
Why NIST Recommends MFA to Fight E-Commerce Fraud

MFA adoption urged to fight e-commerce fraud

September 18, 2019

Fraudulent purchases and data breaches are an incredibly costly problem for online retailers, and they are on the rise. A ThreatMetrix report found that in the first quarter of 2018, the growth of e-commerce fraud attempts outpaced the growth of overall e-commerce transactions by 83%.

According to the latest data from IBM, the average cost of a data breach is currently $150 per compromised record, and the costs of data breaches will only increase with the passage of new privacy legislation.

For business leaders concerned about protecting profits and customer data from such attacks, the National Institute of Standards and Technology's (NIST) recent guidance urging e-commerce businesses to implement multi-factor authentication (MFA) offers some relief.


When deployed properly, MFA is one of the strongest defenses against fraudulent purchases and against breaches that start with a compromised administrator account, yet e-commerce has been slow to adopt it. Experian's research found that only 44% of businesses currently employ MFA, which Experian attributes to concerns about MFA hurting the customer experience.

Yet modern MFA solutions allow businesses to balance security and convenience. NIST's guidelines offer actionable advice for e-commerce businesses to catch up with current security standards and spell out what to look for when adopting MFA.

In this piece, we'll go over what MFA is, how NIST defines a sound MFA solution, and how e-commerce businesses can implement MFA effectively while balancing their other business needs.

MFA in a Nutshell

In the simplest terms, MFA is a way of verifying that the people using your system are who they claim to be. MFA demands credentials from more than one (usually two) of the following categories; two credentials of the same kind, such as a password plus a security question, do not count as multi-factor:

  • Something someone knows (like a password; knowledge-based questions such as a mother's maiden name are the weakest form, since the answers are often public or reused)
  • Something they have (such as a phone on which they can receive a one-time SMS code, or an authenticator app; NIST treats SMS as a restricted channel because messages can be intercepted or redirected, so prefer an app or push-based factor where you can)
  • Something they are (biometric ID such as a fingerprint or facial scan)


A business using MFA can request additional verification at any point in a user’s session: login, purchase, or when navigating within a site or app.

MFA is widely regarded as the strongest practical defense against password-based attacks, but there are a wide variety of MFA solutions available, and they are not all created equal.

Finally, while most of us are familiar with MFA from our own online shopping experiences, it isn't just for end users. NIST emphasizes that requiring MFA for e-commerce admins is crucial for preventing data breaches that start with an admin being phished.

Why E-Commerce Needs MFA

The continually evolving digital threat landscape makes e-commerce businesses particularly vulnerable. As NIST's guide explains, 2015 saw the introduction of security improvements to credit cards and in-store terminals (the move to EMV chip cards and chip-capable terminals). These improvements reduced traditional card-present fraud but had the unintended effect of pushing more theft online, where the card itself is never presented.

E-commerce businesses face several types of attack, including brute-force attacks, phishing, and credential stuffing; NIST's guidelines give credential stuffing particular attention.

In credential stuffing, user IDs and passwords stolen from one site are replayed against another, preying on the tendency of users to recycle the same few passwords. It is one of the most prevalent attacks on login forms in 2019. An Akamai report found that retail was the single most targeted vertical for this attack, with over 10 billion credential abuse attempts in 2018.


Credential stuffing is difficult to combat, and it will likely worsen as attackers develop more sophisticated bots that combine data from multiple breaches and spread attempts across many source addresses. Successful credential stuffing leads to account takeover. For customers, an account takeover can mean fraudulent purchases shipped to strangers; for admins, it can lead to a far more serious data breach.

So how do you know if your current authentication system is at risk from these kinds of attack? NIST lists the following common traits of vulnerable systems:

  • Allowing multiple incorrect login attempts without locking or throttling the account
  • Customers reusing the same password across multiple sites
  • Accepting weak passwords

If any of those describe your company's authentication system, implementing MFA can quickly close those gaps to protect you and your customers while you strengthen the rest of your identity solution.
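The two traits above that a log can reveal, accounts taking unlimited failed logins and one source replaying stolen credentials across many accounts, are easy to check for. The following is an added example, not code from the post or from Auth0: it runs a per-account lockout counter and a per-source credential-stuffing heuristic over a constructed sample of authentication log lines. The log format, the thresholds (5 consecutive failures; 5 or more distinct usernames from one IP with a success rate of 25% or less) and the sample addresses are assumptions for the example.

```javascript
'use strict';

// Constructed sample authentication log (not real traffic).
// Fields: ISO timestamp, client IP, username, result.
const SAMPLE_LOG = `
2019-09-18T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-09-18T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-09-18T10:00:02Z 203.0.113.7 carol@example.com FAIL
2019-09-18T10:00:03Z 203.0.113.7 dave@example.com FAIL
2019-09-18T10:00:03Z 203.0.113.7 erin@example.com SUCCESS
2019-09-18T10:00:04Z 203.0.113.7 frank@example.com FAIL
2019-09-18T10:01:10Z 198.51.100.4 alice@example.com FAIL
2019-09-18T10:01:15Z 198.51.100.4 alice@example.com FAIL
2019-09-18T10:01:20Z 198.51.100.4 alice@example.com FAIL
2019-09-18T10:01:25Z 198.51.100.4 alice@example.com FAIL
2019-09-18T10:01:30Z 198.51.100.4 alice@example.com FAIL
2019-09-18T10:01:40Z 198.51.100.4 alice@example.com SUCCESS
2019-09-18T10:02:00Z 192.0.2.9 grace@example.com SUCCESS
`;

// Parse one event per line into { ts, ip, user, success }.
function parseLog(text) {
  return text.trim().split('\n').map(line => {
    const [ts, ip, user, result] = line.trim().split(/\s+/);
    return { ts, ip, user, success: result === 'SUCCESS' };
  });
}

// Replays the events in order and reports:
//  - lockedAccounts: accounts that hit `lockoutThreshold` consecutive failures
//  - blockedAttempts: attempts that arrived after the lock and should have been rejected
//  - stuffingSources: IPs that tried many distinct usernames with a low success rate
function analyze(events, opts = {}) {
  const { lockoutThreshold = 5, minDistinctUsers = 5, maxSuccessRate = 0.25 } = opts;
  const consecutiveFails = new Map();
  const locked = new Set();
  const blockedAttempts = [];
  const perIp = new Map();

  for (const ev of events) {
    // Per-account lockout: a success resets the counter, a failure increments it,
    // and once the account is locked every later attempt is recorded as blocked.
    if (locked.has(ev.user)) {
      blockedAttempts.push(ev);
    } else if (ev.success) {
      consecutiveFails.set(ev.user, 0);
    } else {
      const n = (consecutiveFails.get(ev.user) || 0) + 1;
      consecutiveFails.set(ev.user, n);
      if (n >= lockoutThreshold) locked.add(ev.user);
    }

    // Per-source statistics for the credential-stuffing heuristic.
    const s = perIp.get(ev.ip) || { attempts: 0, successes: 0, users: new Set() };
    s.attempts += 1;
    if (ev.success) s.successes += 1;
    s.users.add(ev.user);
    perIp.set(ev.ip, s);
  }

  // Credential stuffing looks like one source trying many different accounts,
  // most of which fail; a single account being hammered is brute force instead.
  const stuffingSources = [];
  for (const [ip, s] of perIp) {
    const successRate = s.successes / s.attempts;
    if (s.users.size >= minDistinctUsers && successRate <= maxSuccessRate) {
      stuffingSources.push({ ip, attempts: s.attempts, distinctUsers: s.users.size, successRate });
    }
  }
  return { lockedAccounts: [...locked], blockedAttempts, stuffingSources };
}

const REPORT = analyze(parseLog(SAMPLE_LOG));
console.log(JSON.stringify(REPORT, null, 2));
```

On the sample, 203.0.113.7 is flagged as a stuffing source (six accounts tried, one success), and that one success against erin@example.com is exactly the reused-password takeover the post describes; alice@example.com is locked after the fifth failure, and the two later attempts, including the one that succeeded, are the logins a system without lockout would have accepted. In production the counters would live in a shared store rather than in memory, and the per-IP heuristic needs widening to cover attackers who rotate addresses.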

What Makes a Good E-Commerce MFA Solution

MFA builds on open standards (for example TOTP one-time codes and FIDO2/WebAuthn), but there is a great deal of variance between implementations. NIST specifies a few "must-haves" for an MFA solution to protect your business effectively.

  • Customization: Not every transaction should require additional authentication, so a good MFA solution allows you to tailor your system to your needs. NIST lists the most common parameters to trigger verification as cost threshold (a purchase above a certain dollar amount) and risk threshold. You can customize your definition of risk any number of ways, such as a customer using a new shipping address, paying with a new card, buying an item commonly associated with fraud, or making a purchase at an unusual time of day.
  • Require MFA for admin tasks: A criminal with fraudulent admin credentials can do incalculable damage to your business, so NIST recommends that any administration activity requires verification.
  • Dashboards for suspicious activity: The NIST report specifically mentions that e-commerce businesses should "enable system-activity situational awareness by providing dashboards that display account lockout and authentication activity." Auth0's dashboard does just this, giving you a high-level view of your users and their authentication activity so your admins can spot patterns and recognize new threats as they evolve.


Auth0 also offers breached password protection, which tracks security breaches at third-party sites and flags potentially stolen credentials. Taken together, these features are a proactive way for e-commerce teams to detect and prevent fraudulent transactions.

How an IDaaS Partner Manages Your MFA Needs

Many e-commerce executives have been slow to push for MFA because they feared alienating customers with irritating demands for credentials. However, online shoppers are increasingly reassured rather than irritated by such measures.

In Experian’s 2018 Global Fraud and Identity Report, 66% of surveyed customers reported that they “like all the security protocols when I interact online because it makes me feel protected." Yet customer tolerance isn’t infinite, and in the same survey, a third of customers reported that security demands caused them to make fewer online purchases.

E-commerce businesses have to find an MFA solution that provides both effective fraud prevention and positive user experiences. By partnering with an identity management platform like Auth0, you can reap the benefits of increased security without taxing your developers or frustrating your customers.

  • Balance of ease and customizability: Auth0’s MFA solutions can be turned on by flipping a single toggle, so you don’t have to wait weeks or months for your developers to secure your system. However, Auth0 also gives your team the freedom to write customized rules for MFA around any of the parameters discussed above.
  • Reduced friction for users: Auth0's MFA lets developers choose which authentication factors suit their needs, whether that's SMS, a token generator app, or Guardian, which lets users authenticate via a push notification. This allows users to use the MFA method they prefer while maintaining proper security practices.


Because SMS is among the supported factors, customers who don't install an app or don't own a smartphone can still enroll, which makes the offering usable by practically everyone. The trade-off is that SMS is the weakest of the factors listed above, so it is best reserved for users who have no other option.

  • Evolves with and for you: Keeping on top of current security standards can be a full-time job. But it's not your full-time job, so outsourcing MFA to an established IDaaS partner like Auth0 can provide peace of mind to you and your customers.
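The "Customization" and "Require MFA for admin tasks" must-haves above, and the customized MFA rules just mentioned, come down to one policy decision: given what we know about this purchase and this user, do we demand a second factor now? The following is an added example, not code from the post or from Auth0. It expresses NIST's cost-threshold and risk-threshold triggers as a pure function over a purchase and the customer's history, and wraps the admin requirement in a function shaped like an Auth0 Rule (`function (user, context, callback)`, which can request MFA by setting `context.multifactor`). The dollar threshold, quiet hours, high-risk SKUs, the `app_metadata.roles` field and the `step_up=1` query parameter the shop would send when re-authenticating are assumptions for the example.

```javascript
'use strict';

// Step-up policy parameters. The values are assumptions for this example.
const POLICY = {
  amountThreshold: 250,                    // cost threshold: purchases above this need MFA
  quietHours: { start: 1, end: 5 },        // local hours at which a purchase is unusual
  highRiskSkus: new Set(['GIFTCARD-100', 'PREPAID-CARD-200']), // items fraudsters cash out easily
};

// Returns the reasons this purchase needs step-up MFA; an empty list means the
// existing session is enough. `profile` holds what the shop has already seen
// for this customer (known shipping addresses and card fingerprints).
function stepUpReasons(txn, profile, policy = POLICY) {
  const reasons = [];
  if (txn.amount > policy.amountThreshold) reasons.push('amount_over_threshold');
  if (!profile.knownShippingAddresses.includes(txn.shippingAddress)) reasons.push('new_shipping_address');
  if (!profile.knownCardFingerprints.includes(txn.cardFingerprint)) reasons.push('new_payment_card');
  if (txn.items.some(sku => policy.highRiskSkus.has(sku))) reasons.push('high_risk_item');
  if (txn.localHour >= policy.quietHours.start && txn.localHour < policy.quietHours.end) {
    reasons.push('unusual_hour');
  }
  return reasons;
}

// Auth0 Rule-shaped hook. Admins are challenged on every login; customers are
// challenged when the checkout flow re-authenticated them with step_up=1 because
// stepUpReasons() came back non-empty. (Field and parameter names are assumed.)
function mfaRule(user, context, callback) {
  const roles = (user.app_metadata && user.app_metadata.roles) || [];
  const query = (context.request && context.request.query) || {};
  const isAdmin = roles.includes('admin');
  const stepUpRequested = query.step_up === '1';
  if (isAdmin || stepUpRequested) {
    // provider 'any' lets the user finish with whichever factor they enrolled;
    // allowRememberBrowser: false prevents a remembered browser from skipping the challenge.
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Small harness so the rule can be exercised without the Auth0 runtime.
function runRule(user, context) {
  let result;
  mfaRule(user, context, (err, u, c) => { result = { err, mfaRequired: Boolean(c.multifactor) }; });
  return result;
}

// Constructed sample data (not real customers).
const PROFILE = {
  knownShippingAddresses: ['12 Main St, Springfield'],
  knownCardFingerprints: ['fp_visa_4242'],
};
const ROUTINE_ORDER = { amount: 40, shippingAddress: '12 Main St, Springfield',
  cardFingerprint: 'fp_visa_4242', items: ['BOOK-001'], localHour: 14 };
const SUSPECT_ORDER = { amount: 600, shippingAddress: '99 Drop Ln, Elsewhere',
  cardFingerprint: 'fp_mc_9999', items: ['GIFTCARD-100', 'BOOK-001'], localHour: 3 };

console.log('routine:', stepUpReasons(ROUTINE_ORDER, PROFILE));
console.log('suspect:', stepUpReasons(SUSPECT_ORDER, PROFILE));
console.log('admin login:', runRule({ app_metadata: { roles: ['admin'] } }, { request: { query: {} } }));
```

Keeping the decision in a pure function is what makes the policy tunable: the fraud team can adjust thresholds or add a signal (a device never seen before, a velocity check) without touching the login flow, and every challenge carries a list of reasons that can be logged next to the lockout and authentication activity NIST wants on the dashboard.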

NIST Guidance Can Offer Immediate Protection

Though NIST’s guidelines are voluntary suggestions, their very existence points to the urgent need for MFA adoption to protect online shopping as a whole. As the guide says: “fraud impacts the e-commerce ecosystem by decreasing purchaser confidence...and by increasing costs to offset the e-commerce fraud.”

Business leaders are under pressure to protect their customers from identity-based attacks without sacrificing revenue through excessive security measures. Finding this balance requires expert help, so reach out to an Auth0 resource to talk about how you can put NIST's advice into practice.

About Auth0

Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit
