Multifactor Authentication for e-Commerce

Current Status

This project is currently seeking technology vendors to participate in the development of an example solution. Please see our Federal Register notice for more information.

Download the Multifactor Authentication for e-Commerce Project Description (PDF) for more detailed information. A summary of the project description is available in a two-page fact sheet.

Summary

As greater security control mechanisms are implemented at the point of sale, retailers in the U.S may see a drastic increase in e-commerce fraud, similar to what has been widely observed in the UK and Europe following the rollout of EMV chip-and-PIN technology approximately ten years ago. Consumers, retailers, payment processors, banks, and card issuers are all impacted by the security risks of e-commerce transactions. Retailers bear the cost for fraudulent, card-not-present (CNP) transactions, motivating them to reduce fraud in order to avoid damage to reputation and eliminate potential revenue losses, which have been estimated to be over $3 billion dollars. Successfully reducing e-commerce fraud requires many, layered strategies, and includes an increased level of assurance in purchaser or user identity.

In collaboration with stakeholders in the retail and e-commerce ecosystem, the NCCoE has identified that implementing multifactor authentication (MFA) for e-commerce transactions, tied to existing web analytics and contextual risk calculation (by the retailer and/or by a federated identity provider), can increase assurance in purchaser or user identity and thus help reduce the risk of false online identification and authentication fraud. The NCCoE understands that retail is a volume-reliant business and that consumers and retailers will adopt multifactor authentication mechanisms as long as they do not unnecessarily encumber the purchasing process or disrupt the user experience.

The publication of this project description is the beginning of a process that will identify project participants, cybersecurity vendors, and their relevant commercially available or open-source hardware and software components. These components will be used in a laboratory environment where the project team will build open, standards-based, modular, end-to-end reference designs that will address the CNP authentication problem. The approach may include architectural definition, logical design, build development, test and evaluation, and security control mapping. The output of the process will be the publication of a multi-volume NIST Cybersecurity Practice Guide that will help consumer-facing and retail organizations implement multifactor authentication for e-commerce transactions.

Questions? Comments? Reach us at consumer-nccoe@nist.gov.