Merry Consent and Happy New Trust, Merry Identification and Happy New Authentication

2018 was a truly game-changing year, bringing significant improvements and new opportunities globally in areas closely associated with providing customer privacy, information security, and financial technologies. Let’s think back briefly about all that happened during this incredible year.

On January 13th, the directives Open Banking in UK and Payment Services (PSD2) in EU entered into force. They mandate financial institutions to provide secure access to customers’ banking accounts by Application Programming Interface (API). We know that a year earlier, the US—represented by The Consumer Financial Protection Bureau (CFPB) and the National Automated Clearing House Association (NACHA)—outlined principles for customer-authorized access to data as an alternative for screen scraping and formed an API industry working group with more than 100 banks, associations and consultancy firms, with the goal of defining an API standard for sharing account information, payment initiation, fraud prevention and more.

On May 25th, General Data Protection Regulation (GDPR) entered into force. The goals of the directive are protecting the rights, privacy and freedoms of natural persons in the EU and reducing barriers to business by facilitating the free movement of data throughout the EU. The regulation mandates organizations who control personally identifiable information (PII) of EU citizens independently—whether they are located inside the EU or outside—to provide privacy in accordance with the regulation rules. The European Commission recognised the US as providing adequate protection in GDPR scope on the date of enforcing the regulation.

On August 1st, the US Treasury Department published a report aimed at fostering innovation in the lending, payments and wealth management areas, which includes guidance on open banking as it relates to sharing customers’ financial data.

If we add the fact that other countries and markets like Japan, Canada, Australia, Brazil, New Zealand, Israel, Hong Kong, etc. also accelerate adapting their law to requirements of acts mentioned above, the global scope of the chosen strategy for digital transformation becomes clear.

New ecosystems based on consent and trust (in accordance with terminology from these acts) suggest modern architectural approaches and tools, particularly in terms of information security - security-by-design, privacy-by-design. In this area, there were some other important events in this year.

On August 7th, the FIDO Alliance and the World Wide Web Consortium (W3C) achieved a major standards milestone (the Candidate Recommendation stage) in the global effort to bring simpler yet stronger web authentication to users around the world. The WebAuthn and Fast IDentity Online 2.0 (FIDO2) project enables an external authenticator, such as a security key or a mobile phone to communicate strong authentication credentials locally over USB, Bluetooth or NFC to the user’s internet access device (PC or mobile phone).

On September 26th, the FIDO Alliance announced that the first FIDO2-certified products are now available. Google Chrome, Microsoft Edge and Mozilla Firefox browsers now support FIDO2. Any website can leverage FIDO2 strong authentication protocols from the W3C and FIDO Alliance to replace passwords with cryptographically secure logins using convenient alternatives like on-device biometrics and FIDO Security Keys.

On November 26th, Microsoft indicated that it is possible to use devices based on the FIDO2 protocol with a Microsoft account and Windows 10 version 1809 to verify user access, obviating the need for a password.

The ability of a FIDO2 authenticator to provide strong authentication even with a single factor only and an ability to store multiple credentials for accessing different resources worldwide make it possible to use FIDO2 authentication with and be very relevant for the aforementioned new class of financial ecosystems and also to eliminate the need to have a unique authenticator for every single resource.

Completing our walkthrough of the significant events of 2018, we just want to note that the future is fascinating! So, Merry Consent and Happy New Trust, Merry Identification and Happy New Authentication for all of us in 2019!!!