FIDO Alliance Announces New Authentication Specification Effort with EMVCo to Bring Added Security and Convenience to Mobile Payments

October 24, 2016 at 12:00 PM EDT
The new effort builds on FIDO's existing partnership with W3C to provide a standard way for mobile wallet providers and payment application developers to support on-device cardholder verification (CDCVM) with biometrics or other authenticators

LAS VEGAS, NV -- (Marketwired) -- 10/24/16 -- MONEY20/20 - FIDO Alliance, the industry consortium developing open, interoperable authentication standards, announced today that it will work with EMVCo to add convenience and security to in-store and in-app EMV®-compliant mobile payments.

The FIDO Alliance will develop a new technical specification into its FIDO authentication suite to fulfill use cases provided by EMVCo. The specification will provide a standard way for mobile wallet providers and payment application developers to support Consumer Device Cardholder Verification Method (CDCVM)1, enabling consumers to conveniently use on-device FIDO® Certified authenticators -- such as a fingerprint or "selfie" biometrics -- to securely verify their presence when making an in-store or in-app mobile payment.

To enable this capability, the new FIDO Alliance specification will be developed as an extension specification to the Web Authentication specification already in development by the World Wide Web Consortium (W3C). The Web Authentication specification, based on three technical specifications submitted by the FIDO Alliance last year, will define a standard web API to enable web applications to move beyond passwords and offer FIDO strong authentication across all web browsers and related web platform infrastructure. With this new specification, the same FIDO-compliant devices used to authenticate users on the web will also be able to fulfill payment networks' CDCVM requirements for mobile payment, giving device manufacturers yet another reason to ship their devices with support for FIDO authentication.

For mobile wallet providers and payment application developers, the development of this specification intends to greatly simplify the development and support for CDCVM across mobile devices and other platforms.

"Today, mobile wallet providers and payment application developers need to custom-build support for CDCVM across mobile devices. This is a huge challenge given the fragmentation in the mobile ecosystem -- there are more than a thousand manufacturers for Android alone," said Brett McDowell, executive director of the FIDO Alliance. "This new specification will enable mobile payment stakeholders to FIDO-enable their applications and get the added benefit of built-in support for CDCVM on every FIDO-compliant mobile device. The mobile industry is rapidly adopting FIDO authentication, with FIDO Certified solutions already available on flagship mobile devices from six of the top 10 mobile handset manufacturers."

The new FIDO specification will also add another layer of convenience to the consumer mobile payment experience by providing mobile payment applications with additional risk management information, ultimately reducing the number of times that a consumer needs to authenticate themselves in order to approve a payment within a given time period. For example, when the mobile payment application calls the FIDO authenticator, it can check the last time the user was verified by the authenticator. If that falls within the requirements for CDCVM, the payment will be authorized without any additional interaction with the user. The FIDO Alliance also sees the potential for this capability to be extended to use cases beyond payments, including for VPN access, rights managements and workflow management.

W3C Strategy Lead Wendy Seltzer commented, "W3C is pleased to support this FIDO Alliance extension as yet another example of the growing and vibrant authentication ecosystem enabled through our Web Authentication API, currently under development by the WebAuthn Working Group."

Brett McDowell made this announcement this morning at Money20/20, being held this week through Oct. 26 in Las Vegas. Attendees looking to learn more about the FIDO Alliance's efforts to help the financial services industry deploy stronger, simpler authentication should stop by the FIDO Ecosystem Pavilion on the show floor, booth #2843.

Editor note:
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo.

About The FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

The FIDO Alliance Board of Directors includes leading global organizations: Aetna, Inc. (NYSE: AET); Alibaba Holdings (NYSE: BABA); American Express (NYSE: AXP); ARM Holdings plc (LSE: ARM) (NASDAQ: ARMH); Bank of America Corporation (NYSE: BAC); BC Card; CrucialTec (KOSDAQ: 114120); Daon; Egis; Feitian Technologies (XSHE: 300386); Google (NASDAQ: GOOG); Intel (NASDAQ: INTC); ING (NYSE: ING); Infineon Technologies AG (FSE: IFX) (OTCQX: IFNNY); Lenovo (NASDAQ: LNVGY); MasterCard (NYSE: MA); Microsoft (NASDAQ: MSFT); Nok Nok Labs, Inc.; NTT DOCOMO, INC. (NYSE: DCM); NXP Semiconductors N.V. (NASDAQ: NXPI); Oberthur Technologies OT; PayPal (NASDAQ: PYPL); Qualcomm, Inc. (NASDAQ: QCOM); RSA®; Samsung Electronics, Ltd (KSE: SECL); Synaptics (NASDAQ: SYNA); USAA; VASCO Data Security International, Inc. (NASDAQ: VDSI); Visa Inc. (NYSE: V); Yubico.

1 Consumer Device Cardholder Verification Method (CDCVM) is a type of consumer verification method (CVM) supported by the card networks that is captured and verified on the cardholder's mobile device (e.g. biometric, passcode).

Contact:
Megan Shamas
Montner tech PR
Email Contact
203-226-9290

Source: The FIDO Alliance