NIST SPECIAL PUBLICATION 1800-17
Multifactor Authentication for E-Commerce
Risk-Based, FIDO Universal Second Factor Implementations for Purchasers
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
William Newhouse
Brian Johnson
Sarah Kinling
Jason Kuruvilla
Blaine Mulugeta
Kenneth Sandlin
This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-17
The first draft of this publication is available free of charge from https://www.nccoe.nist.gov/sites/default/files/library/sp1800/cr-mfa-nist-sp1800-17.pdf
NIST SPECIAL PUBLICATION 1800-17
Multifactor Authentication for E-Commerce
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
William Newhouse
Information Technology Laboratory
National Institute of Standards and Technology
Brian Johnson
Sarah Kinling
Jason Kuruvilla
Blaine Mulugeta
Kenneth Sandlin
The MITRE Corporation
McLean, Virginia
July 2019
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Undersecretary of Commerce for Standards and Technology
NIST SPECIAL PUBLICATION 1800-17A
Multifactor Authentication for E-Commerce
Risk-Based, FIDO Universal Second Factor Implementations for Purchasers
Volume A: Executive Summary
William Newhouse
Information Technology Laboratory
National Institute of Standards and Technology
Brian Johnson
Sarah Kinling
Jason Kuruvilla
Blaine Mulugeta
Kenneth Sandlin
The MITRE Corporation
McLean, Virginia
July 2019
1 Executive Summary
Retailers can implement multifactor authentication (MFA) to reduce the opportunity for a customer's online account to be used for fraudulent purchases.

MFA is a security enhancement that allows a user to present several pieces of evidence when logging into an account. This evidence falls into three categories: something you know (e.g., password), something you have (e.g., smart card), and something you are (e.g., fingerprint). The presented evidence must come from at least two different categories to enhance security.

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory environment to explore MFA options available to retailers today, and documented the example implementations that retailers can consider for their environment.

This NIST Cybersecurity Practice Guide demonstrates how online retailers can implement MFA to help reduce electronic commerce (e-commerce) fraud.

CHALLENGE

Smart chip credit cards and terminals work together to protect in-store payments. The in-store security advances were introduced in 2015, and those have pushed malicious actors who possess stolen credit card data to perform payment card fraud online. This guide describes implementing stronger user-authentication techniques to reduce the risk of e-commerce fraud. The guide documents a system in which risk determines when to trigger MFA challenges to existing customers.

SOLUTION

This project's example implementations analyze risk to prompt returning purchasers with additional authentication requests when risk elements are exceeded during the online shopping session. Risk elements may include contextual data related to the returning purchaser and the current shopping transaction. The example implementations will prompt a