New NCSC Guidelines
The UK National Cyber Security Centre (NCSC) recently announced new guidelines to aid businesses in adopting passwordless online authentication. These guidelines extend to biometrics and FIDO2 solutions as well.
According to NCSC, “Since the average user has so many online accounts, creating different passwords for all of them (and remembering them) is hard. Inevitably, users will devise their own strategies to cope with ‘password overload’. This includes using predictable patterns to create passwords, or re-using the same password across different systems. Attackers exploit these well-known coping strategies, leaving your customers and your organisation vulnerable.” 
Passwords, FIDO warns, are the root cause of 80% of security breaches. 
Less is…NOT More
Adding multiple factors (whether biometric or possession-based) to your customer’s authentication experience provides additional layers of security — without the need to rely on passwords. In fact, relying on passwords without any additional security factors (like offering fingerprint scanning, facial biometrics, or possession as a second factor) allows cybercriminals and scammers to easily steal passwords through phishing or credential stuffing, for example.
But the good news is that NCSC has recommended four different types of authentication methods that businesses can adopt for better security and customer peace of mind: MFA (multi-factor authentication), OAuth 2.0 (sometimes called SSO, or single sign on), FIDO2, and magic links and OTPs (one-time passwords). The first three methods need not include passwords, but the option is still available to you if you’d like to use passwords as a security factor within any of these methods.
The even better news? Daon’s IdentityX® platform offers authentication methods that go above and beyond NCSC’s newest suggestions.
MFA the Right Way
Multi-factor Authentication (MFA) allows you to give your customers options and is significantly safer than just password-protecting online accounts. Implementing MFA also lets your organisation choose security measures that balance financial impact with UX and risk level.
The types of factors you should consider operationalizing with MFA include possession (something you have), inherence (something you are), and knowledge (something you know). Having multiple factors available for authentication (typically, an individual will choose a combination of two) means you can pick from biometric factors, like fingerprint, facial, or iris recognition, combined with another factor, like an SMS OTP, pin code, security token, or an app on a trusted device.
By leveraging OAuth 2.0, organisations can enable single sign on for their clients. SSO ensures that customers have a consistent authentication experience from an organisation; it also guarantees an authentication in one context can be leveraged in another without requiring the user to login again.
In addition to enabling single sign on, OAuth 2.0 can be used to federate logins, allowing users to take advantage of an account they have with another service provider, such as Google, Apple, or Microsoft, for easy login. A federated login can help with low-risk scenarios, but for higher trust scenarios, or those which must comply with regulations like PSD2, most organisations will wish to control authentication themselves.
Standards set by the FIDO Alliance ensure the strongest security, compliance, and forward-compatibility across systems and devices. We would know — we’ve been members of FIDO since 2014 and are heavily involved in the technical working groups that create FIDO specifications.
NCSC advises: “Most modern smartphone apps can support FIDO2 as they have biometrics built-in to authenticate the user to the device. FIDO2 grants authentication via a user action such as a press of a button, a PIN, or a biometric (such as fingerprint or facial recognition).” 
FIDO2 is comprised of the W3C Web Authentication specification and corresponding Client-to-Authenticator Protocols (CTAP) from the FIDO Alliance. FIDO2 supports passwordless, second-factor, and multi-factor user experiences with embedded (or bound) authenticators, such as biometrics built into modern smartphones, or external (or roaming) authenticators, such as FIDO Security Keys, mobile devices, wearables, etc.
The W3C Authentication specification that is part of FIDO2 enables the authenticators to be used in a web browser or mobile app. This brings the security and convenience of mobile biometric login to all web applications.
FIDO2’s newest feature is multi-device FIDO2 credentials, which have been introduced by major operating system vendors (Microsoft, Google, Apple) under the name “passkey”. Passkeys allow FIDO2 credentials to be easily ported from one device to another, which is much more secure than just using passwords. But, like federated OAuth 2.0, using passkeys in regulated environments may be limited, since the organisation would not have full control over the authentication.
Magic Links & OTPs
NCSC explores magic links and OTPs as a method of passwordless authentication, citing how they provide an easy user experience by eliminating forgotten passwords and password breach issues. While we agree that these mechanisms are a vital part of identity proofing and authentication processes, it is important to note that magic links and OTPs are really just quasi possession factors — they provide access to either a SIM card or email account — and should always be used in combination with another factor.
Don’t Get Left Behind!
It’s clear that moving towards a passwordless form of online identity authentication is critical to successfully reducing fraud and security risks for your business and your customers. NCSC notes that organisations in the retail, hospitality, and utility industries will especially benefit from heeding these new guidelines.
Daon is a market leader in identity proofing and authentication. We have been working with companies in the UK (and around the world!) for over 20 years, helping them stay AML/KYC-compliant and providing exceptional customer experiences.
Some of our most notable UK clients include NatWest Group, Atom Bank, BNP Paribas, and Standard Chartered.
How We Can Help
Many of our customers trust IdentityX for their MFA needs, or to provide the authentication for their OAuth 2.0 implementations — and many use our platform for both.
Our FIDO+ offering combines the security and privacy of all FIDO standards with the increased accuracy, auditability, and expanded capabilities of server-side biometrics.
FIDO-certified IdentityX offers strong security, lower cost, easy implementation, and futureproofing. We’ll handle the integration into any and every platform, saving you time, money, and peace of mind.
Sources  and