The FIDO Alliance will develop a new technical specification into its FIDO authentication suite to fulfill use cases provided by EMVCo. The specification will provide a standard way for mobile wallet providers and payment application developers to support Consumer Device Cardholder Verification Method (CDCVM), enabling consumers to conveniently use on-device FIDO Certified authenticators — such as a fingerprint or “selfie” biometrics — to securely verify their presence when making an in-store or in-app mobile payment.
To enable this capability, the new FIDO Alliance specification will be developed as an extension specification to the Web Authentication specification already in development by the World Wide Web Consortium (W3C). The Web Authentication specification, based on three technical specifications submitted by the FIDO Alliance last year, will define a standard web API to enable web applications to move beyond passwords and offer FIDO strong authentication across all web browsers and related web platform infrastructure. With this new specification, the same FIDO-compliant devices used to authenticate users on the web will also be able to fulfill payment networks’ CDCVM requirements for mobile payment, giving device manufacturers yet another reason to ship their devices with support for FIDO authentication.
For mobile wallet providers and payment application developers, the development of this specification intends to greatly simplify the development and support for CDCVM across mobile devices and other platforms.
“Today, mobile wallet providers and payment application developers need to custom-build support for CDCVM across mobile devices. This is a huge challenge given the fragmentation in the mobile ecosystem — there are more than a thousand manufacturers for Android alone,” said Brett McDowell, executive director of the FIDO Alliance. “This new specification will enable mobile payment stakeholders to FIDO-enable their applications and get the added benefit of built-in support for CDCVM on every FIDO-compliant mobile device. The mobile industry is rapidly adopting FIDO authentication, with FIDO Certified solutions already available on flagship mobile devices from six of the top 10 mobile handset manufacturers.”
The new FIDO specification will also add another layer of convenience to the consumer mobile payment experience by providing mobile payment applications with additional risk management information, ultimately reducing the number of times that a consumer needs to authenticate themselves in order to approve a payment within a given time period. For example, when the mobile payment application calls the FIDO authenticator, it can check the last time the user was verified by the authenticator. If that falls within the requirements for CDCVM, the payment will be authorized without any additional interaction with the user. The FIDO Alliance also sees the potential for this capability to be extended to use cases beyond payments, including for VPN access, rights managements and workflow management.
W3C Strategy Lead Wendy Seltzer commented, “W3C is pleased to support this FIDO Alliance extension as yet another example of the growing and vibrant authentication ecosystem enabled through our Web Authentication API, currently under development by the WebAuthn Working Group.”
Brett McDowell made this announcement this morning at Money20/20, being held this week through Oct. 26 in Las Vegas. Attendees looking to learn more about the FIDO Alliance’s efforts to help the financial services industry deploy stronger, simpler authentication should stop by the FIDO Ecosystem Pavilion on the show floor, booth #2843.