Amending FIDO2: Strengthening Digital Security for Swiss Banks and their Clients

The Swiss Bankers Association (SBA) and the Swiss Financial Sector Cyber Security Centre (Swiss FS-CSC) support the German Banking Industry Committee (GBIC) recommendation on amending the FIDO2 standard – a change deemed important also from a Swiss perspective towards making the standard usable for secure transaction confirmations, not just for login authentication.

The GBIC is advocating for an extension of the FIDO2 standard to support the secure display of transaction data by the respective authenticator. The standard currently focuses largely on logging in to platforms and systems and using the browser for display purposes. GBIC, however, is calling for the standard to be expanded, making it usable for a broader range of transactions and business activities. For the banking industry, this primarily refers to online banking and card payments.

We support the GBIC proposition to amend the FIDO2 standard. We are convinced that this amendment would also benefit the Swiss banking industry by allowing for a broader use of FIDO2 beyond login authentication. The SBA and the Swiss FS-CSC therefore support the GBIC’s proposal to:

  • Transmit transaction data to the authenticator: instead of sending only a hash value, the full transaction data should be transmitted to the external authenticator.
  • Integrate a secure display: authenticators with displays should be expanded to show users the transmitted transaction data, which the user can then verify.
  • Link the authentication code to the data on display: the authentication code generated by the authenticator should include a hash value which is calculated by the authenticator for the data shown on the display, so that the authentication code is securely linked to this data. This will allow the bank to verify the secure display and confirmation of the transaction data.
  • Expand the CTAP specification: The FIDO Alliance should expand the client authenticator protocol (CTAP) to include a standardised interface for transmitting and displaying transaction data.

This amendment would not just allow FIDO2 standards to be implemented in the financial sector, it would also increase user confidence in FIDO2-based authentication and transaction confirmation methods. The full recommendations by the GBIC can be found here.

The FIDO standard
FIDO stands for Fast Identity Online. The FIDO Alliance developed the FIDO Authentication standards based on public key cryptography. FIDO2 offers a standardised solution for two-factor authentication, implemented using WebAuthn and the Client to Authenticator Protocol (CTAP). Unfortunately, the CTAP does currently not support the secure display of transaction data by external authenticators. This limitation prevents clients from verifying the actual transaction details on a trusted display before confirming a payment, which poses a security risk when used in online banking and card payments.

You can find more information about FIDO here.