Financial Action Task Force Guidance Points to FIDO as Preferred Approach to Combat Authentication Vulnerabilities
This month, the Financial Action Task Force (FATF) released its final “Guidance on Digital Identity” for financial services regulators. FATF is a standards-making body composed of financial regulators from around the world who are charged with ensuring that the financial system is not used for money laundering, terrorist financing, or other illicit activities. Historically, FATF has focused on traditional banking, but as more and more financial services go digital, they have started focusing on digital identity as a key enabler of safe financial systems.
FATF Recommendations are the recognized standards for global anti-money laundering (AML) and counter-terrorist financing (CFT). That’s why it’s so important the final guidance recognizes FIDO Authentication in several places as an example of a best authentication practice.
The first important aspect to note is that the guidance incorporated authentication as an element of the customer due diligence (CDD) process, particularly when banks open new accounts for people with pre-existing digital identity credentials. This is the first time FATF has explicitly included authentication as part of CDD, which also speaks to broader market awareness of the imperative for sound user authentication. Secondly, FIDO is not only recognized as an acceptable form of authentication – it’s called out as a preferred approach vs. legacy authentication methods. Per the guidance:
“Passwords or passcodes, which are supposed to be “shared secret” knowledge authenticators, are vulnerable to brute-force login attacks, phishing attacks, and massive online data breaches, and are very easily defeated. Stolen, weak or default passwords are behind 81 percent of data breaches. Multi-factor authentication (MFA) solutions, such as SMS one-time codes texted to the subscriber’s phone, add another layer of security to passwords/passcodes but they can also be vulnerable to phishing and other attacks.
Phishing-resistant authenticators where at least one factor relies on public key encryption (e.g., authenticators built off PKI certificates or the FIDO standard) can help combat these vulnerabilities.”
This is significant recognition of not only the importance of authentication, but the weaknesses (i.e., phishability) of some legacy MFA technologies – and how these risks can be mitigated through the use of FIDO as high assurance authentication. It’s an important distinction that we hope banking regulators strongly evaluate when they are looking to craft new or updated rules on digital identity and authentication.
Read the full FATF Recommendations here.
Authenticate Virtual Summit: The Imperative for Strong Authentication for Government Services
Authentication plays an increasingly important role in how governments are...September 24, 2021
FIDO Alliance Announces Speakers for Authenticate Virtual Summit, “The Imperative for Strong Authentication for Government Services”
September 23 event features executives from Akamai, GSA, IRS, NHS,...August 31, 2021
Amazon is Giving Free FIDO Security Keys to AWS Customers to Encourage Better Account Security
By Andrew Shikiar, Executive Director & CMO, FIDO Alliance Leaders...August 30, 2021