Password-free authentication: Figuring out FIDO

Will open FIDO standards for better interoperability of next-generation authentication technologies actually work?


Online authentication mechanisms have grown increasingly difficult for IT security teams as employees and customers expect to access online services and e-commerce sites from a myriad of devices. With password fatigue reaching new heights, many security professionals want stronger authentication methods that eliminate the complexities and risks associated with the integration of online credentials and identity management.

By now, most security professionals have heard about the Fast Identity Online (FIDO) Alliance, a non-profit founded in July 2012 and publicly announced in February 2013. The industry group is championing better multifactor authentication and open standards to promote interoperability of next-generation authentication technologies.

Not so fast

Depending on your perspective, either a lot or very little has happened in the past year. The FIDO Alliance has added many signatories, including major players such as Google, Microsoft, Bank of America, Goldman Sachs, RSA, Netflix, ARM and MasterCard. Originally founded by Lenovo, PayPal, Nok Nok Labs, Infineon Technologies, Validity Sensors and Agnitio, the FIDO Alliance now has more than 100 supporters.

How to Get FIDO-Ready

If you are interested in Fast Identity Online (FIDO) and don't mind waiting for the products and final standards, here are a few places to start to learn more.

First, review how Samsung's fingerprint sensor API works and determine whether developer access to this type of information could motivate your organization to purchase biometrics-enabled phones and deploy them across your enterprise. (Apple's iPhone 5C does not yet give developers programmatic access to its fingerprint sensor.)

Then take a look at Yubico's upcoming touch-sensitive USB key, which uses the FIDO Universal Second Factor protocol for authentication. This type of technology could be useful in "proof of life" situations in which a total fingerprint isn't needed -- for example, people receiving government pensions who need to verify that they are still alive before their monthly benefits can continue. It could also be used in situations where you need to prove your identity, such as interactions with call center agents.

To see how a voiceprint recognition application will work, check out the demo of Agnitio's KivoxMobile Software Development Kits for Android and iOS devices. Agnitio has a project underway with an American bank to implement FIDO protocols for its customers. One of the challenges of voiceprint recognition is being able to detect a recorded voice and distinguish it from the original speaker.

For a look at a client-server system based on the FIDO protocols, check out Nok Nok Labs' S3 Authentication Suite, which includes a Multifactor Authentication Server with iOS, Android, Windows 7 and Windows 8 clients. This system will work with a variety of different sensors, including fingerprint readers (shown in this online demo).

Finally, Oberthur Technologies, a founder of the Secure Identity Alliance and provider of ePassports, is building specialized phone SIM cards that have FIDO authenticators. This project demonstrates the flexibility of the FIDO protocol and how it can be used on phones that don't have the latest technology.


The preview drafts of the FIDO specifications were made public this past February, almost a year after all the initial hoopla over the alliance began. The technical specifications define a common interface for user authentication on the client via biometrics, PINs and two-factor methods to promote data privacy and stronger authentication for online services without hard-to-adopt measures.

The protocols, which are based on public key cryptography, are categorized into two user experiences that support a wide range of scenarios. The Universal Authentication Framework (UAF) protocol enables the user to register a UAF-enabled device with a FIDO-ready server or website, authenticate their identity on their device with a fingerprint or PIN, for example, and log in to the server using a secure public key. The Universal Second Factor (U2F) protocol -- originally developed by Google -- is an effort to get the Web ecosystem (browsers, online service providers, operating systems) to authenticate users with a strong second factor, such as a USB touchscreen key or a Near Field Communication (NFC) tap on a mobile device.

FIDO-ready certification is established by passing a series of tests based on UAF or U2F requirements. There is a lot of testing going on, a lot of demonstration projects and a lot of promises. FIDO-ready products and services from Agnitio, GoTrust, Infineon, Nok Nok Labs, Yubico and others were shown at the International Consumer Electronics Show in January. But all of this activity is somewhat frustrating because few FIDO-ready products are for sale and there are no commercial FIDO users.

At the Mobile World Congress 2014 in February, Samsung announced that its Galaxy S5 smartphone would ship in April with FIDO-ready software and contain a fingerprint sensor that makes use of the FIDO protocols. Samsung and PayPal also announced a FIDO authentication partnership. Samsung Galaxy S5 users can authorize transactions to their PayPal accounts using their fingerprints, which authenticates users by sending unique encrypted keys to their online PayPal wallets without storing biometric information on the company's servers.

It doesn't hurt that Michael Barrett, who heads the FIDO Alliance, formerly worked at PayPal as its chief information security officer, either. As Barrett told SearchSecurity in 2013, FIDO is not authentication technology, it's a wrapper: "The one ring that binds them all."

Authentication at scale

Why should security professionals care about FIDO? FIDO promises to clean up the strong authentication marketplace, making it easier to build one-fob-fits-all products. The open standards shift some of the burden for protecting personally identifiable information to software on devices or biometric features, and away from stored credentials and passwords. ComputerWeekly described FIDO's potential this way:

The FIDO method is more secure than current methods because no password or identifying information is sent out; instead, it is processed by software on the end user's device that calculates cryptographic strings to be sent to a login server.

That's a big advantage. In the past, multifactor authentication methods were based on either a hardware fob or some kind of tokenless product that relied on custom software, proprietary programming interfaces and considerable work to integrate the method into your existing on-premises and Web-based applications.
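To make the registration and sign-in flow concrete (the UAF/U2F description above and ComputerWeekly's point that only a cryptographic string, never a password, reaches the login server), here is an added Go example. It is not code from the FIDO Alliance, its member companies or this article, and it is a simplified model rather than the FIDO wire format: the device mints a P-256 key pair, gates signing behind a local user check that stands in for the fingerprint or PIN, and signs the server's challenge together with the relying party's app ID and a signature counter; the server stores only the public key and the last counter it accepted. The app ID `https://bank.example`, the type and function names, and the challenge handling are all this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// Authenticator models the user's device: private keys are minted and kept here, and
// the fingerprint/PIN check is a local gate in front of signing (the userVerified bool).
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key, never exported
	counter uint32                       // signature counter, bumped on every use
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh P-256 key pair and returns only the public half plus an
// opaque handle (here a hash of the public key) that the server uses to refer to it.
func (a *Authenticator) Register() (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	sum := sha256.Sum256(priv.PublicKey.X.Bytes())
	handle := hex.EncodeToString(sum[:8])
	a.keys[handle] = priv
	return handle, &priv.PublicKey, nil
}

// Assertion is the "cryptographic string" sent to the login server instead of a password.
type Assertion struct {
	Handle    string
	Counter   uint32
	Signature []byte // ASN.1 ECDSA signature over signedData(...)
}

// signedData is what the device commits to: the relying party's app ID (so an
// assertion for one site is useless at another), the counter and the challenge.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	return bytes.Join([][]byte{app[:], ctr[:], chal[:]}, nil)
}

// Sign answers a server challenge, but only after the local user check has passed.
func (a *Authenticator) Sign(handle, appID string, challenge []byte, userVerified bool) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("local user verification (fingerprint/PIN) failed")
	}
	priv, ok := a.keys[handle]
	if !ok {
		return nil, errors.New("unknown key handle")
	}
	a.counter++
	digest := sha256.Sum256(signedData(appID, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{Handle: handle, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty models the FIDO-ready server. Per device it holds a public key and the
// highest counter accepted so far: no password hash and no biometric template.
type RelyingParty struct {
	AppID string
	pubs  map[string]*ecdsa.PublicKey
	ctrs  map[string]uint32
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, pubs: map[string]*ecdsa.PublicKey{}, ctrs: map[string]uint32{}}
}

func (rp *RelyingParty) StoreRegistration(handle string, pub *ecdsa.PublicKey) { rp.pubs[handle] = pub }

// Verify accepts an assertion only if the registered key signed this server's app ID
// together with the challenge the server issued (a fresh random nonce the caller keeps
// in the login session), and only if the counter moved forward: a stale counter points
// to a replayed assertion or a cloned authenticator.
func (rp *RelyingParty) Verify(as *Assertion, challenge []byte) error {
	pub, ok := rp.pubs[as.Handle]
	if !ok {
		return errors.New("unregistered key handle")
	}
	digest := sha256.Sum256(signedData(rp.AppID, as.Counter, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("signature does not verify")
	}
	if as.Counter <= rp.ctrs[as.Handle] {
		return errors.New("signature counter did not increase")
	}
	rp.ctrs[as.Handle] = as.Counter
	return nil
}
```

The two checks in `Verify` are what buy the properties the article describes: the app ID is part of the signed data, so an assertion produced for one site verifies nowhere else, and a counter that fails to advance rejects a repeated assertion. Real U2F additionally signs a user-presence byte and consumes each challenge server-side; that bookkeeping is left to the caller here.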

One secure key

If it is widely adopted, FIDO will divorce these second-factor methods from the actual applications that will depend on them. That means the same authentication device can be used in multiple ways for signing into a variety of providers, without one being aware of the others or the need for extensive programming for stronger authentication.


"FIDO makes it easier to do the authentication integration piece and not have to rewrite the client software over and over again," said Mike Goldgof, vice president of marketing at Agnitio, a voice biometrics technology company in Madrid. Without FIDO, Agnitio would have to continue to develop different software development kits for each target audience and application, or work closely with individual application developers. "This gives us a huge population of users to draw on," Goldgof said.

Wide adoption of FIDO-compliant technology could also banish the need for users to cart around different second-factor tokens and other authentication methods. "That seems like a no-brainer and a big win," said Joseph Sikes, a security engineer with a cable communications company that has looked at the FIDO specs. "Integrating this type of built-in technology with digital wallets and ecommerce can not only help protect consumers, but reduce the risk, liability and fraud for financial institutions and digital marketplaces."

Better odds for data privacy

The big leap that FIDO is taking is to use unique features such as biometrics -- voiceprint, fingerprint, facial recognition or some other combination -- and digitize and protect that information with solid cryptographic techniques. But unlike the traditional second-factor authentication key fobs or even the tokenless phone call-back scenarios, this information remains on your smartphone or laptop and isn't shared with any application provider. FIDO can even use a simple four-digit PIN code, and everything will remain on the originating device. With this approach, FIDO avoids the potential for a Target-like point-of-sale exploit that could release millions of logins to the world, a big selling point for many IT shops and providers.

"It will be cryptographically secure and we don't transmit this information or store it on some central database," said Jamie Cowper, a senior director at Nok Nok Labs in Palo Alto, Calif. Nok Nok Labs' S3 Authentication Suite, based on the emerging FIDO protocols, is used in independent testing environments as part of the FIDO-ready certification program.

Another big advantage is that FIDO is designed to work from the get-go both for online applications, such as ecommerce and software as a service, and for traditional local database servers and other on-premises authentication situations. For those two-factor approaches that grew up in the offline era, this is another selling point. "The FIDO group has done their homework and it is put together solidly," said Dennis King, a St. Louis-based security integrator with Working Security. "A lot of people were nervous after [Edward] Snowden; and the fact that FIDO doesn't shove your biometric data into the cloud, but keeps it private and local is useful, especially if you can employ common standards and hide the complexity of the cryptographic key exchange," King said.


According to its proponents, the open FIDO specifications will support existing authentication technologies and communication standards, including Trusted Platform Modules, embedded secure elements, USB security tokens, smartcards, Bluetooth and NFC.

"FIDO will improve security for the developer," said Kapil Raina, director of product marketing for Zscaler, a cloud security provider in San Jose, Calif. "The abstraction of the actual protocol implementation will cut down on development time and errors."

FIDO-ready or not

But some people, like Tony Maro, aren't waiting around for FIDO to be finished. "We are currently developing two-factor tools using a time-based algorithm for one of our applications and will probably ignore FIDO specs for the next couple of years at least," said Maro, the CEO of Evrichart.com, a healthcare VAR in White Sulphur Springs, W. Va. "That algorithm is the same one that Google, Dropbox and even my own website host have chosen," said Maro, whose company is working with Google Authenticator, an open source project.

"It also eliminates carrying a separate dongle as just about everyone has a mobile phone these days and can run the Google Authenticator or other apps," he said. "This is a mobile world we live in, and we need mobile-compatible solutions; otherwise you're behind the curve right out of the gate."
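The "time-based algorithm" Maro describes is TOTP (RFC 6238), which layers a clock-derived counter on HOTP (RFC 4226); it is what Google Authenticator computes. The Go code below is an added example, not Evrichart's or Google's code. It implements both RFCs and the server-side check a deployment needs: a small window for clock drift, a constant-time comparison, and refusal of a code whose time step has already been used, which is the replay caveat RFC 6238 raises. The key is the published RFC test key, not a real secret; the function names and the `lastUsedStep` convention (-1 meaning "none yet") are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction to the requested number of digits.
func hotp(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238 on top of hotp: the counter is the number of whole
// time steps (30 s for Google Authenticator) elapsed since the Unix epoch.
func totp(key []byte, unixTime, step int64, digits int) string {
	return hotp(key, uint64(unixTime/step), digits)
}

// verifyTOTP is the server side. It tolerates `skew` steps of clock drift either
// way, compares in constant time, and returns the step that matched so the caller
// can store it and refuse a second login with the same code (RFC 6238 section 5.2).
// lastUsedStep is the step of the last accepted code, or -1 if none.
func verifyTOTP(key []byte, submitted string, unixTime, step int64, digits, skew int, lastUsedStep int64) (bool, int64) {
	base := unixTime / step
	for d := int64(-skew); d <= int64(skew); d++ {
		ctr := base + d
		if ctr <= lastUsedStep {
			continue // that step's code has already been consumed
		}
		expected := hotp(key, uint64(ctr), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true, ctr
		}
	}
	return false, lastUsedStep
}

func main() {
	key := []byte("12345678901234567890") // RFC 4226/6238 test key, not a real secret
	now := time.Now().Unix()
	code := totp(key, now, 30, 6)
	ok, step := verifyTOTP(key, code, now, 30, 6, 1, -1)
	fmt.Println(code, ok, step)
	ok, _ = verifyTOTP(key, code, now, 30, 6, 1, step) // same code presented again: rejected
	fmt.Println(ok)
}
```

The drift window is the usual deployment trade-off: each extra step on either side is another code the server will accept, so keep `skew` at one and fix clocks rather than widening it. Recording the accepted step is what stops a code that was shoulder-surfed or intercepted from being reused inside the same 30-second window.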

FIDO doesn't solve all of our authentication problems, of course. If you need to know who the actual person is behind the finger or voice, you will want to look elsewhere. "When you are enrolling a new user, you want to be very sure that you have verified them and are enrolling the right person," said Nok Nok Labs' Cowper. Others, such as MiiCard.com, are working on solving this problem with their own identity system.

David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.

Send comments on this article to feedback@infosecuritymag.com.

This was first published in May 2014
