The Right Mix: Intuit’s Journey with FIDO Authentication

Millions of Intuit customers place their trust in Intuit to protect their sensitive information, and Intuit takes this responsibility very seriously. Insecure password-only authentication is a common practice in the industry; however, Intuit wanted to provide additional layers of security to protect their customers’ data that also wouldn’t add friction to the user experience. But as everyone in the security community knows, it is hard to come across a solution that can do both.

Intuit applied the best of both worlds working with Nok Nok Labs to deploy FIDO Authentication. Today, Intuit’s users sign into its portfolio of mobile apps seamlessly with unique biometric identifiers like their fingerprint or facial recognition patterns, or even your phone’s passcode. And Intuit’s login process isn’t just more convenient. It offers another level of security – thanks to FIDO Authentication.

Intuit’s Authentication Priorities

On its mission to implement a mobile authentication solution, Intuit identified three fundamental priorities:

1. User experience. Signing in on a mobile device using a password can be frustrating – it’s easy to make mistakes when typing on a mobile device. Intuit wanted the experience of signing in to the app to be frictionless for users.
   
   
2. Security. In today’s threat landscape, there are so many ways a hacker can take advantage of poor security in mobile devices and apps. While infrequent sign-ins are common, Intuit wanted to make the process so easy they could regularly sign users out and invalidate their tokens to help prevent unauthorized access to accounts without negatively impacting the user experience.
   
   
3. Account Takeover. Intuit is constantly using technology and techniques to minimize account takeover, and needed a solution that would help decrease these types of opportunities for hackers.

Finding the Right Security and Usability Balance

With standards already at the center of Intuit’s overall model for managing identity, FIDO Authentication fit right into that strategy. The company ultimately decided on the FIDO UAF biometrics standard for a passwordless authentication experience on mobile devices.

The FIDO protocols, including FIDO UAF, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometric information never leaves the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at log in, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

After making the decision to move forward with FIDO standards, Intuit evaluated vendors, educated internal customers, built out user experiences, migrated away from existing sign-in solutions and made adjustments to improve sign-in flow.

First, Intuit evaluated vendors based on criteria related to security, platform readiness, customer references and cost. The company decided to use Nok Nok Labs’s S3 Platform to implement their FIDO solution, then built a service on top of this and exposed it to internal customers using a mobile SDK for iOS and Android.

On the security side, the company reports that successful phishing attempts have greatly decreased since it’s rollout of FIDO Authentication. It has also seen notable improvements in usability with a significant 20% reduction in the time it takes a user to sign in on its mobile apps, and a 6% increase in login success rates – a huge gain in a space where moving the needle by a single point is very hard.

Because of its simpler user experience, FIDO also created opportunities for Intuit to enhance other security features. This includes asking the user to sign in more frequently, shortening the life of the authentication tokens and dramatically decreasing the potential attack surface. 

With such strong reports of success, Intuit has ingrained FIDO into its authentication roadmap and plans to implement another FIDO protocol, FIDO2, for sign-in experiences on the web. The company also plans to enhance a number of step up flows, tests of user presence, and others such as phone push notifications with FIDO Authentication.

Intuit Insights: Advice for Rolling out FIDO Authentication

1. Consider outsourcing components of the solution as needed. If outsourcing, evaluate vendors based on criteria related to security, platform readiness, customer references and cost
   
   
2. Have clear, well-defined goals in terms of reduction in abuse and improvements in user experience
   
   
3. Consider the implications on your current analytics frameworks, and how a FIDO passwordless sign in will change the way you measure conversion
   
   
4. Have a careful plan to migrate mobile apps from a local PIN or biometric challenge to unlock the app to FIDO to sign in 
   
   
5. Educate product managers, engineers, customer care agents and others within your organization on what FIDO Authentication is, how it is different from using biometric challenges to unlock an app, the potential benefits for security, user experience and conversion
   
   
6. Consider a progressive approach to registration; that is, build registration flows where people provide their biometric challenge in a way that can be presented after subsequent sign- ins to minimize friction
   
   
7. Plan a simulation or pre-launch of the new registration and sign in process to work out any kinks before rolling out to your wider customer base
   
   
8. Pair your FIDO implementation with a plan to shorten security token lifetimes to realize the full security benefits 
   
   
9. Plan for scalability, high availability and disaster recovery, especially if you are moving the service to the cloud

View the Intuit Deployment Case Study PDF document here.