March 18, 2020

Financial Action Task Force Guidance Points to FIDO as Preferred Approach to Combat Authentication Vulnerabilities

This month, the Financial Action Task Force (FATF) released its final “Guidance on Digital Identity” for financial services regulators. FATF is a standards-making body composed of financial regulators from around the world who are charged with ensuring that the financial system is not used for money laundering, terrorist financing, or other illicit activities. Historically, FATF has focused on traditional banking, but as more and more financial services go digital, it has started focusing on digital identity as a key enabler of safe financial systems.

FATF Recommendations are the recognized standards for global anti-money laundering (AML) and counter-terrorist financing (CFT). That’s why it’s so important that the final guidance recognizes FIDO Authentication in several places as an example of best authentication practice.

The first important aspect to note is that the guidance incorporates authentication as an element of the customer due diligence (CDD) process, particularly when banks open new accounts for people with pre-existing digital identity credentials. This is the first time FATF has explicitly included authentication as part of CDD, which also speaks to broader market awareness of the need for sound user authentication. Secondly, FIDO is not only recognized as an acceptable form of authentication; it is called out as a preferred approach over legacy authentication methods. Per the guidance:

Passwords or passcodes, which are supposed to be “shared secret” knowledge authenticators, are vulnerable to brute-force login attacks, phishing attacks, and massive online data breaches, and are very easily defeated. Stolen, weak or default passwords are behind 81 percent of data breaches.  Multi-factor authentication (MFA) solutions, such as SMS one-time codes texted to the subscriber’s phone, add another layer of security to passwords/passcodes but they can also be vulnerable to phishing and other attacks.

Phishing-resistant authenticators where at least one factor relies on public key encryption (e.g., authenticators built off PKI certificates or the FIDO standard) can help combat these vulnerabilities.

This is significant recognition not only of the importance of authentication, but of the weakness (i.e., phishability) of some legacy MFA technologies, and of how these risks can be mitigated through the use of FIDO as high-assurance authentication. The distinction matters in practice: a one-time code is a shared secret that the user can be tricked into handing to an attacker, who then replays it to the real service; a FIDO assertion is a signature over a server-issued challenge and the origin the browser observed, so a relayed assertion fails verification at the relying party. It’s an important distinction that we hope banking regulators strongly evaluate when they are looking to craft new or updated rules on digital identity and authentication.

Read the full FATF Recommendations here
