The Push to Promote FIDO Online Authentication as a Replacement for Passwords—Contributing to the Marketplace Industry by Leading the Way
On November 1, 2022, Mercari became a sponsoring member of the FIDO Alliance, a non-profit organization promoting the standardization of online authentication technology meant to replace conventional passwords. Up until now, Mercari has continued to strive to prevent users from falling prey to cyber crimes, such as phishing and credit card fraud, with such measures as 24/7 monitoring, suspension of accounts deemed highly likely to be fraudulent, implementation of EMV-3D Secure, and early detection and shutdown requests of phishing sites. However, as fraud attacks have become increasingly sophisticated, we need to focus our efforts even more.
So, what drove us to join the FIDO Alliance now? We were motivated to promote the implementation of FIDO authentication on Mercari’s various services, deepen our partnerships with FIDO Alliance businesses, and contribute to the entire industry going forward. In this edition of Mercan, CISO Naohisa Ichihara takes up the reins as facilitator to speak in depth with the members promoting the implementation of FIDO authentication about the current situation around password technology, what we expect from FIDO, and what sort of leadership Mercari should demonstrate going forward. The passion of the people featured in this article far outweighs the word count!
Featured in this article
Naohisa Ichihara（@ichihara） Naohisa completed a master’s degree while enrolled in the Department of Industrial Administration, one of the departments comprising the Graduate School of Science and Technology of Tokyo University of Science. After that, he was involved in security-related work at NTT Data Communications Corporation (now NTT Data Corporation). In 2015, he joined LINE Corporation, where he worked to remedy various security issues. In May of 2022, he became Chief Information Security Officer (CISO) of Mercari, Inc.
Takaaki Shinohara（@unryu-in） After working as a freelance web director, Takaaki joined GREE, Inc. in 2012. He joined BizReach, Inc. in 2014, where he launched a media service for people looking to change jobs. He joined Mercari, Inc. in September 2017. After assuming the role of Director/Head of CRE, he moved to Merpay, Inc. in April 2020. Following his tenure as the person in charge of the Alliance Project, he became Head of Product for Souzoh, Inc. in January 2021, upon the establishment of the company. In July 2022, he became VP of Trust and Safety for Japan Region.
Keisuke Tanaka（@kei.t） Keisuke joined Mitsui Sumitomo Card in 2007, where he mainly worked on improving the work efficiency of operations that use anti-fraud measures such as RPA fraud detection rules and the implementation of new tech. In 2020, he joined Merpay, where he worked on implementing fraud monitoring measures and 3D-Secure, as well as anti-phishing measures, related to Merpay and Mercari’s existing and new services. He now works as a manager in charge of KYC and TnS Product.
Kotaro Oi（@koi） Kotaro joined Yahoo Japan Corporation in 2013. There he worked on developing login, authentication, and authorization services as a member of an engineering team. He joined Merpay in 2022 as a product manager (PdM) in the IDP domain.
Tatsuya Karino（@kokukuma） In 2018, Tatsuya joined Mercari and was involved in shifting the Mercari marketplace to microservices. He joined Merpay’s IDP Team in 2019 and now works as the team’s Tech Lead, where he drafts the future vision of the IDP domain for Mercari and Merpay and establishes strategies in his role as a hub for other microservices.
How to fix the growing problem of passwords without negatively affecting the UX
──So to kick things off, could you share your thoughts on the recent situation with passwords and tell us what FIDO is?
@ichihara：Even before the advent of the internet, we used passwords to access information systems, and as the number of security threats has increased in the world, the more attractive passwords have become as tools for outside attackers to exploit for profit. Stealing personal information from company servers is the same sort of thing, but if an attacker can steal user passwords along with that information, they can zero in on their victim’s assets as well. Nowadays, you can find reams of password and username pairs for sale on the dark web.
If users try to make their passwords super difficult to crack, they run into the problem of not being able to remember them, and regardless of how long a user makes their password, if it gets stolen, the whole exercise is pointless in the first place. Moreover, the more difficult-to-crack a user makes their password, the more likely they are to reuse the same password in several places, further eroding the security designed to keep them safe.
What this means is that if an attacker gets their hands on one password, it gives them the chance to attack several different places where the user has accounts. This negative chain reaction has occurred across the cybersecurity world and has driven efforts to somehow move away from passwords since the early 2000s. Among the various approaches out there, there are some effective methods, such as biometrics. However, there are difficulties associated with biometrics, one being that fingerprint data or portrait data has to be stored on a server. Storing biometric data on a server is a problem, because if it were to be exposed even once, it’s the sort of data that can be exploited over and over for the duration of a person’s life. The cost of storing and managing the data was high, so it did not spread as the replacement for passwords.
A method that used smart cards was also on the table as a password replacement. As long as the user didn’t lose their IC card, this method would provide accurate authentication, and keep the user protected from attacks provided the physical card wasn’t stolen. However, right off the bat there’s a problem of figuring out how to distribute the IC card in the first place, since private-sector companies can’t distribute cards in the same way that the government can issue Individual Number cards, for example. It’s simply too big an undertaking for private-sector companies.
Meanwhile, in 2012, North American company Nok Nok Labs developed a unique protocol that would become the prototype for FIDO, and they worked to make it the standard for next-generation authentication technology. The FIDO Alliance was established to make their technology’s specs standard.
The FIDO protocol is not some unique innovation. It’s really just a recombination of existing technologies. However, it does comprise one very intelligent idea—the server and the user do not share secret information. The protocol uses public-key cryptography. A public key that is viewable to anyone is stored on the server, and a secret key that must not be shown to anyone is stored on the client side. The information for biometric authentication is also only on the client side. The concept of this is that there is no information on the server side that would potentially inconvenience the user if stolen.
In Japan, NTT DOCOMO was the first company to join the FIDO Alliance, becoming a member in 2015. I was actually involved in NTT DOCOMO’s project to implement FIDO at the time, so I’ve actually known about it for nearly ten years. Since the time I was involved with the Alliance at DOCOMO, I’ve always thought that it was sensible tech, and something told me that it was going to become a standard going forward. So when I joined LINE, I said that there was no reason not to implement FIDO, and the company subsequently joined the FIDO Alliance. It was not only in the best interests of LINE to join the Alliance, but also the interests of the entire industry. The knowledge acquired from the FIDO Alliance was shared with the industry, and even if only indirectly, I think it was a very real contribution to the resolution of the password problem. I think this is also the case at Mercari.
Now, FIDO is implementing a new concept called “passkeys,” which use passwordless authentication. This innovation allows users to log in to the same service from multiple devices; I see this as a sort of “third wave.” Mercari joined the FIDO Alliance in the midst of this concept being rolled out. I feel that contributions like joining the Alliance will allow us to upgrade Mercari’s value as a safe and secure service, so this is precisely what I want us to focus on.
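The property @ichihara describes above (the server keeps only a public key, the secret stays on the client, and nothing useful to an attacker sits on the server) is easy to see in code. The following is an added example written for this article; it is not Mercari’s implementation and not code from the interview. It models the WebAuthn login ceremony in a few dozen lines: an authenticator that holds private keys scoped to a relying-party ID, a browser role that binds the page origin into the signed client data, and a relying party that stores only public keys and issues one single-use challenge per login. Assumptions: the relying party `marketplace.example` and its origin are constructed placeholders; the signature scheme is a toy RSA with two fixed Mersenne primes standing in for the ES256/RS256 keys a real authenticator would generate; the registration ceremony and attestation are omitted.

```python
import hashlib
import json
import secrets

# Toy signature scheme (CONSTRUCTED stand-in): two fixed Mersenne primes give a ~92-bit
# RSA modulus, enough to show the protocol shape. A real authenticator makes ES256/RS256 keys.
_P, _Q, _E = (1 << 31) - 1, (1 << 61) - 1, 65537

def toy_keygen():
    n = _P * _Q
    d = pow(_E, -1, (_P - 1) * (_Q - 1))
    return {"n": n, "e": _E}, {"n": n, "d": d}   # (public, private)
def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def toy_sign(priv, data: bytes) -> int:
    return pow(_h(data, priv["n"]), priv["d"], priv["n"])
def toy_verify(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def client_data_json(challenge: str, origin: str) -> bytes:
    # Browser-built record; the origin inside it is what the server checks.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, sort_keys=True).encode()
def signed_bytes(rp_id: str, client_data: bytes) -> bytes:
    # WebAuthn shape: hash of the RP ID followed by hash of the client data.
    return hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()

class Authenticator:
    """Client side: private keys are scoped to an RP ID and never leave the device."""
    def __init__(self):
        self._creds = {}   # credential id -> (rp_id, private key)
    def make_credential(self, rp_id):
        pub, priv = toy_keygen()
        cred_id = secrets.token_hex(8)
        self._creds[cred_id] = (rp_id, priv)
        return cred_id, pub   # only the public half is handed to the server
    def get_assertion(self, rp_id, client_data: bytes):
        for cred_id, (scope, priv) in self._creds.items():
            if scope == rp_id:
                return cred_id, toy_sign(priv, signed_bytes(rp_id, client_data))
        return None           # no credential scoped to this RP: nothing to sign

def client_get(authenticator, rp_id, origin, challenge):
    """Browser role: a page may only use credentials of an RP ID its origin belongs to."""
    host = origin.split("//", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        return None
    client_data = client_data_json(challenge, origin)
    got = authenticator.get_assertion(rp_id, client_data)
    return None if got is None else {"id": got[0], "clientData": client_data, "sig": got[1]}

class RelyingParty:
    """Server side: stores public keys only; one single-use challenge per login."""
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}      # user -> {credential id: public key}
        self._pending = {}   # user -> outstanding challenge
    def register(self, user, cred_id, pub):
        self.users.setdefault(user, {})[cred_id] = pub
    def begin_login(self, user):
        self._pending[user] = secrets.token_urlsafe(32)
        return self._pending[user]
    def finish_login(self, user, resp) -> bool:
        challenge = self._pending.pop(user, None)   # consumed even on failure
        if resp is None or challenge is None:
            return False
        cd = json.loads(resp["clientData"])
        if (cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge
                or cd.get("origin") != self.origin):   # a phishing origin fails here
            return False
        pub = self.users.get(user, {}).get(resp["id"])
        return pub is not None and toy_verify(
            pub, signed_bytes(self.rp_id, resp["clientData"]), resp["sig"])

RP_ID, ORIGIN = "marketplace.example", "https://marketplace.example"   # constructed

def _setup():
    rp, auth = RelyingParty(RP_ID, ORIGIN), Authenticator()
    rp.register("alice", *auth.make_credential(RP_ID))
    return rp, auth

def demo_login_then_replay():
    """Genuine login succeeds once; the captured assertion fails when replayed."""
    rp, auth = _setup()
    resp = client_get(auth, RP_ID, ORIGIN, rp.begin_login("alice"))
    return rp.finish_login("alice", resp), rp.finish_login("alice", resp)

def demo_phishing_site():
    """A look-alike origin relays a genuine challenge; the browser has nothing to sign."""
    rp, auth = _setup()
    ch = rp.begin_login("alice")
    resp = client_get(auth, RP_ID, "https://marketplace-login.example", ch)
    return resp is None and not rp.finish_login("alice", resp)

def demo_server_breach():
    """A full copy of the server's credential table cannot produce a valid login."""
    rp, _ = _setup()
    cred_id, pub = next(iter(rp.users["alice"].items()))
    forged = {"id": cred_id, "clientData": client_data_json(rp.begin_login("alice"), ORIGIN),
              "sig": secrets.randbelow(pub["n"])}   # no private key: a guess is all there is
    return "d" not in pub and not rp.finish_login("alice", forged)
```

The three demo functions are the three claims from the interview made concrete: `demo_server_breach` shows that a leaked credential table holds nothing a thief can sign with; `demo_phishing_site` shows why a proxying phishing page gets no usable assertion, since the browser scopes credentials by RP ID and the signed client data names the real origin; `demo_login_then_replay` shows the server-side challenge being consumed so a captured response is worthless a second time.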
──Could you tell our readers how you plan to continue our policy of providing Mercari users with an environment where they can buy and sell safely and securely?
@unryu-in：Mercari is a platform that provides a place for transactions between users, which means that money changes hands through our service. The sales don’t go to Mercari, Inc., but rather to the seller, of course. In that context, when we set out to build a safe and secure service and an organization, we debated what to set as an indicator of improvement. The indicator that’s most obviously connected with the user experience is how much compensation we provide for instances of fraud. If this number goes down, that means the scale of fraud on our service is going down as well.
Just so you know, the kinds of places where we see cases of fraud compensation involve trouble over shipping in C2C transactions, but the highest volume comes from cases of fraudulent payments. The next largest category is cases of compensation being paid to users after someone has used phishing to hack an account and take out the sales balance that the user had saved up. As a result, fraudulent payments and account hacking were the two issues we had to prioritize the most for closing down.
Thanks to the implementation of EMV-3D Secure (3D Secure 2.0), we’ve been able to slash fraudulent payments down to less than one-tenth of what they were. So you might be wondering how anti-phishing measures work. It’s actually fairly general; the approach is we have to use two-step verification. The Mercari platform isn’t the only service where phishing incidents have grown. It’s been a rapidly growing problem across the tech world, and the means by which bad actors commit fraud have become increasingly sophisticated. They are so sophisticated that even people who have always had an eye on this issue, the way Ichihara and I have, are at risk if we let our guard down. (laughs)
We have improved as a service provider in shielding our users from risk by taking effective measures, such as SMS authentication and two-step verification, but as a product manager, I’m always worried about hurting the UX.
When authentication has to be requested multiple times, it requires the user to make that much more effort, but there are a lot of services that require the user to authenticate multiple times. When that happens, we see patterns emerge in the passwords that people use, and yet using a different password for individual services makes it difficult to remember them all. Because there are issues like this, we don’t want to leave risk countermeasures in the hands of our users; rather, we want Mercari to provide a seamless experience where users are safe from these risks without having to do anything special.
FIDO provides passwordless authentication; what this does, first of all, is it improves the UX, and you basically don’t need to worry about forgetting your password. In addition, even if information ended up being exposed to a third party, the service doesn’t use biometric data, so FIDO is effective as an anti-phishing measure. Make no mistake, this will become more popular going forward.
However, if you look back, even though FIDO has already been available for about ten years, you don’t normally hear about it. I think this is probably because the successful cases of implementing FIDO are not promoted. Any points of concern regarding the implementation of the service are hard to fathom. For commercial enterprises that operate services, every company is probably talking about what the downsides are to implementing FIDO. But there remains no optimal solution to this, and it is seldom discussed—or at least that’s the case in Japan. As far as we’re concerned, things are running a little late, but we would like to make Mercari a leading communicator about this technology, so we would like to share a variety of examples of implementation going forward. On top of that, I want us to enhance the UX of our service at the same time. When we do implement FIDO, I would like us to explore what would be the right way of incorporating an operation for the UX of account recovery.
@ichihara：Exactly! I feel that we should take the lead on the third wave.
@unryu-in：Mercari Group being the only company to strengthen anti-phishing measures using FIDO doesn’t get at the heart of the problem. For starters—and keep in mind that this is not limited to just FIDO—if our company is the only service to strengthen its anti-fraud countermeasures, any move we make is kind of pointless. The reason being that fraud often crops up in places where different services are coupled together. Therefore, it’s essential for the industry as a whole to strengthen security countermeasures.
If we look at only the science of anti-fraud measures on the Mercari platform, we won’t be equipped to look at gap analysis inside and outside of our platform. This is why we also want to be aggressive about getting the word out about use cases where possible. In particular, we would like to increase the contact points between us and business operators overseas steadily and procure early use cases from overseas and implement those use cases to generate more and more output and raise the bar for the entire marketplace industry.
Where are the risks lurking? We put our imaginations to work to make things harder for attackers
──So then, what are the unique challenges that Mercari faces?
@ichihara：Within the Mercari app you have a C2C marketplace, but also a payment service, a virtual credit card and—in the future—access to things like cryptocurrency (through Mercoin). Speaking from a security standpoint, our one app contains services with completely different security requirements. In the context of this integrated app, I think it will be a massive challenge for us to figure out how to optimize FIDO, but I believe that we should come up with our own unique solution and showcase it as soon as possible. So, @kei.t, since you have the same point of view as @unryu-in, what sort of expectations do you have for FIDO?
@kei.t：About six months ago, Mercari also saw an explosion of phishing incidents, and no matter what sort of measures we applied to the problem, the methods of fraud became increasingly sophisticated. Plus, because of the pandemic, the number of people who hadn’t used the internet that frequently before increased, and as a result, more people fell prey to phishing.
Currently, Mercari has reduced the number of phishing incidents, but at best we’ve only managed to reduce them during our handling of this transition phase, and so there is still a chance that the attacks will again become more sophisticated. When that happens, it will put pressure on our profit and loss statement. To keep that from happening, I’d like to see us switch from SMS authentication to FIDO authentication.
Also, we used SMS a lot as a stopgap measure, but now costs like SMS communication fees have gone up. This impact is not good for our users. Now the UX has become inconvenient since you have to use SMS authentication in order to do anything. Based on cost reduction, improving the UX, and considering anti-fraud measures, I think we have to discuss moving promptly to promoting FIDO.
@ichihara：There is a really broad range of people who use Mercari, so we have to provide them with support when they experience trouble.
@kei.t：I used to work for a credit card company, and we had an issue where it was easy to guess user passwords because people would use the ID across different services so that it would be more convenient for them to log in to each service later. I spent roughly the last five years trying to get people to switch to using dynamic passwords, but the industry as a whole has not managed to make much progress on this.
This has to do with notifying users, but for instance at Merpay, we’re used to communicating with our users through the app, but the point of contact with credit card companies is not necessarily an app, so figuring out how to communicate with customers regarding biometrics is an issue. For Mercari to be leading the way on topics like this that are hard to push ahead will be very significant.
@ichihara：Earlier we talked about the pressure on our profit and loss statements. Well, when we announced our business results in April 2022, damages due to phishing were a direct cause of our business losses. The fact that we were unable to be profitable due to the pressure on our profit and loss statement was big news within our industry, and I think that the word got out within society that phishing is a problem that can have a serious impact on business operations. I think that FIDO is a breakthrough that we can expect a lot from as a company.
@kei.t：I think that one of the issues of the project is that, even though everyone shares the same awareness that FIDO is important, agreeing on when to proceed is kind of hard. From the standpoint of anti-fraud measures, I want us to implement FIDO as soon as possible, but in light of other things that are priorities companywide, discussions easily cast doubt on this. Currently, the immediate threat of damages due to phishing has receded, and there are those who take this to mean that things are okay, so I think we have to keep conveying the importance of this project while also conveying the risks that could emerge going forward.
Plus, for the product that we are creating, I think it’s going to be impossible to get the risk posed by phishing down to zero, but I think that what we likely need for this is imagination. I think it’s important for our members to put their imaginations to work from their various perspectives and move forward discussions and brainstorm about breakthroughs and places where risks could be lying in wait.
@ichihara：Exactly. I think that reducing phishing incidents to zero basically means the same thing as getting security risks down to zero. In the end, the only thing we can do is keep making things harder for attackers. Luckily, the number of phishing incidents is now declining, demonstrating the effect of Mercari’s countermeasures. The way I see it, FIDO is one of the more substantial activities through which we are continuing our efforts to make Mercari safe and secure.
──So, is geography a factor when it comes to trends in attackers? Is the sophistication of attacks progressing in the same direction in Japan as it is overseas? For example, do Japan’s “legacy industries” make easy targets because they are slow to adopt new countermeasures?
@ichihara：For cybersecurity as a whole, it’s said that attackers tend to be based overseas rather than in Japan. What you said about attackers targeting legacy industries and weaknesses is exactly the case. Manufacturing, hospitals, and other industries and companies that are not tech companies are in the crosshairs of attackers. However, when you look at how much money can be made or how scalable an attack would be, attackers are more likely to be drawn to major apps. Mercari has a lot of users, and we have a wide range of user demographics, so someone is always in a position to be targeted.
At the moment, this is precisely the sort of countermeasures that @koi and @kokukuma are plugging away at, but allow me to start by asking @koi about this. So, including the method for creating the UX, can I ask you how you are encouraging understanding of concepts like the FIDO key among users?
@koi：Establishing FIDO’s safety is premised on regular users registering using a regular flow, but attackers are targeting the authentication process leading up to registration as well as authorization touchpoints. This is where we have to figure out how to enhance identity verification and examine whether we can make secure registration possible. It’s hard to list what sorts of inherent risks there are in the process, and even if we do find something of concern, it’s difficult for us as a single company to resolve some of the issues on our own. For this reason, I feel we have to constantly keep up with industry standards while making the activity of the FIDO Alliance a top priority.
When it comes to the things we have implemented to date, there were some elements of phishing risk that we could not get rid of completely; however, by incorporating new solutions that have come along since then, we are moving ahead with decision-making and implementation for safety including the prospect of finding a solution to phishing. In this way, our goal is to reassure our users and persuade them to use our products while we work with our engineers to stamp out risk through trial and error. I think it’s our role to continue spreading awareness about our products, and that includes both publishing guides that explain how to use our products’ features effectively and even transmitting information about the Group through Mercan articles. Plus, it’s not enough for Mercari alone to work on spreading knowledge about FIDO. Going forward, it will be important for us to expand our activities with companies across Japan and also organizations around the world that use FIDO. I think that is the very point of joining the Alliance.
Mercari will be able to make a contribution specifically because FIDO’s specs are open
@ichihara：I think there are differences in the levels of Mercari product literacy from one user to the next. This varies depending on how people have been using Mercari to date, so it’s incredibly hard to consider every possible usage pattern. I’d also like to ask @kokukuma about this too. So, some people get requests for SMS authentication over and over again, right? It’s easy to imagine that there are some users who, having just performed SMS authentication, receive another such request that they wish they could skip. I can assume that FIDO would cut down on that load, right?
@kokukuma：Having an authenticator bound to an account using a safe method is a prerequisite for using FIDO, but one of the things that we would like to establish is an environment where, once the prerequisite is satisfied and the user is authenticated at a particular endpoint, they can skip any additional authentication based on the information they used to log in with FIDO authentication.
The reason why interest in the integration of FIDO is heating up is largely because of Mercoin. Generally speaking, what @ichihara just described about the motivation for implementing FIDO is correct, and I don’t think you’ll find a company anywhere that would reject such a concept, but when it comes down to actually taking action, all of a sudden progress stalls. We’ve also talked about implementing FIDO at Mercari in the past, but in the end those conversations didn’t lead to implementation. Whether in terms of security or the UX, we talked about how there was no reason not to implement FIDO, but despite that, there wasn’t much motivation on the product side to follow through, and I think that FIDO implementation was too easily interpreted as an experimental initiative.
It was in June of 2021 when phishing became a big problem that we saw a large boost of support for the position that the only solution was to use FIDO because dealing with phishing was turning into an endless wild goose chase. In addition to this, the design that was being developed for Mercoin at the time was based on authentication factors that were not immune to phishing, and in light of this, there were discussions that we wouldn’t be able to reassure users that they could use Mercoin securely. If only one of these elements had come up, I think we would still only be talking about how much we want to implement FIDO.
@ichihara：I’ve been involved with FIDO for several years, and one problem that I’ve often run up against is that people end up seeing it as a “nice to have” feature. FIDO improves security and the UX, but the people who create the product prioritize creating flashy, interesting features that are appealing to users (like new ways to use the service, rather than security features). This is why they see FIDO as a “nice to have” rather than a high-priority thing.
FIDO adoption also involves some R&D, so without the full backing of a company that has decided to go all in on adopting the technology, taking the lead on FIDO is no simple task. That’s not to say that everything will come up roses once we actually plug FIDO into place on our platform. There are going to be a range of difficulties and issues, but with phishing spreading as much as it has, the problem is about more than just passwords. People are aware that continuing with business as usual is nearing the end of its rope. Looking at this from a global perspective, organizations that establish internet standards, such as the W3C (World Wide Web Consortium), and FIDO, which of course formed the FIDO Alliance, have provided “WebAuthn,” an internet standard for establishing FIDO. It is now supported by major web browsers and APIs for native apps.
A new breed of spec called a passkey has made its appearance, and while it still has some issues for us to iron out, we’re going to move it out of the realm of “nice to have” in a big way in order to resolve some of our problems. As recently as 2022, Microsoft, Google, and Apple announced their support for passkeys in unison, while at Mercari, we’re examining how to implement this technology. What do you think about the issues we’ll see when we implement passkeys at Mercari?
@kokukuma：The current implementation was put in place before multi-device credentials and hybrid transport were released, so we’ll have to redesign things like the registration of credentials and authenticators as well as how to register a second authenticator premised on passkey use. The problem we face with existing keys is how to seamlessly migrate users from the existing environment to an environment that can use passkeys. This is precisely what we are looking at now.
@ichihara：Looking at this in terms of prerequisites, we’ve already implemented FIDO for Mercoin, and the implementation is premised on not using anything at all like a passkey. I think making the switch to passkeys will—without a doubt—be better going forward, including various aspects of the user experience. Obviously it would also be better to base Merpay authentication on using passkeys, but imagine you’re one of our users; for Mercoin you use the version of FIDO that was implemented before passkeys were supported, and for Merpay you use the version of FIDO that was implemented after passkeys were supported. How can we possibly provide you with a seamless user experience that mixes pre- and post-passkey implementation? It’s an issue from the perspectives of both implementation and the UX. These are facts that we now face at Mercari, which is precisely why these are issues that we have to think about, and the discussions between our members on these topics are white hot.
Generally speaking, FIDO is open-sourced, so even attackers have access to its specs, but on the other hand, the specs are excellent from a security perspective. Keeping specs closed off is the worst way to proceed security-wise. You often hear people say that encrypted algorithms that no one knows anything about are dangerous. If we were to publish details about every result that Mercari has puzzled over and examined, we might end up exposing a secret path that was vulnerable to attackers, so I think we have to be on our guard. However, if sometime in the future a company that is not as large as Mercari implements FIDO, I hope that we will have contributed to lightening their workload. I think that is Mercari’s role and something I want us to be a part of.