Government & Public Policy
As technology evolves, policy needs to evolve with it.
The global market is bursting with innovation around authentication technology – but some solutions are better equipped to meet the security and usability needs in government.
Through its working groups and member public policy leads, the FIDO Alliance engages in meaningful discussion with policymakers around the world on how FIDO specifications offer newer, better options for strong authentication, and recommends associated policy updates.
FIDO Alliance’s key points for policymakers include:
- Two-factor authentication no longer brings higher burdens or cost. While this statement was true of older traditional MFA technology, FIDO specifically addresses these cost and usability issues and enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale
- Technology is now mature enough to enable two secure, distinct authentication factors in a single device. The evolution of mobile devices – in particular, hardware architectures that offer highly robust and isolated execution environments (such as TEE, SE and TPM) – has allowed these devices to achieve high-grade security without the need for a physically distinct token. This has already been recognized by the U.S. government and the European Banking Authority (EBA)
- As governments promote or require strong authentication, make sure it is the “right” authentication. Governments should not build rules around “old” authentication technologies that can hinder adoption by imposing significant costs and burdens on the user, nor should they build rules around authentication technologies that have security and privacy issues that put users at risk
Policymakers working on authentication requirements can request a briefing from the FIDO Alliance by filling out the form here.
FIDO Alliance Policy Documents
FIDO Alliance Input to the European Commission (September 2020):
In this input document, the FIDO Alliance comments on the European Commission’s (EC) Inception Impact Assessment regarding the future of eIDAS. FIDO Alliance comments in four areas for the EC’s consideration: 1. With regard to authentication – the EC should ensure that any LOA High solutions require high assurance authentication. 2. Extension of eIDAS to the private sector under Option 2 would be well-received by many companies. 3. All Europeans could benefit by creating new options for creating digital versions of physical identity documents. 4. Mutual recognition and re-use of pre-approved ID products.
FIDO Alliance Input to the National Institute of Standards and Technology (NIST) (August 2020):
In this input document, the FIDO Alliance comments on NIST’s Pre-Draft Call for Comments on Digital Identity Guidelines. FIDO Alliance offers comments in three areas for the NIST’s consideration: 1. Recognize changes in both threat and technology since the publication of SP 800-63-3. 2. AAL3 – explore new paths. 3. Reference to FIDO standards.
FIDO Alliance Input to the Drug Enforcement Administration (DEA) (June 2020):
In this input document, the FIDO Alliance comments on Docket No. DEA-218I, the Drug Enforcement Administration’s (DEA) Request for Comments on the Interim Final Rule for Electronic Prescriptions for Controlled Substances (EPCS). FIDO Alliance comments in four parts and are largely focused on the portions of the request for comment that focus on authentication requirements in the interim final rule: 1. Observations on current regulations and how technology has evolved over the last ten years. 2. An introduction to FIDO Authentication and FIDO Alliance certification programs. 3. Answers to specific DEA questions from the Request for Comments. 4. Suggestions on ways DEA can ensure revised EPCS regulations stay current as technology and threat evolve.
How FIDO Standards Meet PSD2’s Regulatory Technical Standards Requirements On Strong Customer Authentication (December 2018):
This document provides a detailed review of the security requirements listed in the Regulatory Technical Standards For Strong Customer Authentication and Common and Secure Open Standards Of Communication under PSD2 (the RTS) and describes how the FIDO standards meet such requirements.
FAQ on FIDO relevance for the GDPR (September 2018):
This document provides answers to questions on authentication, user consent, use of biometrics…in the context of the European General Data Protection Regulation. It shows how FIDO authentication can help service providers comply with the regulation.
FIDO Alliance Letter Regarding Payment Services Directive 2 (August 2017):
FIDO Alliance’s letter to European Commission and European Parliament on whether screen scraping should be allowed as a fallback option under PSD2
FIDO Alliance Input to the National Institute of Standards and Technology (NIST): Request for Information (RFI) on the Framework for Improving Critical Infrastructure Cybersecurity (April 2017):
In its input to NIST on the proposed changes to the Cybersecurity Framework, the FIDO Alliance recommends that NIST clarify their language and explicitly require MFA in the next update to the Framework. The Alliance urges NIST to add a new “authentication” sub-category to the Framework core with the recommendation that: “authentication of authorized users is protected by multiple factors.” Explicitly addressing MFA with this language is necessary to help government and industry address growing risks caused by weak authentication, and should be part of any proper update of the Framework.
Response to the European Banking Authority (EBA) Discussion Paper on Future Draft Regulatory Technical Standards on Strong Customer Authentication and Secure Communication Under the Revised Payment Services Directive (PSD2)
In this response to the EBA, the FIDO Alliance details how FIDO-compliant implementations that follow security best practices are ideal examples of what the EBA regulations for “strong customer authentication” under PSD2 are striving to foster: simpler, stronger authentication capabilities that merchants and consumers will adopt at scale. The response also describes how the EBA’s acceptance of FIDO’s public key cryptographic architecture, especially when combined with on-device biometrics, will reduce the vulnerability surface of their payment service providers — and presumably also reduce online fraud rates as a result — and accelerate overall online payment volume through reduced friction in the user experience.
Input to the Commission on Enhancing National Cybersecurity
In this input document, the FIDO Alliance makes three recommendations to the U.S. government for addressing cyberthreats: 1. Make it a national priority to replace passwords and other “shared secret” authentication approaches with more secure solutions. 2. Promote the use of new authentication standards such as FIDO as a best practice for authentication and 3. Accelerate the adoption of strong authentication through actions that will help create demand for these solutions.
FIDO Privacy: FIDO Alliance White Paper
This white paper describes how privacy has been taken into account in the design of the FIDO protocols, and how they can help meet privacy requirements from certain regulatory authorities.