This month, the Financial Action Task Force (FATF) released its final “Guidance on Digital Identity” for financial services regulators. FATF is a standards-making body composed of financial regulators from around the world who are charged with ensuring that the financial system is not used for money laundering, terrorist financing, or other illicit activities. Historically, FATF has focused on traditional banking, but as more and more financial services go digital, they have started focusing on digital identity as a key enabler of safe financial systems.
FATF Recommendations are the recognized standards for global anti-money laundering (AML) and counter-terrorist financing (CFT). That’s why it’s so important the final guidance recognizes FIDO Authentication in several places as an example of a best authentication practice.
The first important aspect to note is that the guidance incorporated authentication as an element of the customer due diligence (CDD) process, particularly when banks open new accounts for people with pre-existing digital identity credentials. This is the first time FATF has explicitly included authentication as part of CDD, which also speaks to broader market awareness of the imperative for sound user authentication. Secondly, FIDO is not only recognized as an acceptable form of authentication – it’s called out as a preferred approach vs. legacy authentication methods. Per the guidance:
“Passwords or passcodes, which are supposed to be “shared secret” knowledge authenticators, are vulnerable to brute-force login attacks, phishing attacks, and massive online data breaches, and are very easily defeated. Stolen, weak or default passwords are behind 81 percent of data breaches. Multi-factor authentication (MFA) solutions, such as SMS one-time codes texted to the subscriber’s phone, add another layer of security to passwords/passcodes but they can also be vulnerable to phishing and other attacks.
Phishing-resistant authenticators where at least one factor relies on public key encryption (e.g., authenticators built off PKI certificates or the FIDO standard) can help combat these vulnerabilities.”
This is significant recognition of not only the importance of authentication, but the weaknesses (i.e., phishability) of some legacy MFA technologies – and how these risks can be mitigated through the use of FIDO as high assurance authentication. It’s an important distinction that we hope banking regulators strongly evaluate when they are looking to craft new or updated rules on digital identity and authentication.
