eBay’s Journey to Passwordless with FIDO

Access & Identity Management Handbook 2022 Access Control & Identity Management

A global commerce leader connecting millions of buyers and sellers around the world, eBay enables economic opportunity for individuals, entrepreneurs, businesses and organisations of all sizes. Because its users are at the core of its success, eBay emphasises providing a positive and secure experience for both buyers and sellers.

As with most websites, every user’s interaction with eBay begins with logging onto the site and authenticating themselves, i.e., verifying that they are who they say they are. However, the typical authentication sequence using usernames and passwords impacted the user experience and made eBay more vulnerable to bad actors at the same time.

Users were constantly forgetting and resetting their passwords – a frustrating process. And with many buyers and sellers using the same password for multiple accounts on multiple sites, a breach on any of those sites could open eBay to a breach as well. eBay knew it needed to make the authentication process more secure, but not at the expense of the user experience.

Prioritising security and the user journey

To add an extra layer of security to the login process, eBay implemented SMS one-time passcodes (OTPs). Although this provided a more secure option, the method added cost and user friction, and was still vulnerable to certain security issues.

After reviewing a variety of other options to provide a simple, easy and secure user authentication experience, eBay decided to roll out FIDO for strong authentication across both its native mobile app and browser-based mobile and web sites.

eBay decided to build its own open-source FIDO server, which it felt gave it maximum control of the user experience and the end-to-end login flow. This approach also gives eBay better ability to manage its other login options, such as social logins.

Realising the benefits of standards

The strength of the FIDO Alliance and the FIDO standard, including the involvement of a wide range of major technology companies, was another significant factor in eBay’s selection of FIDO.

From push to passwordless

As a first step, eBay implemented FIDO for second factor authentication using the FIDO UAF protocol with a push notification flow. This meant that, when a user logged into eBay with a username and password, they would receive a notification from the mobile eBay app to confirm the login. Implemented as an opt-in feature, FIDO immediately garnered significantly higher opt-in rates than the previous SMS OTP solution, validating the FIDO standard’s ease-of-use.

Six months later, after seeing the already quick user adoption rate continue to rise, eBay decided to take the next step in passwordless authentication. In order to further simplify login flows, the company launched FIDO2 for primary authentication, no longer requiring users to take a second step to log in. Here’s how it works:

• When the user logs in as normal, eBay detects whether the device supports FIDO2. If so, the user receives a pop-up box asking them if they would like to enrol in passwordless authentication.

• If they opt in, the user is asked to enrol their facial or fingerprint biometric and is automatically enrolled.

• The next time the user logs in, all they need to do is present their biometric. No username and no password required.

Realising benefits for both eBay and its users

Less than one year into its implementation of FIDO, eBay is already realising its benefits: not only are opt-in rates higher than for SMS OTPs, but login success and completion rates have also significantly improved, especially on mobile devices. eBay started to roll out FIDO2/WebAuthn on Android/Chrome and has since expanded to Mac, Windows and iOS. Recently, eBay has also added support for roaming authenticators, such as security keys, providing another secure way to access eBay.

Looking forward to a completely passwordless future

In order to implement completely passwordless authentication, eBay must have a process in place for recovering accounts if a FIDO authenticator is lost or when a user adds a new device. In typical password authentication, users can recover their accounts through the email/password reset process, but removing a password from the equation presents a new challenge. According to Ashish Jain, head of identity at eBay, solving this issue is a priority for his team.

“Today, our users can experience much faster and convenient login experiences by opting in to FIDO,” observed Jain. “But to fully realise the security benefits of FIDO, we’re looking forward to disabling passwords entirely. By taking one step at a time and working as an industry to find solutions to issues like account recovery, we believe we will get there.”

Inside FIDO standards

The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy.

The protocols do not provide information that different online services could use to collaborate and track a user across those services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
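
The public-key model described above, as an added example (not code from eBay or the FIDO Alliance): the server stores only a public key and accepts a login only when the signed assertion carries its own fresh challenge and its own origin, following the WebAuthn assertion layout. The origins `https://rp.example` and `https://rp-login.example` and all function names are assumptions made for illustration.

```javascript
// Added example: WebAuthn-style assertion check. Names and origins are assumptions.
const crypto = require('node:crypto');
const RP_ORIGIN = 'https://rp.example', RP_ID = 'rp.example'; // constructed values
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Enrolment: the authenticator keeps the private key; the server stores only the public key.
function register() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticatorKey: privateKey, serverRecord: { publicKey } };
}

// Client side: the browser (not the page) records the origin it is actually talking to.
function signAssertion(privateKey, challenge, origin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // Authenticator data: SHA-256(rpId) | flags (0x05 = user present + verified) | counter
  const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server side: challenge, origin and RP ID are checked, then the signature over all of them.
function verifyAssertion(record, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  const got = Buffer.from(String(client.challenge), 'base64url');
  if (got.length !== expectedChallenge.length ||
      !crypto.timingSafeEqual(got, expectedChallenge)) return 'bad-challenge';
  if (client.origin !== RP_ORIGIN) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rpid';
  if ((a.authData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, record.publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const { authenticatorKey, serverRecord } = register();
  const challenge = crypto.randomBytes(32);
  const good = signAssertion(authenticatorKey, challenge, RP_ORIGIN, RP_ID);
  // Same key and challenge, but produced while the browser was on a look-alike origin.
  const lookalike = signAssertion(authenticatorKey, challenge, 'https://rp-login.example', RP_ID);
  return {
    good: verifyAssertion(serverRecord, challenge, good),
    lookalike: verifyAssertion(serverRecord, challenge, lookalike),
    stale: verifyAssertion(serverRecord, crypto.randomBytes(32), good), // old assertion, new challenge
  };
}
```

Because the server holds no shared secret, a leak of its credential store exposes only public keys, and an assertion captured on another origin or for an earlier challenge fails verification.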

Reprinted with the permission of the FIDO Alliance (www.fidoalliance.org).

FIDO Alliance specifications

User authentication specifications

The FIDO Alliance has published three sets of specifications for simpler, stronger user authentication: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and the Client to Authenticator Protocols (CTAP). CTAP is complementary to the W3C’s Web Authentication (WebAuthn) specification (www.w3.org/TR/webauthn-1/); together, they are known as FIDO2.

FIDO2 is comprised of the W3C Web Authentication specification and corresponding Client-to-Authenticator Protocols (CTAP) from the FIDO Alliance. FIDO2 supports passwordless, second-factor and multi-factor user experiences with embedded (or bound) authenticators (such as biometrics or PINs) or external (or roaming) authenticators (such as FIDO Security Keys, mobile devices, wearables, etc.).

All FIDO protocols are based on public key cryptography and are strongly resistant to phishing. They provide for a wide range of use cases and deployment scenarios.

In addition to meeting the technical requirements, the FIDO Alliance developed further security requirements that need to be implemented to enhance the security assurance of each device. These requirements are covered in the Authenticator Certification program found on the Certified Authenticator Levels page (www.fidoalliance.org/certification/authenticator-certification-levels/).

Read the technical specifications at www.fidoalliance.org/specifications/.
