FIDO Specs: Moving Beyond Passwords

How Universal Standards Could Help Enhance Authentication
FIDO Specs: Moving Beyond Passwords

Security experts see the FIDO Alliance's Dec. 9 release of two universal authentication specifications as a positive move in the effort to end reliance on passwords. But the standards' impact will be minimal unless they're widely adopted, which could prove to be an uphill climb.

See Also: 12 Top Cloud Threats of 2016

The selling point for the universal authentication specifications - the Universal Authentication Framework, known as UAF, and the Universal Second Factor, known as U2F - is that they are open-source standards. And industry experts are touting the alliance's efforts to standardize advanced authentication tools, such as biometrics and hardware tokens.

"Passwords are one of the weakest links in security today, with more than 76 percent of all breaches involving weak or stolen credentials," says Patrick Peterson, CEO and founder of e-mail security firm Agari. "The industry has been in ... agreement that something needs to be done, but the ecosystem complexity has proven insurmountable until now. These specs will provide the underlying technology standard that will enable the end of the ineffective password and create a more secure, resilient Internet."

But for now, it's more prudent to let some of the bigger online players test the FIDO waters first, contends Scott Waddell, CTO at online security firm iovation.

"We believe UAF should be recommended, but not mandatory, until we see wider deployment of the framework," Waddell says. "Some major companies are backing the standard, but its success depends on device manufacturer and SaaS [software-as-a-service] provider adoption."

Waddell acknowledges, however, that if FIDO's framework can live up to its promise, it could have far-reaching results, especially from a payments perspective.

The framework could enhance PCI data security standards for data portability and authentication, he says. "The UAF is particularly useful for the increasing cloud-based and federated, single sign-on solutions. The framework has standardized how authentication can securely store and transfer data during the authentication process."

FIDO: Interoperable Authentication

The mission of the FIDO [Fast Identity Online] alliance is reduce, and eventually eliminate, the use of passwords for authentication.

The global not-for-profit alliance's first two universal specifications can be used with devices, servers, Web browsers and cloud applications. The alliance soon expects to publish extensions that will incorporate near-field communications and Bluetooth into FIDO's range of capabilities as well.

The alliance believes that for advanced authentication to become ubiquitous, mobile devices and PCs used for e-commerce and electronic banking need to be equipped with standards-based authentication mechanisms. Under FIDO's model, these devices will register users and then authenticate those users with private keys, so that no sensitive data is directly provided by the user.

Google, Others Roll Out FIDO

FIDO's work has garnered attention among big online players.

In October, Google announced its roll out of U2F as a second-factor layer of authentication for Chrome users.

Other implementations of FIDO's authentication also are available from NoK Nok Labs, Synaptics, Alibaba, PayPal, Samsung, Google, Yubico and Plug-Up.

These types of authentication methods are a necessity, says Paul Simmonds, CEO of the Global Identity Foundation, a coalition of security vendors, technology experts and others that's attempting to establish an international and open-source identity verification system.

"It's really good to see the FIDO specification reach version 1.0, as stronger authentication of the individual is a key component in providing higher levels of trust in the overall identity ecosystem," Simmonds says.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network