As technology evolves, policy needs to evolve with it.
The global market is bursting with innovation around authentication technology – but some solutions are better equipped than others to meet the security and usability needs of government.
Through its working groups and member public policy leads, the FIDO Alliance engages in meaningful discussion with policymakers around the world on how FIDO specifications offer newer, better options for strong authentication, and recommends associated policy updates.
FIDO Alliance’s key points for policymakers include:
- Two-factor authentication no longer brings higher burdens or cost. While higher burdens and cost were true of older, traditional MFA technology, FIDO specifically addresses these cost and usability issues and enables simpler, stronger authentication capabilities that governments, businesses and consumers can easily adopt at scale.
- Technology is now mature enough to enable two secure, distinct authentication factors in a single device. The evolution of mobile devices – in particular, hardware architectures that offer highly robust and isolated execution environments (such as a Trusted Execution Environment (TEE), Secure Element (SE) or Trusted Platform Module (TPM)) – has allowed these devices to achieve high-grade security without the need for a physically distinct token. This has already been recognized by the U.S. government and the European Banking Authority (EBA).
- As governments promote or require strong authentication, they should make sure it is the “right” authentication. Governments should not build rules around “old” authentication technologies that can hinder adoption by imposing significant costs and burdens on the user, nor should they build rules around authentication technologies that have security and privacy issues that put users at risk.
Policymakers working on authentication requirements can request a briefing from the FIDO Alliance by filling out the form here.
Governments all around the world are deploying FIDO. Learn about them on the FIDO Government Deployments page.
FIDO Alliance Public Policy Submissions
FIDO Alliance Input to BRSA (January 2024): In this input document, the FIDO Alliance comments to Turkish Banking Regulation and Supervision Agency’s (BRSA) Circular 2023/1.
FIDO Alliance Input to NIST (January 2024): In this input document, the FIDO Alliance comments to NIST SP 800-171r3: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.
FIDO Alliance Input to the USG Proposed FAR Clauses for Contractors (November 2023): In this input document, the FIDO Alliance comments to FAR Case 2021–019: Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems.
FIDO Alliance Input to the New York Department of Financial Services (DFS) (August 2023):
In this input document, the FIDO Alliance comments to DFS – Revised Proposed 2nd Amendment to Regulation 23 NYCRR 500 – Cybersecurity Requirements for Financial Services Companies.
FIDO Alliance Input to NIST (June 2023):
In this input document, the FIDO Alliance comments to NIST – Identity and Access Management Roadmap (Draft).
FIDO Alliance Input to CFPB (January 2023):
In this input document, the FIDO Alliance comments to the CFPB – Small Business Advisory Review Panel on Required Rulemaking on Personal Financial Data Rights.
FIDO Alliance Input to DFS (January 2023):
In this input document, the FIDO Alliance comments to the DFS – Proposed Cybersecurity Requirements for Financial Services Companies – 23 NYCRR Part 500.
FIDO Alliance Input to DFS (August 2022):
In this input document, the FIDO Alliance comments to the DFS – Proposed Cybersecurity Requirements for Financial Services Companies.
FIDO Alliance Input to SEC (April 2022):
In this input document, the FIDO Alliance comments to the SEC – Proposed Cybersecurity Risk Management Rules for Investment Advisers, Registered Investment Companies, and Business Development Companies.
FIDO Alliance Input to FCC (November 2021):
In this input document, the FIDO Alliance comments to the FCC – NPRM on Rules to Prevent SIM Swapping and Port-Out Fraud.
FIDO Alliance Input to NIST (October 2021):
In this input document, the FIDO Alliance comments on NIST’s Consumer Labeling for IoT Devices.
FIDO Alliance Input to the European Commission (October 2021):
In this input document, the FIDO Alliance comments on the European Commission – using FIDO Standards in eIDAS 2.0.
FIDO Alliance Input to CISA (October 2021):
In this input document, the FIDO Alliance comments on the Draft Zero Trust Maturity Model and Cloud Security Technical Reference Architecture.
FIDO Alliance Input to OMB (September 2021):
In this input document, the FIDO Alliance comments on the Draft Federal Zero Trust Strategy published by the White House Office of Management and Budget (OMB).
FIDO Alliance Input to NIST (February 2021):
In this input document, the FIDO Alliance comments on NIST’s Draft Guidance for Federal Agencies and IoT Device Manufacturers.
FIDO Alliance Input to the Consumer Financial Protection Bureau (February 2021):
In this input document, the FIDO Alliance comments to the Consumer Financial Protection Bureau (CFPB) on Consumer Access to Financial Records.
FIDO Alliance Input to NIST (October 2020):
In this input document, the FIDO Alliance comments on NIST’s draft on Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management.
FIDO Alliance Input to the European Commission (September 2020):
In this input document, the FIDO Alliance comments on the European Commission’s (EC) Inception Impact Assessment regarding the future of eIDAS. The FIDO Alliance comments in four areas for the EC’s consideration: 1. With regard to authentication – the EC should ensure that any LOA High solutions require high-assurance authentication. 2. Extension of eIDAS to the private sector under Option 2 would be well received by many companies. 3. All Europeans could benefit from new options for creating digital versions of physical identity documents. 4. Mutual recognition and re-use of pre-approved ID products.
FIDO Alliance Input to the National Institute of Standards and Technology (NIST) (August 2020):
In this input document, the FIDO Alliance comments on NIST’s Pre-Draft Call for Comments on Digital Identity Guidelines. The FIDO Alliance offers comments in three areas for NIST’s consideration: 1. Recognize changes in both threat and technology since the publication of SP 800-63-3. 2. AAL3 – explore new paths. 3. Reference to FIDO standards.
FIDO Alliance Input to the Drug Enforcement Administration (DEA) (June 2020):
In this input document, the FIDO Alliance comments on Docket No. DEA-218I, the Drug Enforcement Administration’s (DEA) Request for Comments on the Interim Final Rule for Electronic Prescriptions for Controlled Substances (EPCS). The FIDO Alliance’s comments are in four parts and are largely focused on the portions of the request for comment that concern the authentication requirements in the interim final rule: 1. Observations on current regulations and how technology has evolved over the last ten years. 2. An introduction to FIDO Authentication and FIDO Alliance certification programs. 3. Answers to specific DEA questions from the Request for Comments. 4. Suggestions on ways DEA can ensure revised EPCS regulations stay current as technology and threats evolve.
How FIDO Standards Meet PSD2’s Regulatory Technical Standards Requirements On Strong Customer Authentication (December 2018):
This document provides a detailed review of the security requirements listed in the Regulatory Technical Standards For Strong Customer Authentication and Common and Secure Open Standards Of Communication under PSD2 (the RTS) and describes how the FIDO standards meet such requirements.
FAQ on FIDO relevance for the GDPR (September 2018):
This document provides answers to questions on authentication, user consent, the use of biometrics and related topics in the context of the European General Data Protection Regulation. It shows how FIDO authentication can help service providers comply with the regulation.
FIDO Alliance Letter Regarding Payment Services Directive 2 (August 2017):
The FIDO Alliance’s letter to the European Commission and European Parliament on whether screen scraping should be allowed as a fallback option under PSD2.
FIDO Alliance Input to the National Institute of Standards and Technology (NIST): Request for Information (RFI) on the Framework for Improving Critical Infrastructure Cybersecurity (April 2017):
In its input to NIST on the proposed changes to the Cybersecurity Framework, the FIDO Alliance recommends that NIST clarify its language and explicitly require MFA in the next update to the Framework. The Alliance urges NIST to add a new “authentication” sub-category to the Framework core with the recommendation that “authentication of authorized users is protected by multiple factors.” Explicitly addressing MFA with this language is necessary to help government and industry address the growing risks caused by weak authentication, and should be part of any proper update of the Framework.
Response to the European Banking Authority (EBA) Discussion Paper on Future Draft Regulatory Technical Standards on Strong Customer Authentication and Secure Communication Under the Revised Payment Services Directive (PSD2)
In this response to the EBA, the FIDO Alliance details how FIDO-compliant implementations that follow security best practices are ideal examples of what the EBA regulations for “strong customer authentication” under PSD2 are striving to foster: simpler, stronger authentication capabilities that merchants and consumers will adopt at scale. The response also describes how the EBA’s acceptance of FIDO’s public key cryptographic architecture, especially when combined with on-device biometrics, will reduce the vulnerability surface of their payment service providers — and presumably also reduce online fraud rates as a result — and accelerate overall online payment volume through reduced friction in the user experience.
FIDO Privacy: FIDO Alliance White Paper
This white paper describes how privacy has been taken into account in the design of the FIDO protocols, and how they can help meet privacy requirements from certain regulatory authorities.