manage finances anytime, anywhere. The credit union has embraced cutting-edge authentication technology to enhance both security and user experience for its diverse membership base.

Executive Perspective

“Implementing FIDO authentication through Authsignal has been a game-changer for our members’ digital experience. It’s secure, seamless and sets a new standard for trust in online banking.” – Herb Wulff, Treasury and Agency Banking Manager, First Credit Union

The Business Challenge

As a progressive modern financial institution, First Credit Union has embraced a path toward digital transformation. As part of its journey, it identified several critical challenges impacting both security and user experience.

Those challenges include:

  • Cybersecurity Risks. The organization wanted to reduce reliance on passwords, which is one of the most common attack vectors. First Credit Union sought phishing-resistant authentication methods to mitigate growing security threats.
  • User Experience Friction. Traditional multi-factor authentication methods often create friction in the login process. The credit union aimed to make secure access feel seamless and intuitive for members with varying technical comfort levels.
  • Cross-Platform Compatibility. Members access the platform across diverse devices and operating systems. First Credit Union needed a solution that worked consistently across mobile apps and web browsers.
  • Integration Complexity. The new authentication solution had to integrate smoothly with existing infrastructure. This approach would minimize disruption to internal teams and members during deployment.

Why First Credit Union Chose Passkeys

First Credit Union conducted a thorough evaluation of several traditional and emerging authentication methods. The goal was to find the right balance between security, usability and accessibility for its diverse membership base.

Traditional Options Fell Short

The team explored multiple multi-factor authentication (MFA) methods but found significant drawbacks with each approach. Authenticator apps can enhance security but have vulnerabilities that can be exploited due to their reliance upon one-time codes. They also require members to install and manage a separate app, which added complexity and friction. Email magic links provided convenience but created usability challenges and vulnerability to phishing and email interception risks.

Device credentials delivered a more seamless experience but lacked the standards-based interoperability needed across platforms. The credit union also considered standalone biometric authentication, but these solutions lacked the robust security guarantees and cross-platform compatibility that FIDO standards provide.

A critical insight emerged: offering too many authentication options risked confusing members, especially given the wide range of technical comfort levels across their demographic. A fragmented experience could lead to frustration, support overhead and reduced adoption.

FIDO Delivered What Others Couldn’t

FIDO authentication stood apart from alternatives that still presented significant vulnerabilities to phishing and lacked seamless, standards-based interoperability. The technology offered compelling advantages:

Phishing resistance eliminates shared secrets like passwords or OTPs that attackers can intercept or steal. The passwordless experience reduces friction for members while making access to online banking quicker and more secure. The FIDO2 specification ensures seamless authentication across a wide range of devices and platforms, supporting both their app- and browser-based services.

The solution improved member trust and satisfaction through enhanced security and streamlined login processes. It also reduced support overhead from password resets and login issues, allowing the team to allocate resources more efficiently and improve overall service quality.

Implementation Overview

First Credit Union partnered with Authsignal to implement a FIDO Certified passkey infrastructure. The team followed a structured rollout approach:

Phase 1: Internal Testing and Validation

The organization conducted rigorous internal testing to validate passkey integration across mobile and browser platforms. This phase ensured technical stability and compatibility.

Phase 2: Member Education and Communication

First Credit Union launched a targeted communication campaign that included:

  • Clear messaging about passkey benefits
  • Step-by-step setup and usage guides
  • Comprehensive support resources for onboarding

Phase 3: Gradual Branch Network Rollout

The team introduced passkeys in phases across the branch network. This approach allowed for performance monitoring, feedback collection and iterative improvements.

Phase 4: Monitoring and Optimization

Post-launch activities included tracking adoption metrics and authentication usage patterns. Member feedback drove user experience refinements.

Results and Impact

First Credit Union achieved impressive adoption and security outcomes since launching passkeys:

Adoption Metrics

  • 58.4% of members adopted the new authentication experience
  • 54.5% of all authentications now use passkeys
  • Over 23,500 members enrolled in multi-factor authentication

Member Experience

Most members provided positive feedback citing ease of use and improved trust. Passkeys enabled simplified login through device-native biometrics like facial and fingerprint recognition. Members enjoy seamless experience across mobile and web platforms.

Operational Benefits

The organization reduced support overhead from password-related issues. First Credit Union enhanced its security posture with phishing-resistant authentication. The infrastructure now aligns with global standards for future readiness.

Future Vision

FIDO authentication serves as the cornerstone of First Credit Union’s long-term digital security strategy. The organization plans these expansions:

  • Secure Transaction Authentication: Extending passkeys to high-risk actions like transaction approvals
  • Internal Systems Access: Implementing FIDO-based authentication for staff systems
  • Third-Party Integrations: Leveraging FIDO’s interoperability for future service integrations

Key Recommendations

First Credit Union offers these insights for organizations considering FIDO implementation:

1. Understand Your User Base: Assess members’ devices, digital habits and comfort levels to tailor the experience appropriately

2. Simplify the Experience: Avoid overwhelming users with too many authentication options

3. Choose the Right Partner: Work with trusted providers who offer expertise in passkey infrastructure

4. Communicate Clearly: Educate users early with clear messaging about benefits and simple setup guides

5. Test Thoroughly: Conduct comprehensive internal testing across platforms before member-facing deployment

Case Study: Microsoft
https://fidoalliance.org/case-study-microsoft/ (Fri, 25 Apr 2025 22:28:55 +0000)

Describe your service/platform/product and how it’s using FIDO authentication.

Microsoft Account (MSA) powers consumer-facing experiences across services like Xbox, Microsoft 365, Copilot, and more. In 2023, Microsoft began rolling out passkey support across these services, allowing users to sign in with a face, fingerprint, or device PIN instead of a password. By integrating FIDO credentials, we made it easier, faster, and significantly more secure for over a billion users accessing their Microsoft accounts, by removing the need for passwords.

What were the challenges you were trying to overcome?

We set out to solve three major challenges:

Security: Passwords are inherently insecure and highly vulnerable to phishing and brute force attacks. In 2024, we observed more than 7,000 password attacks per second.

User experience: Passwords are frustrating—users forget them, reuse them, or mistype them. We wanted a sign-in experience that users could succeed at the first time, every time.

Adoption at scale: We needed a solution that could work across devices and platforms while meeting high usability expectations for a global user base.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

FIDO credentials offer the ideal combination of security, usability, and interoperability. They are resistant to phishing and credential theft, and they eliminate the need for shared secrets like passwords. FIDO credentials also enable seamless cross-device and cross-platform experiences—critical for consumer use cases. In testing, we found that passkeys delivered both improved security and a dramatically better user experience. 

Describe your roll out of FIDO authentication.

Microsoft took a phased approach. We started by enabling passkeys for MSA sign-ins across consumer services like Xbox and Copilot. From there, we made UX changes to prioritize passwordless options. New Microsoft Accounts are now passwordless by default, and existing users are guided to enroll a passkey during or after sign-in. Throughout this process, we have worked closely with platform partners like Apple and Google, and continued our long-standing collaboration with the FIDO Alliance to ensure our approach aligns with industry standards. For a more detailed look at our approach, refer to Convincing a billion users to love passkeys: UX design insights from Microsoft to boost adoption and security.

What data points can you share that show the impact FIDO authentication has had?

The impact has been significant:

  • We now see over one million passkeys registered every day.
  • Users signing in with passkeys are three times more successful (95% success rate vs. 30% for passwords).
  • Passkey sign-ins are eight times faster than traditional password + MFA flows.
  • Our passwordless-preferred UX has already reduced password use by over 20%.

These results confirm that FIDO authentication improves security, boosts user satisfaction, and reduces operational burdens like password resets and support calls.

Read more in the Microsoft blog.

Case Study: Nikkei
https://fidoalliance.org/case-study-nikkei/ (Fri, 25 Apr 2025 19:26:02 +0000)

Describe your service/platform/product and how it’s using FIDO authentication.

Nikkei Inc. and the Nikkei Group pursue the mission “to be the most trusted, independent provider of quality journalism to a global community, helping our customers make better decisions.” We offer various media services, including the Nikkei, which serves as the cornerstone of our role as a news organization. The integrated ID platform supporting the Nikkei Group’s digital services, including our core service, the Nikkei Online Edition, is “Nikkei ID.”


Nikkei ID, which offers a wide range of services, has long faced the challenge of balancing security and usability. While we have implemented measures such as improving the login experience with OpenID Connect and introducing two-factor authentication and CAPTCHA (*1) to reduce the risk of unauthorized access, addressing security risks associated with password leaks and reuse, as well as countering increasingly sophisticated attacks, has been difficult.

(*1) A security authentication method to verify that a user is human.

In this context, as FIDO authentication has evolved and the threshold for introducing passkeys to services has lowered, Nikkei ID has proceeded with consideration and implementation with high expectations. Currently, we are expanding functionality to support not only web services but also mobile apps, and aiming to promote the adoption of passkeys through increased user awareness via internal and external blog posts, presentations, and guidance at the Nikkei ID Lounge Help Center.

What were the challenges you were trying to overcome?

The primary goal is to balance security and user experience. Many Nikkei ID users are not accustomed to digital services, so simply enhancing security is not enough. For example, while the introduction of CAPTCHA can prevent brute-force password attacks, it can also become a barrier for users who cannot pass the Turing test (*2), leading to increased support inquiries and added burden on customer service.

(*2) A test to determine whether something is ‘human-like’.

However, FIDO authentication (passkeys) achieves high security and user experience through integration with OS and platforms as a standard. This allows us to replace security measures that reduce risks associated with password authentication but negatively impact UX with passkeys.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

The following two options were considered as alternatives to FIDO authentication (passkeys):

  • Mandatory implementation of two-factor authentication such as TOTP or email verification
  • Social login using other ID platforms

As a result of comparing these options, we believe FIDO authentication (passkeys) offers the following advantages:

  • It allows for gradual transition by adding authentication on top of existing password authentication 
  • It enables the use of higher UX authentication methods such as biometric authentication 
  • It fundamentally resolves the risks associated with passwords

When it came to actual implementation, the aspect of “additional authentication” was particularly significant. In other words, it allows for implementation in a loosely coupled and highly cohesive manner without disrupting the existing ID model. The WebAuthn specification provides simple interface libraries and APIs for both backend and frontend on each platform, making secure implementation easy. Additionally, since existing authentication methods can be retained, the advantage of not significantly increasing support workload was also substantial.

Describe your roll out of FIDO authentication.

We implemented our own solution using the open-source backend library WebAuthn4J for FIDO authentication. We chose WebAuthn4J not only for its clear data model but also because it passed the FIDO2 Test Tools provided by the FIDO Alliance. For the frontend, we developed our own implementation that directly interacts with the WebAuthn API. Additionally, we created a test library to emulate FIDO authentication, enabling 24-hour automated testing as a comprehensive test of these implementations.

The rollout of FIDO authentication (passkeys) was carried out in the following steps:

  • Internal beta testing to gather feedback and monitor usage
  • White-box and black-box testing by external security companies
  • Public release to all users

What data points can you share that show the impact FIDO authentication has had?

Since it was just released in February this year, we cannot provide detailed numbers yet, but thousands of users are already using passkeys. Additionally, we have heard that there have been almost no inquiries about how to use passkeys at the support desk, and we recognize that passkeys are being used smoothly.

Resources

The test library that emulates FIDO authentication, mentioned in the implementation section, is publicly available as Nikkei’s open-source software. You can obtain it from the following link: https://github.com/Nikkei/nid-webauthn-emulator

For authorization after completing FIDO authentication (passkeys), we use Authlete, an OpenID Connect platform. In this case study, we express our enthusiasm for the introduction of FIDO authentication (passkeys). (At the time of this presentation in 2023, passkeys were still under consideration) https://www.authlete.com/ja/resources/videos/20231212/02/

Technical blog article during the consideration stage of implementation: https://hack.nikkei.com/blog/advent20241221/

Case Study: VicRoads
https://fidoalliance.org/case-study-vicroads/ (Fri, 25 Apr 2025 19:16:30 +0000)

VicRoads achieves up to 80% industry-leading passkey activation rate for nearly 5 million users with Corbado

Background: VicRoads

VicRoads is the vehicle registration and driver licensing authority in Victoria, Australia. It registers over six million vehicles annually and licenses more than five million drivers. 

Operating as a joint venture between the Victorian State Government, Aware Super, Australian Retirement Trust, and Macquarie Asset Management, VicRoads is a critical provider of public services in the state.

Challenge: seamless and cost-effective authentication for government services 

VicRoads aims to become Australia’s most trusted digital government service provider by delivering secure, frictionless services to millions of people.

Given the importance of the data that VicRoads holds on behalf of its customers, security has always been a primary consideration. 

In the past, to support protection of customer data, VicRoads mandated multi-factor authentication (MFA) for all user accounts via SMS one-time passwords (OTPs) and authenticator apps. 

Passkeys leverage biometrics, facial recognition, a PIN or a swipe pattern in the sign-in process. Unlike traditional MFA, passkeys require both the device storing the private key and local authentication, meaning they are both phishing-resistant and cost-effective.
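The relying-party side of the property described above (the private key stays on the device, and the server only accepts a signature bound to its own origin and a fresh challenge) is easiest to see in code. The following is an added example, not code from this case study, VicRoads or Corbado. It uses only the Python standard library; the rpId, origin, key material and the HMAC stand-in for the authenticator's real ECDSA/EdDSA signature are all constructed for the demo, and a real deployment would use a WebAuthn library with proper public-key verification.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Hypothetical relying-party identity for the demo; not VicRoads' real rpId or origin.
RP_ID = "vicroads.example"
RP_ORIGIN = "https://vicroads.example"

FLAG_UP = 0x01  # authenticatorData flag: user present
FLAG_UV = 0x04  # authenticatorData flag: user verified (biometric / PIN)


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


@dataclass
class StoredCredential:
    credential_id: bytes
    public_key: bytes  # stand-in key material, see the demo helpers below
    sign_count: int


def verify_assertion(cred, expected_challenge, client_data_json, authenticator_data,
                     signature, verify_sig, require_uv=True):
    """Relying-party checks on a WebAuthn assertion, in the order of the spec's
    verification procedure. Returns (accepted, reason)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is server-generated and single-use, so a captured response cannot be replayed.
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    # The browser, not the page, writes the origin into clientDataJSON and the
    # authenticator signs over it, so a look-alike site yields a different origin.
    if client.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client.get("origin"))
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    counter = int.from_bytes(authenticator_data[33:37], "big")
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification not asserted"
    # What the authenticator actually signed: authenticatorData || SHA-256(clientDataJSON).
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    if not verify_sig(cred.public_key, signed, signature):
        return False, "bad signature"
    # A signature counter that fails to advance suggests a cloned credential.
    if (counter != 0 or cred.sign_count != 0) and counter <= cred.sign_count:
        return False, "signature counter did not increase"
    cred.sign_count = counter
    return True, "ok"


# Constructed stand-ins for the authenticator side (demo only). A real passkey
# signs with an asymmetric private key that never leaves the device; an HMAC over
# the same message stands in for that so the example runs on the stdlib alone.
def stand_in_sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def stand_in_verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(stand_in_sign(key, msg), sig)


def simulated_authenticator(key, origin, challenge, counter, flags=FLAG_UP | FLAG_UV):
    """Builds the three fields a platform authenticator returns for a get() call.
    In a real flow the browser also refuses to offer this credential to any origin
    outside RP_ID, so the phished case below would never even reach the server."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url_encode(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")
    return client, auth, stand_in_sign(key, auth + hashlib.sha256(client).digest())


def demo():
    key = b"constructed-demo-key"
    cred = StoredCredential(b"cred-1", key, sign_count=10)
    results = {}
    challenge = secrets.token_bytes(32)
    results["legitimate"] = verify_assertion(
        cred, challenge, *simulated_authenticator(key, RP_ORIGIN, challenge, 11), stand_in_verify)
    # Same user and device, but the login page was a look-alike site.
    challenge = secrets.token_bytes(32)
    results["phished_origin"] = verify_assertion(
        cred, challenge, *simulated_authenticator(key, "https://vicroads-login.example", challenge, 12),
        stand_in_verify)
    # A captured, genuine response presented against a fresh challenge.
    old = simulated_authenticator(key, RP_ORIGIN, challenge, 12)
    results["replayed"] = verify_assertion(cred, secrets.token_bytes(32), *old, stand_in_verify)
    # Counter went backwards relative to the stored value.
    challenge = secrets.token_bytes(32)
    results["counter_regressed"] = verify_assertion(
        cred, challenge, *simulated_authenticator(key, RP_ORIGIN, challenge, 5), stand_in_verify)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} accepted={ok} ({why})")
```

Only the first case is accepted; the phished, replayed and counter-regressed responses are rejected before or at the signature step, which is the server-side half of why no SMS OTP or shared secret is needed.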

Solution: Corbado provides a no-risk, passkey-first solution with minimal integration effort

VicRoads worked with passkey vendor Corbado, prioritizing a proven approach rather than building a solution from scratch.

Corbado’s deep understanding of both customer experience and the latest authentication technology gave VicRoads confidence that customers would find using passkeys easy.  

Corbado also provided in-depth technical guidance on passkey-specific challenges, including browser compatibility, recovery flows and user experience optimizations – further solidifying VicRoads’ confidence.

“We selected Corbado because it could integrate passkey functionality into our existing infrastructure without disruption to our customers and operations”, said Crispin Blackall, Chief Technology Officer, VicRoads.

Implementation: pre-built, passkey-optimized components & SDKs enable quick integration

Corbado Connect seamlessly integrated with VicRoads’ existing infrastructure and CIAM, which is deeply embedded within the organization’s enterprise stack. This passkey enablement was achieved without requiring a migration of user data or authentication methods, ensuring a smooth and efficient transition for millions of users.

By layering passkey functionality on top of VicRoads’ current authentication system, Corbado enabled a frictionless deployment while preserving all existing user credentials. This approach eliminated the disruption and risks often associated with introducing new technology.

To ensure a smooth transition, VicRoads implemented passkeys in a phased rollout, beginning with personal customers. This gradual deployment, supported by Corbado Connect’s rollout controls, enabled VicRoads to monitor performance, address potential issues and optimize the user experience before seamlessly extending passkey authentication to partner and business customers.

Results: customers love passkeys, with up to 80% passkey activation rate in the first weeks

Within the first weeks of deployment, passkey adoption significantly exceeded VicRoads’ expectations. Users embraced the phishing-resistant authentication method, benefiting from a frictionless login experience optimized for speed and security.

The exceptionally high passkey activation rate – peaking at 80% on mobile devices and over 50% across all platforms – led to 30% passkey login rate within the first seven weeks. Uptake continues to rise steadily, translating into measurable operational benefits, including:

  • Reduced authentication-related support tickets
  • Lower SMS OTP costs
  • Improved user experience and security.

So far, VicRoads has successfully rolled out passkeys on its web portal. The next step is to integrate passkeys into its native apps – myVicRoads and myLearners – allowing users to leverage their existing passkeys without additional setup. Ultimately, once passkeys are fully implemented across all digital platforms, VicRoads aims to eliminate passwords entirely, maximizing security and fully embracing a passwordless future.

“Passkeys are easy to use, without compromising on security. We’re excited to give our customers a simpler, more secure way to handle their registration and licensing services,” said Crispin Blackall, Chief Technology Officer, VicRoads.

Opportunity: setting a new standard for government authentication 

With one of the largest public sector passkey deployments globally, VicRoads has established itself as a digital leader in authentication modernization for government applications. 

Achieving high adoption rates without disruption, VicRoads has proven that large-scale organisations can enhance security and improve user experience simultaneously. This success positions VicRoads as a benchmark for other government agencies looking to modernize their authentication strategies.

“Passkeys represent a paradigm shift in how we authenticate users to digital identity services,” said Andrew Shikiar, Chief Executive Officer of the FIDO Alliance. “VicRoads’ adoption of passkeys showcases how government agencies can leverage this industry-wide innovation to protect people’s data while simplifying access to critical services. This is a significant step towards a more secure and efficient digital future for Victoria and beyond.”

Next Steps: developing next generation authentication

VicRoads’ ongoing partnership with Corbado ensures it remains at the forefront of authentication innovation while maintaining a seamless user experience for its expanding digital service base. A key advantage of Corbado’s managed passkey service is its built-in adoption-enhancing optimisations, ensuring continuous improvements and conformity with future WebAuthn updates.

With this initiative, VicRoads has paved the way for broader adoption of passkeys in the government and public sector, proving that secure, frictionless authentication at scale is achievable.

About Corbado

Corbado is a leading provider of passkey solutions, enabling enterprises and government agencies to deploy passkey authentication seamlessly, without user migration. Corbado’s focus is on maximizing adoption in large-scale deployments. As a FIDO Alliance member, Corbado’s solutions ensure high adoption rates, enhanced security, and a frictionless user experience. Visit https://www.corbado.com/.

Case Study: Zoho Corporation
https://fidoalliance.org/case-study-zoho-corporation/ (Fri, 25 Apr 2025 19:14:12 +0000)

Describe your service/platform/product and how it’s using FIDO authentication.

With over 55 apps across nearly every major business category, Zoho Corporation is one of the world’s most prolific technology companies. Headquartered in Chennai, India, Zoho is privately held and profitable, employing more than 18,000 people worldwide. Zoho is committed to user privacy and does not rely on an ad-revenue business model. The company owns and operates its data centres, providing full oversight of customer data privacy and security. Over 100 million users globally—across hundreds of thousands of companies—trust Zoho to run their businesses, including Zoho itself. For more information, visit zoho.com.

What were the challenges you were trying to overcome? 

Secure and easy log in instead of traditional authentication methods. 

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

Improved security, supporting documents and community.

Describe your roll out of FIDO authentication. 

We rolled it out ourselves via our IAM team.

We first rolled out passkey authentication for zoho.com (100mn+ users)

Rolling out passkey management in our password manager Zoho Vault in May, 2025

What data points can you share that show the impact FIDO authentication has had?  

30% increase MoM in passkey adoption

10% drop in password reset queries 

Resources

Case Study: Samsung Electronics
https://fidoalliance.org/case-study-samsung-electronics/ (Fri, 25 Apr 2025 19:13:13 +0000)

Describe your service/platform/product and how it’s using FIDO authentication.

Samsung Electronics’ Galaxy smartphones support fast and convenient logins through biometric authentication and FIDO protocols.

What were the challenges you were trying to overcome?

FIDO-based passkeys are transforming the way users access websites and apps by eliminating the need for traditional usernames and passwords. Instead of being stored on a server where they could be exposed, passkeys are securely stored on the Galaxy device, enabling quick and secure sign-ins using biometric authentication.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

FIDO enables secure authentication without transmitting users’ biometric data outside the device. Its ease of use, speed, compatibility across services, and status as an industry standard made it a compelling choice for Samsung Electronics.

Describe your roll out of FIDO authentication.

We have integrated FIDO authentication directly into our devices, enabling users to access it out-of-the-box. We continue to expand FIDO support across more Galaxy models and software updates.

Resources 

Case Study: ABANCA https://fidoalliance.org/case-study-abanca/ Fri, 25 Apr 2025 18:48:07 +0000 https://fidoalliance.org/?p=85138

Describe your service/platform/product and how it’s using FIDO authentication.

Our mobile banking app is our bank’s largest branch, serving over 1,200,000 customers each month. These customers require the best protection against identity theft attacks, and we provide the most robust and innovative solutions, always prioritizing the best user experience. ABANCA Key is a new identity verification service based on FIDO standards. It was launched after years of research by leading players to prevent identity theft attacks. Using passkeys, ABANCA Key provides the highest level of protection. It is impossible to guess or reuse them, so they protect our customers’ private information from attackers. 

What were the challenges you were trying to overcome?

On one hand, there’s the security challenge. The rise of phishing through calls and SMS messages in Spain has become a plague and a real problem for administrations, mobile operators, and financial institutions. On the other hand, there was the need to maintain the best user experience with the least friction. Passkeys give us a framework for interoperability and standardization, which provides us with ease of implementation and deployment. However, above all, and for the first time in the security industry, it provides a framework of homogeneity to achieve a frictionless user experience.

Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

We chose FIDO for many reasons: for its future strategy, as it allows us to follow many paths, including MFA and passwordless; for trust, as the FIDO Alliance includes leading players in security, operating systems, infrastructure, and the mobile ecosystem; and for the standardization and homogenization that it gives us, which reduces implementation, deployment and roll out times.

Describe your roll out of FIDO authentication.

To deliver the best user experience, we’re committed to having the deepest possible understanding of the technology. This enables us to effectively identify and resolve issues, and to better understand user behavior. We became our own partner by developing our own platform based on the FIDO standard and certifying it as if it were a provider.

We rolled out the deployment in phases. In under five months, we had the development of both server and front-end (iOS and Android) ready, and we began the rollout in an initial phase with our employees, and subsequently to end customers in batches. In just seven months, we were already in a general roll out to all customers.

What data points can you share that show the impact FIDO authentication has had?

  • More than 42% of our customers are already using ABANCA Key
  • More than 11,000,000 high-risk transactions have been protected with ABANCA Key without technical or service incidents
  • Customer roll out ran without technical or service incidents, and most importantly, with our customer journey UX to sign in to ABANCA Key and to use it, we’ve managed a Customer Effort Score (CES) of 4.7.

Please provide any links or resources that you feel would be useful in developing this case study.

ASRock Industrial Sets New Standard in Secure IoT Deployment with FDO Device Onboard https://fidoalliance.org/content-asrock-industrial-sets-new-standard-in-secure-iot-deployment-with-fdo-device-onboard/ Fri, 13 Dec 2024 13:41:10 +0000 https://fidoalliance.org/?p=83432

Imagine connecting and configuring devices on an oil rig in the middle of the ocean with limited human intervention. That’s the reality of what can be achieved with the FIDO Alliance’s Device Onboarding (FDO) standard. This is an example of the applications that IoT pioneer ASRock Industrial is bringing to life.

The rapid proliferation of IoT devices and Edge computing across industries has brought with it unprecedented opportunities and challenges. By 2025, over 75 billion IoT devices are expected to be connected globally, increasing complexities in device management and widening the attack surface for malicious actors. Recent studies suggest nearly 57% of IoT devices are susceptible to medium or high-severity attacks.

Corporate Overview

ASRock Industrial, a global leader in industrial systems and motherboards, has become one of the first vendors to provide FDO-enabled compute solutions for industrial applications. The company offers industrial PC systems, motherboards, edge computers, and other products for industries such as automation, robotics, entertainment, and security, as well as cutting-edge systems for smart cities, energy firms, pharmaceuticals, automotive and more to customers around the world. ASRock Industrial is leading the way in the industrial IoT industry with its FDO certified solutions that make device onboarding more efficient, less vulnerable, and more scalable.

“FDO’s advanced security framework enables us to deliver unparalleled reliability and adaptability, empowering our clients to scale confidently in increasingly complex environments.”
Kenny Chang, Vice President of Product and Marketing Division, ASRock Industrial

On the Edge: The Challenges of Industrial IoT

ASRock Industrial’s customers, like many in the industry, face challenges when deploying IoT devices and edge computing solutions quickly and securely. 

  • Security vulnerabilities: Traditional manual onboarding methods leave devices vulnerable to unauthorized access and data breaches. For example, a connected IoT device may still have the original manufacturer’s default password in place, which increases the risk of password-related device compromises. Manual processes also increase the risk of exposed, unmanaged devices on the network. In industries like energy and transportation, secure operations are vital to public safety and system reliability.
  • Time and cost inefficiencies: Not only are manual processes time-consuming, but hiring skilled installers is also extremely expensive. When calculating the time and cost for a skilled engineer to manually onboard edge devices, it’s important to include not only the technical setup time but also the travel time to what potentially may be multiple sites. ASRock Industrial estimates that before FDO, users could spend up to $1,000 per device implementation*. With FDO the installation is not only much faster and more secure, but it is also a task that can often be handled by existing on-site staff.
  • Complexity and scalability: Legacy onboarding approaches are complex to deploy and manage. This complexity is only further exacerbated by the remote and high-risk environments many industrial applications are in. Sending skilled engineers to these environments not only creates bottlenecks and slows scalability, it introduces safety risks that further amplify costs.
  • Lack of interoperability: The IoT space is very fragmented, with multiple proprietary platforms and operating systems. Existing “zero-touch” solutions are restricted in compatibility, making it hard to support clients across different sectors.

Creating an FDO Solution

To solve these challenges, ASRock Industrial turned to FIDO Device Onboard (FDO), and in doing so has become one of the market’s earliest adopters of this compelling technology. ASRock Industrial has integrated FDO into its flagship iEP-5010G series, a robust edge controller built for demanding industrial applications and harsh environments. The iEP-5010G series can operate within a wide temperature range of -40 to 70 degrees and supports 6-36VDC power inputs, 4G LTE, 5G, Wi-Fi 6E, and Bluetooth, and offers the most flexible I/Os and expansion options, making it a fit for industrial automation, robotics, transportation and more.

The ASRock Industrial FDO solution has been designed with FDO’s advanced features in mind. It delivers end-to-end FDO onboarding capabilities, encompassing all critical FDO functions: manufacturer, owner and rendezvous server. 

Rather than hard programming devices for each different operating system, the iEP-5010G series device controller can be deployed as one system without pre-installation of OS or additional programming. This simplifies manufacturing and provides a better customer experience with the flexibility to decide OS requirements later in the process.

The FDO standard and associated certification program ensure consistency and interoperability. Standardized onboarding means devices are consistently and correctly deployed every time, removing the risk of errors for ASRock Industrial’s customers. Most importantly, the open standards-based approach means it can work seamlessly with other partners in the industry and support players across the globe.

Results and Impact

While early implementation results are still being gathered, ASRock Industrial anticipates significant benefits for both the company and its customers.

One of ASRock Industrial’s earliest use cases lies in the smart city domain, where their FDO-enabled iEP-7020E series devices leverage FDO technology to automatically onboard hardware and software to connect electric vehicle (EV) charging points and related devices seamlessly. By enabling remote monitoring of charging stations across multiple locations, FDO has eliminated the need for engineers to visit sites physically. Its AI-driven analytics have dramatically enhanced operational efficiency, while remote surveillance has addressed key challenges such as charger hogging, vandalism, and unauthorized access. This capability ensures more efficient and timely incident management. As urban demands evolve, FDO serves as a robust foundation for scalable, secure deployments, delivering sustained benefits over time.

Looking Ahead

ASRock Industrial’s investment in FDO puts the company in a prime position to meet the rigorous demands of Industry 4.0 advancements and provide customers with security levels that protect against the expanding edge threat landscape. In 2024, ASRock Industrial became one of the first to achieve FDO certification, passing the FIDO Alliance’s rigorous independent testing processes. The results of this testing demonstrate that ASRock Industrial’s products fully meet the FDO specification, meaning partners and clients can trust the security, interoperability and FDO functionality of these solutions.

FDO certification also plays an important role in differentiating ASRock Industrial by making their products more marketable in that they are capable of meeting the needs of a growing number of RFPs that call out FDO. Additionally, it reduces the company’s need to spend time and effort in intensive vendor bake-offs, allowing ASRock Industrial to spend more time innovating its product lines and value-added services.

“Deploying FDO has marked a pivotal shift for ASRock Industrial, establishing a new benchmark in secure, scalable onboarding for industrial edge AIoT solutions. This deployment cements ASRock Industrial’s leadership in industrial computing security and sets the stage for us to shape the future of Industry 4.0 with solutions that are both resilient and future-ready.”
Kenny Chang, Vice President of ASRock Industrial

Branch enhances security and user experience with passkey implementation https://fidoalliance.org/branch-enhances-security-and-user-experience-with-passkey-implementation/ Thu, 14 Nov 2024 16:14:33 +0000 https://fidodev.wpengine.com/?p=82940

Corporate Overview

Branch® is a cloud-native home and auto insurance company founded in 2020. Operating on a serverless architecture, Branch’s mission is to simplify the insurance purchasing experience for consumers and independent insurance agents.

“One of our key superpowers is making the insurance buying experience as easy as possible,” explained Arkadiy Goykhberg, Chief Information Security Officer at Branch.

Branch Authentication Challenges

Due to the sensitive nature of their market and the variety of stakeholders they served, Branch faced multiple authentication challenges:

  • Legacy two-factor authentication. Branch had been relying on SMS-based two-factor authentication, which has multiple issues. Telco outages would prevent users from logging in. It is also not phishing resistant and is exposed to the risk of SIM swapping attacks.
  • Customer support volume. There was a high volume of support tickets related to password resets and login issues.
  • User-friendly approach. Branch needed a more secure and user-friendly authentication process to serve their 12,000+ independent insurance agents.
  • Compliance. Another core challenge was the need to meet strict compliance requirements in the highly regulated insurance industry.

How Passkeys Addressed Branch’s Challenges

Branch identified passkeys as the solution to their authentication problems for several reasons.

Enhanced Security: Passkeys are inherently phishing-resistant, addressing the vulnerabilities associated with SMS-based authentication.

Improved User Experience: Passkeys eliminate the need for passwords, reducing friction during login and preventing issues related to forgotten passwords or typing errors.

Reduced Support Burden: By implementing passkeys, Branch saw a significant reduction in support tickets. John MaGee, Software Product Manager at Branch, noted, “We did see our support ticket volume drop by about half, which was the key business goal, outside of some of the user experience and security goals of the project.”

Regulatory Compliance: Passkeys provided a strong foundation for meeting current and future regulatory requirements in the insurance industry.

Compatibility with Existing Infrastructure: Passkeys integrated well with Branch’s cloud-native architecture, allowing for a smoother implementation process.

Implementation process and results

Branch adopted a phased approach to implementing passkeys.

The first phase involved internal testing. Branch first implemented passkeys for internal use, which helped build confidence and user acceptance. Branch then went through a vendor selection and development phase, contracting with Descope. Branch decided that it was a more efficient approach to engage with a service provider to help with passkey implementation.

The project roadmap included a two month vendor selection process, followed by a three-month development phase and a six-week end-user migration phase.

The final step was a phased user migration. Branch rolled out passkeys to its agents in waves, starting with a small group and gradually scaling up. The onboarding process involved multiple communication campaigns to prepare users for the new authentication experience. The user journey included prompting users to set up passkeys and providing a fallback option of email and OTP. The goal was to ensure a seamless transition and reduce support ticket volume by eliminating password resets. This approach allowed the company to refine the process based on feedback and minimize risks.

The results of the passkey implementation were impressive:

  • 25% passkey adoption rate across the organization, exceeding internal goals.
  • 50% reduction in support ticket volume related to authentication issues.
  • Maintained steady login failure rates at 5%, despite the transition.
  • Improved user experience, with fewer frustrations related to authentication.

One surprising benefit was the high compatibility of passkeys with existing hardware and software. Goykhberg said that he had initially expected that only approximately 60% of systems would support passkeys.

“That hypothesis was wrong. To my surprise, only a few devices across thousands of logins could not support passkeys,” he said.

Branch’s passkey success and future roadmap

Branch’s successful implementation of passkeys has not only addressed their current authentication challenges but also laid the groundwork for future improvements and expansions.

Goykhberg said:

“Descope’s flexible workflow made implementing passkeys and taking care of edge cases relatively straightforward. With conditional steps, we routed users to passkeys when their hardware or software were compatible, and routed them to fallback MFA options when passkeys couldn’t be supported. Visualizing the user journey as a workflow helps us audit and modify the registration and authentication journey without making significant code changes, which sets us up well for the future.”

The company’s successful phased rollout approach, starting with internal adoption and then gradually expanding to their agent base, highlights the importance of incremental implementation and learning. This strategy will continue to inform their future authentication initiatives. Building on the initial success of 25% passkey adoption, Branch aims to increase this number through targeted experimentation and user education.

Branch’s successful implementation of passkeys demonstrates how this modern authentication method can significantly improve both security and user experience in the insurance industry. By addressing the vulnerabilities of traditional authentication methods, reducing support burden and providing a seamless user experience, passkeys have proven to be a valuable solution for Branch’s authentication needs.

J:COM turns to Passwordless Authentication https://fidoalliance.org/jcom-turns-to-passwordless-authentication/ Tue, 12 Nov 2024 15:24:07 +0000 https://fidodev.wpengine.com/?p=82816

Corporate Overview

JCOM Co., Ltd. (J:COM) provides a wide range of services to 5.72 million households nationwide, including cable TV (specialty channels, BS, terrestrial digital), high-speed internet connection, smartphones, fixed-line phones, electricity, video entertainment, and home IoT.

Under the brand message “Making the new normal,” J:COM actively incorporates digital technology to offer new services that make customers’ lives more comfortable and enriched.

To ensure the safe and comfortable use of the various services provided by J:COM, customers need to register a J:COM Personal ID (phone number or email address), which is linked to multiple services and apps offered by the company. Since August 2019, J:COM has been considering a new J:COM Personal ID, aiming to follow the latest security measures while continuously and swiftly pursuing the convenience of easy ID registration and login, which are often contradictory goals.

Deployment of FIDO2

Previously, in addition to ID/password authentication, J:COM adopted multi-factor authentication by sending one-time passwords to phone numbers.

However, aiming for further convenience, J:COM decided to introduce passwordless authentication using biometric authentication available on customers’ everyday devices (smartphones, tablets).

For the implementation, J:COM used the FIDO-compliant authentication platform “Uni-ID Libra” provided by NRI Secure Technologies, Ltd. (NRI Secure).

Initially, there were challenges in guiding users through the initial setup of FIDO authentication due to differences in operation depending on the OS and browser specifications used by the users, such as fingerprint and facial recognition. However, these issues were resolved by improving screen displays and support site descriptions.


Effects of Implementation

As of August 29, 2024, the number of passkey (FIDO credential) registrations has reached 16% of the total IDs, and the number of services that can use biometric authentication has reached 25. This implementation has not only improved convenience but also resulted in cost savings on SMS transmission fees, as that cost remained flat despite the increase in the number of users and authentications for the services provided by J:COM.

Shiori Takagi from the Agile Development Department, IT Planning Promotion Division, Information Systems Department of JCOM Co., Ltd., commented on this case study:

“With the introduction of FIDO authentication, we believe we have made significant progress towards our goal of enabling customers to log in and use services more securely and easily. We believe that registration will expand further and service usage will be promoted in the future.”

HiTRUST Brings Passkeys to Colatour Travel https://fidoalliance.org/hitrust-brings-passkeys-to-colatour-travel/ Wed, 30 Oct 2024 14:27:18 +0000 https://fidodev.wpengine.com/?p=82534

Imagine booking your dream vacation with just a single touch or a smile, without worrying about forgotten passwords or hackers.

This seamless experience is now possible thanks to HiTRUST’s latest collaboration with Taiwan’s leading travel platform, Colatour. Building on nearly a decade of trusted partnership, HiTRUST and Colatour have launched an innovative passwordless solution. Powered by global FIDO standards, it redefines the security of digital travel booking platforms.

Passkey Authentication On Colatour

Nowadays, in a fast-paced digital world, where real-time interactions and personalized travel experiences are a must; it’s essential for businesses to provide secure and user-friendly customer journeys. As cyber threats escalate, targeting personal and financial data, HiTRUST is leveraging the FIDO Alliance’s global standard for passwordless authentication, backed by industry giants like Apple, Google, and Microsoft.

Colatour users can now bid goodbye to passwords. HiTRUST’s FIDO-based solution replaces them with a more secure alternative: biometrics. Whether it’s a fingerprint or facial recognition, users can authenticate to Colatour’s online platform instantly, without a password. On the web version, this method is compatible with all major browsers, making it easy for users to access.

Supported by the FIDO Alliance and technology leaders like Apple, Google, and Microsoft, passkeys transform online credential management by synchronizing across devices within the same ecosystem, removing the need to re-register when upgrading or switching between devices. This ensures a simple, secure, and convenient user experience.


Registration Process


Passwordless Login Process

Mitigating Cyber Threats on Tourism Platforms

With HiTRUST’s passwordless authentication, Colatour’s users can enjoy a stress-free experience—no more complex passwords to remember or fear of account theft through phishing attacks. Instead, users authenticate securely using their unique individual biometrics, ensuring peace of mind across all devices.

For Colatour, FIDO secures customer accounts by preventing hacks and data leaks. With biometric authentication, it blocks fraudsters, lowers fraud risks, and builds stronger customer trust and safety.

On the other hand, Colatour users benefit from this advanced approach by replacing passwords with biometric authentication, providing a secure login and seamless experience. Users can easily log in to the website or app using facial recognition or fingerprint authentication, eliminating the hassle of entering account details while enhancing security. This creates a fast and safe digital tool for travelers, ensuring personal data and travel itineraries are protected from hackers and fraud.

Gaining a First-Mover Advantage with Passwordless Technology

Our partnership sets a new standard for secure, seamless user experiences in the travel industry. As more sectors adopt this innovative approach, Colatour leads the way. Not only can B2C members benefit from FIDO, but Colatour also offers B2B members access to biometric authentication on their website and app. Clients can easily log in with facial recognition or fingerprint authentication, ensuring a safer, worry-free travel experience and boosting customer engagement. By implementing advanced security measures like passwordless authentication, Colatour not only protects customers from potential fraud but also strengthens trust and loyalty. HiTRUST remains committed to delivering cutting-edge solutions, safeguarding Colatour and its travelers, and paving the way for a secure future in the travel industry.

About Colatour Travel Service CO., LTD.

Founded in 1978, Colatour Travel Service CO., LTD. is Taiwan’s largest travel agency in terms of group tours and a leading brand in the travel industry. With over 1,400 employees, Colatour operates one of the highest-traffic B2C websites and numerous physical stores. It is also the largest wholesale travel company in Taiwan. Over the past 40 years, Colatour has served more than 10 million outbound group travelers and issued hundreds of millions of airline tickets, earning numerous awards as a top partner from airlines, resorts, and hotels. The Colatour Group includes Colatour Travel, Comfort Travel Service, and Polaris Travel Service.

Discover more about how HiTRUST and Colatour are transforming the future of travel security:
TTN Media Article | Targeting the membership economy: Colatour launches its new “Cola Coin” rewards!

Wedding Park Deploys Company-Wide Passwordless Authentication for Internal Cloud Service Logins https://fidoalliance.org/case-study-wedding-park-deploys-company-wide-fido-authentication/ Tue, 16 Jul 2024 15:47:43 +0000 https://fidodev.wpengine.com/?p=81224

Corporate overview:

Wedding Park Co., Ltd. was founded in 2004 with the management philosophy of “Making marriage happier.” Celebrating its 20th anniversary in 2024, it started as a wedding review information site and has since expanded its operations. Utilizing a wealth of information, it operates several wedding-specialized media, including the wedding preparation review site Wedding Park. In addition, it runs various businesses in the realm of weddings combined with digital technology, such as internet advertising agency services, digital transformation (DX) support, and educational ventures.

Background and challenges leading to deployment

Wedding Park was faced with the challenges of strengthening the security of multiple cloud services that were being used for internal operations and the complexity of password management. As a way to address these issues, the company introduced an ID management service and consolidated them into a cloud service entrance with a single sign-on function.

The impetus for deploying FIDO authentication came from the fact that Salesforce, which is used for authentication for customer management, order and supply systems, and time and attendance management, announced that multi-factor authentication (MFA) was mandatory. However, if MFA is applied only to Salesforce and other cloud services continue to operate with password authentication, not only will the usability of users deteriorate, but the work of the IT management department will also become more complicated. In addition, due to the vulnerability of password-only authentication, the company decided to apply MFA to all cloud services, including Salesforce, in accordance with its policy to promote zero-trust security in February 2020.

Selection and verification of an authenticator

As an authentication method for MFA, the company considered one-time password authentication (OTP) and biometric authentication using smartphone applications, but ultimately decided to deploy passwordless authentication using FIDO for its unique ability to improve both security and user convenience.

In order to realize passwordless authentication using FIDO, a terminal equipped with a FIDO-compatible biometric authentication device is required. The majority of devices currently on the market support FIDO authentication, and with the exception of a few employees’ devices, all in-house devices were already equipped with Windows Hello or Touch ID, which supported the adoption of FIDO. For the few employees whose devices lack biometric features, a separate external authenticator was provided.

A step-by-step changeover for each department

After examining the authenticators, the policy to deploy passwordless authentication company-wide in January 2022 was officially launched. The transition took place from February to March of the same year, and the smooth implementation in a short period of one month was made possible by the department-by-department implementation and the generous support provided by the IT management department. For this implementation, the company requested the support of CloudGate UNO, an identity management platform by International System Research Corporation (ISR) that the company has been using since 2012, because it supports passwordless authentication using FIDO2 and biometric authentication using a smartphone app.

The introduction of the system within the company began with the development department and gradually progressed to departments with a larger number of employees. First, at regular meetings for each department, the company communicated the purpose of introducing the system and its benefits (“the deployment of the system will make daily authentication more convenient”), and gained understanding across the company. Introducing the system on a departmental basis had the advantage of not only limiting the number of people the IT management department had to deal with at one time, but also allowing Q&A to be accumulated as test cases and manuals to be maintained smoothly, since the system was introduced starting with the development department, which had high IT skills.

As a result of close follow-up by the IT management department, which not only prepared materials, but also checked the progress status on the administrator website as needed, and individually approached employees who had not yet registered their authenticators, the company was able to implement the system company-wide within the targeted time frame.

Effects of introduction


The number of login errors due to mistyping of passwords, which used to occur about 200 times a month, has been reduced to zero since the deployment of FIDO authentication. Many employees commented that the system has become very convenient, eliminating authentication failures due to forgotten passwords or typing errors. In addition, the number of periodic password reset requests has decreased, resulting in a reduction in man-hours for the administrator.

Passwordless authentication is smooth; the authentication session retention period was later shortened to further enhance security, and the system has continued to operate without problems since then.

Wedding Park’s future vision is to link all cloud services used within the company to CloudGate UNO and manage them centrally, including authentication, through CloudGate UNO.

Akira Nishi, General Manager of the Corporate IT Office, who spoke with us about this case study, made the following comments.

“For those who are considering deploying a new authentication method, there is inevitably a concern that a change in authentication method will cause a large-scale login failure. In our case, in the early stages of the project, we held explanatory meetings for each department and repeatedly brushed up on explanatory materials and procedures, which was effective in minimizing confusion and anxiety within the company.

“After the switchover, we continued to check on the progress of the implementation and followed up with each department individually, but once the use of passkey (device-bound passkey) became standardized within the company, we felt that the scope of use, including various security measures, was expanding dramatically.”

State of Michigan’s MiLogin Adopts Passkeys https://fidoalliance.org/state-of-michigans-milogin-adopts-passkeys/ Tue, 07 May 2024 23:37:55 +0000 https://fidodev.wpengine.com/?p=78208

“FIDO Drives Strong Authentication Results for the State of Michigan’s MiLogin”

The State of Michigan’s Department of Technology, Management & Budget (DTMB) is a principal department of the state’s government responsible for providing a wide range of support functions to other state agencies.

The department’s broad spectrum of responsibilities includes technology services, labor market information, facilities management, financial services, procurement, retirement services, real estate management, the Michigan public safety communication system, fleet and records management, and more.

The DTMB also plays a crucial role in cybersecurity for the state, providing resources and tools to protect against cyber threats and manage the State’s IT infrastructure. One of the DTMB’s efforts is the MiLogin digital identity solution, which enables over 10 million users to access state government services securely and conveniently.

DTMB was looking to secure MiLogin, Michigan’s application that allows users to access multiple state applications and services with a single user ID, with strong authentication that improves user experience, and decided to go with passkeys, based on FIDO authentication.

Passkeys are a password replacement that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets.

Key Objectives 

The State of Michigan aimed to address several key objectives with the integration of passkeys:

Enhance the digital user experience.

The goal was to streamline the digital user experience, particularly in providing users with seamless access to critical state government services. DTMB aimed to simplify the login process, making it more user-friendly and efficient.

Reduce help desk support dependency.

Recognizing the strain on help desk resources due to login access issues, DTMB sought to reduce users’ need to access help desk support. By implementing changes to enhance the login process, the goal was to empower users to navigate.

Fortify security resilience.

There is no shortage of risk and vulnerabilities associated with traditional username and password authentication. A key objective was to fortify the system against security threats and phishing incidents, by adopting advanced FIDO strong authentication to mitigate the risks commonly exploited by bad actors seeking unauthorized access.

The Importance of Open Standards and Interoperability 

Before deciding to implement passkeys, the DTMB explored a proprietary passwordless login solution offered by a cloud-based identity-as-a-service (IDaaS) provider. However, the solution lacked the interoperability required.

The DTMB determined early on in its process that open standards and interoperability were critical and required components of its strong authentication strategy.

A standards-based approach provides interoperability across popular device types and web browsers, maintains vendor neutrality, allows for cost savings through community adoption, and provides a pathway to adopt future innovations in the FIDO ecosystem.

The Solution: FIDO Drives Results 

Passkeys checked all the boxes for the DTMB, utilizing open standards and an interoperable approach for authentication.

The DTMB found that passkeys provide the following advantages:

  • Passkeys are based on open standards, ensuring interoperability without necessitating additional software for users to download.
  • Multiple vendor support for FIDO standards and the tech’s rapid adoption promotes the long-term continuity of FIDO authentication as a service.
  • FIDO standards accommodate various authenticator types (such as biometric sensors, hardware keys, etc.) across desktop and mobile devices, catering to the DTMB’s user base’s diverse authentication requirements.
  • Prioritizing user and ecosystem partner security, passkeys provide strong phishing resistance.

MiLogin’s Path to Passkeys 

The DTMB’s passkey rollout involved a meticulous process to ensure a seamless, secure transition. 

Extensive research on passwordless authentication solutions was conducted, engaging the DTMB’s cybersecurity review board in the evaluation process. Upon selecting passkeys for further exploration, the DTMB delved into the analysis of various FIDO options and sought feedback from the National Institute of Standards and Technology (NIST).

Working together with Deloitte, which is the DTMB’s trusted systems integrator for the State’s enterprise digital identity solution, a comprehensive strategy was planned for the design, development, and implementation phases.

In the design phase, insights from the FIDO Alliance’s usability study results were worked into screen and workflow designs. Findings from the DTMB’s MiLogin human-centered design usability study were also used to create a user experience tailored to address the diverse needs of various personas.

The development phase focused on integrating MiLogin with FIDO authentication methods, accompanied by the creation of animated user help guides and tutorial videos to drive greater user adoption.

Post-implementation, the DTMB monitored production metrics and gathered feedback from end-users, ensuring the success of the implementation and identifying areas for functionality enhancements in future releases.

MiLogin’s Impressive Passwordless Results 

Within the first six months of release, MiLogin achieved impressive results for the State of Michigan:

  • 100,000+ customer devices enrolled in passkeys 
  • ~18,000 new passkey enrollments per month 
  • Increased FIDO-based logins with zero reported issues 
  • Decreased help desk initiated password resets, with 1,300 fewer calls related to password resets in a single month

“I am proud that our MiLogin team has brought passwordless authentication to our public digital identities. Passwordless brings additional protections to our public digital identities, and helps protect our systems from account takeover attempts such as brute force and password spray attacks.”

– Jayson Cavendish, Chief Security Officer, State of Michigan, DTMB 

The Road Ahead for Passwordless in the State of Michigan 

The State of Michigan anticipates a significant increase in passkey adoption, targeting over 10 million public users. They also plan to implement passwordless authentication for their workforce, integrating with their state directory services solution.

FIDO authentication is a part of the State of Michigan’s Zero Trust Identity strategy to establish a secure identity in citizen interactions with state services. It will also improve the user experience, generate cost savings for the state, and increase adoption of the State’s digital identity solution by diverse state agency partners.

So what advice does the DTMB have for other organizations? The State of Michigan recommends understanding diverse user bases and use cases, prioritizing user experience, and incorporating usability studies, clear end-user messaging, and a well-designed communication plan for a successful FIDO authentication implementation.

Mercari’s Passkey Authentication Speeds Up Sign-in 3.9 Times
https://fidoalliance.org/mercaris-passkey-authentication-speeds-up-sign-in-3-9-times/ (Thu, 07 Mar 2024 20:58:40 +0000)

Mercari, Inc. is a Japanese e-commerce company, offering marketplace services as well as online and mobile payment solutions. With Mercari, users can sell items on the marketplace and make purchases in physical stores. In 2023, they implemented passkeys. This article will explain the motivation behind their decision and the results they achieved.

Motivation

Mercari previously used passwords and, faced with real-time phishing attacks, added SMS OTPs as an authentication method to protect its users. While this improved security, it did not completely eliminate real-time phishing attacks, and sending a high volume of SMS OTPs was both expensive and not very user-friendly.

Mercari also had a new service, Mercoin, a platform for buying and selling Bitcoin with a user’s available Mercari balance; it had strong security requirements, and passkeys met them.

Because passkeys are bound to a website or app’s identity, they are safe from phishing attacks. The browser and operating system ensure that a passkey can only be used with the website or app that created it, which frees users from being responsible for checking that they are signing in to the genuine website or app.

Requiring users to use extra authentication methods and perform additional actions is an obstacle when what users actually want is to accomplish something else in the app.

Adding passkey authentication removes that additional step of SMS OTP and improves user experience while also providing better protection for users from real-time phishing attacks and reducing the cost associated with SMS OTPs.

Results

900,000 Mercari accounts have registered passkeys and the success rate of signing in with them is 82.5% compared to 67.7% success rate for signing in with SMS OTP.

Signing in with passkeys has also proved to be 3.9 times faster than signing in with SMS OTP: Mercari users take 4.4 seconds on average to sign in with passkeys, versus 17 seconds with SMS OTP.


The higher the success rate of authentication and the shorter the authentication time, the better the user experience and Mercari has seen great success with implementing passkeys.

Learn more about Mercari’s implementation of passkeys

To learn more about how Mercari solved the challenges of making a phishing resistant environment with passkeys, read their blog on Mercari’s passkey adoption.

Target Uses FIDO Authentication to Secure the Workforce
https://fidoalliance.org/target-uses-fido-authentication-to-secure-the-workforce/ (Thu, 21 Dec 2023 22:27:54 +0000)

Target is a retailer with locations across the U.S. as well as online e-commerce operations. Target also provides loyalty and credit card services to its customers.

The Challenge/ Use Case

The initial use case for FIDO at Target was to help enable a secure login experience across applications at the company, as part of a broader platform modernization effort.

Target’s challenge was to provide a consistent and secure login experience across applications at Target, to provide a seamless experience to its users. 

“We had to reduce friction, wherever possible, be it in the authentication flow by reducing the dependencies on passwords, or in the onboarding process by making it easier for applications and business owners to easily consume the enterprise authentication services,” explained Nataraj Rao, Principal Engineer for Security Solutions at Target.

How Target Uses FIDO To Secure Its Users

Target initially integrated a FIDO server with its Single Sign On (SSO) platform to provide multi-factor strong authentication capabilities.

“Support for a wide variety of authenticators makes it possible for team members to choose from a wide variety of authenticators and avoids a scenario where they are not able to move forward, just because they did not have a specific authenticator at that time,” Rao said.

With a solid understanding of how FIDO works and how it can be integrated with Target’s systems, there are multiple use cases where it can be deployed. Among those use cases is providing additional verification in a multi-factor authentication flow. FIDO can be used as the primary authenticator and can completely eliminate passwords from the login equation. It can also be used for native authentication to mobile applications, providing a very intuitive login experience for Target’s mobile users.

Benefits

FIDO2 in particular has been useful for Target as it’s integrated into most modern web browsers without the need for users to install any third-party software or plugin on their devices or browsers.

With FIDO, Target is able to provide a better authentication experience for its users and is taking steps toward enabling a passwordless future.

“We all know that it’s not easy to get rid of passwords immediately,” Rao said. “But let’s all take a step towards it.”

SURF Uses FIDO2 to Protect Users in the Netherlands
https://fidoalliance.org/surf-uses-fido2-to-protect-users-in-the-netherlands/ (Thu, 21 Dec 2023 22:26:33 +0000)

SURF is the shared IT organization for research institutes and universities in the Netherlands. The organization helps to connect over 100 different institutions across the country.

The Challenge/ Use Case:

With lots of students and educators that need access, SURF faces multiple challenges. 

Since 2007, SURF has been developing and using a service it calls SURFconext, which provides a national identity federation for research and higher education. SURFconext consists of over 180 different identity providers and provides single sign-on (SSO) for SURF’s member institutions. It is based on the SAML 2.0 standard, also makes use of OpenID Connect, and is used by 1.7 million people across the Netherlands.

Over the last decade, workloads have become increasingly sensitive and security concerns around access have grown. Some member institutions were only enforcing access with basic password authentication, and there was a need to introduce multi-factor strong authentication.

How SURF Uses FIDO To Secure Its Users

With multiple member organizations each using various technologies, SURF implemented an add-on service called SURFsecureID.

SURFsecureID is a hosted service that provides multi-factor authentication, with a step-up approach.

“The idea is that users authenticate at their home University using the password and before they are redirected to the service provider they are redirected to us where we require a second factor before sending them off to the service they initially requested,” explained Joost van Dijk, Technical Product Manager at SURF.

The step-up authentication approach makes use of FIDO2 standards to help protect SURF’s users.

Benefits

With FIDO, SURF is now able to provide strong authentication to users across the Netherlands in an approach that helps to improve resiliency and security.

One particular risk that FIDO helps SURF to minimize is that of phishing attacks, which has been a growing concern since at least the onset of the pandemic.

“Especially since the COVID crisis began, we’ve seen a lot of phishing campaigns launched against our users and we see FIDO2 as an excellent way to mitigate this threat,” commented Joost van Dijk, Technical Product Manager at SURF.

How CZ.Nic uses FIDO Authentication
https://fidoalliance.org/how-cz-nic-uses-fido-authentication/ (Thu, 21 Dec 2023 22:24:37 +0000)

The Company

CZ.nic is a domain registry organization in the Czech Republic that has been in operation since 1998. The organization manages over 1.3 million domains and is operated as a not-for-profit entity.

In addition to the administration of domain names, CZ.nic is active in the development and deployment of internet technologies as well as identity services.

The Challenge/ Use Case:

One of the primary activities of the CZ.nic domain registry is verifying the identity of domain owners. CZ.nic holds contact information on well over 800,00 domain owners and administrative contacts.

Verifying and authenticating the integrity of user identities is a key challenge facing CZ.nic. The European Union has a directive known as Network and Information Security (NIS) version 2 (NIS2) that recommends that top-level domain registries like CZ.nic have technology and policies in place to properly verify domain owners.

“There’s a common agreement that illegal content is usually linked to fake identities,” explained Jaromir Talir, technical fellow at CZ.NIC and member of eIDAS Technical subgroup. “In the case of domains, there is definitely the possibility to register fake identities as domain owners.”

To that end, CZ.nic developed the mojeID (my ID) service as a way to authenticate user identities. MojeID serves as a central identity service where an individual identity can be associated with a domain. 

MojeID also acts as an identity provider that ties into the European Union’s eIDAS (electronic identification and trust services) approach for an identity system that works across the EU.

How CZ.nic Uses FIDO To Secure Its Users

CZ.nic started out with just a username and password for authentication and realized over time that there was a clear need to have stronger authentication options for users.

In 2018, CZ.nic began evaluating the FIDO U2F specification as a solution for two factor authentication. In 2019, CZ.nic shifted its focus to using FIDO2/WebAuthn as it began to roll out the technology for production deployments. 

Benefits

The use of FIDO2 provides CZ.nic with an extensible framework that works across desktop and mobile operating systems and devices.

With FIDO, CZ.nic is able to provide its users with strong authentication for identity verification. FIDO2/WebAuthn is also a core element of the eIDAS enablement for MojeID, which requires the use of a FIDO authenticator, alongside username/password for access.

As of July 2021, CZ.nic had over 30,000 users with FIDO security keys.

How CVS Health Uses FIDO to Secure Its Users
https://fidoalliance.org/how-cvs-health-uses-fido-to-secure-its-users/ (Thu, 21 Dec 2023 22:22:02 +0000)

CVS Health is a U.S. healthcare organization that includes multiple operating divisions, including retail with CVS Pharmacy, which has nearly 10,000 locations across America. CVS Health also includes a large healthcare insurance business that integrates assets from Aetna.

As of Q2 2023, CVS Health is using passkeys for consumer logins to their mobile web service.

The Challenge/ Use Case

The key focus for CVS Health is to ensure integrity and confidentiality of customer data. The overall user experience also needs to be positive, to drive traffic to CVS’s digital assets. 

CVS Health is on a path to help make its consumer authentication experience not only secure, but easier to use. CVS Health is also on a path toward enabling passwordless experiences for consumers wherever possible.

“For the external user, they would just simply walk away, if the user log in experience is cumbersome, in any way,” Cisa Kurian, senior security advisor at CVS Health commented. “Good security is always a balance between security and usability.”

How CVS Health Uses FIDO To Secure Its Users

CVS Health is building out an authentication platform to provide passwordless authentication capabilities in its web, mobile, IoT and voice applications. Passwordless authentication is enabled with biometric authentication using FIDO standards.

“Our goal is to increase friction for a potential threat actor, while enabling ease of use for the legitimate user,” Kurian said.

Benefits

By adopting a FIDO-based approach, CVS Health is able to provide an easier authentication experience for its users. Making the login experience more seamless also helps to improve the overall user experience.

“We chose FIDO because the standards are open, and allow for simpler and stronger authentication that is based on public key cryptography,” Kurian said. “In other words, it’s easy to use and more secure, at the same time.”

Gemini Protects Users with FIDO Authentication
https://fidoalliance.org/case-study-gemini-protects-users-with-fido-authentication/ (Wed, 15 Nov 2023 18:12:00 +0000)

Gemini is a cryptocurrency exchange and custodian, founded by Tyler and Cameron Winklevoss in 2014. Gemini enables its users to transact both via a website and via mobile apps to buy, sell and store cryptocurrency assets.

The Challenge/ Use Case

As a financial services vendor in a space that is highly targeted by criminals, the need for strong authentication is paramount. 

Gemini’s security efforts are led by Chief Security Officer Dave Damato who is no stranger to the security industry and previously worked at security incident response firm Mandiant.

“So much of my career has been really focused on preventing and responding to incidents and strong two factor authentication is at the core preventing most of those attacks,” Damato said (in a session at the Authenticate Financial Services Summit). “It’s also why I’m so very enthusiastic about FIDO.”

How Gemini Uses FIDO To Secure Its Users

Gemini wanted to provide its users with the strongest level of security authentication to help minimize risk.

While an SMS-based two-factor approach can be better than just a username and password, given the high value of a Gemini account, attackers may well go through the steps necessary to bypass SMS two-factor. Beginning in 2019, Gemini began offering its customers the highest level of security possible by supporting the FIDO2 authentication standard.

“FIDO2 is designed to overcome challenges and dramatically increase the cost for an attacker,” Damato said. “There’s no password that can be shared by our customers and that’s why FIDO2 is phishing resistant.”

Benefits

For Gemini, the use of FIDO2 provides a series of tangible risk-mitigation benefits that help to reduce the attack surface. Instead of needing to rely on a One-Time Password (OTP), SMS or backup codes, Gemini users can benefit from a more user-friendly FIDO2-powered experience.

Among the most common types of attack is credential stuffing, where an attacker takes passwords lost or stolen from one site and re-uses, or ‘stuffs’, them into another. With FIDO, that risk is minimized for Gemini: since FIDO strong authentication is based on cryptography and not a shared secret, even if a user reuses a password elsewhere, the deployment of FIDO significantly reduces the risk.
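Two points made on this page are worth seeing as running code: the Mercari section's statement that the browser and operating system bind a passkey to the site that created it, and Gemini's point that FIDO rests on cryptography rather than a shared secret. The Go program below is an added example, not code from Mercari, Gemini, Nok Nok or the FIDO Alliance. It models a relying party (RP) verifying a WebAuthn-style assertion with the standard library only: the stored public key, the challenge, the origin in clientDataJSON and the rpIdHash in authenticatorData are all checked before the ECDSA signature. The domain names are constructed placeholders, and the device stand-in does not itself enforce credential scoping the way a real authenticator does, so the example shows the RP-side checks catching a relayed assertion even without that help. Attestation, the COSE key encoding and the signature counter comparison are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed sample relying party (RP) and the attacker's look-alike site.
const rpID, rpOrigin = "passkey-demo.example", "https://passkey-demo.example"
const phishRPID, phishOrigin = "passkey-demo-login.example", "https://passkey-demo-login.example"

// clientData mirrors the CollectedClientData fields an RP checks; the browser fills them in.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte } // from navigator.credentials.get()

// Authenticator stands in for the user's device; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only credential material the RP stores at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedBytes is what WebAuthn signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedBytes(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return digest[:]
}

// Sign builds an assertion. The browser passes the origin it runs on and the RP ID derived from
// it, so a look-alike page can only obtain an assertion that names the look-alike.
func (a *Authenticator) Sign(browserRPID, browserOrigin string, challenge []byte) (Assertion, error) {
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: browserOrigin})
	// authenticatorData = rpIdHash (32) || flags (1) || signCount (4); extensions omitted.
	rpIDHash := sha256.Sum256([]byte(browserRPID))
	authData := append(rpIDHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV, counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedBytes(authData, cdJSON))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cdJSON, Signature: sig}, nil
}

// VerifyAssertion is the RP side: type, origin, challenge, rpIdHash, then the ECDSA signature
// under the stored public key. Nothing the RP holds is a secret an attacker could steal and reuse.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge []byte, a Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected clientData type %q", cd.Type)
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was collected on another site", cd.Origin, rpOrigin)
	}
	if got, err := base64.RawURLEncoding.DecodeString(cd.Challenge); err != nil || !bytes.Equal(got, challenge) {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if want := sha256.Sum256([]byte(rpID)); len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential is bound to a different RP")
	}
	if !ecdsa.VerifyASN1(pub, signedBytes(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

// Demo: a genuine sign-in, then a real-time phishing relay where the attacker forwards the RP's
// challenge to the victim's browser on the look-alike site and returns what it signs.
func Demo() (genuineOK bool, relayRejection error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return false, err
	}
	challenge := make([]byte, 32) // the RP's fresh per-login challenge
	rand.Read(challenge)
	genuine, _ := auth.Sign(rpID, rpOrigin, challenge)
	genuineOK = VerifyAssertion(auth.PublicKey(), challenge, genuine) == nil
	relayed, _ := auth.Sign(phishRPID, phishOrigin, challenge)
	return genuineOK, VerifyAssertion(auth.PublicKey(), challenge, relayed)
}
```

Running Demo() returns true for the genuine sign-in and an origin-mismatch error for the relayed one: the victim's browser wrote the look-alike origin into clientDataJSON and the look-alike's rpIdHash into authenticatorData, and both are covered by the signature, so the attacker cannot edit them to match. Where SMS OTP relay succeeds because the code is origin-agnostic, the passkey assertion is rejected before the signature is even examined. The same program shows the "no shared secret" property: a database of registered public keys lets nobody sign, so a leak of it does not enable credential stuffing against this or any other site.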

“The benefit to me as a company is that I don’t actually have to store, manage credentials or worry about other breaches, where credentials have been stolen,” Damato said.

Intuit’s ROI from Passwordless Customer Authentication
https://fidoalliance.org/case-study-intuits-roi-from-passwordless-customer-authentication/ (Thu, 29 Jun 2023 14:18:45 +0000)

Business Situation

Intuit is the global financial technology platform that powers prosperity for more than 100 million consumers and businesses around the world using TurboTax, Credit Karma, QuickBooks and Mailchimp. The company’s long-held commitment to Design for Delight principles has been a key ingredient of its success in fueling innovation across its products, services and customer touchpoints to create bold new AI and data-driven personalized experiences at scale.

To execute on a user-centric focus, Intuit’s customer authentication products team, led by Rakan Khalid, Intuit Group Product Manager, Identity, justifies and prioritizes development of new authentication capabilities based on user research, security trends and technology advancements in the industry. This has led to an overarching strategy that emphasizes secure and convenient authentication experiences on its platform.

Intuit saw the potential of the FIDO (Fast IDentity Online) Alliance early on and began a multi-year FIDO journey in 2018 to reduce customer friction and enhance security, at lower operating costs.

Business Challenges

Intuit set out to address several challenges when evolving its customer authentication strategy to serve a growing customer base across a diverse set of product offerings and user personas:

  • Customers experienced friction when logging on, which negatively impacted key business metrics.
  • Sign-in times (time to successful sign-in) were getting longer, and calls into customer care for account sign-in-related issues were increasing.
  • Product teams were challenged to balance ease-of-use and convenience for users with appropriate levels of security.

Business Objectives

The team set out to achieve the following business objectives for customer authentication across Intuit’s product portfolio:

  1. Deliver a delightful and seamless customer authentication experience that “just works” across multiple devices.
  2. Push the envelope on customer authentication technology to further enhance the security posture of Intuit.
  3. Build a resilient, scalable, durable customer authentication capability for its current and future business needs.

OVERVIEW

“As an early adopter of FIDO, we’ve seen significant business benefits and are completely on board with continuing to leverage the latest FIDO innovations with our partner, Nok Nok.”

Rakan Khalid, Intuit Group Product Manager, Identity

Results and Benefits

Intuit was able to reduce customer friction, resulting in authentication success rates of 95% to 97% and 70% faster sign-in speeds.

FIDO Authentication Deployment – Measured Steps

Intuit implemented a FIDO-based customer authentication solution in line with the FIDO Alliance’s founding members’ goals. FIDO protocols are based on an asymmetric cryptographic authentication framework designed to enhance security, provide a better user experience (compared to traditional passwords) and reduce cost and complexity.

Although FIDO is an open standard, the expertise required to code and deploy a scalable FIDO solution for millions of consumer and small business customers led Intuit to license a FIDO authentication platform.

Intuit selected the Nok Nok™ S3 Authentication Suite (S3 Suite) for its advanced FIDO features and capabilities; optional on-prem deployment model; and speed, scale, and resilience, which were validated by Nok Nok enterprise customers.

Intuit’s authentication team placed a high priority on working with a FIDO leader with deep and relevant experience in customer authentication, and therefore well equipped to keep pace with industry progress in this fast-evolving technology.

Build vs. Buy: Intuit recognized that the company would benefit from the expertise of a vendor with experience working with other major companies on its authentication journey, and enjoy access to innovative product enhancements along the way.

Progressive Deployment: Intuit opted to deploy Nok Nok’s customer authentication solution across multiple apps in a controlled and measurable manner:

  • Intuit’s authentication team initially tested Nok Nok’s FIDO passwordless customer authentication on the mobile iOS version of an Intuit product with a small customer base.
  • Over the next few months, the team rolled out Nok Nok’s FIDO passwordless solution on mobile iOS and Android platforms for a broader customer base on multiple Intuit products.
  • The team added FIDO as an option to Intuit’s passwordless customer onboarding flow, which improved onboarding conversion rates and reduced subsequent sign-in times.
  • Over the last 5 years, Intuit has grown its total FIDO registrations to over 77 million.

Authentication Solution Delivers on Business Objectives

Intuit has been able to achieve all of its business objectives, while simultaneously addressing new use cases for a growing customer base:

  1. Delightful Customer Sign-in – FIDO-based multi-factor authentication (MFA) for customer sign-in dramatically improves and simplifies the user sign-in experience because it’s completed in a single user step. This reduces the need for a multi-step authentication process (e.g., password, texting one-time passcodes). Using FIDO, Intuit users are presented with a seamless, passwordless flow using device-based platform authenticators, such as biometrics with which they’re already comfortable.

Today, more than 85% of all customer authentications on Intuit’s mobile apps are done using FIDO.

  2. Enhanced Customer Security – When FIDO authentication is used, it eliminates the passing of passwords and one-time tokens between apps and services, which can reduce the risk of interception attacks.
  3. Global Scale – Since Nok Nok’s S3 platform is trusted by some of the largest banks, telcos and fintech brands across five continents and has been proven to scale across demanding customer environments, it’s given Intuit the confidence that it will continue to scale with the company’s future growth to match uptime and authentication speeds.

Business Results

By deploying a passwordless solution for customer authentication, Intuit was able to reduce customer friction, thereby reducing operating expenses. Users who adopted the FIDO passwordless authentication option experienced authentication success rates of 95% to 97% when compared to a baseline of 80% for legacy multi-factor authentication and 70% faster sign-in speeds over non-FIDO sign-ins.

Looking Ahead

Over the past several years, Intuit has experienced the power of FIDO customer authentication for its consumer and small business customers, and validated its benefits with its product, technology, security, user experience and customer care teams. Looking ahead, the company intends to explore multi-device passkey technology as the next frontier on its authentication journey.

Toyota Motor Corporation turns to FIDO Authentication for Enhanced Login in Japan
https://fidoalliance.org/toyota-motor-corporation-turners-to-fido-authentication-for-enhanced-login-in-japan-2/ (Mon, 26 Jun 2023 23:56:55 +0000)

Corporate overview and challenge

As the “CASE” trend is gaining ground in the automotive industry, Toyota Motor Corporation, a leader and evolving company in the industry, is changing its model from a “car company” to a “mobility company”. In the area of “C: Connected,” Toyota is working to realize its vision of “Mobility for All – Freedom and Enjoyment of Mobility for All People,” and is developing a number of new services, including a “digital key” that allows the use of smartphones as keys, as well as a website and smartphone applications, for a wide range of users.

The “TOYOTA/LEXUS common ID” (“common ID”), a customer authentication service for safe and comfortable use of various services provided by Toyota, plays an important role in the provision of a series of services. The 5 million TOYOTA common IDs are linked to about 40 different services, and the multiple smartphone applications provided to customers required the input of IDs/passwords for each application.

FIDO2 deployment

Toyota Motor Corporation has decided to deploy FIDO authentication as an optional authentication function for the “Common ID,” the major advantage of which is that by registering FIDO authentication credentials in advance, users will no longer need to go through the process of entering their ID/password each time they use each smartphone application.

Prior to deploying FIDO authentication, Toyota Motor Corporation had been using one-time password authentication and backup code authentication as its means of multi-factor authentication for common IDs. The main reason for choosing FIDO as one of the new options for multi-factor authentication this time was the robust security and usability of FIDO authentication. By using FIDO, a form of multi-factor authentication that combines possession of the smartphone used in everyday life with biometrics on that smartphone, a high level of security was ensured, and the user experience improved as well.

NRI Secure Technologies, Inc. (NRI Secure), which manages common IDs, has an authentication infrastructure called “Uni-ID Libra” that is compliant with FIDO authentication, and we requested their cooperation for implementation.

When introducing FIDO authentication for iOS and Android devices, the differences in behavior between operating systems (whether Discoverable Credentials, formerly known as Resident Keys, are supported; whether Safari on iOS requires explicit user interaction during key registration; and so on) affected the UX, and this was the main issue. In the end, we were able to absorb these differences by modifying the authentication web screen, which resolved it.

With this implementation, Toyota Motor Corporation has also focused on the importance of designing the life cycle of FIDO authenticators together. In providing services, it is necessary to prepare not only for authentication, but also for registration, device switching, and account recovery in case of loss. If other companies that provide services to consumers consider FIDO authentication, they should have a method that can maintain security strength when switching devices or recovering accounts.


OVERVIEW
Toyota Motor Corporation, headquartered in Toyota City, Japan, is Japan’s largest automobile manufacturer.

C (Connected):
IoT for automobiles

A (Autonomous):
Automated driving

S (Shared & Services):
From ownership to sharing

E (Electric):
Electric vehicles

Finally, Masatoshi Hayashi of Toyota Motor Corporation’s Connected Company Value Chain Infrastructure Development Department, who spoke with us about this case study, made the following comments.

“With the expansion of the connected strategy, the number of operations that can be carried out on smartphone applications and websites has been increasing. While convenient, they can also lead to accidents if misused, so more security measures are required. We believe that FIDO authentication will contribute as one piece to continue providing convenient and safe mobility services to our customers.”


(*) To obtain a common ID and register FIDO credentials, please visit https://id.toyota

PNC Uses FIDO Authentication to Reduce Security Risks, Improve User Experience https://fidoalliance.org/pnc-uses-fido-authentication-to-reduce-security-risks-improve-user-experience/ Wed, 14 Jun 2023 14:31:21 +0000

Why PNC Opted for FIDO

Security is of critical importance to PNC and its customers. PNC’s approach to providing digital services is founded on a strong commitment to protecting the privacy of those who use them. Multi-factor authentication is a key component of protecting customer identities and data, and the FIDO standards helped provide a roadmap to implementation.

As a result, PNC has been able to provide customers authentication options that are easy to use but still afford consistency in terms of protection. This translates into high-quality identity assurance to verify and validate that the right customer is enrolled and minimize the risk of impersonation. 

“We needed to find a way to create a user-friendly mechanism to improve customer security without creating a burdensome process that required so many steps that it dissuaded customers from enrolling or engaging,” said Susan Koski, Chief Information Security Officer at PNC.

Benefits Realized

By using FIDO standards, PNC has been able to manage the authentication experience so that it leverages the security features of a customer’s device, applying industry best practices for designing this identity protection mechanism. Ultimately, FIDO standards have been a core component of PNC’s cybersecurity strategy to minimize the risk of unauthorized access to customer credentials.

“We continue to identify ways to improve security for our customers; ultimately, reducing the reliance on passwords and other phishable credentials from our ecosystem is a critical aspect to protecting our customers,” Koski said.


OVERVIEW


PNC Financial Services is a coast-to-coast franchise with an extensive retail branch network and a presence in the country’s 30 largest markets. As one of the largest diversified financial services institutions in the United States and across four strategic international offices, PNC provides retail banking, corporate and institutional banking, and asset management. In a rapidly changing financial industry, PNC is focused on providing control and functionality that customers want – in a secure environment. To advance this goal, PNC has implemented FIDO authentication in specific use cases to help reduce security risks and improve user experience.

PNC Bank, National Association, is a member of The PNC Financial Services Group, Inc. (NYSE: PNC). PNC is one of the largest diversified financial services institutions in the United States, organized around its customers and communities for strong relationships and local delivery of retail and business banking including a full range of lending products; specialized services for corporations and government entities, including corporate banking, real estate finance and asset-based lending; wealth management and asset management. For information about PNC, visit www.pnc.com.

Cloudflare embraces FIDO to help its own security https://fidoalliance.org/cloudflare-embraces-fido-to-help-its-own-security/ Thu, 02 Mar 2023 19:08:21 +0000

THE CHALLENGE:
Improving Employee Access with Zero Trust

When Cloudflare started, the company provided its employees with access to internal applications via a virtual private network (VPN). Access to some, but not all, applications behind the VPN required two-factor authentication, typically done with one-time passcodes (OTP) generated by applications like Authy or Google Authenticator.

Cloudflare realized that it needed a more secure and scalable approach than VPN and started a process of moving toward a Zero Trust architecture utilizing Cloudflare Access.


From OTP to unphishable FIDO authentication

As part of its migration to a zero trust architecture, starting in 2018 Cloudflare began its usage of FIDO based security keys.

The goal behind using FIDO2 was to provide strong authentication that would enable Cloudflare’s zero trust model.

“I wanted something that was unphishable,” said Derek Pitts, director of enterprise security at Cloudflare. “If we were going to go through all the trouble of redoing a lot of our identity and access management infrastructure, I wanted it to be future proof and resilient.”

Overcoming barriers to adoption with selective enforcement

Cloudflare’s path to adoption of FIDO security keys was not an entirely straight path. Initially there were concerns around account recovery and replacement of lost physical security keys.

Another challenge was the fact that Cloudflare’s users were used to using OTP technology with Google Authenticator, or Authy. Managing user change aversion and education were key components in the switch from OTP to FIDO security keys. This led Cloudflare to a selective enforcement approach, so as not to force change on users that could potentially lock them out.

What Cloudflare did was to integrate FIDO into its identity-aware proxy (Cloudflare Access), which internal users used to reach internal sites. Instead of immediately requiring FIDO for all internal sites, Cloudflare initially required security keys on only three of them. Selective enforcement for FIDO security keys was activated on July 20, 2020, which the company notes as the day Twitter fell victim to a social engineering attack.

“That day was mayhem and we wanted to ensure that didn’t happen to us,” Pitts said.

Pitts said that by requiring FIDO2/WebAuthn for its three most sensitive internal apps, adoption grew, as it gave employees a training ground to get familiar with the technology. In 2021, Cloudflare made the switch to requiring FIDO security keys across its network.
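The following is an added example, not Cloudflare’s code, of the selective-enforcement decision an identity-aware proxy makes for each request. The session is assumed to carry the authentication methods that established it as RFC 8176 “amr” values (“hwk” for a hardware key, “otp”, “pwd”) and an “auth_time”; the hostnames in the required set are hypothetical, and enforceEverywhere models the later switch to requiring keys on every internal site. A session that has a second factor but not a key is sent to a step-up challenge rather than locked out, which is what keeps a gradual rollout from stranding users.

```javascript
// Added example (not Cloudflare's code): selective enforcement of FIDO security
// keys in an identity-aware proxy. Hostnames are hypothetical; session claims
// follow RFC 8176 "amr" naming ("hwk" = hardware key, "otp", "pwd").

const FIDO_REQUIRED = new Set([
  'admin.internal.example',
  'secrets.internal.example',
  'hr.internal.example',
]);
const SECOND_FACTORS = new Set(['hwk', 'otp']);
const MAX_SESSION_AGE_S = 8 * 60 * 60;

// Lower-case and strip a port so "ADMIN.internal.example:443" matches the set.
function normalizeHost(hostname) {
  return String(hostname).trim().toLowerCase().replace(/:\d+$/, '');
}

// Returns "allow", "step_up" (keep the session but run a WebAuthn challenge
// before proxying) or "deny" (full re-login).
function evaluateAccess(hostname, session, { now = Math.floor(Date.now() / 1000), enforceEverywhere = false } = {}) {
  if (!session || !Array.isArray(session.amr) || !Number.isInteger(session.auth_time)) {
    return 'deny';
  }
  if (now - session.auth_time > MAX_SESSION_AGE_S) return 'deny'; // stale session
  const amr = new Set(session.amr.map(String));
  const hasSecondFactor = [...amr].some(m => SECOND_FACTORS.has(m));
  if (!hasSecondFactor) return 'deny'; // password-only sessions reach nothing
  const host = normalizeHost(hostname);
  const needsKey = enforceEverywhere || FIDO_REQUIRED.has(host);
  if (!needsKey) return 'allow';
  // MFA session without a key on a key-only host: step up instead of logging out
  return amr.has('hwk') ? 'allow' : 'step_up';
}
```

Moving a site into the required set is then a one-line policy change, and the step-up outcome doubles as the “training ground” the text describes: users meet the key prompt only where it is enforced, while their existing OTP session keeps working everywhere else.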


OVERVIEW

Founded in 2010, Cloudflare is one of the world’s leading internet content delivery and security platforms, and one of the most widely deployed. Cloudflare’s products include a range of services including web performance, application network, zero trust and developer services.

Cloudflare’s network handles over 36 million HTTP requests per second and blocks over 124 billion cyber attacks a day. The Cloudflare network has over 200 points of presence around the globe.

“Selective enforcement ended up being a huge deal for us,” Pitts said. “That was one of the biggest forcing functions and things that made this project successful.”

Read Cloudflare’s blog, “How Cloudflare implemented hardware keys with FIDO2 and Zero Trust to prevent phishing,” to learn more about their FIDO Authentication implementation.

LESSONS LEARNED:
Take the small wins where you can

From the outset, the movement toward strong authentication had top-down support from Cloudflare’s CEO, CIO and CSO. Pitts said that having the executive buy-in was important, as it helped his team push through when it ran into issues.

Cloudflare has a large and complex network architecture, and it didn’t move to WebAuthn/FIDO2 overnight. Pitts said that it was a multi-year effort that succeeded on the foundation of a series of incremental small wins, each helping to prove that the technology can work to improve security.

The small wins approach incorporated Cloudflare’s selective enforcement approach. Pitts said that it’s important to have a training ground that will allow users to try out security keys and get familiar with the approach.

Yahoo! JAPAN’s password-free authentication reduced inquiries by 25%, sped up sign-in time by 2.6x https://fidoalliance.org/yahoo-japans-password-free-authentication-reduced-inquiries-by-25-sped-up-sign-in-time-by-2-6x/ Thu, 30 Jun 2022 17:05:42 +0000

Why passwordless?

As Yahoo! JAPAN offers e-commerce and other money-related services, there’s a risk of significant damage to users in the event of unauthorized access or account loss.

The most common password-related attacks were password list attacks (credential stuffing with username/password pairs leaked from other services) and phishing. One reason password list attacks are common and effective is the habit many people have of reusing the same password across multiple applications and websites.

The following figures are the results of a survey conducted by Yahoo! JAPAN.


Overview

Yahoo! JAPAN is one of the largest media companies in Japan, providing services such as search, news, e-commerce, and e-mail. Over 50 million users log in to Yahoo! JAPAN services every month. Over the years, there were many attacks on user accounts and issues that led to lost account access. Most of these issues were related to password usage for authentication. With recent advances in authentication technology, Yahoo! JAPAN has decided to move from password-based to passwordless authentication.


Yahoo! JAPAN’s passwordless initiatives

Yahoo! JAPAN is taking a number of steps to promote passwordless authentication, which can be broadly divided into three categories:

  1. Provide an alternative means of authentication to passwords.
  2. Password deactivation.
  3. Passwordless account registration.

The first two initiatives are aimed at existing users, while passwordless registration is aimed at new users.

1. Providing an alternative means of authentication to passwords

Yahoo! JAPAN offers the following alternatives to passwords.

  1. SMS authentication
  2. FIDO with WebAuthn

In addition, we also offer authentication methods such as e-mail authentication, password combined with SMS OTP (one time password), and password combined with email OTP.

Important

Yahoo! JAPAN restricts their service to phone carriers operating inside Japan and prohibits VoIP SMS.

SMS authentication

SMS authentication is a system which allows a registered user to receive a six-digit authentication code through SMS. Once the user receives the SMS, they can enter the authentication code in the app or website.

Apple has long allowed iOS to read SMS messages and suggest authentication codes from the text body. More recently, it has become possible to request such suggestions by specifying "one-time-code" in the autocomplete attribute of the input element. Chrome on Android, Windows, and Mac can provide the same experience using the WebOTP API.

For example (the original snippet placed a bare return at top level, which is a syntax error outside a function, so the script part is wrapped in a function here):

  <form>
    <input type="text" id="code" autocomplete="one-time-code"/>
    <button type="submit">sign in</button>
  </form>

  // Fill the code from the incoming SMS where the WebOTP API exists; elsewhere
  // the field simply stays empty and the user types the code by hand.
  function setupWebOtpAutofill() {
    if (!('OTPCredential' in window)) return;
    const input = document.getElementById('code');
    if (!input) return;
    // Stop waiting for the SMS if the user submits the form manually first.
    const ac = new AbortController();
    const form = input.closest('form');
    if (form) {
      form.addEventListener('submit', () => ac.abort());
    }
    navigator.credentials.get({
      otp: { transport: ['sms'] },
      signal: ac.signal
    }).then(otp => {
      input.value = otp.code;
    }).catch(err => {
      console.log(err); // AbortError after manual submit, or no matching SMS arrived
    });
  }
  setupWebOtpAutofill();

Both approaches are designed to prevent phishing: the SMS body carries the service’s domain on its last line (for example "@example.com #123456"), and the browser offers the code only to a page whose origin matches that domain, so a look-alike site on another domain is never handed the code.
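To make the binding concrete, here is an added example, not Yahoo! JAPAN’s code, of both halves of the origin-bound SMS format: the server-side function composes the message with the "@host #code" line last, and the client-side function does what a WebOTP-capable browser does before filling the field, returning the code only when the bound host equals the page’s host. The host names and codes are constructed sample values.

```javascript
// Added example (not Yahoo! JAPAN's code): the origin-bound one-time-code SMS
// format relied on by autocomplete="one-time-code" and the WebOTP API. The last
// line is "@<host> #<code>"; a browser hands the code only to a page on <host>.
// Hosts and codes below are constructed.

const HOST_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i; // bare hostname, no scheme/path
const CODE_RE = /^[0-9A-Za-z]{4,12}$/;

// Server side: compose the message the RP sends. Human-readable text first;
// the binding line must be the final line of the SMS.
function formatOriginBoundSms(host, code, text = 'Your sign-in code is') {
  if (!HOST_RE.test(host)) throw new Error('host must be a bare hostname without scheme or path');
  if (!CODE_RE.test(code)) throw new Error('code must be 4-12 alphanumeric characters');
  return `${text} ${code}.\n\n@${host} #${code}`;
}

// Client side: parse the last line and return the code only if the bound host
// matches the page's host. Returns null for unbound messages or a mismatch,
// which is exactly the case a phishing page on another domain ends up in.
function extractBoundCode(smsBody, pageHost) {
  const lines = String(smsBody).split(/\r?\n/);
  const last = lines[lines.length - 1].trim();
  const m = /^@(\S+) #(\S+)$/.exec(last);
  if (!m) return null;
  const [, host, code] = m;
  if (host.toLowerCase() !== String(pageHost).toLowerCase()) return null;
  if (!CODE_RE.test(code)) return null;
  return code;
}
```

Note what this does and does not protect: the binding stops the browser from auto-filling the code on the wrong origin, but a user who reads the SMS and types the code into a phishing page by hand is still exposed, which is why the FIDO path in the next section is the stronger option.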

For more information about the WebOTP API and autocomplete="one-time-code", check out SMS OTP form best practices.

FIDO with WebAuthn

FIDO with WebAuthn uses an authenticator to generate a public/private key pair and prove possession of the private key by signing a challenge issued by the server. When a smartphone is used as the authenticator, it can be combined with biometric authentication (such as a fingerprint sensor or facial recognition) to perform one-step two-factor authentication. In this case, only the signature and a flag indicating that user verification succeeded are sent to the server; the biometric data never leaves the device, so there is no risk of it being stolen from the server.

The following diagram shows the server-client configuration for FIDO. The client authenticator authenticates the user with biometrics and signs the result using public key cryptography. The private key used to create the signature is securely stored in a TEE (Trusted Execution Environment) or similar location. A service provider that uses FIDO is called an RP (relying party).

For more information, read authentication guidelines from the FIDO Alliance.

Yahoo! JAPAN supports FIDO on Android (mobile app and web), iOS (mobile app and web), Windows (Edge, Chrome, Firefox), and macOS (Safari, Chrome). As a consumer service, FIDO can be used on almost any device, which makes it a good option for promoting passwordless authentication.

  Operating System         Support for FIDO
  Android                  Apps, Browser (Chrome)
  iOS                      Apps (iOS 14 or later), Browser (Safari 14 or later)
  Windows                  Browser (Edge, Chrome, Firefox)
  Mac (Big Sur or later)   Browser (Safari, Chrome)

Yahoo! JAPAN recommends that users register for FIDO with WebAuthn, if they’ve not already authenticated through other means. When a user needs to log in with the same device, they can quickly authenticate using a biometric sensor.

Users must set up FIDO authentication with all devices they use to log in to Yahoo! JAPAN.

To promote passwordless authentication and be considerate of users who are transitioning away from passwords, we provide multiple means of authentication. This means that different users can have different authentication method settings, and the authentication methods they can use may differ from browser to browser. We believe it’s a better experience if users log in using the same authentication method each time.

To meet these requirements, it’s necessary to track previous authentication methods and link this information to the client by storing it in the form of cookies, etc. We can then analyze how different browsers and applications are used for authentication. The user is asked to provide appropriate authentication based on the user’s settings, the previous authentication methods used, and the minimum level of authentication required.
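The selection logic described above, as an added example that is not Yahoo! JAPAN’s code: the method shown on a given browser is chosen from the methods the user has enabled (with the password possibly disabled), the method this browser used last time (read from a cookie), and the minimum assurance level the requested service demands. The method names, the level numbers and the cookie name are assumptions, and a FIDO credential is treated as usable only on a browser where one has been registered, since registration is per device.

```javascript
// Added example (not Yahoo! JAPAN's code): pick the authentication method to
// present on this browser. Method names, LEVEL values and the "last_auth"
// cookie name are assumptions.

const LEVEL = { password: 1, email_otp: 2, sms: 2, fido: 3 };

// Read the method this browser used last from a Cookie header; unknown
// or tampered values are ignored rather than trusted.
function lastUsedFromCookie(cookieHeader, name = 'last_auth') {
  for (const part of String(cookieHeader || '').split(';')) {
    const [k, v] = part.trim().split('=');
    if (k === name && LEVEL[v] !== undefined) return v;
  }
  return null;
}

// Returns the method to show, or null when nothing usable on this browser
// meets the required level (caller then routes to registration or recovery).
function chooseAuthMethod({ enabled, passwordDisabled = false, fidoRegisteredHere = false, lastUsed = null, minLevel = 1 }) {
  const usable = enabled
    .filter(m => LEVEL[m] !== undefined)
    .filter(m => !(m === 'password' && passwordDisabled)) // disabled password: list attacks have nothing to try
    .filter(m => m !== 'fido' || fidoRegisteredHere)       // FIDO credentials are per device
    .filter(m => LEVEL[m] >= minLevel);                    // e.g. payments demand more than a password
  if (usable.length === 0) return null;
  // Consistency first: the same method this browser used last time, if still valid.
  if (lastUsed && usable.includes(lastUsed)) return lastUsed;
  // Otherwise the strongest available method.
  usable.sort((a, b) => LEVEL[b] - LEVEL[a]);
  return usable[0];
}
```

The minimum level is a property of the service being accessed, not of the user, so the same account can be asked for SMS on a news page and for FIDO on a payment page without the user changing any settings.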

2. Password deactivation

Yahoo! JAPAN asks users to set up an alternative authentication method and then disable their password so that it cannot be used. In addition to setting up alternative authentication, disabling password authentication (therefore making it impossible to sign in with only a password) helps protect users from list-based attacks.

We’ve taken the following steps to encourage users to disable their passwords.

  • Promoting alternative authentication methods when users reset their passwords.
  • Encouraging users to set up easy-to-use authentication methods (such as FIDO) and disable passwords for situations that require frequent authentication.
  • Urging users to disable their passwords before using high-risk services, such as e-commerce payments.

If a user forgets their password, they can run an account recovery. Previously this involved a password reset. Now, users can choose to set up a different authentication method, and we encourage them to do so.

3. Passwordless account registration

New users can create password-free Yahoo! JAPAN accounts. Users are first required to register with an SMS authentication. Once they’ve logged in, we encourage the user to set up FIDO authentication.

Since FIDO is a per-device setting, it can be difficult to recover an account, should the device become inoperable. Therefore, we require users to keep their phone number registered, even after they’ve set up additional authentication.

Key challenges for passwordless authentication

Passwords rely on human memory and are device-independent. On the other hand, the authentication methods introduced thus far in our passwordless initiative are device-dependent. This poses several challenges.

When multiple devices are used, there are some issues related to usability:

  • When using SMS authentication to log in from a PC, users must check their mobile phone for incoming SMS messages. This may be inconvenient, as it requires the user’s phone to be available and easy to access at any time.
  • With FIDO, especially with platform authenticators, a user with multiple devices will be unable to authenticate on unregistered devices. Registration must be completed for each device they intend to use.

FIDO authentication is tied to specific devices, which requires they remain in the user’s possession and active.

  • If the service contract is canceled, it will no longer be possible to send SMS messages to the registered phone number.
  • FIDO stores private keys on a specific device. If the device is lost, those keys are unusable.

Yahoo! JAPAN is taking various steps to address these problems.

The most important solution is to encourage users to set up multiple authentication methods. This provides alternative account access when devices are lost. Since FIDO keys are device-dependent, it is also good practice to register FIDO private keys on multiple devices.

Alternatively, users can use the WebOTP API to pass SMS verification codes from an Android phone to Chrome on a PC.

Apple recently announced the passkeys feature. Apple uses iCloud Keychain to share the private key (stored on the device) among devices that are signed in with the same Apple ID, which eliminates the need for registration for each device. The FIDO Alliance recognizes the importance of account recovery issues and has published a white paper.

We believe that addressing these issues will become even more important as passwordless authentication spreads.

Promoting passwordless authentication

Yahoo! JAPAN has been working on these passwordless initiatives since 2015. This began with the acquisition of FIDO server certification in May 2015, followed by the introduction of SMS authentication, a password deactivation feature, and FIDO support for each device.

Today, more than 30 million monthly active users have already disabled their passwords and are using non-password authentication methods. Yahoo! JAPAN’s support for FIDO started with Chrome on Android, and now more than 10 million users have set up FIDO authentication.

As a result of Yahoo! JAPAN’s initiatives, the percentage of inquiries involving forgotten login IDs or passwords has decreased by 25% compared to the period when the number of such inquiries was at its highest, and we have also been able to confirm that unauthorized access has declined as a result of the increase in the number of passwordless accounts.

Since FIDO is so easy to set up, it has a particularly high conversion rate. In fact, Yahoo! JAPAN has found that FIDO has a higher CVR than SMS authentication.


FIDO has a higher success rate than SMS authentication, and faster average and median authentication times. As for passwords, some groups have short authentication times, and we suspect that this is due to the browser’s autocomplete="current-password".

The greatest difficulty for offering passwordless accounts is not the addition of authentication methods, but popularizing the use of authenticators. If the experience of using a passwordless service is not user-friendly, the transition will not be easy.

We believe that to achieve improved security we must first improve usability, which will require unique innovations for each service.

Conclusion

Password authentication is risky in terms of security, and it also poses challenges in terms of usability. Now that technologies supporting non-password authentication, such as WebOTP API and FIDO, are more widely available, it’s time to start working toward passwordless authentication.

At Yahoo! JAPAN, taking this approach has had a definite effect on both usability and security. However, many users are still using passwords, so we will continue to encourage more users to switch to passwordless authentication methods. We will also continue improving our products to optimize the user experience for passwordless authentication methods.

View the Yahoo! JAPAN’s Case Study PDF document here.

Source: https://web.dev/yahoo-japan-identity-case-study

Cambridge Housing Authority’s Road to FIDO https://fidoalliance.org/cambridge-housing-authoritys-road-to-fido/ Fri, 20 May 2022 17:56:37 +0000

The Challenge:

At the Authenticate 2021 event, Jay Leslie, CIO of the Cambridge Housing Authority (CHA), recounted that his organization had been the victim of a spear phishing attack and that he was looking for a way to provide a more secure approach to user account authentication.

To help improve its security posture, the CHA was initially looking for a method of multi-factor authentication (MFA) to better secure access to the agency’s information resources. 

CHA had a number of key requirements for its MFA adoption. One of the requirements was that the MFA method should not require a phone authenticator app, as the CHA doesn’t issue company mobile phones broadly. Additionally, there was some resistance to using personal devices for work by CHA staff. 

Another primary requirement was that the MFA could not require an additional object for users and IT to keep track of, such as hardware authenticator keys.

The Road to FIDO: Enabling a Better User Experience

CHA considered a number of different approaches before settling on FIDO Authentication.

CHA’s users already have HID cards for physical access to CHA offices, and an initial idea was to use these smart cards for MFA. The specific HID cards used by CHA, however, are older and couldn’t be reused for access to computer resources.

While researching multi-factor authentication options, CHA came across the FIDO Alliance website. CHA realized that FIDO Authentication could be supported within its existing environment with a lot of the organization’s existing processes and infrastructure.

Further investigation led CHA to realize that simple convenient multi-factor authentication was too narrow a goal and that FIDO adoption offered the opportunity for something much greater.

FIDO offered CHA the chance to revolutionize the user experience for its staff. With FIDO, not only could secure Windows authentication be achieved, but by combining WebAuthn with SAML single sign-on, secure, seamless passwordless authentication could be extended to every major system and application used at the agency.

Overview

The Cambridge Housing Authority (CHA) helps to provide rental assistance and affordable long-term rental housing to low income residents of Cambridge, Mass. The CHA uses IT throughout its organization to help onboard residents into public housing and has limited IT staff.


Convenient, Efficient and More Secure

“A 6-digit PIN that doesn’t need to be changed periodically is far more convenient to remember and type than a long password. I have found it very easy and efficient to use. The IT department assures me it’s more secure, too.” — John Filip, CFO, Cambridge Housing Authority

Why FIDO Standards Matter

For CHA, choosing a standards based approach was a critical factor for multi-factor authentication. 

With a small IT staff and limited resources, choosing a technology approach that will stand the test of time is an important factor.  

A standards-based approach to strong authentication allows CHA to benefit from industry efforts to utilize a solution that has broad and growing support. A standards based approach with FIDO can be supported for years to come and is a better option than CHA going it alone to cobble together a kludge that’s just good enough today, but that may be left behind in a year or two.

How CHA Uses FIDO with Windows Hello

CHA was already running Microsoft Windows on its systems, providing the organization with an easy entry point to the world of FIDO.

The organization implemented FIDO-compliant Windows Hello for Business using the key-based method. CHA’s IT team encouraged the use of device PINs for the initial rollout in an effort to support as many users as possible.

The initial Windows Hello for Business rollout was to a small pilot group of users. When the pilot was expanded to a larger group of users, CHA encountered problems due to the organization not fully understanding the infrastructure required to support the solution. After pausing to fully understand the requirements, CHA realized that its small technology team lacked the experience and the time to carry out a full-scale implementation effectively. As such, CHA then identified resources that could help.

From MFA to Organization-wide Passwordless

CHA didn’t just choose FIDO for MFA. 

The FIDO deployment at CHA is a larger effort to embrace a broader passwordless model throughout the organization. CHA’s passwordless project to implement FIDO-compliant Windows Hello for Business also included a SAML SSO component to make all possible systems and applications passwordless. 

CHA now has over 250 account holders with most of them using FIDO device-based PINs for authentication instead of passwords on a regular basis.

The Future of FIDO at CHA

FIDO Authentication is set to remain critical to CHA’s authentication strategy.  Looking forward, the organization is likely to move from device-based PIN authentication to fingerprint or HID card-and-PIN authentication, as acceptance of biometrics and the ubiquity of fingerprint readers and NFC-enabled endpoints grows.

For organizations considering rolling out FIDO Authentication, Jay Leslie, CIO of CHA has a few seasoned words of advice. Leslie suggests that IT teams should not be afraid to seek outside help and should not consider an extended pilot a failure. It can take third party expertise and time to get the implementation right, but it’s well worth it, in his view.

View the Cambridge Housing Authority (CHA) Case Study PDF document here.

PLUSCARD uses FIDO as Innovative Alternative to App-based Payment Authentication https://fidoalliance.org/pluscard-uses-fido-as-innovative-alternative-to-app-based-payment-authentication/ Sat, 30 Oct 2021 00:29:20 +0000

Overview

PLUSCARD, a full-service processor for 140 financial institutions across Germany, worked with Entersekt and its partner Netcetera to launch the first FIDO Certified alternative to app-based authentication in Europe in June 2021. The solution gives customers the option to use FIDO2 Security Keys to authenticate themselves for payments with online merchants leveraging the latest EMV 3DS protocol. 

The Challenge: Authenticating without a mobile device

PLUSCARD needed a way to authenticate customers for online transactions without relying on a mobile device, one that also aligned with the PSD2 requirements for security and usability.

Every online payment that must be authenticated by PLUSCARD requires a verification of whether the account or card data were entered by the legitimate cardholder. Various methods exist that prove the identity of shoppers online, however most require the use of a mobile app. For customers that do not have a mobile device or prefer to make payments via a laptop or computer, there are very few secure alternatives available. 

Company Profiles


PLUSCARD:
Full-service processor for 140 financial institutions across Germany

Netcetera:
Market leader for digital payment solutions

Entersekt:
Specialist in strong customer authentication

“You won’t necessarily attract customers with good authentication, but you definitely won’t lose any because of it.”

– Petra Silsbee, Head of Department, Prevention/Dispute Management, PLUSCARD

The Road to FIDO: Weighing PSD2-compliant options

Customer authentication procedures have become more complex in the EU due to the introduction of PSD2 and strong customer authentication (SCA). Under the regulation, processing via mobile devices guarantees compliance with the stricter requirements, while offering a better payment experience for consumers at the same time.

While many opted to use SMS OTPs, PLUSCARD prioritized security and usability from the beginning of their journey by initially opting for a proprietary mobile app in combination with biometrics. This met their needs for mobile-based users, but left a gap for customers who preferred or only had access to computers. To fill that gap, PLUSCARD concluded that FIDO2 Security Keys not only met regulations, but they weren’t tied to possession of a mobile device and excelled in both security and usability.


PLUSCARD also saw an opportunity to provide its customers with a consistent authentication and payment journey with FIDO. Not only can customers use their FIDO Security Keys to log into other common services like Google, GitHub and Twitter, they can now also use them to log into their account and pay, all within one shopping experience.

FIDO2 Implementation: Today and in the future

PLUSCARD, with Entersekt and Netcetera, implemented the FIDO standard in their joint solution.

Entersekt provides a FIDO Alliance-certified FIDO server to the solution. PLUSCARD’s cardholders register their FIDO Security Key with their bank; the key is then linked to the customer’s credit card and used to authenticate their online transactions at merchants that have implemented EMV 3DS.

This works at any online merchant that has implemented the latest version of EMV 3DS. However, there are challenges with those merchants that have not yet updated to the newest version.


FIDO2 is a set of strong authentication standards that enables users to leverage common devices like on-device biometrics and FIDO security keys to authenticate to online services with phishing-resistant cryptographic security. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).


As more merchants are implementing the latest version of EMV 3DS, which supports FIDO authentication, they will be able to work FIDO into their checkout authentication process. With broader adoption on the horizon, PLUSCARD is looking to replace their proprietary mobile app with a FIDO-based on-device authentication option. 

A Valuable Lesson Learned

“Authentication is not a one-time investment — it’s a journey,” said Petra Silsbee, Head of Department, Dispute Management, at PLUSCARD. “The goal isn’t just to comply with regulations and requirements, but to provide the best service and experience for customers. Be curious about the solutions available, ask questions, and don’t be afraid to start fresh if a previous investment isn’t meeting your needs and expectations.”

Yahoo! JAPAN turns to FIDO Authentication for Enhanced Login https://fidoalliance.org/yahoo-japan-turns-to-fido-authentication-for-enhanced-login/ Wed, 08 Sep 2021 18:22:49 +0000 https://fidodev.wpengine.com/?p=35081

Yahoo Japan Corporation is an internet company offering more than 100 services, including search engine, auction, news, weather, sport, email and shopping to the more than 51 million active users on its platform.

For Yahoo! JAPAN, the act of signing in is the entry point to all of its services. This makes it critical that the experience at that entry point is a positive one for all users. At the same time, it’s equally critical that every user’s personal information is well protected.

To find the right balance between convenience and security, Yahoo! JAPAN turned to FIDO Authentication.

From Early Member to Early Adopter

Yahoo! JAPAN was one of the earliest members of the FIDO Alliance, joining in April 2014. In its role as a member, executives from Yahoo! JAPAN participated in user authentication specifications development, particularly the FIDO2 standards, and best practices for FIDO adoption for consumers via the Alliance’s Consumer Deployment Working Group. Yahoo! JAPAN was appointed to the FIDO Alliance board of directors in 2019.

During this time of actively contributing to the FIDO Alliance, Yahoo! JAPAN was evaluating FIDO for its own services. Yahoo! JAPAN had been offering SMS one-time passcodes for two-factor authentication but they weren’t quick, secure or easy enough for their users. By taking a standards-based approach with FIDO, specifically the FIDO2 standards, Yahoo! JAPAN learned it could provide strong authentication in a very simple way via on-device biometrics on billions of supported mobile, desktop and laptop devices.

Yahoo! JAPAN’s journey with FIDO deployment began in 2018 when the company became the first in Japan to certify a FIDO2 server, a necessary component to delivering FIDO Authentication to its users. After extensive internal testing and piloting, Yahoo! JAPAN unveiled its first deployment on Android Chrome in October 2018, the first deployment by a relying party. Today, the company now offers FIDO Authentication on Android and iOS both in the browser and for native applications (see figure 1 for the deployment journey). Next up, Yahoo! JAPAN plans to offer FIDO Authentication on desktop and laptop PCs.

Simultaneously with its FIDO deployment, Yahoo! JAPAN began offering its users the opportunity to disable passwords entirely, and register new accounts without having to establish a password.


For Yahoo! JAPAN users who have opted in to FIDO, signing in is very simple (see figure 2):

  1. The user inputs their user ID and clicks next
  2. Their device prompts them for their biometric, such as a fingerprint
  3. The user presents their biometric and is successfully signed in

OVERVIEW


The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy.

The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.


For its deployment, Yahoo! JAPAN leveraged FIDO2 standards with biometric authenticators.


“Password disablement is the end goal for us for the overall security and usability of our platform, and we see FIDO as a key factor in helping us get there faster,” — Yumi Ashida, product manager at Yahoo! JAPAN


Yahoo! JAPAN also values its membership in the FIDO Alliance for its role in helping to ease deployment and increase adoption. Membership provides a platform for the company to give direct feedback to other stakeholders, including the operating system platform providers, and to work directly with them on overcoming the challenges they face. It also allows them to work with other service providers working on deployments to share experiences and best practices.

“For others deploying FIDO Authentication in the consumer environment, it’s important to understand the time and resources that it will require. But considering the meaningful impact that FIDO brings — it’s well worth it,” — Yumi Ashida, product manager at Yahoo! JAPAN

Realizing the Benefits of FIDO

For users who access Yahoo! JAPAN’s services with FIDO, sign-in time has decreased dramatically, by 37% compared to other login methods. “Because signing in is the entry point to all of our services, quicker and more successful sign-ins mean our users can access our services that much more quickly — this makes a hugely positive impact on our users’ overall experience on our platform,” said Yumi Ashida, product manager at Yahoo! JAPAN.

To increase adoption and get more users to experience these benefits, Yahoo! JAPAN uses many tactics, including email promotion and pop-up notifications at login that invite users to enroll with FIDO. Key to this strategy is conveying the benefits of FIDO Authentication, including faster sign-ins, stronger security and the ability to remove the password from the login flow. At the same time, Yahoo! JAPAN is continuously working to ensure its user experience with FIDO is optimized.

eBay’s Journey to Passwordless with FIDO https://fidoalliance.org/ebays-journey-to-passwordless-with-fido/ Wed, 03 Mar 2021 12:09:30 +0000 https://fidodev.wpengine.com/?p=32894

A global commerce leader connecting millions of buyers and sellers around the world, eBay Inc. enables economic opportunity for individuals, entrepreneurs, businesses and organizations of all sizes. Because its users are at the core of its success, eBay emphasizes providing a positive and secure experience for both buyers and sellers. 

As with most websites, every user’s interaction with eBay begins with logging onto the site and authenticating themselves, i.e., verifying that they are who they say they are. However, the typical authentication sequence using usernames and passwords impacted the user experience – and made eBay more vulnerable to bad actors at the same time. Users were constantly forgetting and resetting their passwords – a frustrating process. And with many buyers and sellers using the same password for multiple accounts on multiple sites, a breach on any of those sites could open eBay to a breach as well. eBay knew it needed to make the authentication process more secure, but not at the expense of the user experience.

INSIDE FIDO STANDARDS

The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

Prioritizing Security and the User Journey

To add an extra layer of security to the login process, eBay implemented SMS one-time passcodes (OTPs). Even though it helped provide a more secure option, the method added costs, user friction and was still vulnerable to certain security issues. 

After reviewing a variety of other options to provide a simple, easy, and secure user authentication experience, eBay decided to roll out FIDO for strong authentication across both its native mobile app and browser-based mobile and web sites.

eBay decided to build its own open source FIDO server, which they felt gave them maximum control of the user experience and the end-to-end login flow. This approach also gives eBay better ability to manage its other login options, such as social logins. 

Realizing the Benefits of Standards

The strength of the FIDO Alliance and the FIDO standard, including the involvement of a wide range of major technology companies, was another significant factor in eBay’s selection of FIDO. 

“Choosing the FIDO standard for eBay user authentication was about more than simply adopting a secure protocol,” said Ashish Jain, head of Identity at eBay. “eBay operates in 190 markets and has a diverse set of users. We needed to make sure that any technology we choose can work consistently across various browsers and platforms.”

eBay’s Journey with FIDO: From Push to Passwordless

As a first step, eBay implemented FIDO for second factor authentication using the FIDO UAF protocol with a push notification flow. This meant that, when a user logged into eBay with a username and password, they would receive a notification from the mobile eBay app to confirm the login. Implemented as an opt-in feature, FIDO immediately garnered significantly higher opt-in rates than the previous SMS OTP solution, validating the FIDO standard’s ease of use.

Six months later, after seeing the already quick user adoption rate continue to rise, eBay decided to take the next step in passwordless authentication. In order to further simplify login flows, the company launched FIDO2 for primary authentication, no longer requiring users to take a second step to log in. Here’s how it works:

  • When the user logs in as normal, eBay detects whether the device supports FIDO2. If so, the user receives a pop-up box asking them if they would like to enroll in passwordless authentication;
  • If they opt in, the user is asked to enroll their facial or fingerprint biometric and is automatically enrolled;
  • The next time the user logs in, all they need to do is present their biometric. No username and no password required.
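The relying-party side of the flow just described, and of the public-key mechanism the FIDO overview sidebars summarize, as an added Go example that is not eBay’s server or any FIDO Alliance code: a simulated authenticator keeps one P-256 key pair per RP ID and signs assertions, and VerifyAssertion performs the WebAuthn checks (challenge, origin, rpIdHash, presence/verification flags, signature, counter) that make the scheme resistant to phishing and replay. The relying party shop.example, the challenge strings and the look-alike origin are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

const flagUP, flagUV byte = 0x01, 0x04 // authenticatorData flag bits: user present, user verified

// SimAuthenticator stands in for a platform authenticator (constructed for this example): one key pair per RP ID, private keys never leave it.
type SimAuthenticator struct {
	keys  map[string]*ecdsa.PrivateKey
	count uint32
}

// Register creates a P-256 key pair scoped to rpID and returns only the public half for the relying party to store.
func (a *SimAuthenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // entropy source failure; nothing sensible to continue with
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// signedMessage is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the ES256 input.
func signedMessage(ad, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return msg[:]
}

// Assert builds authenticatorData (rpIdHash || flags || signCount) and signs it with the key scoped to rpID.
// A real browser derives rpID from the page origin; both are parameters here so the origin check can be exercised.
func (a *SimAuthenticator) Assert(rpID, origin, challenge string) (ad, cdj, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, nil, errors.New("no credential scoped to " + rpID)
	}
	a.count++
	h := sha256.Sum256([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], a.count)
	ad = append(append(h[:], flagUP|flagUV), c[:]...)
	cdj, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cdj))
	return ad, cdj, sig, err
}

// VerifyAssertion runs the relying party's checks from the WebAuthn assertion ceremony (type, fresh challenge,
// origin, rpIdHash, UP/UV flags, ES256 signature, increasing counter) and returns the counter value to store.
func VerifyAssertion(pub *ecdsa.PublicKey, lastCount uint32, rpID, origin, challenge string, ad, cdj, sig []byte) (uint32, error) {
	var cd map[string]string
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return 0, err
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return 0, errors.New("ceremony type or challenge mismatch: stale or replayed assertion")
	}
	if cd["origin"] != origin {
		return 0, errors.New("origin mismatch: assertion was produced for " + cd["origin"])
	}
	want := sha256.Sum256([]byte(rpID))
	if len(ad) < 37 || string(ad[:32]) != string(want[:]) || ad[32]&(flagUP|flagUV) != flagUP|flagUV {
		return 0, errors.New("rpIdHash mismatch or user presence/verification flags not set")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(ad, cdj), sig) {
		return 0, errors.New("signature does not verify under the registered public key")
	}
	count := binary.BigEndian.Uint32(ad[33:37])
	if count <= lastCount {
		return 0, errors.New("signature counter did not increase: possible cloned authenticator")
	}
	return count, nil
}

func main() {
	var auth SimAuthenticator
	rp, origin := "shop.example", "https://shop.example" // constructed sample relying party
	pub := auth.Register(rp)
	ad, cdj, sig, _ := auth.Assert(rp, origin, "challenge-1")
	count, err := VerifyAssertion(pub, 0, rp, origin, "challenge-1", ad, cdj, sig)
	fmt.Println("genuine sign-in:", count, err)
	_, err = VerifyAssertion(pub, count, rp, origin, "challenge-2", ad, cdj, sig)
	fmt.Println("replayed assertion:", err)
	ad, cdj, sig, _ = auth.Assert(rp, "https://shop-example.test", "challenge-2")
	_, err = VerifyAssertion(pub, count, rp, origin, "challenge-2", ad, cdj, sig)
	fmt.Println("look-alike origin:", err)
}
```

Because the relying party stores only a public key and a counter, a server breach yields nothing reusable for login, and a second service registering with the same authenticator receives an unrelated key pair.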

Realizing Benefits for Both eBay and Its Users

Less than one year into its implementation of FIDO, eBay is already realizing its benefits: not only are opt-in rates higher than for SMS OTPs, but login success and completion rates have also significantly improved, especially on mobile devices. eBay started to roll out FIDO2/WebAuthn on Android/Chrome and has since expanded to Mac, Windows and iOS. Recently, eBay has also added support for roaming authenticators, such as security keys, providing another secure way to access eBay.

Looking Forward to a Completely Passwordless Future

In order to implement completely passwordless authentication, eBay must have a process in place for recovering accounts if a FIDO authenticator is lost or when a user adds a new device. In typical password authentication, users can recover their accounts through the email/password reset process, but removing the password from the equation presents a new challenge.

According to Jain, solving this issue is a priority for his team in the next six months.

“Today, our users can experience much faster and more convenient login experiences by opting in to FIDO,” observed Jain. “But to fully realize the security benefits of FIDO, we’re looking forward to disabling passwords entirely. By taking one step at a time and working as an industry to find solutions to issues like account recovery, we believe we will get there.”

View the eBay Case Study PDF document here.

National Health Service uses FIDO Authentication for Enhanced Login https://fidoalliance.org/national-health-service-uses-fido-authentication-for-enhanced-login/ Wed, 24 Feb 2021 16:27:08 +0000 https://fidodev.wpengine.com/?p=32903

To make it easier and faster for patients throughout England to securely access multiple digital health and social care services, the National Health Service (NHS) created NHS login, an authentication and identity verification service based on OpenID Connect that allows the public to access NHS resources with a single login. NHS login can be used to securely access confidential health and care information through apps and websites that display the NHS login button.

The NHS App, which provides simple and secure access to a range of NHS services such as booking medical appointments and ordering repeat prescriptions on iOS and Android, was the first service to use NHS login to identify and verify users. NHS login and the NHS App were initially rolled out in tandem, which created a natural opportunity for the two programmes to work closely and gather initial user feedback.

With NHS login and the NHS App, the NHS was challenged with delivering secure, user-friendly multi-factor authentication mechanisms which met the standards and guidelines set for public services, in a short timeframe. The NHS turned to FIDO Authentication to solve the challenge.

CHALLENGE
Compliant, User-Friendly Login

Due to the sensitive nature of the information provided by the NHS App, security is of utmost importance. As such, users had to use a two-factor authentication (2FA) method when logging into the app, which required both a password and an SMS one-time passcode (OTP). It quickly became evident that this method of authentication was too cumbersome for users and became a real barrier to adoption. The NHS realized an alternative, password-free login method was needed to simplify everyday access for users.

This posed a challenge for the NHS Digital team that created NHS login and the NHS App: Not only did the new solution need to meet the security standards and guidelines set for public services, it had to be done on a very tight deadline due to a ministerial-level commitment.

THE ROAD TO FIDO:
The NHS’s Evaluation Process for NHS login & NHS App

A fundamental requirement of NHS login and NHS App is a nationally agreed-upon approach to identity management for health and care, conformant with identity assurance principles endorsed by the U.K. government. NHS Digital decided that to meet these standards, biometric login would be the alternative login method for the applications. Since NHS login was already using OpenID Connect Authorisation Code Flow protocol – an open standard and decentralized authentication protocol – for user authentication, any platform used to develop biometric login would need to place great emphasis on developing a platform with open and scalable standards.

The NHS login team looked at a number of platforms that could meet their needs, and measured each on six criteria including:

1. Open, scalable standards

2. Public key cryptography

3. Biometric information stored on the user’s device, not the NHS or medical provider’s servers

4. Support for Android and iOS mobile platforms

5. Market/sector agnostic

6. Used by well-established applications and organizations

The NHS login team’s research revealed that FIDO Authentication, specifically the FIDO UAF protocol from FIDO Alliance, met all of the above criteria. They found that using FIDO in combination with the OpenID Connect Authorisation Code Flow would help NHS login to enable their partners to offer an enhanced login experience to their patients through device-based biometric authentication.

OVERVIEW


The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

The Solution
NHS Digital decided that biometric authentication would best address its needs and, following a search of platforms that complied with their requirements, FIDO UAF from the FIDO Alliance was found to best fulfill the criteria, including open and scalable standards and support for mobile browsers.

The Results
NHS App with the option for biometric authentication login has a user base of approximately 1.2 million and is growing at an average rate of 32,000 new users per week. The number of SMS OTPs that NHS Digital has needed to send to users has dropped by nearly two-thirds, to about 1.5 per user per month down from about four per user per month, which represents a significant cost savings for the organisation.


Inside the FIDO protocols

The FIDO protocols, including FIDO UAF, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometric information never leaves the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at log in, such as fingerprint or facial biometrics.


“FIDO biometrics has enabled users to use device-based authentication making access to NHS services using an NHS login even easier. We continually receive positive feedback regarding the speed and straightforwardness of accessing health and care websites and apps using fingerprint and facial recognition.”

– Melissa Ruscoe, Programme Head at NHS login

FIDO UAF Development

The NHS used its in-house development team to integrate FIDO UAF, employing the open source UAF server from eBay. Since NHS login is a serverless architecture, NHS Digital needed to rewrite the FIDO server to run optimally on AWS Lambda, which they did in Python, backed by DynamoDB. The NHS App also used the eBay open source UAF client as a guide for the Android implementation, which required quite a few tweaks, including rewriting it in Kotlin and packaging it as a client. For iOS, the NHS App created a UAF client in the Swift programming language, packaged using CocoaPods.

Deployment and user experience with FIDO UAF

Although NHS Digital initially believed it needed to use FIDO UAF to build the NHS App as a comprehensive gateway for patients, it only had to include the basic information patients would normally seek online. By keeping the app “thin,” NHS Digital could let those using the platform build their own features on top of the NHS App. To facilitate this, NHS Digital exposed the APIs so others could develop their own apps to meet their own users’ specific needs, while still granting safe, secure access to their data.

As of October 2020, there are 20 live partners and services integrated with NHS login. The NHS App, with the option for biometric authentication login, has a user base of approximately 1.2 million, with an average of 250,000 FIDO authorization requests each week. Meanwhile, the user base continues to grow at a rate of 32,000 new users per week, of which roughly 25,000 set up FIDO UAF biometric authentication. Biometric authentication has reduced the number of SMS one-time passcodes (OTPs) NHS Digital has had to send to users by nearly two-thirds, to about 1.5 per user per month, down from about four per user per month. This also represents a significant cost saving for the organisation, since the average cost of each SMS OTP is 1.58p plus value-added tax.

FUTURE IMPROVEMENTS

NHS Digital is committed to open-sourcing the solution: FIDO client libraries are already available for both iOS and Android, and the team is working to make the FIDO server libraries open source as well.

For the future, NHS Digital is looking at employing FIDO2 WebAuthn to support a wider range of use cases and applications.

View the NHS Case Study PDF document here.

Deploying FIDO in Japan: An Interview with SBI Sumishin Net Bank https://fidoalliance.org/deploying-fido-in-japan-an-interview-with-sbi-sumishin-net-bank/ Sat, 10 Oct 2020 19:20:01 +0000 https://fidodev.wpengine.com/?p=31771

SBI Sumishin Net Bank is an Internet-focused bank jointly established in 2007 by SBI Holdings and Sumitomo Mitsui Trust Bank. In keeping with their aim to be recognized for innovation, the bank deployed FIDO Authentication in July 2020. We had an interview with the bank about the details of their deployment.

Q. Describe your service and how it’s using FIDO Authentication.

We have incorporated FIDO-compliant authentication into our existing “SBI Sumishin Net Bank” mobile application. Now, a single application is available to provide both banking and authentication functions to our customers. This eliminates the need for our customers to enter passwords and verification codes for each transaction. Instead, they can simply log in to the SBI Sumishin Net Bank App with biometric authentication. Even when transactions are made from a PC or other non-mobile application environments, the application will confirm and approve the transaction details before they are executed, preventing unauthorized transfers. Furthermore, when using the login approval function, only the registered smartphone can remove any control, which prevents unauthorized logins.

Q. What FIDO specification(s) did you implement? 

We have deployed a solution based on FIDO UAF, which uses biometrics (fingerprint and facial recognition) and PIN as the authentication methods.

Q. What other approaches did you consider before choosing FIDO? 

We looked at continuing with the existing smartphone application “Smart Authentication,” which is a separate application the customer would have to authenticate logins and bank transactions. However, we saw it as difficult to operate two applications separately and saw it as a burden for our customers to have to use two separate applications just to bank with us.

Q. Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

Although there are various types of authentication methods available, the fact that FIDO Authentication is a global standard developed by the global consortium FIDO Alliance, and that we have seen it increasingly being deployed in Japan and globally, were two factors that made it very appealing to us.

Q. Why did you decide on a standards-based approach? 

There are two main reasons why we chose to take a FIDO standards-based approach.

First, FIDO Authentication provides stronger security. FIDO Authentication enables safe exchange of authentication results over the network, and the credential is stored only on the device that performs the authentication (in our case, the smartphone) and does not need to be transmitted over the network or stored on the server side. 

Second, FIDO improves convenience for our customers. By incorporating authentication into our existing banking app, we are making it possible to complete both banking and authentication functions in a single app, enabling smooth transactions without having to enter passwords or other information.

Q. What steps were involved in your roll out of FIDO Authentication? Did you work with a partner? 

We implemented the FIDO-compliant “SaAT Pokepass Authentication Service” provided by Net Move Corporation (“Net Move”), a wholly owned subsidiary of SBI Sumishin Net Bank. The new authentication function “Smart Authentication NEO” was deployed by incorporating the client SDK for this service into the bank application.

Q. What other data points can you share that show the impact FIDO authentication has had?

On July 31, 2020, we launched a new authentication feature, “Smart Authentication NEO.” On the quantitative side, the number of new registered customers has reached approximately 100,000 in just three weeks since its launch, and we expect this number to increase further in the future.

On the qualitative side, many customers have commented on the convenience of being able to use a single app for both banking and authentication functions.

Q. What advice would you give to other organizations considering rolling out FIDO authentication? 

Again, our company’s FIDO authentication uses Net Move’s “SaAT Pokepass Authentication Service.” By collaborating with Net Move, we were able to deploy the new authentication function “Smart Authentication NEO” in a short period of time.

In addition to FIDO authentication, Net Move already has an installed base at more than 100 financial institutions, including “SaAT Netizen,” an anti-fraudulent remittance service, and we believe that Net Move can help to solve these issues.

Q. What role do you see FIDO Authentication playing for your company in the future?

The “Smart Authentication” service will be discontinued after January 2021, and we will move exclusively to the FIDO-enabled “Smart Authentication NEO” app. We see that moving to the FIDO-enabled app as the key authentication function will further allow us to provide secure and convenient experiences for our customers.

Q. If you are able, please provide a quote from an executive regarding this deployment and the impact FIDO has had for your organization.

Quote from the project manager of SBI Sumishin Net Bank:

“Our goal is to revolutionize financial services and make society more comfortable and convenient by utilizing the most advanced technology with a customer-centric approach. Security is an extremely important factor in achieving this goal, and we believe that the introduction of FIDO will make a significant contribution.”

First Citrus Bank Eliminates the Password for Employees https://fidoalliance.org/first-citrus-bank-eliminates-the-password-for-employees/ Fri, 14 Aug 2020 14:31:53 +0000 https://fidodev.wpengine.com/?p=31380

Florida-based First Citrus Bank provides premier independent community banking services to individuals, professionals, executives and entrepreneurs. With 70 employees in five locations, First Citrus is ranked in the top five Tampa Bay community banks by asset size.

Struggling with costs, complexities and security issues with passwords, First Citrus sought to increase security and usability for its employees logging into its various systems on shared Windows workstations. After testing several alternative authentication methods, First Citrus turned to FIDO Authentication as the best option to provide strong cryptographic authentication with a much easier passwordless user experience.

Eliminating the password

First Citrus sought to move away from passwords as the primary form of authentication for its employees logging on to its systems on shared Windows workstations. Between costly resets and a negative impact on employee productivity, First Citrus’s main objective was to eliminate the need for its employees to have to enter a password while providing secure user authentication.

The bank evaluated several desktop authentication options including smart cards and time-based one-time passwords (TOTPs), but found that these options added friction for their employees’ logins, creating a poor user experience while not providing enough additional security. All of the options they reviewed also still required password entry.

Taking a standards-based approach to passwordless authentication

First Citrus then looked to FIDO Authentication, a standards-based approach to strong authentication. The interoperability that comes with taking a standards-based approach fit well into First Citrus’s broader security strategy.

FIDO standards use on-device public key cryptography techniques to provide stronger authentication over passwords and other forms of strong authentication; user credentials are never shared and never leave the user’s device. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometric information never leaves the user’s device. This is all balanced with a simple user experience that meets passwordless use cases with native biometrics on the user’s device.

It was important to First Citrus to choose an end-to-end FIDO Certified solution in order to roll out FIDO Authentication to all of its access points with assured security and interoperability. The bank chose to work with HYPR, which offers FIDO Certified platforms for FIDO UAF (mobile-based passwordless authentication) and FIDO2 (mobile and desktop passwordless and second-factor authentication) standards. The mixture of these FIDO specifications allows First Citrus to cover mobile and desktop requirements for user authentication.

Simpler, mobile-initiated authentication for all employees

First Citrus deployed HYPR’s FIDO platform to provide truly passwordless authentication for all of its employees logging into Windows 7 and 10 workstations. Deployment was straightforward: within an hour, the bank was able to have computers leveraging FIDO Authentication. After a several-month evaluation period, First Citrus rolled out the FIDO solution to all of its employees in February 2019.

For First Citrus employees, logging in is now mobile-initiated. They simply use the native biometrics on their mobile device (iOS or Android) to log in to any First Citrus desktop workstation, with far higher FIDO security and privacy over the old password model. Employee feedback has been positive; the chief financial officer has joked, “I’ve completely forgotten my password!” HYPR’s FIDO Certified platform has now become a core component of First Citrus’s internal authentication strategy, with the possibility of extending FIDO authentication options to its online banking customers in the future.

View the First Citrus Bank Case Study PDF document here.

OVERVIEW

First Citrus is ranked in the top five Tampa Bay community banks by asset size, with 70 employees in five locations.

Objective
First Citrus sought to eliminate the need for employees to have to enter a password while providing secure user authentication.

Solution
First Citrus implemented HYPR’s FIDO Certified authentication platform, which provides simpler and secure mobile-initiated biometric logins for all employees to Windows workstations.

What’s Next
FIDO and HYPR have now become core components of First Citrus’s authentication strategy, with the possibility of extending FIDO authentication options to its online banking customers in the future.

Deploying FIDO in Japan: An Interview with KDDI https://fidoalliance.org/deploying-fido-in-japan-an-interview-with-kddi/ Tue, 14 Apr 2020 15:18:28 +0000 https://fidodev.wpengine.com/?p=30397

KDDI recently deployed FIDO in Japan. We sat down for an interview with Yamada Yasuhisa, Executive Officer at KDDI, to find out more about the KDDI deployment.

Can you tell us about KDDI?

KDDI is a telecommunication service provider in Japan, offering both mobile and fixed-line communications. KDDI has a well-established base of over 40 million customers and offers mobile services and shopping through its “au” brand. KDDI is also expanding its services into the “Life Design” business, which includes e-commerce, fintech, nationwide electric power utility services, entertainment and education. With a 60-year history, KDDI is now focusing on creating smart infrastructure through IoT technologies and open innovation with partners and start-up companies in diverse industries. KDDI is accelerating the global growth of its telecommunications consumer business, with operations in Myanmar and Mongolia, and in the global ICT business with the “TELEHOUSE” brand. KDDI (TYO:9433) is listed on the Tokyo stock exchange. 

How are you using FIDO?

Today we are using FIDO authentication in a few different areas. The first, just launched on April 14, 2020, is our “au ID” platform, which is our service for our users to identify themselves and access our services; we have a huge number of active users. FIDO is one of the authentication methods available for “au ID.” We offer FIDO on web browsers and Android initially, and plan to support iOS in the future.

The other area where we offer FIDO is our Software-as-a-Service (SaaS) solution. This solution enables online service providers to deploy FIDO2 easily. As a network operator, we have experience, and the FIDO solution we offer is no exception.

It’s important that we can support online service providers along their customers’ entire authentication journey: onboarding, authentication and account recovery. So, we also offer customer identification services to fit in with our FIDO offering. There’s a gap in the customer journey with FIDO, which is account recovery. How do you recover your account if you lose your FIDO authenticator? We aim to fill this gap by providing identity verification of our large customer base. Thus, we’re supporting online service providers along the entire customer journey.

What specification(s) did you implement?

We implemented a FIDO2 server with biometric authentication.

Why did you choose FIDO standards? What were the challenges you were trying to overcome? 

There are several reasons why we chose FIDO. The first is security; FIDO is the best way to counter phishing attacks. The second is user experience; biometric authentication is much easier than passwords. The third is interoperability. With other approaches, developers have to implement authentication logic for each platform – iOS, Android and web. We wanted to design a “write once, work everywhere” system. FIDO helped us achieve that goal.   

Why did you choose FIDO authentication over other options? 

For us, the most important thing about adopting FIDO was that it was a web (W3C) standard. Again, this helped us to achieve our goal of “write once, work everywhere.”

What steps were involved in your roll out of FIDO authentication? Did you work with a partner?

We developed and implemented the FIDO authenticator and server from scratch. We worked closely with the FIDO Japan Working Group through the development; I would like to thank them for their support. It was very exciting to work with them.

What role do you see FIDO authentication playing for your company in the future?

We believe that FIDO will accelerate our identity business even further. It will also enhance the security of our internal systems.

What advice would you give to other organizations considering rolling out FIDO authentication?

Talk to other stakeholders; companies, such as KDDI, are offering turnkey solutions! 

Thank you for talking with us! Where can we learn more about KDDI?

You can find KDDI on the web at https://www.kddi.com/english/.

U.S. General Services Administration’s Rollout of FIDO2 on login.gov https://fidoalliance.org/u-s-general-services-administrations-rollout-of-fido2-on-login-gov/ Thu, 19 Mar 2020 14:15:00 +0000 https://fidodev.wpengine.com/?p=30254

The General Services Administration’s (GSA’s) login.gov provides single sign-on for the U.S. public and federal employees to interface and transact with federal agencies online. With one account, users can access services like the federal government’s job board, USAJOBS, and the Department of Homeland Security’s Trusted Traveler Programs, such as Global Entry. In addition to enabling users to access federal government services more easily, login.gov handles software development, security operations, and customer support. This allows agencies to focus on their core missions, while reducing costs and improving security. It also allows the login.gov team to focus on protecting one service instead of many, and to adopt best practices for security and account management.

THE CHALLENGE:
Balancing Security, Convenience, and Cost

As the U.S. government continues to modernize e-government services for both federal employees and the public, there is a challenge to provide these services in a manner that is secure, user-friendly, efficient, and cost-effective. With phishing attacks on the rise, it was imperative for the government to support “phish-proof” multi-factor authentication (MFA) technology.


THE ROAD TO FIDO:
GSA’s Evaluation Process for login.gov

The GSA evaluated several options for authentication for login.gov with three main priorities: security, cost, and compliance.

OVERVIEW

The Challenge
With phishing attacks on the rise, it was imperative for the government to support “phish-proof” multi-factor authentication (MFA) technology that was also user-friendly, efficient and cost-effective.

The Solution
After evaluating several options for authentication for login.gov, the government decided to support FIDO2 through the use of FIDO security keys and built-in FIDO authenticators like Windows Hello biometrics. Compared with the other options, FIDO met their requirements for security, usability, cost and compliance.

The Results
GSA rolled out authentication with FIDO2 in September 2018. With initial adoption equating to about 2,000, or 0.2%, of new users, GSA made it a requirement for users to register a second MFA option. As a result, the number of new FIDO2 security keys increased to 17,000 per month. In late June 2019, there were about 27,000 FIDO2 keys registered and the adoption rate has increased to about 3% of all new users, representing a significant increase from initial rollout.

Security

One of the options for MFA GSA examined was SMS one-time passwords (SMS OTPs).

They found that SMS OTPs were a popular MFA option for users. Although convenient, SMS OTPs introduce avoidable security risks to users; this includes malware inadvertently downloaded onto a mobile phone that could monitor the user’s text messages. Additionally, GSA experienced a lot of issues with phishing, especially targeting accounts that were controlling bank information and personally identifiable information, including the user’s date of birth and Social Security Number. For login.gov, GSA wanted to offer a secure alternative to SMS OTPs that could prevent phishing, and began evaluation of FIDO2 authentication standards.

FIDO2 is a set of strong authentication standards that enables users to leverage common devices like on-device biometrics and FIDO security keys to authenticate to online services with phishing-resistant cryptographic security. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

After reviewing the FIDO Alliance’s FIDO2 standards, GSA found that FIDO2’s phishing resistance made it the most appropriate approach to address its security challenges.

INSIDE FIDO STANDARDS

The FIDO protocols, including the FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks.

The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device.

This is balanced with a user-friendly and secure experience: a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.


Reduce Costs

In addition to security concerns, GSA found SMS OTPs quite expensive to manage. Without alternatives, those expenses would continue to escalate as more and more users are onboarded to login.gov.

With FIDO2, GSA could leverage a “bring your own FIDO security key” approach, making it more cost effective. The federal government does not sell or provision authenticators, but enables the use of authenticators previously provisioned.



Compliance

NIST’s Digital Identity Guidelines – Authentication and Lifecycle Management (Special Publication 800-63B) is the guidance that federal agencies must adhere to when authenticating users to their networks. The 2017 guidance reclassified SMS OTPs as a “restricted” authentication technology. This means that agencies need to offer users at least one alternate authenticator that is not restricted. They also must provide users with meaningful information on the security risks of the restricted authenticator (SMS OTP) and the availability of alternatives. FIDO standards provide a secure alternative that meets NIST guidelines for high assurance strong authentication.


FIDO2 Development

Prior to development, GSA used a Google developer resource on enabling strong authentication with FIDO2 WebAuthn on developers.google.com. To assist with server-side processing, GSA leveraged the webauthn-ruby gem on GitHub, which greatly expedited development, including the backend processing. In addition, GSA used the W3C reference material for further clarification on any issues encountered.

All of GSA’s code for login.gov is open source and is on GitHub in the 18F/identity-idp repository. Because FIDO2 is a standards-based authentication technology, implementing support for it was extremely fast: it took a small team of three developers just two weeks to develop and move into production.


Deployment and User Experience with FIDO2


GSA rolled out authentication with FIDO2 in September 2018. login.gov supports FIDO2 through the use of FIDO security keys and built-in FIDO authenticators like Windows Hello biometrics. For users, these are all referred to as “security keys” during user onboarding. The process for setting up FIDO2 at login.gov works like this:

  1. When a user is creating a login.gov account, they enter their email address and create a password. Login.gov will first send an auto-generated email for the new user to confirm their email address.
  2. Then, they are instructed to select and set up MFA from a menu of options, including SMS OTP, FIDO2 security keys, and backup codes.
  3. To set up FIDO2, the user will select the “Security Key” option.
  4. The user can create a nickname for their security key.
  5. They are prompted either to insert a hardware security key into their computer and touch it or, if their device has a supported built-in authenticator, to use that instead, for example by looking into the camera or touching a biometric sensor.
  6. The user is presented with a “success screen” and then they can access their login.gov account.
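The six steps above are the registration ceremony; each later login is an assertion ceremony, and the properties described under INSIDE FIDO STANDARDS (public-key signatures instead of shared secrets, resistance to phishing and replay, no cross-service tracking) come from a handful of checks the relying party performs on every assertion. What follows is an added example written for this page in Go; it is not login.gov’s code and is not taken from the 18F/identity-idp repository or the webauthn-ruby gem. It simulates an authenticator and a relying party in one process. The names `Authenticator`, `RelyingParty` and `RunScenario`, the user `alice`, the second service `jobs.example` and the look-alike origin `https://login-gov.example` are all constructed for the example, and `https://login.gov` appears only as the relying party’s own origin. To show the server-side origin check on its own, the simulation lets an assertion for the login.gov key be produced with a look-alike origin in the client data; in a real browser a page on another origin cannot request the login.gov rpID in the first place. Attestation at registration, the ceremony-type check, the signature counter and credential-ID lookup are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the clientDataJSON fields a relying party must check. The
// browser, not the web page, fills in Origin; that is what defeats phishing.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for a security key: one key pair per relying party ID.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register makes a fresh P-256 key scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	a.keys[rpID], _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &a.keys[rpID].PublicKey
}

// digest is what an assertion signs: SHA-256(authData || SHA-256(clientDataJSON)).
func digest(authData, cdj []byte) []byte {
	h := sha256.Sum256(cdj)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// Assert signs for rpID. origin is whatever the browser observed when the page called
// navigator.credentials.get(); authData is SHA-256(rpID), flags (0x05), counter.
func (a *Authenticator) Assert(rpID, origin, challenge string) (authData, cdj, sig []byte, err error) {
	key, ok := a.keys[rpID]
	if !ok {
		return nil, nil, nil, fmt.Errorf("no credential for %s", rpID)
	}
	cdj, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x05, 0, 0, 0, 1)
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest(authData, cdj))
	return authData, cdj, sig, err
}

// RelyingParty is the server: single-use challenges, one stored public key per user.
type RelyingParty struct {
	ID, Origin string
	Creds      map[string]*ecdsa.PublicKey
	pending    map[string]bool // challenges issued but not yet consumed
}

// NewChallenge issues 32 random bytes and remembers them as outstanding.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.pending[c] = true
	return c
}

// VerifyAssertion mirrors the core of the WebAuthn assertion verification procedure.
func (rp *RelyingParty) VerifyAssertion(user string, authData, cdj, sig []byte) error {
	var cd clientData
	_ = json.Unmarshal(cdj, &cd) // a parse failure leaves Challenge empty, rejected below
	if !rp.pending[cd.Challenge] { // consumed on first use, so a replay lands here
		return fmt.Errorf("unknown or already-used challenge")
	}
	delete(rp.pending, cd.Challenge)
	if cd.Origin != rp.Origin { // the origin is under the signature, so a look-alike lands here
		return fmt.Errorf("origin mismatch: %s", cd.Origin)
	}
	if h := sha256.Sum256([]byte(rp.ID)); len(authData) < 37 || string(authData[:32]) != string(h[:]) || authData[32]&1 == 0 {
		return fmt.Errorf("rpIdHash mismatch or user presence not asserted")
	}
	if pub, ok := rp.Creds[user]; !ok || !ecdsa.VerifyASN1(pub, digest(authData, cdj), sig) {
		return fmt.Errorf("signature does not verify against the registered key")
	}
	return nil
}

// RunScenario: genuine login, replay of its captured response, relay via a look-alike origin.
func RunScenario() (genuine, replayed, phished error, distinctKeys bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	gov := &RelyingParty{ID: "login.gov", Origin: "https://login.gov",
		Creds: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
	gov.Creds["alice"] = auth.Register(gov.ID) // setup steps 3 to 6 above, condensed
	pubOther := auth.Register("jobs.example")  // constructed unrelated service
	c1 := gov.NewChallenge()
	ad, cdj, sig, _ := auth.Assert(gov.ID, gov.Origin, c1)
	genuine = gov.VerifyAssertion("alice", ad, cdj, sig)
	replayed = gov.VerifyAssertion("alice", ad, cdj, sig) // the same bytes a second time
	// A look-alike site relays a fresh real challenge, but the victim's browser records its own origin.
	c2 := gov.NewChallenge()
	ad2, cdj2, sig2, _ := auth.Assert(gov.ID, "https://login-gov.example", c2)
	phished = gov.VerifyAssertion("alice", ad2, cdj2, sig2)
	return genuine, replayed, phished, !gov.Creds["alice"].Equal(pubOther)
}
```

Running the scenario shows the genuine login verifying, the replayed bytes rejected because the challenge was consumed on first use, the relayed login rejected on origin even though its signature is valid, and a different public key handed to the second service, which is why two services cannot correlate the same user through FIDO credentials.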

Many users take advantage of the “Remember Device” option when signing in. For example, if the user is using a laptop and checks “Remember Device,” they will not need MFA on that laptop again for another 30 days.


Support of Non-FIDO2 Security Keys

During testing, the development team discovered that several hardware security keys were failing. They found that the majority of the failures were because the keys were not FIDO2-compliant. After considering adding support for non-FIDO2 security keys, the team decided not to, because it would have taken considerably more time and effort than implementing WebAuthn alone. GSA plans to revisit support for non-FIDO2 keys at a later date. A listing of FIDO2 Certified authenticators can be found on the FIDO Alliance website.


FIDO User Adoption: On the Upswing

Initially, users registered about 2,000 new FIDO2 keys per month, which equates to about 0.2% of new users. In analyzing authentication statistics, GSA found that users were more often choosing mobile/SMS OTP options for MFA. In May 2019, GSA began requiring new users to register a second MFA option to increase awareness and adoption of FIDO2. That change increased the number of new FIDO2 authenticators to 17,000 per month. This number increased to 27,000 in the month of June alone, and the adoption rate increased to about 3% of all new users, a significant increase from the initial rollout. GSA is considering the same requirement for existing users, but is looking at doing so without hindering the user experience.

As of June 2019, login.gov onboards about one million new users per month and that is expected to grow as agencies continue to add additional services. GSA has high expectations for the use of built-in authenticators to increase adoption, because it does not require users to acquire a separate FIDO security key.


Future Improvements for Increased Adoption

One of the challenges login.gov has faced is user education: specifically, informing users that they have the option to enroll with FIDO2 and educating them about what FIDO is and how to set it up. It can be a challenge to accomplish this without confusing the set of users who are not able to set up FIDO, either because they don’t have a FIDO2 security key or don’t have a built-in authenticator.

Another area that GSA is working on is the onboarding process and the use of the term “security key” for all FIDO authenticators. User research is underway as of September 2019 around prompting users to set up whatever their device is named rather than using the security key language. Preliminary findings indicate that it would help adoption to keep the security key option for users who have a physical security key and to add further options for users with built-in authenticators, e.g. “use your Android phone” or “use your Windows Hello device.” This will give users clarity around their options so they will be more likely to set one up.

Another enhancement under consideration is a feature called “MFA Checkup.” This is to address the real-world problem that occurs when users change their smartphone and lose their backup codes. Login.gov would display a screen informing the user of the methods available or provide the user with the option to replace a method.

Ultimately, GSA sees these actions to streamline user communications and make user authentication options more clear as key to increasing user adoption and help both GSA and end users realize the full security, usability and cost reduction benefits that FIDO Authentication provides. As one of the first governments to offer FIDO Authentication for login to e-government services, GSA strives to be a model for other governments to follow.

View the U.S. General Services Administration’s Rollout of FIDO2 on login.gov PDF here.

NTT DOCOMO Deployment Case Study: Your Security, More Simple https://fidoalliance.org/ntt-docomo-deployment-case-study-your-security-more-simple-2/ Tue, 08 Oct 2019 18:37:47 +0000 https://fidodev.wpengine.com/?p=29035 The Challenge with Passwords


NTT DOCOMO, INC. is Japan’s largest mobile network operator with over 78 million subscriptions — and is responsible for protecting the data of each one.

To provide access to DOCOMO-branded services, partner services, and carrier billing payments, DOCOMO long allowed customers to log in and authenticate using passwords including a four-digit password. This created a number of challenges — particularly because passwords are frustrating to use, and it is difficult to have to remember multiple passwords.

DOCOMO needed to find a solution that would resolve these password-related issues.


The Best of Both Worlds with FIDO Authentication
After reviewing the different approaches to authentication available, DOCOMO settled on the FIDO authentication model as the best strategy for solving the current and future authentication needs of its customers. It found that by deploying cross-platform, FIDO-enabled, privacy-respecting biometric authentication, it could have a solution that is simultaneously more secure and more convenient. Notably, biometric information never leaves the user’s device, which protects their privacy.

FIDO-based biometric authentication relies on FIDO standards that use public key cryptography to protect users against a variety of attacks including phishing, brute force and man-in-the-middle attacks. Users register their on-device biometric with any online service that supports the protocol.

When considering a new authentication approach, DOCOMO found FIDO to be the best option because it allowed them to:
• Implement in a straightforward manner that aligns with the FIDO ecosystem for long-term sustainability and continuity of authentication as a service
• Utilize the standards in a way that allows different types of authenticators, such as fingerprint sensors and iris scanners
• Protect the security of users and ecosystem partners with FIDO’s privacy policy that states biometric data and private cryptographic keys will never leave the user’s device

NTT DOCOMO Overview

In May 2015, NTT DOCOMO began offering FIDO Authentication in four devices (including the world’s first iris scanner equipped smartphone) from multiple OEMs and a FIDO-enabled server. With this, DOCOMO became the world’s first mobile network operator to deploy FIDO Authentication throughout its network, delivering simple, strong authentication for DOCOMO’s millions of customers across multiple services with d ACCOUNT™, which is an OpenID based account for customers nationwide.

By eliminating passwords with FIDO standards, DOCOMO is able to deliver a superior end-user experience that includes enhanced security features. It is also able to introduce innovative new services and product offerings that can utilize standards-based platforms and devices.

NTT DOCOMO’s FIDO-based Solutions in Practice

Today, DOCOMO has shipped an impressive suite of more than 60 FIDO-enabled d ACCOUNT Authentication compliant Android devices. Of these, DOCOMO has shipped 36 FIDO UAF 1.0 Certified Android devices, while newer devices have been shipped with a pre-installed FIDO UAF 1.1 application to utilize Android’s built-in FIDO capabilities.

In addition, all Touch ID/Face ID-equipped iOS devices are also available for d ACCOUNT Authentication.

Using FIDO specifications, DOCOMO is enabling its customers to securely authenticate themselves with fingerprint or iris biometrics instead of a password with the DOCOMO d ACCOUNT app that incorporates FIDO Authentication. From there, they have secure access to DOCOMO account details, billing and services, including mobile gaming and music platforms d game™ and d music™, and shopping sites such as d delivery™ and d shopping™. DOCOMO also replaced carrier billing password authentication, allowing customers to approve their payments via biometrics built into their device.

In addition to DOCOMO-branded services at d market™, various partner services are able to utilize FIDO Authentication through carrier billing payment and as a federated ID utilizing OpenID Connect without any modifications.

DOCOMO also provides FIDO Authentication at scale by allowing other relying parties to utilize its FIDO Certified on-device biometrics. For example, Mizuho Bank, a major bank in Japan, uses DOCOMO’s FIDO Certified authenticator to allow its own customers to access their mobile banking app.

Enabling a More Secure Future
As a market leader with a clear strategic investment in the FIDO ecosystem, DOCOMO joined the FIDO Alliance as a Board Director in 2015 and has been contributing to the development of FIDO standards and best practices.

DOCOMO is responsible for establishing and chairing the FIDO Deployment-at-Scale Working Group (D@SWG), which was formed to accelerate overall deployments of FIDO solutions by bringing together online service providers and device manufacturers to share lessons learned, produce case studies, and establish industry best practices for deploying FIDO Authentication at internet scale. This group has since spun off three Deployment Working Groups for consumer, enterprise, and government, with DOCOMO chairing the FIDO Consumer Deployment Working Group (CDWG).

In addition, DOCOMO drove the formation of the FIDO Japan Working Group (FJWG) in 2016 and has taken a leadership role as Chair. The FJWG has been driving FIDO adoption in Japan by facilitating communication, cooperation and improved awareness of FIDO Alliance and FIDO Authentication in Japan.

View the NTT DOCOMO Deployment Case Study PDF document here.

FIDO in Action: Real World Deployment Case Studies https://fidoalliance.org/fido-in-action-real-world-deployment-case-studies/ Thu, 26 Sep 2019 15:39:37 +0000 https://fidodev.wpengine.com/?p=28948
FIDO Authentication in Hong Kong https://fidoalliance.org/fido-authentication-in-hong-kong-2/ Thu, 26 Sep 2019 15:37:32 +0000 https://fidodev.wpengine.com/?p=28945
Going Passwordless with Microsoft https://fidoalliance.org/going-passwordless-with-microsoft/ Thu, 26 Sep 2019 15:35:37 +0000 https://fidodev.wpengine.com/?p=28943
A First Step to a World Without Passwords https://fidoalliance.org/a-first-step-to-a-world-without-passwords/ Thu, 26 Sep 2019 15:31:49 +0000 https://fidodev.wpengine.com/?p=28940
FIDO Case Study: Performance Comparison of Multimodal Biometrics https://fidoalliance.org/fido-case-study-performance-comparison-of-multimodal-biometrics/ Thu, 26 Sep 2019 15:26:18 +0000 https://fidodev.wpengine.com/?p=28938
Enterprise Deployment of FIDO in SKT https://fidoalliance.org/enterprise-deployment-of-fido-in-skt/ Thu, 26 Sep 2019 15:20:52 +0000 https://fidodev.wpengine.com/?p=28936
Enhancing Security with FIDO https://fidoalliance.org/enhancing-security-with-fido/ Thu, 26 Sep 2019 15:11:16 +0000 https://fidodev.wpengine.com/?p=28928
Visa Case Study https://fidoalliance.org/visa-case-study/ Mon, 28 Jan 2019 20:24:25 +0000 https://fidodev.wpengine.com/?p=24923 Visa recently released its ID Intelligence suite of services to help organizations better identify and authenticate users. Banks, card issuers, and even merchants are being confronted with the need to strengthen their authentication capabilities to mitigate risks and meet compliance rules under directives such as PSD2. Through this suite of services, these organizations can easily obtain the different authentication capabilities they need from a trusted provider with a single point of integration. Visa has chosen to make a FIDO-based implementation of biometrics one of these offerings as it aligns with their strategic approach to authentication.

With ID Intelligence, organizations work through a single source to integrate a select set of identification and authentication solutions. These solutions fall into four categories:

  • Authenticate with biometrics
  • Authenticate with a photo ID and selfie
  • Authenticate the data provided by the user (PII validation)
  • Authenticate the device data (trusted vs. suspicious)

There is a wide variety of biometric platform providers in the market today. For ID Intelligence, Visa partnered with Daon to deliver FIDO-compliant biometrics capabilities. Daon offers both a FIDO-compliant and a non-FIDO solution, but only the FIDO-compliant solution is part of the ID Intelligence suite. The appeal of the FIDO protocol came from its alignment with Visa’s approach to authentication, which prioritizes protecting user data, leveraging available data to make better decisions, devaluing data when it is compromised, and empowering the customer.

Implementation requires an integration of the SDK with the client’s mobile application, which is typically a six to twelve month process, along with on premises hosting of the FIDO server. And while Visa is looking to extend the range of authentication solutions it offers as part of the ID Intelligence suite, the FIDO-compliant biometrics capability is available today.

This case study originally appeared in the Javelin Strategy & Research’s “The State of Strong Authentication 2019” Report

Tradelink Case Study https://fidoalliance.org/tradelink-case-study/ Mon, 28 Jan 2019 20:11:46 +0000 https://fidodev.wpengine.com/?p=24922 Established in 1998, Tradelink is a publicly traded company that acts as a gateway between the Hong Kong government and commercial businesses. Since its inception, Tradelink has been at the leading edge of online security, first in facilitating communications between the government and traders and later as a security provider for the HK banking industry. One aspect that has been central to delivering these secure interactions since late 2016 has been the FIDO protocol.

The organization decided the Internet was going to be how it managed communications. It made security a priority and leveraged public key infrastructure (PKI). Originally used for communications between the HK government and traders, the technology was eventually opened up to the banking industry.

Since that time, Tradelink’s approach to authentication has continued to evolve, leading the organization to FIDO. At first there was a trend to move away from digital certificates and towards one-time passwords. Approximately four years ago, they began to explore biometrics as a solution in partnership with the banking industry, which helped fund the effort. After examining different technologies and standards worldwide, Tradelink decided to use FIDO-based authentication starting in 2016.

In their estimation, adoption by banks has been strong because no information about the user is sent from mobile devices. Whichever party is the service provider, whether a bank or Tradelink, does not need to transmit or store the biometric data, which is important given Hong Kong’s stringent data privacy protection requirements. This, together with the adoption of public key cryptography as the backbone of the FIDO standard, was the other major factor driving banks to rapidly adopt FIDO.

In fact, the appeal of this biometric approach has resonated extremely well in Hong Kong. As evidence, the Hong Kong Government will launch a new initiative for electronic ID in 2020 that will leverage FIDO to authenticate citizens online.

This case study originally appeared in the Javelin Strategy & Research’s “The State of Strong Authentication 2019” Report

Google Case Study https://fidoalliance.org/google-case-study/ Mon, 28 Jan 2019 20:03:17 +0000 https://fidodev.wpengine.com/?p=24921 From Google’s perspective, defending against phishing is the key to securing employees’ and customers’ accounts. With the prevalence of cloud-based services, both among consumers and within enterprises, usernames and passwords are frequently the only thing stopping malicious actors from compromising data. With authentication using FIDO protocols, the authenticator provides cryptographic proof that the user is interacting with the legitimate service; even if the authenticator’s response is captured in transit, it cannot be successfully replayed by malicious actors to impersonate the user.


There has not been a successful phishing attack against their 85,000+ employees since requiring use of physical security keys.

Over two years ago, Google published the result of their internal implementation of FIDO U2F security keys, and reported impressive outcomes. According to the company, there has not been a successful phishing attack against their 85,000+ employees since requiring use of physical security keys. Since the publication of this report, Google has taken a number of other notable steps with integrating FIDO protocols into their consumer and enterprise authentication flows.

Most recently, Google has released their own U2F hardware security key, known as the Titan Security Key. Titan Security Keys provide both a familiar USB security key and a Bluetooth version, which enables the security key to authenticate via users’ smartphones. While the Titan Security Key is available generally for purchase, it is intended largely for enterprise users, especially those who already use Google’s cloud services.

With the release of Chrome 70, Chrome will support the credential management API specified in the W3C’s recently released WebAuthn standard. This allows web applications to create and use cryptographically attested credentials to authenticate users. Crucially, this lays the foundation for fully passwordless authentication in the browser using a variety of strong credentials, ranging from U2F security keys such as Google’s own Titan key or the one built into Google’s Pixelbooks to local biometric authentication such as Apple’s Touch ID.

Ultimately, the goal is having as many users as possible on phishing-resistant authentication protocols, whether they utilize a security key, an on-device biometric authenticator, or a cryptographic handshake with the users’ mobile device.

This case study originally appeared in the Javelin Strategy & Research’s “The State of Strong Authentication 2019” Report

Kookmin Bank Leverages Crosscert FIDO to Provide Easy Biometric Authentication to Its Customers https://fidoalliance.org/kookmin-bank-leverages-crosscert-fido-to-provide-easy-biometric-authentication-to-its-customers/ Mon, 28 Jan 2019 19:18:20 +0000 https://fidodev.wpengine.com/?p=24919 There is a growing need these days for easy mobile-based authentication services in various industries such as finance, the public sector, insurance, and education. CrossCertFIDO® produced by CrossCert in Korea helps meet this demand by providing a FIDO-based biometric authentication service. Additionally, CrossCertFIDO® provides an accredited certificate service that leverages FIDO technology (K-FIDO) for user-friendly digital signing in Korea.

Challenge:

There are 65 million subscribers who use mobile banking services in Korea – most of whom use password-based authentication. Also, there are 37 million people who have been issued accredited certificates in Korea. For account transfers, subscribers generate digital signatures over the transaction through an accredited certificate, and the bank verifies them for user authentication, integrity and non-repudiation.

Like many consumers around the world, Korean mobile banking subscribers who must remember their unique password feel uncomfortable for many reasons. This includes the fact that inputting a password on a mobile device is very difficult and time consuming – and also because passwords are highly susceptible to theft and misuse (such as for account hijacking). Additionally, many Koreans feel uncomfortable using passwords when they use an accredited certificate based on National PKI (NPKI) for digital signing.

As a result, many banks in Korea have sought to implement easy and secure user authentication technology in their online mobile banking service for subscribers, with biometric authentication approaches being a preferred model. However, many banks have hesitated to implement biometric authentication systems that rely upon server-side storage and matching of biometric templates as they present a risk to subscribers of having biometric credentials stolen – which unlike passwords cannot be changed.

Case Study: Kookmin Bank

Kookmin Bank (or KB) is Korea’s leading bank in total assets (2018) and National Customer Satisfaction Index (NCSI) (2017). KB has provided a mobile banking service named ‘KBStar Banking’ since 2003. KBStar Banking supports a variety of authentication mechanisms, but almost all subscribers have used password-based authentication and accredited certificates in NPKI. Accredited certificates have especially been used for digital signing of account transfers and loan applications.

Kookmin Bank has been seeking simpler, stronger authentication for its mobile service because many subscribers have expressed displeasure and discomfort with the password-based approach. KB has also needed a solution for accredited certification in NPKI that does not require a password for account transfers, loan applications or similar services.

In November of 2016, CrossCert implemented the CrossCertFIDO® FIDO client and authenticator, which supports fingerprint, iris and voice biometric authentication, in the KBStar mobile banking app. CrossCert also set up the CrossCertFIDO® server in CrossCert’s global secure datacenter, which has passed ISMS and WebTrust audits, and has connected it to and operated a relying party server at Kookmin Bank.

KB and CrossCert have also provided subscribers with K-FIDO based authentication and digital signing – which eliminates the need for passwords for loan applications, account transfers and similar services. The net outcome is that subscribers no longer need to remember and input a password.

The Result:

There are now about 3.5 million subscribers who are leveraging simpler, stronger FIDO-based authentication across various KBStar mobile banking apps (KBStar banking, KBStar Mini, Liiv, KB Real Estate, KBStar alarm, KB my money, Liiv TTok TTok). In total there are 16 million FIDO transactions per month and there have been over 260 million total FIDO transactions since the launch of the services (as of October 2018).

Many Korean banks (in addition to KB) have implemented FIDO authentication in their mobile banking apps to provide their subscribers with stronger and more user-friendly authentication. The positive user experiences in banking have set the stage for similar adoption in other industries – e.g., insurance, education and government services.

FIDO UAF and PKI in Asia – Case Study and Recommendations https://fidoalliance.org/fido-uaf-and-pki-in-asia-case-study-and-recommendations/ Mon, 17 Dec 2018 17:35:19 +0000 https://fidodev.wpengine.com/?p=23569 White Paper: FIDO UAF and PKI in Asia – Case Study and Recommendations https://fidoalliance.org/white-paper-fido-uaf-and-pki-in-asia-case-study-and-recommendations/ Wed, 28 Nov 2018 18:49:23 +0000 https://fidodev.wpengine.com/?p=20837 This paper depicts three possible scenarios for integrating FIDO UAF and PKI in Asian countries, along with recommendations for how the two technologies can work together to bring innovation to the authentication marketplace and to pave the way for deploying better authentication solutions to the public.

Case Study: Aetna Advances User Authentication Based on the FIDO Standard https://fidoalliance.org/aetna-case-study/ Thu, 15 Nov 2018 21:39:40 +0000 https://fidodev.wpengine.com/?p=15649
FIDO Alliance Aetna case study

Overview

Customer

Aetna is a leading health care organization serving about 37.9 million people.

Challenge

Better authentication for Aetna’s online services customers, partners, and employees. Health care organizations must safeguard protected health information (PHI) to ensure compliance with health care regulations such as HIPAA and HITECH and avoid costly fines and lawsuits due to data exposure.

Solutions

Aetna has adopted the FIDO standard for user authentication, using biometrics to verify customers and its next-generation authentication process (behavior-based security which authenticates users throughout their online sessions on the Aetna Mobile app).

Results

  • Within two weeks of app usage, Aetna was able to set user baselines for behavior.
  • Aetna is using the behavioral data to help protect users, feeding it into the FIDO NGA risk engine, which continuously takes in data and then ultimately discards it. The risk engine is protected with six layers of security controls.

The FIDO Solution

Aetna needed user authentication integrated within the overall experience, simplifying engagement while sending a strong message to customers, partners, and employees that their data is safe. Aetna is proud to be using the FIDO standard for user authentication, biometrics, and next-generation authentication.

FIDO Delivers

The specifications and certifications from the FIDO Alliance enable an interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites. This ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.

“The FIDO Alliance develops user authentication based on open standards so companies like Aetna can adopt the best modern technologies without being tied into their proprietary offerings,” said Brett McDowell, executive director, The FIDO Alliance. “Standards-based architectures can evolve with the market, are less costly to operate and reduce the risk of operating and maintaining end-of-life systems.”

The Details

Challenge

Health care organizations are seeking to evolve user authentication for a new era of risks and threats. Health care data is highly valued by cybercriminals, because it provides rich personal, financial and medical data that can be used for multiple types of fraud, including insurance claims, health savings accounts, flexible savings accounts and more.

Health care organizations must safeguard protected health information (PHI) to ensure compliance with health care regulations such as HIPAA and HITECH and to avoid costly fines and lawsuits due to data exposure.

Health care security leaders also want to avoid account takeovers, where cybercriminals use the personal demographic information to bypass password reset functions. After several major data breaches, including Anthem, Equifax, Yahoo and others, cybercriminals are able to assemble rich profiles they can use to impersonate users at scale. “The reality is that the industry is getting more and more account takeover attempts,” said Jim Routh of Aetna, who serves as the health care company’s chief security officer (CSO). “Binary authentication [using passwords] has reached obsolescence today.”

Creating Phishing-Resistant Security in the Health Care Industry

Solution: Routh wanted to find a better way to authenticate the customers, partners and employees who use Aetna’s online services. The company is rolling out next-generation authentication (NGA) across its mobile and web platforms, taking a two-phased approach to improving the security and usability of its online services.

First, Aetna has adopted the FIDO standard for user authentication, using biometrics, rather than passwords, to verify customers. Biometric capabilities are evolving rapidly and Aetna wanted to empower consumers with choice while using a standard interface across software and devices. In addition, standards-based architectures cost less to operate than non-standards-based architectures.

FIDO Authentication Future-Proofs and Simplifies User Authentication

“Aetna adopted the FIDO standard for biometric information to create consistency and simplify the entire authentication process,” says Routh. “FIDO insulates us from the implications of the consumer choice or the security functionality that is built into the device. The standard separates the authentication process from an application developer, so regardless of the configuration of mobile carrier, device maker or online service, we can authenticate every time. More importantly, a member’s biometric information never leaves his or her device, ensuring the member’s identity remains protected and uncompromised.”

Developing user authentication based on open standards also “future-proofs” solutions, so that companies like Aetna can adopt the best modern technologies without being tied into a vendor’s proprietary offerings.

Standards-based architectures can evolve and scale with the market, are less costly to operate than proprietary architectures and also reduce the risk of operating and maintaining end-of-life systems.

Aetna Uses Up to 60 Behaviors to Authenticate Users During Online Sessions

In the second phase of the program, Aetna rolled out its next-generation authentication process: behavior-based security which authenticates users throughout their online sessions on the Aetna Mobile app. Aetna continuously reviews 30 to 60 different behaviors, such as location, time of access, thumbprint and keystroke style, to ensure that it is still the same user. Thus, for example, if an individual handed a phone to a friend, the app would recognize the new user and ask for another form of authentication.

Setting a New Standard for Security with FIDO

The FIDO standard supports the continuous input of behavioral data into the NGA risk engine. It took Aetna one to two weeks of app usage to set user baselines for behavior. Aetna is using the behavioral data solely to help protect users, feeding it into a risk engine and then ultimately discarding it. The risk engine is protected with six layers of security controls.

Aetna understands that user authentication can be part of the overall experience, simplifying engagement while sending a strong message to customers, partners, and employees that Aetna takes protecting their data seriously. Numerous analysts have stated that exceptional information risk management capabilities and practices (which includes multi-factor authentication) can help differentiate a company in an era of constant hacks and data breaches.

“We have an opportunity to improve security, while also significantly improving the way Aetna joins consumers by eliminating the need to remember passwords,” said Routh.

FIDO Authentication in Hong Kong: Deploying the Future of User Authentication Today https://fidoalliance.org/fido-authentication-in-hong-kong/ Thu, 15 Nov 2018 19:14:31 +0000 https://fidodev.wpengine.com/?p=23553 BC Card Case Study for Biometric Authentication for Mobile Payments https://fidoalliance.org/bc-card-case-study-for-biometric-authentication-for-mobile-payments/ Thu, 11 Oct 2018 18:32:28 +0000 https://fidodev.wpengine.com/?p=20656 FIDO UAF and PKI in Asia: A Case Study and Recommendations https://fidoalliance.org/fido-uaf-and-pki-in-asia-a-case-study-and-recommendations/ Thu, 11 Oct 2018 18:31:33 +0000 https://fidodev.wpengine.com/?p=20655 Case Study: BC Card Provides Advanced User Authentication Based on the FIDO Standard https://fidoalliance.org/bc-card-case-study/ Mon, 10 Sep 2018 17:36:37 +0000 https://fidodev.wpengine.com/?p=20647 The Overview

As mobile payment usage increases, mobile service providers are looking for more secure authentication measures for their users. BC Card’s mobile payment app, paybooc, offers both online and offline payment services through registration with a single ID and login using FIDO-based biometric authentication.

Customer

BC Card is the largest payment processing company in South Korea. BC Card’s mobile payment app, paybooc, offers both online and offline payment services through registration with a single ID and login using FIDO-based biometric authentication.

Challenge

BC Card wanted a more secure way to authenticate their paybooc users that had a positive impact on the user experience.

Solution

BC Card adopted FIDO Authentication using fingerprint, facial and voice biometrics for paybooc login.

Results

More than 1.2 million users have registered in paybooc using FIDO Authentication, making over 1 million transactions monthly.

The FIDO Solution

FIDO Authentication is proven to provide simpler, stronger authentication. BC Card’s use of the FIDO standards is helping to ensure their paybooc customers can simply log in with a single gesture with stronger security.

The Details

The Challenge: Security that Doesn’t Compromise Usability

Many online payment services rely on password-based logins, which are the most insecure of authentication methods. Passwords have been cited as the root cause of the vast majority of data breaches in recent years and are often frustrating for consumers because they can be complex and hard to remember.

With the rise in biometric authentication services, consumers are coming to realize the convenience of using this method for easy login. Recognizing the opportunity to leverage existing smartphone features such as cameras, BC Card set forward to integrate biometrics into the paybooc application.

The Solution

BC Card wanted to find a better way to authenticate paybooc users for an easier and more secure payment experience. After considering a number of authentication methods, the company launched FIDO-based fingerprint, voice and facial biometric authentication methods for paybooc users.

paybooc was the first system among Korean financial institutions to provide FIDO® Certified voice and facial recognition.

The FIDO-based voice authentication system is built to identify distinct features of the user’s voice, and is able to distinguish between a recording and an authentic voice. The FIDO-based facial authentication system recognizes the user’s facial features through the mobile device camera. Both systems utilize on-device cryptographic credentials and biometric data to protect against remote spoofing and other attacks (e.g., the use of sounds, pictures and videos to mimic the user).

Verifying customers has become an important issue for the mobile payments industry, and biometric capabilities are rapidly evolving to create a safer and more reliable service for users. BC Card chose FIDO Authentication as a way for consumers to have secure logins with the ease of standards-based, interoperable authentication utilizing biometrics.

The Result: 1.2 Million Registered Users, 1 Million Monthly Transactions

As of May 2018, over 1.2 million users have registered in paybooc using biometric authentication, making over 1 million transactions monthly. This number is on a steady increase, as users recognize the ease of using biometrics as authentication as well as the extra security FIDO standards provide users. In the payments industry, mobile transactions are on the rise, and paybooc’s FIDO biometric authentication can adapt to any device.

Why FIDO?

BC Card’s decision to adopt the FIDO standard for authentication with biometrics was prompted by a need for stronger authentication for its mobile payments services, but also a seamless user experience. FIDO provides interoperability, ensuring that users can be authenticated on a wide array of device choices regardless of mobile carrier, device maker or online service. FIDO Authentication is a fast and convenient alternative to solutions like passwords, which are often difficult to remember, because it requires only a single gesture to log on.

BC Card also chose FIDO as a safeguard against fraud. Spoofing, phishing and other attacks are a direct concern for any payments service looking to best authenticate users. The FIDO protocols’ use of on-device cryptographic credentials and biometric data cuts out third-party and man-in-the-middle involvement and significantly reduces the chance of hacks or phishing.

This assurance, along with a standards-based architecture that can evolve, scale and change with the market, makes FIDO Authentication a secure, cost-effective, and simple choice for BC Card paybooc. Many biometric authentication services, including Samsung Pay, are FIDO-based, and the quickly spreading FIDO2 standard is well-known throughout Korea.
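The Kookmin, Aetna and BC Card write-ups above all rest on the same property: the biometric match and the private key stay on the device, the server stores a public key and only ever sees a signed one-time challenge, and an assertion that is replayed or was produced for a look-alike site fails verification. The following Go model is an added example, not FIDO Alliance, CrossCert or BC Card code and not the real UAF wire format; the relying-party names (`bank.example`, `phish.example`), the credential ids and the `biometricMatch` callback standing in for the device's own matcher are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Authenticator is the device side: a private key unlocked only by a local biometric match.
type Authenticator struct {
	priv           *ecdsa.PrivateKey
	biometricMatch func() bool // stand-in for the device's own matcher; never sent anywhere
}

// RelyingParty is the bank's server: public keys only, plus unanswered one-time challenges.
type RelyingParty struct {
	rpID    string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string]bool
}

func NewAuthenticator(match func() bool) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv, biometricMatch: match}, err
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Register is enrolment: the server stores the public key and nothing else.
func (rp *RelyingParty) Register(credID string, a *Authenticator) {
	rp.pubKeys[credID] = &a.priv.PublicKey
}

// NewChallenge issues 32 fresh random bytes valid for exactly one login.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// signedData binds the assertion to the rpID the client believes it is talking to and to one challenge.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rpHash[:], challenge...))
	return d[:]
}

// Sign runs on the device: verify the user locally, then sign; only the signature leaves the device.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.biometricMatch() {
		return nil, errors.New("local user verification failed")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
}

// Verify runs on the server: the challenge must be unused and the signature must cover this rpID.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) error {
	pub, ok := rp.pubKeys[credID]
	key := hex.EncodeToString(challenge)
	if !ok || !rp.pending[key] {
		return errors.New("unknown credential, or challenge unknown/already used (replay)")
	}
	delete(rp.pending, key) // single use, whatever the outcome
	if !ecdsa.VerifyASN1(pub, signedData(rp.rpID, challenge), sig) {
		return errors.New("bad signature: wrong key, or assertion made for another origin")
	}
	return nil
}
```

A genuine login verifies once; presenting the same signed challenge again, or an assertion the device signed for `phish.example`, is rejected, and a device whose local match fails never produces a signature at all.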

Krebs on Security: Google: Security Keys Neutralized Employee Phishing https://fidoalliance.org/krebs-on-security-google-security-keys-neutralized-employee-phishing/ Mon, 23 Jul 2018 18:51:12 +0000 https://fidodev.wpengine.com/?p=13014 Well-known cybersecurity expert and influencer Brian Krebs breaks down how FIDO Authentication using Security Keys has made Google’s 85,000+ employees unphishable.

Implementation Case Study: FIDO2 Authentication by SKT (Korean Language) https://fidoalliance.org/implementation-case-study-fido2-authentication-by-skt-korean-language/ Wed, 18 Jul 2018 18:53:10 +0000 https://fidodev.wpengine.com/?p=20675 FIDO2 Overview & RaonSecure Integration Case Study (Korean Language) https://fidoalliance.org/fido2-overview-raonsecure-integration-case-study-korean-language/ Wed, 18 Jul 2018 18:52:25 +0000 https://fidodev.wpengine.com/?p=20674 Implementation Case Study: Cloud Based FIDO2 Authentication by CrossCert https://fidoalliance.org/implementation-case-study-cloud-based-fido2-authentication-by-crosscert/ Wed, 18 Jul 2018 18:51:43 +0000 https://fidodev.wpengine.com/?p=20673 Implementation Case Study by eWBM https://fidoalliance.org/implementation-case-study-by-ewbm/ Wed, 18 Jul 2018 18:51:01 +0000 https://fidodev.wpengine.com/?p=20672 Fujitsu FIDO Case Study https://fidoalliance.org/fujitsu-fido-case-study/ Fri, 19 Jan 2018 21:16:10 +0000 https://fidodev.wpengine.com/?p=20701 Crucialtec FIDO Deployments and Future Possibilities https://fidoalliance.org/crucialtec-fido-deployments-and-future-possibilities/ Thu, 14 Dec 2017 22:36:33 +0000 https://fidodev.wpengine.com/?p=20750 Case Study: Google’s Strong Authentication for Employees and Consumers https://fidoalliance.org/google-case-study-strong-authentication-for-employees-and-consumers/ Tue, 21 Feb 2017 19:39:04 +0000 https://fidodev.wpengine.com/?p=20615 Case Study: Korea’s Shinhan Bank Deploys FIDO Authentication https://fidoalliance.org/case-study-koreas-shinhan-bank-deploys-fido-authentication/ Fri, 18 Nov 2016 13:41:00 +0000 https://fidodev.wpengine.com/?p=82965 In this series of case studies, the FIDO Alliance talks to organizations that have deployed FIDO strong authentication. 
In this edition, we spoke with Hyoung Woo Kim who represents the ‘Sunny Bank Business’ department at Shinhan Bank in Korea, which is now offering FIDO-based fingerprint authentication to its Sunny Bank mobile application.


FIDO Alliance: Why did Shinhan Bank decide to offer fingerprint authentication to the Sunny Bank application? What problem were you trying to solve?
Hyoung Woo Kim: Shinhan Bank was looking for a trusted biometric solution to add value for their customers using the Sunny Bank app. We chose this because FIDO has been developed as a biometric standard specifically for the mobile online environment, and biometric-based identity authentication systems through FIDO have been proven to be a secure infrastructure to provide a convenient and strong authentication service. It is used as a second-factor authentication or an easy alternative login of the app (ID/password) in conjunction with the existing banking app.

FIDO Alliance: Please tell us more about Shinhan Bank.
Hyoung Woo Kim: Shinhan Bank was founded in 1897 and operates banking, foreign exchange operations, and trust-services businesses. Its capitalization is 8 trillion KRW ($6.7 billion USD), and the corporation has a turnover of 14.8 trillion KRW ($12.3 billion USD). It has roughly 15,000 employees.

FIDO Alliance: Please describe the new service.
Hyoung Woo Kim: Shinhan Bank has introduced the first FIDO-based biometric authentication technology in the domestic banking services market. This service is a specialized mobile banking platform for Shinhan Bank called ‘Sunny Bank’. By introducing the first non-face-to-face personal identity authentication system, it makes possible a variety of traditional banking services such as opening a new account, deposit and withdrawal inquiry, currency exchange services, MyCar loan applications, and so forth without visiting a bank branch.

FIDO-based fingerprint authentication services with OnePass replace the existing certificate verification system so that the Shinhan Bank app service increases security as well as convenience for its customers in the financial services sector.

FIDO Alliance: Why did Shinhan Bank choose to use FIDO standards for this service?
Hyoung Woo Kim: With the explosive growth in mobile and online banking services, coupled with mandatory regulatory changes related to banking and finance security, the need for a new secure authentication method that is also convenient for mobile users was very pressing.

Furthermore, the FIDO protocol is built around the secure storage of biometric information on the local device, with no transmission of the information necessary for authentication. The FIDO system locally verifies the user on his or her own device and then authorizes an encrypted authentication response to the server.

In order to satisfy both security concerns as well as customers’ requirements, building a convenient and secure authentication service that combines identity services with secure authentication is a real challenge. For Shinhan, the FIDO-based OnePass system was a clear choice to answer that challenge.

FIDO Alliance: What partners worked with you to enable FIDO authentication for the service?
Hyoung Woo Kim: FIDO authentication for the service has been built with Raonsecure, which is a leading FIDO-based biometric solution, mobile security, and PKI security technology provider. Raonsecure was one of the first companies to earn FIDO certification and is a leading FIDO authentication technology provider in Korea. Based on strong financial services management know-how, Raonsecure offers a range of technologies for clearly understanding and meeting the requirements of Shinhan Bank.

FIDO Alliance: How many customers are now using the Shinhan Bank service and has Shinhan Bank seen any other positive results?
Hyoung Woo Kim: Shinhan Bank serves approximately 23 million customer accounts, which is roughly half the total population of the Republic of Korea (excluding duplicate customers in 2014).

FIDO Alliance: What role do you see FIDO-based authentication playing for Shinhan Bank in the future?
Hyoung Woo Kim: We are currently providing FIDO-based fingerprint authentication login services with enhanced security to an existing simple login method for customers using the Sunny Bank app, and as an additional authentication method. Currently, it is provided for Android and iOS Smartphone devices with the fingerprint authentication function.

Login, signup products, and funds transaction services provided with existing certificate verification will be gradually changed to the FIDO-based biometric solution, such as fingerprint authentication services via the smartphone application. It will maximize security in financial services and customer convenience simultaneously. Other means of authentication are also being planned in order to expand the variety of other authenticator types, such as iris scan and facial recognition-based authentication.
