03 Jun The Future of Authentication – Insights from ReBIT Webinar
India is one of the leading countries adopting technology and digitization across its industries. Both the public and private sectors in India are going through rapid digital transformation by embracing automation and emerging technologies. The Covid-19 pandemic has accelerated this digital shift, and most consumers now access services online, which is expanding the digital payments market.
Recent research states that the current 160 million unique mobile payment users will grow fivefold to reach nearly 800 million by 2025. The same research states that digital payments in India are expected to grow more than three-fold to Rs 7,092 trillion by 2025, on account of government policies around financial inclusion and the growing digitization of merchants.
In light of this growing digital economy, the Reserve Bank of India (RBI) recently released the Master Direction on Payment Security Controls. The directive underscores the need for robust controls securing digital payment systems. It also encourages innovation by urging regulated entities to consider alternatives to SMS-based OTP authentication. On 27th May 2021, ReBIT, in collaboration with the FIDO Alliance, hosted a webinar to discuss the technology alternatives to SMS-OTP authentication.
In this blog, we have compiled the key takeaways from this ReBIT webinar – to explore alternatives to SMS-OTP, their benefits and limitations as well as practitioners’ insights from their implementation experience.
SMS-OTP authentication: Convenience vs. Security
The most common and widely used authentication method in India is SMS-OTP. There is no doubt that this method of authentication has its benefits, as its widespread adoption shows. The most compelling benefit, for both the application provider and the user, is that it is simple and convenient, with little provisioning effort and cost.
But there is always a tension between convenience and security.
In the olden days, when phones did not have the capabilities they have today, most application interaction was done through a laptop or desktop. So there were typically two separate channels involved during the authentication phase: 1) the channel through which the authenticator (the OTP) reached the user, and 2) the channel through which the user interacted with the application.
In today's scenario, with recent technology trends, the strict separation of these two channels is getting blurred, as both increasingly run on the same device. In a nutshell, SMS-OTP is a convenient, simple and widely used authentication method, but it is less secure. It is now time for companies to seriously explore alternatives to SMS-OTP-based authentication.
What is FIDO and how does it work?
The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user's client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client's private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device, or pressing a button.
The authenticator can come in different forms:
- Platform authenticators: ones that are integrated with a device and capable of capturing an authentication factor. Examples include Touch ID, Face ID and Windows Hello, which are built into the device (this is the case for most modern devices).
- Roaming authenticators: ones that can be connected to different smartphones or laptops using CTAP.
In both categories, FIDO supports different modalities, from a simple touch to a fingerprint reader, facial recognition and voice authentication.
[Figure: the old way of authentication and the FIDO method of authentication, shown side by side]
Source: FIDO Alliance
The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services.
- FIDO is based on public-key cryptography
- Keys stay on the device
- No server-side shared secrets
- No 3rd party in the protocol
- Biometric, if used, never leaves the user’s device
- No linkability between services or accounts
Finally, the industry practitioners shared their insights on adopting FIDO and how it resulted in a passwordless experience for their customers with increased ROI and value realization.