Multifactor Authentication for e-Commerce

Current Status

This project is moving into the build phase. We have selected several technology collaborators for this project. If you are interested in collaborating on this effort please see our Federal Register notice for more information. Companies that have been selected to participate have signed a Cooperative Research and Development Agreement (CRADA; see an example) with NIST.

Download the Multifactor Authentication for e-Commerce Project Description (PDF) for more detailed information. A summary of the project description is available in a two-page fact sheet.


As greater security mechanisms are implemented at the point of sale, retailers in the U.S. may see an increase in e-commerce fraud, similar to what has been observed in the UK and Europe following the rollout of EMV chip-and-PIN technology ten years ago. Consumers, retailers, payment processors, banks, and card issuers are all impacted by e-commerce fraud. Reducing e-commerce fraud requires implementing security standards and processes to achieve an increased level of assurance in purchaser or user identity.

In collaboration with stakeholders in the retail and e-commerce ecosystem, the NCCoE will demonstrate that implementing risk-based multifactor authentication (MFA), tied to existing web analytics and contextual risk calculation, can increase assurance in purchaser or user identity. This project will explore prompting online customers with additional authentication challenges when web analytics and contextual risk calculations (such as transaction and navigation details, behavioral web session monitoring, and device identification) indicate some doubt that the customer is legitimate. Multiple forms of multifactor authenticators, such as FIDO, out-of-band, and one-time-password devices will be considered to provide retailers and their customers a diverse sets of implementation options.

This project will produce a NIST Cybersecurity Practice Guide—a publicly available description of the solution and practical steps needed to effectively implement risk-based MFA.

Questions? Comments? Reach us at

Collaborating Vendors

Ca Technologies logo
Callsign logo
Rivetz logo
RSA logo
Splunk logo
TokenOne logo
Yubico logo

The technology vendors who participated in this project submitted their capabilities in response to a call in the Federal Register. Companies with relevant products were invited to sign a Cooperative Research and Development Agreement with NIST, allowing them to participate in a consortium to build this example solution.


Disclaimer: Certain commercial entities, equipment, products, or materials may be identified in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.