While more people are shopping online, they are increasingly concerned about their digital security. Might passkeys be the answer? Quintin Stephen believes they will help.
Stephen is the global business lead and director of authentication for Giesecke and Devrient (G+D), a global security tech company based in Munich. He said his customers are seeing significant increases in fraud, and it’s becoming more sophisticated.
When the European Union issued the Revised Directive on Payment Services (PSD2), it required payment service providers in the European Economic Area to apply strong customer authentication (SCA) to electronic payments and account access. Similar requirements are being adopted across the globe.
That means multi-factor authentication: at least two independent factors drawn from something you know (passwords, PINs), something you have (a physical object such as a phone) and something you are (a biometric such as a fingerprint or face).
How fraud is evolving
Stephen is seeing more sophisticated fraud campaigns, and they differ by region. In India, call centers are staffed with people who spend their days phoning targets while posing as law enforcement officers and claiming that a harassment suit has been filed against them. If the target pays, the case goes away.
In the United Kingdom, people might get calls from someone claiming to be from their bank. In both the Indian and U.K. cases, scammers build rapport with their targets.
Indian fraudsters also build fake websites that closely mimic a company's real site. The domain name may be only a letter off, but the page looks official enough that people transact with it. When the target is a bank, the fake site captures the login credentials and the fraudsters use them to empty the account.
Stephen also sees more instances where criminal organizations use data from credit bureaus to build profiles of people. They go from bank to bank, attempting to open accounts and obtain credit cards in those names. Once an application is approved, they max out the card and disappear.
How AI helps the passkey push
The pandemic was an obvious push for digitization. Stephen believes fraudsters have worked out the vulnerabilities that digitization introduced and are beginning to capitalize on them.
Artificial Intelligence (AI) has brought good and bad. It lets fraudsters identify weaknesses in systems more quickly.
But companies can use the same tools to protect themselves. Rules-based fraud engines augmented with AI pick up new patterns and trends faster, so the weaknesses behind them get fixed sooner.
“From an AI perspective, obviously, the smarter we get in authentication, the less risk of being compromised,” Stephen said. “If we get away from passwords, if we get away from data that can be vulnerable, obviously, that reduces the risk.”
Passkeys explained
One way to reduce risk is through the use of passkeys. Stephen said they're not new. The FIDO Alliance, an open industry association whose goal is to reduce reliance on passwords, has used the term for a while; passkeys are FIDO credentials built on the FIDO2/WebAuthn standards. The alliance's main strategy is to develop open standards for authentication and device attestation and to certify products that comply with them.
After 75 years or so, Stephen said it’s time to bid passwords adieu.
“It’s a technology that probably started in the 50s,” he noted. “It’s something that we’ve carried along with us. But if you look at where we are today, with scalable attacks on databases, and the fact that people recycle passwords, all this leads to creating environments that introduce risk into the system.”
A passkey is a public/private key pair rather than a stored secret. The private key is generated and kept on the user's device in a trusted environment (a secure enclave or similar hardware) and never leaves it. The biometric, a fingerprint or face, is only what unlocks that key: the user presents a fingerprint or a face scan, the device compares it against a template stored locally, and neither the biometric nor the template is ever sent to a server. A device PIN can play the same role.
The matching public key is registered with the backend server, say, a merchant's. At login the server sends a random challenge, the device signs it with the private key once the user has been verified, and the server checks the signature with the stored public key. Identities are verified locally but authenticated against those servers. Because the key pair is bound to the website's domain, a lookalike domain cannot obtain a valid signature from it, which removes the credential-phishing route described above.
Different passkey security options
A user's passkey can also be synced to their other devices through the platform's credential manager, so if that user switches from a phone to a laptop, they don't have to re-register.
“That is a big step forward from a specialist perspective,” Stephen said. “That public key… there’s nothing you could really do with it. And it’s an enormous amount of convenience. If I don’t go onto a website often, I don’t have to remember the password. All my devices would have that single passkey.”
That synced approach might not suffice in jurisdictions that require stronger (usually two-factor) authentication. The first factor can be the biometric that unlocks the key, but the second is either something you know or something you have, like the device itself.
That second ingredient is what a device-bound passkey provides: the private key cannot be copied off the device it was created on, so possession of that device is assured. Device-bound passkeys are popular with banks because they meet the compliance standards of more stringent countries.
“There is absolutely no difference to the customer,” Stephen said. “The only difference is if I register on my phone, I can’t then go on to my iPad and use the passkey. I need to have a second passkey on my iPad.”
The FIDO Alliance promotes passkey use
That combats a common account takeover technique. Fraudsters often register a second device: if they obtain your username and password, they install the bank's app on their own phone, log in with the stolen credentials and enroll it, then take over the account. With a device-bound passkey there is no password for them to use, and the private key cannot be copied to their device.
Fraud prevention is a continuous cat-and-mouse game. Just as the good side catches up, the bad one pivots. As computing power increases, this cycle will only accelerate, bringing with it increased risk.
“That’s the benefit of the FIDO Alliance,” Stephen said. “You have the smartest people working on this authentication challenge continuously. You’ve got the Googles, Microsofts, Apples, Mastercards, Visas, Samsungs, all of them in there.”