This month, the Financial Action Task Force (FATF) released its final “Guidance on Digital Identity” for financial services regulators. FATF is a standards-making body composed of financial regulators from around the world who are charged with ensuring that the financial system is not used for money laundering, terrorist financing, or other illicit activities. Historically, FATF has focused on traditional banking, but as more and more financial services go digital, they have started focusing on digital identity as a key enabler of safe financial systems.

FATF Recommendations are the recognized standards for  global anti-money laundering (AML) and counter-terrorist financing (CFT). That’s why it’s so important the final guidance recognizes FIDO Authentication in several places as an example of a best authentication practice. 

The first important aspect to note is that the guidance incorporated authentication as an element of the customer due diligence (CDD) process, particularly when banks open new accounts for people with pre-existing digital identity credentials. This is the first time FATF has explicitly included authentication as part of CDD, which also speaks to broader market awareness of the imperative for sound user authentication. Secondly, FIDO is not only recognized as an acceptable form of authentication – it’s called out as a preferred approach vs. legacy authentication methods. Per the guidance:

Passwords or passcodes, which are supposed to be “shared secret” knowledge authenticators, are vulnerable to brute-force login attacks, phishing attacks, and massive online data breaches, and are very easily defeated. Stolen, weak or default passwords are behind 81 percent of data breaches.  Multi-factor authentication (MFA) solutions, such as SMS one-time codes texted to the subscriber’s phone, add another layer of security to passwords/passcodes but they can also be vulnerable to phishing and other attacks.

Phishing-resistant authenticators where at least one factor relies on public key encryption (e.g., authenticators built off PKI certificates or the FIDO standard) can help combat these vulnerabilities.

This is significant recognition of not only the importance of authentication, but the weaknesses (i.e., phishability) of some legacy MFA technologies – and how these risks can be mitigated through the use of FIDO as high assurance authentication. It’s an important distinction that we hope banking regulators strongly evaluate  when they are looking to craft new or updated rules on digital identity and authentication. 

Read the full FATF Recommendations here


More

Recap: Virtual Summit: Demystifying Passkey Implementations

By: FIDO staff Passkeys hold the promise of enabling simpler, strong authentication. But first organizations,…

Read More →

EMVCo and FIDO Alliance Provide Essential Guidance on Use of FIDO with EMV 3DS

As leaders in authentication and payments spaces respectively, the FIDO Alliance and EMVCo collaborate to…

Read More →

FIDO Alliance Announces Call for Speakers and Sponsors for FIDO APAC Summit 2024

February 21, 2024 The FIDO Alliance is excited to announce the return of the FIDO…

Read More →


12361 Next