Published: 06/02/2025

Passkey authentication helps combat fraud
While users may love their passwords, so do fraudsters. Yet the need for authentication online keeps growing. Securing identities online will require more than just longer passwords: biometrics and passkeys are the way of the future.
Since its inception, the guiding rule of the internet has been to protect the user’s privacy and anonymity. This has been critical to its explosive success from the beginning. But, as online use expanded, and use cases with it, an issue has arisen: how does anyone prove their identity online? Relatedly, how does that person authenticate their identity?
If the distinction isn’t clear, let an expert spell it out. “‘Who am I, and how do I prove it to other people?’ That is the first question, which is the issue of identity,” said Quintin Stephen, Global Business Lead, Authentication at G+D Netcetera. “The second equally important question is, ‘How do I continuously reconfirm that this person, this person online, is me?’ That is authentication.”
As Stephen pointed out, identity and authentication take place at every step of our lives, not just online. When a police officer asks for your license, they are authenticating that you are who you say you are. This process is ubiquitous, but the nature of the online world and the explosion of threats make dynamic solutions imperative.
There is a financial cost to these threats. A recent study forecast global e-commerce fraud to exceed $107 billion by 2029.1 As our online footprint has expanded, so have the things we pay for there; indeed, very little happens online without some form of payment, and the risk of having information or passwords stolen has never been higher. The future in tackling these threats lies in the widespread adoption of biometrics, dynamic cryptography, and a passkey infrastructure built on public-private key pairs that is available to everyone, without compromising on data privacy. “This is all within G+D’s area of expertise,” smiled Stephen.
But to understand why they are required, let’s consider why what came before is no longer enough.
How a passkey is enrolled, in three steps:
- An account is created and verified by a bank through an identity check.
- A biometric template is created on the customer’s phone and stored securely on the device. Using G+D’s SDK, this is combined with information from the bank’s app and from the device itself.
- With that information, a public-private key pair is created. The public key is sent to the bank’s backend, while the private key stays in the trusted execution environment provided by the device’s operating system.
The problem with passwords
The problem is quite simple: how do we secure identities in the digital world, and authenticate them? “Fraudsters at the moment are really leveraging this weakness and attacking it, either through hacks, attacking the infrastructure to get to critical information, or scamming people to share information, willingly or unwillingly,” said Stephen.
Bad actors target other people’s information so they can replicate or otherwise use their identities fraudulently. The internet’s first authentication mechanism was a username and password. Unfortunately, repeating or recycling passwords is just human nature. (Using your pet’s name as a password really isn’t enough!) A fraudster needs to see a password only once before trying it across other platforms. They don’t need to find a way through the most secure environment, such as a bank’s systems; they target the weakest link, the customer’s password itself. A customer may use the same password for an online shop as for their bank, and from there, taking over that person’s bank accounts is just one step away.
Think of the steps you take to secure your identity as knowledge factors, said Stephen. “A password was the internet’s first knowledge factor. Then passwords got stronger, but computing power kept pace. The second knowledge factor was an OTP. But that can be phished too, through rogue applications and the like. The issue is that both passwords and OTPs are very phishable pieces of information.”

Fresh phish every day
Broadly speaking, there are three kinds of authentication factors in use today. Used in combination, they constitute multi-factor authentication (MFA). These are:
- Something you know: a password.
- Something you are: a biometric, which cannot be easily phished or copied.
- Something you have: a possession factor such as a mobile device holding a passkey.
While the first factor in this system is fully phishable, as we have seen, the new direction in MFA is towards factors that cannot be phished or otherwise captured from the user. In real terms, this means moving away from a human-readable knowledge factor to a possession factor and a biometric factor.
The goal is to be phishing-resistant, Stephen pointed out. Get rid of passwords and OTPs completely. Phishing is the most prevalent attack vector, and it is becoming more sophisticated and harder to recognize.
“With advances in technology, especially generative AI, it is becoming very difficult to identify a phishing attack. How an email is addressed, how a website looks, or even AI-generated fake voices: it is incredibly sophisticated now,” said Stephen. In fact, a recent survey found that over 50% of respondents reported both a growth in suspicious communications and more sophisticated attempts to phish their data.2
How can the average user identify a phishing attempt? “In general, there are still some telltale signs,” said Stephen.
- The communication is not addressed to the user personally.
- The message is vague on personal details, such as an account number or other identifying information.
- It creates a sense of urgency.
- It promises something that is too good to be true.
An industry-wide alliance
Recent regulatory trends are hastening the adoption of more secure authentication practices within the finance industry. In Europe, regulations such as the Payment Services Directive 2 (PSD2, and soon PSD3) are moving to protect users by making banks and other financial service providers liable for losses from fraudulent attacks, as is already the case in Germany unless the customer acted negligently.
“A bank’s customers are used to usernames and passwords and an OTP. Changing that behavior takes time. But it’s worth the effort,” said Stephen. It helps when banks and other institutions come together to tackle such threats, pooling their knowledge and resources.
The FIDO Alliance spans entities with an interest in authentication, including financial institutions, large technology companies, payments leaders, and original equipment manufacturers. Members include Meta, Amazon, Visa, Mastercard, PayPal, Apple, and Google, leading banks from around the world, and governmental stakeholders from countries such as the USA and Germany; G+D is also a long-standing member. The Alliance is committed to setting technical specifications that reduce reliance on passwords in authentication. Specifically, it focuses on passkeys as a phishing-resistant measure.

Device cure
“Think of the public and private keys that comprise a passkey as a lock and key,” explained Stephen. “A transaction only works when they’re both used together.” The passkey is bound to a particular device, which is the possession factor. (A cloud-based variant also exists.)
No transaction will work unless both keys slot together. From a data privacy standpoint, stressed Stephen, the user is safe: the biometric template is not held in a database in some remote location. It is on their phone, and nowhere else. The private key is likewise stored on the device, in a secure environment provided by the mobile operating system, whether iOS or Android.
When the user wants to transact, they might be asked for a biometric verification, whether a fingerprint or a face scan. There are multiple steps to authentication, but they take milliseconds. All the user sees is the prompt to authenticate themselves biometrically. The entire experience is as easy as logging into their phone.
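The enrollment steps listed earlier (identity check, key pair created on the device, public key to the backend, private key kept in the device’s secure environment) and the lock-and-key exchange Stephen describes here can be put together as a single protocol run. The example below is added for this page; it is not G+D’s SDK, not FIDO Alliance reference code, and not code from the article. It models a FIDO-style registration and challenge-response assertion in Go. The relying-party ID "bank.example", its origin "https://bank.example", the look-alike "https://bank-example.com" used as the phishing site, the ed25519 signature scheme, and the Authenticator and RelyingParty names are all assumptions made here. The biometric check that unlocks the private key is out of scope; what the run shows is what that unlock releases: a signature over a one-time challenge bound to the origin the browser is on, and why a look-alike domain gets neither that signature nor any use from a captured one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is assembled by the browser; it ties the signature to a one-time challenge and the origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url
	Origin    string `json:"origin"`
}

// Assertion is the signed login response; AuthData is sha256(rpID) || flags || counter.
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Authenticator models the phone: one private key per relying-party ID, never exported.
type Authenticator map[string]ed25519.PrivateKey

// RelyingParty models the bank backend for one user: its public key and single-use challenges.
type RelyingParty struct {
	ID, Origin string
	pub        ed25519.PublicKey
	challenges map[string]bool
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, challenges: map[string]bool{}}
}

// Register is enrollment: a key pair bound to rp.ID is created on the device; only the public half leaves it.
func (a Authenticator) Register(rp *RelyingParty) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a[rp.ID] = priv
	rp.pub = pub
	return nil
}

// NewChallenge issues 32 random bytes and remembers them until they are used once.
func (rp *RelyingParty) NewChallenge() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(raw)
	rp.challenges[c] = true
	return c, nil
}

// Assert is login on the device. The browser derives rpID from the page origin, so a look-alike
// domain finds no key and nothing is signed: that is what makes the possession factor phishing-resistant.
func (a Authenticator) Assert(rpID, origin, challenge string) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for rpID %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	authData := append(rpHash[:], 0x05, 0, 0, 0, 1) // flags: user present + verified; counter 1
	sig := ed25519.Sign(priv, append(append([]byte{}, authData...), cdHash[:]...))
	return &Assertion{authData, cd, sig}, nil
}

// Verify is the backend check. The challenge is consumed on success, so a replayed assertion fails.
func (rp *RelyingParty) Verify(as *Assertion) error {
	var cd clientData
	rpHash, cdHash := sha256.Sum256([]byte(rp.ID)), sha256.Sum256(as.ClientDataJSON)
	msg := append(append([]byte{}, as.AuthData...), cdHash[:]...)
	switch {
	case json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get":
		return errors.New("malformed client data")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: %s", cd.Origin)
	case !rp.challenges[cd.Challenge]:
		return errors.New("unknown or already-used challenge")
	case len(as.AuthData) < 32 || string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpID hash mismatch")
	case len(rp.pub) != ed25519.PublicKeySize || !ed25519.Verify(rp.pub, msg, as.Signature):
		return errors.New("no credential enrolled or bad signature")
	}
	delete(rp.challenges, cd.Challenge)
	return nil
}

func main() {
	// Constructed scenario (assumed names): a bank, the user's phone, and a look-alike phishing domain.
	bank := NewRelyingParty("bank.example", "https://bank.example")
	phone := Authenticator{}
	phone.Register(bank)
	c, _ := bank.NewChallenge()
	as, _ := phone.Assert("bank.example", "https://bank.example", c)
	fmt.Println("legitimate login:", bank.Verify(as), "| replay:", bank.Verify(as))
	_, err := phone.Assert("bank-example.com", "https://bank-example.com", c)
	fmt.Println("phishing site:", err)
}
```

Three things in the run carry the security argument: the authenticator indexes keys by relying-party ID, so the look-alike domain has nothing to sign with; the origin is inside the signed client data, so relaying a genuine assertion to the wrong site fails verification; and the backend deletes the challenge once used, so a captured assertion cannot be replayed. A production WebAuthn stack adds attestation, signature counters and user-verification policy on top of this skeleton.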
This scenario may seem weighted towards making the user experience as frictionless as possible. However, banks also have to navigate a regulatory environment where they are increasingly liable for losses due to fraudulent activity. It is clear that all parties must be protected from attack and fraud.
Security by design is of the essence. Equally, the user experience must be as painless as possible.
Finding the sweet spot between all these imperatives requires experience and expertise. Finding the right partner is critical. With its unmatched background and track record across SecurityTech, in payments and authentication, G+D is well placed to be that partner.

Key takeaways
- Passwords and OTPs are easily phishable.
- Passkeys and biometrics are the future of authentication.
- The regulatory environment is pushing the payments industry toward more concerted efforts to secure authentication: the FIDO Alliance is one response.
1. eCommerce fraud to exceed $107 billion by 2029, Juniper Research, 2024
2. 2023 Online Authentication Barometer, FIDO Alliance, October 2023