The FIDO standard supports multifactor authentication (MFA) and strong features like biometrics. FIDO stores supporting data on the user's device, such as a smartphone, to eliminate the need for multiple passwords. The system is much like an encrypted virtual container of strong authentication elements, including biometrics, USB security tokens, Near Field Communication (NFC), Trusted Platform Modules (TPM), embedded secure elements, smart cards and Bluetooth. Data from authentication sources is used for the local key, while the requesting service gets a separate login to keep user data private.
FIDO works through two different protocols for two different user experiences. The Universal Authentication Framework (UAF) protocol allows the user to register an enabled device with a FIDO-ready server or website. Users authenticate on their devices with fingerprints or PINs, for example, and log in to the server using a secure public key. The Universal Second Factor (U2F) protocol is designed to authenticate users with a strong second factor, such as a USB touchscreen key or an NFC tap on a mobile device.
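The following Go program is an added example, not code from the original article or from the FIDO Alliance, that models the exchange described above: the authenticator keeps a private key per relying party and only signs after local user verification, while the server stores nothing but the registered public key and verifies a one-time challenge. The names Authenticator and RelyingParty, the PIN that stands in for a fingerprint, and the choice of ECDSA over P-256 are assumptions made for illustration and are not taken from the FIDO specifications.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device. Private keys are created here and
// never leave; a signature is released only after local user verification
// (a PIN stands in for the fingerprint or other local factor).
type Authenticator struct {
	pin  string
	keys map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pin: pin, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair bound to rpID and hands back only the
// public half, which is all the server ever stores.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign performs local user verification, then signs the server's challenge
// with the key bound to rpID. Including rpID in the signed data means a
// signature produced for one service is meaningless to another.
func (a *Authenticator) Sign(rpID, pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.pin)) != 1 {
		return nil, errors.New("local user verification failed")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}

// signedData binds the challenge to the relying party before hashing.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the FIDO-ready server. It holds public keys only,
// plus the challenges it has issued and not yet consumed.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // username -> public key
	pending map[string]bool             // hex(challenge) -> outstanding
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

// Enroll stores the public key the authenticator returned at registration.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that must be signed exactly once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify accepts a login only if the challenge is one it issued and has not
// been used, and the signature checks under the user's registered key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !rp.pending[key] {
		return false // unknown or replayed challenge
	}
	delete(rp.pending, key)
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

func main() {
	auth := NewAuthenticator("1234")
	bank := NewRelyingParty("bank.example")
	pub, _ := auth.Register(bank.ID)
	bank.Enroll("alice", pub)

	ch, _ := bank.NewChallenge()
	sig, _ := auth.Sign(bank.ID, "1234", ch)
	fmt.Println("login:", bank.Verify("alice", ch, sig))  // true
	fmt.Println("replay:", bank.Verify("alice", ch, sig)) // false
}
```

Two design points carry the article's privacy claim: the biometric or PIN check happens entirely inside Sign, so the server never sees it, and because each relying party gets its own key pair and its ID is folded into the signed data, a registration with one site cannot be correlated with or reused against another.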
FIDO's local storage of biometrics and other personal identification is intended to ease user concerns about personal data stored on an external server or in the cloud. By abstracting the protocol implementation, FIDO also reduces the work required for developers to create secure logins.
FIDO is developed by the FIDO Alliance, a non-profit organization formed in 2012. Alliance board-level members include ARM, BlackBerry, Google, MasterCard, Microsoft, PayPal, Samsung, Synaptics and Visa.
FIDO and the need for standardization
Multifactor authentication (MFA) generally increases security, but it is not always an easy process. There are many kinds of MFA devices, and historically they have had interoperability problems, which made implementing MFA within an organization, service or site tricky. MFA solutions have often been tacked onto existing ID/password systems, so users faced the burden of extra factors on top of password rules, blacklists and regular password changes, and adoption suffered. Competing standards existed, but what was needed was a single unifying standard.
Such a standard would be required to support all hardware vendors in the industry and increase interoperability. It would also have to facilitate MFA use to increase user adoption rates, which were stagnant throughout the payment industry.
Strong authentication was needed, but it was important that it not be too hard to use. The solution had to be a more cohesive package spanning services, devices and types of authentication. To enter an existing market, vendors would also have to be brought on board. Standardization had to suit as many companies as possible, which meant that industry leaders would have to agree on the specific requirements for a standard.
Benefits of FIDO
A major benefit is the fact that users don't need to use complex passwords beyond registration. At most, a PIN is required for login, along with a second strong authentication factor. Users aren’t required to create strong and memorable passwords, deal with complex rules and blacklists or go through recovery procedures when they forget a password. Through FIDO’s new device standard and browser plug-in, the system allows any cloud or web service to support a multitude of authentication types and devices.
For industry, FIDO eases MFA implementation by increasing interoperability. The technology supports many authentication methods and technologies from different companies. Options include biometric methods such as fingerprint scanners, iris scanners, voice recognition and face recognition, as well as possession-factor devices such as USB security tokens, NFC devices and smart cards.
FIDO uses MFA and public key cryptography to create secure authentication. Unlike password databases, FIDO locks down authentication-related data when it is not in use, rather than leaving it exposed. Users can easily unlock and present secondary factors by tapping an NFC device or by pressing a button on a security key. FIDO stores personally identifiable information (PII), such as biometric data, locally on the user's device to protect it.
The history of the FIDO Alliance
In 2007, PayPal was trying to increase security by introducing MFA to its customers in the form of its one-time password (OTP) key fob, Secure Key. Although Secure Key was effective, adoption rates were low: it was generally used only by a few security-conscious individuals and those who had experienced account hijacking. The key fob complicated authentication, and most users simply did not feel the need to tolerate it.
In talks exploring the idea of integrating fingerscanning technology into PayPal, Ramesh Kesanupalli (then CTO of Validity Sensors) spoke to Michael Barrett (then PayPal's CISO). It was Barrett’s opinion that an industry standard was needed that could support all authentication hardware. Kesanupalli set out from there to bring together industry peers with that end in mind.
The FIDO Alliance was founded as the result of meetings between this group. Formed in the summer of 2012, the alliance initially included just six companies: PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio. The Alliance went public in February 2013, and since then many companies have become members, including Google, ARM, Bank of America, MasterCard, Visa, Microsoft, Samsung, LG, Dell and RSA. Microsoft has announced the inclusion of FIDO for authentication in Windows 10.
The proliferation of smartphones and other mobile devices continues to call for standards that support multifactor authentication. Methods such as biometrics are being incorporated into smartphones and PCs to prevent identity theft. Today a variety of products exist on the market, including EMC RSA Authentication Manager, Symantec VeriSign VIP, CA Strong Authentication and Vasco Identikey Digipass.
Margaret Rouse asks:
What challenges have you run into when implementing FIDO?