Multifactor Authentication for E-Commerce

Smart chip credit cards and terminals work together to protect in-store payments. These in-store security advances were introduced in 2015, and have pushed malicious actors who possess stolen credit card data to perform payment card fraud online. Because online retailers cannot utilize all of the benefits of improved credit card technology, they should consider implementing stronger authentication to reduce the risk of electronic commerce (e-commerce) fraud.

Reducing the risk of false online identification and authentication fraud for e-commerce transactions using multifactor authentication tied to web analytics and contextual risk calculation.

In collaboration with stakeholders in the retail sector, the NCCoE published a practice guide that explores risk-based scenarios to trigger the use of multifactor authentication (MFA) to help reduce fraudulent online purchases. In the project’s example implementations, if certain risk elements (contextual data related to the transaction) are exceeded that could indicate an increased likelihood of fraudulent activity during the online shopping session, the purchaser will be prompted to present another distinct authentication factor—something the purchaser has—in addition to the username and password.
Status: Finalized Guidance

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-17: Complete Guide (HTML)Web Version NIST SP 1800-17: Complete Guide (HTML)
NIST SP 1800-17: Complete Guide (PDF)Web Version NIST SP 1800-17: Complete Guide (PDF)
NIST SP 1800-17A: Executive SummaryDocument Version NIST SP 1800-17A: Executive Summary
NIST SP 1800-17B: Approach, Architecture, and Security CharacteristicsDocument Version NIST SP 1800-17B: Approach, Architecture, and Security Characteristics

Project Abstract​

As retailers in the United States have adopted chip-and-signature and chip-and-PIN (personal identification number) point-of-sale (POS) security measures, there have been increases in fraudulent online card-not-present electronic commerce (e-commerce) transactions. The risk of increased fraudulent online shopping became more widely known following the adoption of chip-and-PIN technology that increased security at the POS in Europe.

The NCCoE at NIST built a laboratory environment to explore methods to implement multifactor authentication (MFA) for online retail environments for the consumer and the e-commerce platform NIST SP 1800-17B: Multifactor Authentication for E-Commerce iii administrator. The NCCoE also implemented logging and reporting to display authentication-related system activity.

This NIST Cybersecurity Practice Guide demonstrates to online retailers that it is possible to implement open standards-based technologies to enable Universal Second Factor (U2F) authentication at the time of purchase when risk thresholds are exceeded.

The example implementations outlined in this guide encourage online retailers to adopt effective MFA implementations by using standard components and custom applications that are composed of open-source and commercially available components.

Read the project description

A consumer who reuses an online account password for their account with an E-Commerce retailer risks having their account used by a malicious user. Retailers who enable multifactor authentication and encourage its use by their customers reduce the amount of fraud they will experience from account takeovers.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

Employee speaking on video call with colleagues on online briefing with laptop at home

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Tell us about yourself

First & Last Name