March 18, 2020

Financial Action Task Force Guidance Points to FIDO as Preferred Approach to Combat Authentication Vulnerabilities

This month, the Financial Action Task Force (FATF) released its final “Guidance on Digital Identity” for financial services regulators. FATF is a standards-making body composed of financial regulators from around the world who are charged with ensuring that the financial system is not used for money laundering, terrorist financing, or other illicit activities. Historically, FATF has focused on traditional banking, but as more and more financial services go digital, they have started focusing on digital identity as a key enabler of safe financial systems.

FATF Recommendations are the recognized standards for  global anti-money laundering (AML) and counter-terrorist financing (CFT). That’s why it’s so important the final guidance recognizes FIDO Authentication in several places as an example of a best authentication practice. 

The first important aspect to note is that the guidance incorporated authentication as an element of the customer due diligence (CDD) process, particularly when banks open new accounts for people with pre-existing digital identity credentials. This is the first time FATF has explicitly included authentication as part of CDD, which also speaks to broader market awareness of the imperative for sound user authentication. Secondly, FIDO is not only recognized as an acceptable form of authentication – it’s called out as a preferred approach vs. legacy authentication methods. Per the guidance:

Passwords or passcodes, which are supposed to be “shared secret” knowledge authenticators, are vulnerable to brute-force login attacks, phishing attacks, and massive online data breaches, and are very easily defeated. Stolen, weak or default passwords are behind 81 percent of data breaches.  Multi-factor authentication (MFA) solutions, such as SMS one-time codes texted to the subscriber’s phone, add another layer of security to passwords/passcodes but they can also be vulnerable to phishing and other attacks.

Phishing-resistant authenticators where at least one factor relies on public key encryption (e.g., authenticators built off PKI certificates or the FIDO standard) can help combat these vulnerabilities.

This is significant recognition of not only the importance of authentication, but the weaknesses (i.e., phishability) of some legacy MFA technologies – and how these risks can be mitigated through the use of FIDO as high assurance authentication. It’s an important distinction that we hope banking regulators strongly evaluate  when they are looking to craft new or updated rules on digital identity and authentication. 

Read the full FATF Recommendations here

MORE Announcements


The IoT Security Foundation and FIDO Alliance Announce Collaboration to Eliminate Passwords in IoT

Release Date: January 5th 2021 Today, the IoT Security Foundation...

January 12, 2021

FIDO Certified Servers: Updates for Processing Current Metadata Statements

Yuriy Ackermann, Certification Technical Manager, FIDO Alliance With the advancement...

December 22, 2020

2020 FIDO Hackathon in Korea: Introducing the Top 5 Winners

Joon Hyuk Lee, APAC Market Development Director, FIDO Alliance Editor’s...

December 17, 2020

E-Commerce Magazine: More than one out of two French people give up on their online purchase because of passwords

According to the latest report by the FIDO Alliance, consumer...

December 10, 2020
Download Specs
Sign up for updates!Get news from FIDO Alliance in your inbox.

By submitting this form, you are consenting to receive communications from: FIDO Alliance, 3855 SW 153rd Drive, Beaverton, OR 97003, US, http://www.fidoalliance.org. You can revoke your consent to receive emails at any time by using the unsubscribe link found at the bottom of every email.