Multifactor Authentication for e-Commerce

Current Status

This project is currently seeking technology vendors to participate in the development of an example solution. Please see our Federal Register notice for more information.

Download the Multifactor Authentication for e-Commerce Project Description (PDF) for more detailed information. A summary of the project description is available in a two-page fact sheet.

Summary

As greater security mechanisms are implemented at the point of sale, retailers in the U.S. may see an increase in e-commerce fraud, similar to what has beenobserved in the UK and Europe following the rollout of EMV chip-and-PIN technology ten years ago. Consumers, retailers, payment processors, banks, and card issuers are all impacted by e-commerce fraud. Reducing e-commerce fraud requires implementing security standards and processes to achieve an increased level of assurance in purchaser or user identity.

In collaboration with stakeholders in the retail and e-commerce ecosystem, the NCCoE will demonstrate that implementing risk-based multifactor authentication (MFA), tied to existing web analytics and contextual risk calculation, can increase assurance in purchaser or user identity. This project will explore prompting online customers with additional authentication challenges when web analytics and contextual risk calculations (such as transaction and navigation details, behavioral web session monitoring, and device identification) indicate some doubt that the customer is legitimate. Multiple forms of multifactor authenticators, such as FIDO, out-of-band, and one-time-password devices will be considered to provide retailers and their customers a diverse sets of implementation options.

This project will produce a NIST Cybersecurity Practice Guide—a publicly available description of the solution and practical steps needed to effectively implement risk-based MFA.

Questions? Comments? Reach us at consumer-nccoe@nist.gov.