The FIDO Alliance is working with EMVCo to add convenience and security to in-store and in-app EMV-compliant mobile payments.
FIDO will develop a new technical specification for its authentication suite to fulfill use cases provided by EMVCo. The specification will provide a standardized way for mobile wallet providers and payment application developers to support Consumer Device Cardholder Verification Method, enabling consumers to use on-device FIDO Certified authenticators, such as fingerprint or “selfie” biometrics, to securely verify their presence when making an in-store or in-app mobile payment.
To enable this capability, the new FIDO Alliance specification will be developed as an extension specification to the Web Authentication specification already in development by the World Wide Web Consortium (W3C). The Web Authentication specification, based on three technical specifications submitted by the FIDO Alliance last year, will define a standard web API to enable web applications to move beyond passwords and offer FIDO authentication across all web browsers and related web platform infrastructure.
With this new specification, the same FIDO-compliant devices used to authenticate users on the web will also be able to fulfill payment networks’ Consumer Device Cardholder Verification Method requirements for mobile payment, giving device manufacturers another reason to ship their devices with support for FIDO authentication.
For mobile wallet providers and payment application developers, this specification is intended to simplify developing and supporting Consumer Device Cardholder Verification Method across mobile devices and other platforms.
The new FIDO specification will be designed to add a layer of convenience to the consumer mobile payment experience by providing mobile payment applications with additional risk management information, ultimately reducing the number of times that a consumer needs to authenticate themselves in order to approve a payment within a given time period.
For example, when the mobile payment application calls the FIDO authenticator, it can check the last time the user was verified by the authenticator. If that falls within the requirements for Consumer Device Cardholder Verification Method, the payment will be authorized without any additional interaction with the user. The FIDO Alliance also sees the potential for this capability to be extended to use cases beyond payments, including VPN access, rights management and workflow management.