Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

MasterCard joins FIDO Alliance march to standardize biometric auth, other password alternatives

MasterCard has joined forces with an organization that aims to eliminate consumers' dependency on passwords and PINs for authentication.

Last Wednesday, USA Today broke the news that the global payment processor planned to become a member of the Fast Identity Online (FIDO) Alliance, which was formed in 2012 by online transaction giant PayPal and a number of other companies to embrace innovative solutions for verifying users' identities.

By early 2014, the FIDO Alliance plans to introduce specifications for an open protocol standard for two-factor and multifactor authentication. The specifications would support biometric technologies, such as fingerprint scanners, voice and facial recognition, and other authentication measures, including one-time passwords (OTP) and near-field communication (NFC), a wireless technology that establishes communication between mobile devices through physical contact.

In April, Google joined the FIDO Alliance. Now with the addition of MasterCard, the organization gains another power player in the industry that could give weight to its mission.

On Tuesday, Brennen Byrne, CEO of Clef, an Oakland, Calif.-based mobile authentication startup, told that MasterCard's participation in FIDO was a positive step.

“The industry in general is looking for new ways to improve [methods] of authenticating,” Byrne said. “So it's not surprising to me that MasterCard is joining on and taking the FIDO Alliance seriously,” he continued, adding later that “it's good that a major payment provider is involved.”

But other experts have some questions. Charles McColgan, CTO of TeleSign, a Marina del Rey, Calif.-based mobile identity solutions firm, told in a Tuesday interview that he doubts payment processors, like MasterCard, would “fully rely” on biometric technologies for authentication.

“I think a bank or payment processor wouldn't necessarily fully rely on biometric,” McColgan said, explaining that organizations may opt to incorporate biometric solutions with technology they already use.  

“The incorporation of those products will take a lot of time," he said. "[Payment processors] have existing threat models around passwords and PIN technology, but the FIDO Alliance may make it easier for them to use those things,” he said of authentication alternatives.

In a Tuesday email to, Ed McLaughlin, MasterCard's chief emerging payments officer, commented briefly on the company's membership with the alliance.

“We believe our involvement with the FIDO Alliance, as well as other activities across the industry, will help deliver strong security for consumers, merchants and issuers, as well as a great consumer experience,” McLaughlin wrote.

The company has tested the waters with biometric initiatives before.

In August, MasterCard collaborated with the South African Social Security Agency (SASSA) to issue 10 million debit cards using fingerprint and voice authentication to verify cardholders' identities for welfare disbursements.

In a Tuesday email to, Sebastien Taveau, a FIDO Alliance founding board member, addressed the impact of MasterCard, a globally recognized brand, joining the alliance. Taveau is also the CTO of Validity, a San Jose, Calif.-based provider of fingerprint sensor security solutions.

“FIDO specifications ensure that payment providers such as MasterCard have authentication choice and control according to what works best for them to manage their risk and simplify their customers' experience,” Taveau wrote. “MasterCard is taking a strong leadership position for the industry to move beyond password and PIN authentication and achieve better authentication that is more secure, private and easy to use.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.