As retailers in the United States have adopted chip-and-signature and chip-and-PIN (personal identification number) point-of-sale (POS) security measures, fraud has shifted toward card-not-present (CNP) electronic commerce (e-commerce) transactions, where the card's chip offers no protection. This displacement of fraud from the POS to online channels was first observed in Europe after chip-and-PIN adoption raised security at the POS there. This NIST Cybersecurity Practice Guide demonstrates how online retailers can implement multifactor authentication to help reduce e-commerce fraud.
Multifactor Authentication for E-Commerce
The NCCoE at NIST built a laboratory environment to explore methods to implement multifactor authentication (MFA) for online retail environments, covering both the consumer and the e-commerce platform administrator. The NCCoE also implemented logging and reporting to display authentication-related system activity.
This NIST Cybersecurity Practice Guide demonstrates to online retailers that it is possible to implement open standards-based technologies to enable Universal Second Factor (U2F) authentication at the time of purchase when risk thresholds are exceeded.
This project’s example implementations analyze risk during the online shopping session and prompt returning purchasers with an additional authentication request when a risk threshold is exceeded. Risk elements may include contextual data about the returning purchaser (for example, whether the device or shipping address has been seen before) and about the current shopping transaction (for example, its value relative to the purchaser's history).
The example implementations prompt a returning purchaser to present another distinct authentication factor, something the purchaser has, in addition to the username and password when automated risk assessment indicates an increased likelihood of fraudulent activity. The MFA capabilities for e-commerce used in this guide are based upon the Fast IDentity Online (FIDO) Universal Second Factor (U2F) authentication specification. The methods chosen in this guide provide examples that retailers can adopt to help reduce e-commerce fraud.
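The following is an added illustration of the risk-based step-up logic described above; it is not code from the NIST guide or from the products used in the NCCoE build. The risk elements, their weights, and the thresholds are hypothetical and would be tuned against a retailer's own fraud data. The FIDO U2F challenge/response itself is performed by a separate U2F server; here its verdict is simply fed back into the checkout decision, and a step-up that was requested but never completed fails closed.

```python
"""Risk-based step-up authentication for a returning e-commerce purchaser.

Added example. Signal names, weights and thresholds are hypothetical; the
purchaser profile and session data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class PurchaserProfile:
    """What the retailer already knows about a returning purchaser."""
    user_id: str
    known_device_ids: Set[str]
    known_ship_addresses: Set[str]
    known_countries: Set[str]
    typical_order_cents: int  # e.g. median value of past orders


@dataclass
class ShoppingSession:
    """Contextual data gathered during the current shopping session."""
    device_id: str
    ip_country: str
    ship_address: str
    order_cents: int
    failed_logins_last_hour: int
    password_recently_changed: bool


# Hypothetical weights: each triggered risk element adds to the session score.
WEIGHTS = {
    "unknown_device": 30,
    "unknown_ship_address": 25,
    "unknown_country": 25,
    "order_well_above_typical": 20,
    "repeated_failed_logins": 15,
    "password_recently_changed": 20,
}
STEP_UP_THRESHOLD = 40  # at or above: require the U2F second factor
DENY_THRESHOLD = 90     # at or above: refuse the purchase outright


def evaluate_risk(profile: PurchaserProfile,
                  session: ShoppingSession) -> Tuple[int, List[str]]:
    """Compare the session against the purchaser's history; return score and reasons."""
    triggered: List[str] = []
    if session.device_id not in profile.known_device_ids:
        triggered.append("unknown_device")
    if session.ship_address not in profile.known_ship_addresses:
        triggered.append("unknown_ship_address")
    if session.ip_country not in profile.known_countries:
        triggered.append("unknown_country")
    if session.order_cents > 3 * profile.typical_order_cents:
        triggered.append("order_well_above_typical")
    if session.failed_logins_last_hour >= 3:
        triggered.append("repeated_failed_logins")
    if session.password_recently_changed:
        triggered.append("password_recently_changed")
    return sum(WEIGHTS[t] for t in triggered), triggered


def authentication_decision(profile: PurchaserProfile,
                            session: ShoppingSession,
                            password_ok: bool) -> str:
    """First stage, after the password check: 'deny', 'step_up' or 'allow'."""
    if not password_ok:
        return "deny"
    score, _ = evaluate_risk(profile, session)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"  # prompt for the U2F authenticator
    return "allow"


def complete_checkout(profile: PurchaserProfile,
                      session: ShoppingSession,
                      password_ok: bool,
                      u2f_assertion_valid: Optional[bool] = None) -> str:
    """Second stage: the U2F server's verdict (None = no second factor presented)
    is combined with the risk decision. A requested step-up that was not
    completed, or whose assertion failed verification, is denied."""
    decision = authentication_decision(profile, session, password_ok)
    if decision == "step_up":
        return "allow" if u2f_assertion_valid is True else "deny"
    return decision


if __name__ == "__main__":
    alice = PurchaserProfile("alice", {"dev-A"}, {"1 Main St"}, {"US"}, 5000)
    usual = ShoppingSession("dev-A", "US", "1 Main St", 6000, 0, False)
    new_device_and_address = ShoppingSession("dev-B", "US", "9 Elm Rd", 6000, 0, False)
    print(authentication_decision(alice, usual, True))                    # allow
    print(authentication_decision(alice, new_device_and_address, True))   # step_up
```

The important design choice is in `complete_checkout`: once the risk engine asks for the second factor, only a positively verified U2F assertion lets the purchase proceed, so a lost or skipped prompt cannot quietly downgrade the session back to password-only.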