4. 4
4
Aug 11 - Consumer Financial Protection Bureau states
MFA that provides insufficient protection against
credential phishing can trigger liability
“MFA solutions that protect
against credential phishing,
such as those using the Web
Authentication (FIDO)
standard supported by web
browsers, are especially
important.
Why FIDO?
5. Journey to phishing-resistant FIDO authentication
5
Initially rolled out MFA using multi-protocol support
tokens that supported FIDO, for future initiatives
As FIDO matured, management decided to move
forward with FIDO2/WebAuthn for passwordless
authentication
Decision to use documentation-based identity
proofing with FIDO for strong credentialing
KeyBank was in process of integrating a new
authentication orchestration system into
commercial banking platform
FIDO-based authenticators were already on
long-term roadmap
Accelerated deployment of FIDO2
authenticators due to fraud patterns, to protect
clients against this growing threat
6. 6
Capital One: Designing the right approach
6
Image Source: https://www.capitalone.com/about/corporate-information/
Separated journey into three elements:
Desktop, Network VPN, Web apps
Enhance employee verification (IDV) for
employee workforce
Evolve privileged access management
administration using FIDO2 for shared
secrets
Implement FIDO2 biometric authentication
for user agent access to PII and sensitive
data for regulatory compliance
8. 8
KeyBank: Designing the right approach
8
Image Source: https://www.key.com/businesses-institutions/business-expertise/articles/avoid-being-duped-by-deepfakes.html
Impact to clients
Impact to contact center
Timeline for adoption
FIDO benefits against phishing
Opt-in or mandatory?
9. 9
Capital One: Recommendations
Have the right
documentation for
internal rollout
Internal users are fairly technically
savvy, reducing need for extensive
education and training, but the right
documentation helps
Design for
portability
Users use multiple systems and
devices, so build portability
mechanisms for FIDO credentials to
be used on multiple devices
Factor in compliance
requirements
Build technology reviews and audits
into project timelines. FIDO was
seen as a material tech change,
which called for higher scrutiny
Reuse existing
technology stacks
Leverage client-facing identity
verification processes internally
before issuing strong credentials
FIDO can solve
multiple business
problems
Strong identity verification and high
assurance of FIDO credentials can
solve multiple business scenarios—
easy password recovery, simplifies
privileged access management
Existing technology
stacks may need to be
refreshed
Work with partners and vendors to
upgrade existing technology stacks
to support FIDO
10. 10
KeyBank: Lessons learned and recommendations
10
Offer user
flexibility
There is no one size fits all.
Offer multiple FIDO options
such as security keys and
platform authenticators
Prepare for
resistance
Develop clear opt-out
process. Add mitigating
controls and additional fraud
monitoring
Choose a partner,
not just a product
Vendor should change
and improve based on
customer feedback
Prepare clients
Use multi-channel
communications, not
everyone reads email
Be prepared to
troubleshoot
FIDO is great when it works, but
not all scenarios are seamless
and can require troubleshooting
Don’t underestimate
education & training
Prepare client-facing resources.
Understand and document
support issues
Secure all FIDO
touchpoints
Ensure strong security for FIDO
registration and recovery flows
since that is where attackers
will go next
Enhance IDV from consumer process to their employee lifecyle
Question
You can register the platform built-in after IDV, as the first FIDO credential, but when you have to bootstrap the next platform built-in authenticator (another laptop for example), how would you do this without a portable security key?