Amending FIDO2: Strengthening Digital Security for Swiss Banks and their Clients
The Swiss Bankers Association (SBA) and the Swiss Financial Sector Cyber Security Centre (Swiss FS-CSC) support the German Banking Industry Committee (GBIC) recommendation on amending the FIDO2 standard – a change deemed important also from a Swiss perspective towards making the standard usable for secure transaction confirmations, not just for login authentication.
The GBIC is advocating for an extension of the FIDO2 standard to support the secure display of transaction data by the respective authenticator. The standard currently focuses largely on logging in to platforms and systems and using the browser for display purposes. GBIC, however, is calling for the standard to be expanded, making it usable for a broader range of transactions and business activities. For the banking industry, this primarily refers to online banking and card payments.
We support the GBIC proposal to amend the FIDO2 standard. We are convinced that this amendment would also benefit the Swiss banking industry by allowing for a broader use of FIDO2 beyond login authentication. The SBA and the Swiss FS-CSC therefore support the GBIC’s proposal to:
- Transmit transaction data to the authenticator: instead of sending only a hash value, the full transaction data should be transmitted to the external authenticator.
- Integrate a secure display: authenticators with displays should be expanded to show users the transmitted transaction data, which the user can then verify.
- Link the authentication code to the data on display: the authentication code generated by the authenticator should include a hash value which is calculated by the authenticator for the data shown on the display, so that the authentication code is securely linked to this data. This will allow the bank to verify the secure display and confirmation of the transaction data.
- Expand the CTAP specification: the FIDO Alliance should expand the Client to Authenticator Protocol (CTAP) to include a standardised interface for transmitting and displaying transaction data.
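The following is an added illustration of the binding described in the second and third points: the authenticator hashes exactly what its display showed, that hash is covered by the authentication code, and the bank compares it against the transaction it was actually asked to execute. This is example code, not from the GBIC, the SBA or the FIDO specifications; the shared HMAC secret stands in for a real credential's asymmetric signing key so that the example runs on the Python standard library, and the relying party name, challenge and transaction values are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in: a real authenticator signs with a per-credential private key
# and the bank verifies with the registered public key. HMAC over a shared secret is
# used here only so the example runs without third-party libraries.
AUTHENTICATOR_KEY = b"demo-credential-secret"

def canonical(tx: dict) -> bytes:
    """Serialise transaction data deterministically so both sides hash identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def authenticator_confirm(tx: dict, rp_id: str, challenge: bytes) -> dict:
    """Authenticator side: render the full transaction data on the secure display,
    hash exactly what was shown and bind that hash into the authentication code."""
    shown = canonical(tx)                       # bytes the secure display renders
    tx_hash = hashlib.sha256(shown).digest()    # hash of the displayed data
    rp_hash = hashlib.sha256(rp_id.encode()).digest()
    to_sign = rp_hash + challenge + tx_hash     # displayed-data hash is part of the signed message
    code = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    return {"rp_hash": rp_hash, "challenge": challenge, "tx_hash": tx_hash, "code": code}

def bank_verify(assertion: dict, submitted_tx: dict, rp_id: str, challenge: bytes) -> bool:
    """Bank side: check the authentication code, then check that the hash the
    authenticator bound into it matches the transaction the bank actually received."""
    if assertion["rp_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    if assertion["challenge"] != challenge:
        return False
    msg = assertion["rp_hash"] + assertion["challenge"] + assertion["tx_hash"]
    expected_code = hmac.new(AUTHENTICATOR_KEY, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_code, assertion["code"]):
        return False
    # Binding check: what the user saw and confirmed must equal what the bank executes.
    submitted_hash = hashlib.sha256(canonical(submitted_tx)).digest()
    return hmac.compare_digest(assertion["tx_hash"], submitted_hash)

def demo() -> tuple:
    """Honest flow, then a client that submits a different payment than it displayed."""
    rp_id, challenge = "bank.example", b"\x01" * 32          # constructed values
    user_intent = {"to": "CH00 EXAMPLE IBAN", "amount": "100.00", "ccy": "CHF"}
    assertion = authenticator_confirm(user_intent, rp_id, challenge)
    honest = bank_verify(assertion, user_intent, rp_id, challenge)
    altered = dict(user_intent, amount="9000.00", to="CH00 OTHER IBAN")
    tampered = bank_verify(assertion, altered, rp_id, challenge)
    return honest, tampered

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the hash is computed by the authenticator over the displayed data rather than supplied by the browser, a client that shows the user one transaction and submits another cannot produce an assertion the bank accepts.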
This amendment would not only allow FIDO2 standards to be implemented in the financial sector, it would also increase user confidence in FIDO2-based authentication and transaction confirmation methods. The full recommendations by the GBIC can be found here.