Multifactor Authentication for e-Commerce

Current Status

This project is moving into the build phase. We have selected several technology collaborators for this project. Companies that have been selected to participate have signed a Cooperative Research and Development Agreement (CRADA; see an example) with NIST.

Download the Multifactor Authentication for e-Commerce Project Description (PDF) for more detailed information. A summary of the project description is available in a two-page fact sheet.


As greater security mechanisms are implemented at the point of sale, retailers in the U.S. may see an increase in e-commerce fraud, similar to what has been observed in the UK and Europe following the rollout of EMV chip-and-PIN technology ten years ago. Consumers, retailers, payment processors, banks, and card issuers are all impacted by e-commerce fraud. Reducing e-commerce fraud requires implementing security standards and processes to achieve an increased level of assurance in purchaser or user identity.

In collaboration with stakeholders in the retail and e-commerce ecosystem, the NCCoE will demonstrate that implementing risk-based multifactor authentication (MFA), tied to existing web analytics and contextual risk calculation, can increase assurance in purchaser or user identity. This project will explore prompting online customers with additional authentication challenges when web analytics and contextual risk calculations (such as transaction and navigation details, behavioral web session monitoring, and device identification) indicate some doubt that the customer is legitimate. Multiple forms of multifactor authenticators, such as FIDO, out-of-band, and one-time-password devices will be considered to provide retailers and their customers a diverse sets of implementation options.

This project will produce a NIST Cybersecurity Practice Guide—a publicly available description of the solution and practical steps needed to effectively implement risk-based MFA.

Questions? Comments? Reach us at

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Ca Technologies logo
Callsign logo
Rivetz logo
RSA logo
Splunk logo
StrongAuth logo
TokenOne logo
Yubico logo