1. The document discusses how KeyBank and Capital One are securing customer and employee digital identities and defeating fraud through modern FIDO authentication. 2. It describes both companies' strategies of using strong credentials to access resources and migrating customers to new authentication systems, driven by increases in account takeovers. 3. The document provides details on each company's implementation of FIDO2 authentication, including KeyBank accelerating deployment of FIDO2 authenticators on their commercial banking platform and Capital One separating authentication into desktop, VPN, and web app elements while enhancing employee verification.

1. © 2022 Yubico
1
KeyBank and ADP building secure
digital customer journeys
yubico
Perraju Nadakuduty
Distinguished Engineer,
Capital One
KeyBank and Capital One:
Securing identities and defeating fraud
with modern FIDO authentication
Christopher Nygard
Sr Information Security
Architect, KeyBank
Jerrod Chong
Chief Solutions
Officer, Yubico

2. © 2022 Yubico
2
Protect commercial client digital
journeys against account
takeovers using FIDO2 phishing-
resistant MFA
Secure enterprise user access to
all applications and data with
FIDO2 phishing-resistant
passwordless authentication
The Vision

3. © 2022 Yubico
3
Strategy: Use strong credentials to
access enterprise resources, and
reduce password usage
Strategy: Migrate commercial
customers to new authentication
orchestration system
The Driver: Uptick in account takeovers
1. VMware Modern Bank Heists 5.0, 2022
63%
of financial institutions
experienced an increase in
destructive attacks in 2022,
an increase of 17%
from 202111

4. 4
4
Aug 11 - Consumer Financial Protection Bureau states
MFA that provides insufficient protection against
credential phishing can trigger liability
“MFA solutions that protect
against credential phishing,
such as those using the Web
Authentication (FIDO)
standard supported by web
browsers, are especially
important.
Why FIDO?

5. Journey to phishing-resistant FIDO authentication
5
Initially rolled out MFA using multi-protocol support
tokens that supported FIDO, for future initiatives
As FIDO matured, management decided to move
forward with FIDO2/WebAuthn for passwordless
authentication
Decision to use documentation-based identity
proofing with FIDO for strong credentialing
KeyBank was in process of integrating a new
authentication orchestration system into
commercial banking platform
FIDO-based authenticators were already on
long-term roadmap
Accelerated deployment of FIDO2
authenticators due to fraud patterns, to protect
clients against this growing threat

6. 6
Capital One: Designing the right approach
6
Image Source: https://www.capitalone.com/about/corporate-information/
Separated journey into three elements:
Desktop, Network VPN, Web apps
Enhance employee verification (IDV) for
employee workforce
Evolve privileged access management
administration using FIDO2 for shared
secrets
Implement FIDO2 biometric authentication
for user agent access to PII and sensitive
data for regulatory compliance

7. © 2022 Yubico
Capital One: Designing the right approach
On-premises
Services
Web
Applications
VPN & Network Access
Critical Infrastructure
Elements (CLI etc.)
Privileged Access
Management
Application
Login
Maintain high assurance
for backup and recovery
+
Strong Binding
Employee ID
Proofing/Verification
Register FIDO
security key or
platform resident key

8. 8
KeyBank: Designing the right approach
8
Image Source: https://www.key.com/businesses-institutions/business-expertise/articles/avoid-being-duped-by-deepfakes.html
Impact to clients
Impact to contact center
Timeline for adoption
FIDO benefits against phishing
Opt-in or mandatory?

9. 9
Capital One: Recommendations
Have the right
documentation for
internal rollout
Internal users are fairly technically
savvy, reducing need for extensive
education and training, but the right
documentation helps
Design for
portability
Users use multiple systems and
devices, so build portability
mechanisms for FIDO credentials to
be used on multiple devices
Factor in compliance
requirements
Build technology reviews and audits
into project timelines. FIDO was
seen as a material tech change,
which called for higher scrutiny
Reuse existing
technology stacks
Leverage client-facing identity
verification processes internally
before issuing strong credentials
FIDO can solve
multiple business
problems
Strong identity verification and high
assurance of FIDO credentials can
solve multiple business scenarios—
easy password recovery, simplifies
privileged access management
Existing technology
stacks may need to be
refreshed
Work with partners and vendors to
upgrade existing technology stacks
to support FIDO

10. 10
KeyBank: Lessons learned and recommendations
10
Offer user
flexibility
There is no one size fits all.
Offer multiple FIDO options
such as security keys and
platform authenticators
Prepare for
resistance
Develop clear opt-out
process. Add mitigating
controls and additional fraud
monitoring
Choose a partner,
not just a product
Vendor should change
and improve based on
customer feedback
Prepare clients
Use multi-channel
communications, not
everyone reads email
Be prepared to
troubleshoot
FIDO is great when it works, but
not all scenarios are seamless
and can require troubleshooting
Don’t underestimate
education & training
Prepare client-facing resources.
Understand and document
support issues
Secure all FIDO
touchpoints
Ensure strong security for FIDO
registration and recovery flows
since that is where attackers
will go next

11. Thank you!
11