U.S. merchants, banks and consumers took a big step toward increased security and fraud protection in 2014 with the move to the newer embedded-chip credit card (EMV) system. The chips store transaction and identity-verification data that is more difficult to steal or counterfeit.
However, some concerns remain. For one thing, the U.S. has not adopted the chip-and-PIN standard used elsewhere in the world, in which the cardholder must supply a secret PIN to use the card, which makes a stolen card virtually useless. We instead still use signature verification, a system rife with vulnerabilities.
Another problem concerns card-not-present (CNP) transactions such as online purchases, in which the embedded chip adds no value. CNP fraud increased after EMV cards were introduced.
Now, in a new white paper, the Identity Council of the Smart Card Alliance discusses adoption of advanced security technology using protocols developed by the Fast Identity Online (FIDO) Alliance for an online authentication system to secure smart cards.
EMV credit cards are a type of smart card, in that their chips support authentication, data storage, personal identification and application processing.
FIDO specifications provide a guide for adopting standardized security, privacy and authentication solutions across a range of devices, including smart cards. A central idea behind the protocols is "proof of intent": a person's physical presence activates the protocol. In essence, the EMV chip would store secret, encrypted data that is never exposed to the cloud.
The EMV chip would be used to generate a unique key pair for the card and each online service, for example the online authentication service behind a point-of-sale (POS) terminal in a grocery store.
These unique key pairs, which the smart card would generate randomly for each local device, user account and online service, consist of a public key established when you first use the card at a particular store or website (the registration phase) and a private, encrypted key that stays secret, stored only on the smart-card chip.
You would initiate registration by some secure method, such as typing in a PIN, pressing a button on a secondary device or submitting a biometric reading (a fingerprint, voice sample, retina scan, etc.). In this way, each key pair is unique when associated with your account at the online service, ensuring that your authentication data for "Store A" is different from that for "Store B".
During the authentication phase, the store or website verifies the key pair before or during a transaction. Even if "Store A" data were stolen, it wouldn't compromise any other location where you use the card.
Two different FIDO protocols exist:
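The registration and authentication phases just described, as an added Go example that is not code from the white paper or from the FIDO Alliance (the Authenticator and Service types are a hypothetical model, and the origin and account names are constructed sample values): the card mints a separate P-256 key pair for each store, each store keeps only the public half, a signature over Store A's challenge is bound to Store A's origin and so fails at Store B, and nothing is signed or registered without the user-presence gesture.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the smart-card chip (hypothetical model).
// It keeps one private key per origin+account and never hands one out.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

func slotID(origin, account string) string { return origin + "|" + account }

// bindToOrigin hashes the challenge together with the origin, so a
// signature produced for one store is meaningless at another.
func bindToOrigin(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Register is the registration phase: mint a fresh key pair for this
// origin/account and return only the public half. userPresent models the
// "proof of intent" gesture (PIN entry, button press, biometric).
func (a *Authenticator) Register(origin, account string, userPresent bool) (*ecdsa.PublicKey, error) {
	if !userPresent {
		return nil, errors.New("registration refused: no user presence")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[slotID(origin, account)] = priv
	return &priv.PublicKey, nil
}

// Sign is the card side of the authentication phase: sign the service's
// challenge, bound to the origin, with the key registered for that origin.
func (a *Authenticator) Sign(origin, account string, challenge []byte, userPresent bool) ([]byte, error) {
	if !userPresent {
		return nil, errors.New("signing refused: no user presence")
	}
	priv, ok := a.keys[slotID(origin, account)]
	if !ok {
		return nil, errors.New("no key registered for this origin and account")
	}
	return ecdsa.SignASN1(rand.Reader, priv, bindToOrigin(origin, challenge))
}

// Service stands in for a store or website. It stores public keys only, so
// a breach of its database yields nothing that can sign a challenge.
type Service struct {
	Origin string
	pubs   map[string]*ecdsa.PublicKey
}

func NewService(origin string) *Service {
	return &Service{Origin: origin, pubs: make(map[string]*ecdsa.PublicKey)}
}

func (s *Service) Enroll(account string, pub *ecdsa.PublicKey) { s.pubs[account] = pub }

// NewChallenge returns a fresh random nonce, so an old signature cannot be replayed.
func (s *Service) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

func (s *Service) Verify(account string, challenge, sig []byte) bool {
	pub, ok := s.pubs[account]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, bindToOrigin(s.Origin, challenge), sig)
}

func main() {
	card := NewAuthenticator()
	storeA, storeB := NewService("store-a.example"), NewService("store-b.example")
	pubA, _ := card.Register(storeA.Origin, "alice", true)
	pubB, _ := card.Register(storeB.Origin, "alice", true)
	storeA.Enroll("alice", pubA)
	storeB.Enroll("alice", pubB)
	ch, _ := storeA.NewChallenge()
	sig, _ := card.Sign(storeA.Origin, "alice", ch, true)
	fmt.Println("Store A accepts its own challenge:", storeA.Verify("alice", ch, sig))
	fmt.Println("Store B accepts Store A's signature:", storeB.Verify("alice", ch, sig))
	fmt.Println("Same key pair at both stores:", pubA.Equal(pubB))
}
```

Run it with `go run` to see the three checks; the design point is that the only secret lives in the Authenticator map, while the Service side holds just public keys and a per-login nonce, which is what limits the damage from a single store's breach.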
1. Universal Second Factor (U2F)
A system in which a simple-to-use token, such as a PIN, serves as a second authentication factor. When prompted (after you go online), you supply the token (type in the PIN, tap your smartphone, push a button on a USB device, etc.) to authenticate your use of the smart card.
2. Universal Authentication Framework (UAF)
A system to augment password protection using biometrics or other factors to authenticate a user to a secure local device before going online.
Google Chrome was the first web browser to support the U2F protocol.
The FIDO protocols can also be used to secure mobile-wallet transactions, such as those generated by Apple Pay and Google Wallet.