Skip to main content

FIDO passkeys are an existential threat to fintech startups

FIDO is a new authentication technology intended to supersede passwords. Here, passwords are replaced with a biometric input: for example, FaceID or TouchID on Apple devices. iOS, Android, macOS, and Windows are all getting this soon due to an alliance between Apple, Google, and Microsoft.

I think it’s unequivocally great: an open standard that provides better security for end users while simultaneously providing a better user experience. Yay!

But spare a thought for the fintech industry. It’s an open secret that the US financial industry widely uses screen scraping to enable data sharing integrations between entities. As a sector, it’s been incredibly slow to adopt open APIs and other mechanisms that would protect user safety.

Last year, Protocol wrote about screen scraping’s widespread use to integrate payroll systems:

Davis of Atomic said the company has used screen scraping "when user-permissioned APIs are not available." One example is when Atomic needs to connect with state unemployment systems, which typically don't have API connectivity. A Plaid spokesman said the company uses "a combination of API access and screen scraping at the direction of customers."

Technically, it’s not a great solution: by definition, screen scraping requires storing a user’s financial system passwords in clear text. Nonetheless, you can bet that every system that integrates with payroll systems, and almost every system that integrates with banks (at a minimum), uses the technique. The US has badly needed open banking style standards for years.

FIDO is likely to bring an end to this practice: when financial services use FIDO passkeys for authentication, screen scraping becomes impossible. Based on their historical precedent implementing new technologies, it may take years before financial services adopt the standard for authentication. But when they do, it will become impossible for third parties to access those systems without the service provider’s consent.

At this point, one of two things will happen: a set of open APIs for integration will appear and begin to reach adoption, or a whole generation of startups will die. It might be both!

If I was a fintech startup, I’d be establishing a set of open source APIs, forming an alliance with other fintech companies and financial institutions, and doing whatever I could to get traditional financial companies to adopt it before they transition away from password authentication. If I was a fintech investor, I’d be bankrolling this endeavor. If I was the government, I would be enacting strong legislation to force the industry forward (which may require lobbying from companies, investors, and consumers alike). Because otherwise, greater security and a better user experience for consumers looks a lot like an existential threat.

· Posts · Share this post