
What the FIDO specification means for multi-factor authentication

Stay apprised of developments with the FIDO specification and share the joy of what FIDO authentication and freedom from passwords mean.

FROM THE SECURITY SCHOOL:

Game-changing enterprise authentication technologies and standards


Editor's Note: The forthcoming FIDO 2.0 specification is now being updated and will offer native platform support, security for the plethora of emerging Internet of Things devices and a new Client-to-Authenticator Protocol. Read more about the new FIDO authentication standard in this tip.

The inability of passwords to keep online accounts secure has been recognized for quite some time, but the IT industry has struggled to establish a practical alternative.

Strong authentication products, long thought to be the solution to single-factor password-based authentication, have been around for years, but they are no panacea for preventing the compromise of credentials. They face many stumbling blocks, such as cost, lack of interoperability, vendor lock-in and inconvenience to users, and they offer little protection from credential theft via phishing and man-in-the-middle attacks. These factors have hindered adoption to the point where the financial services industry is the only one using these products on any significant scale.

Thankfully, a long-term solution may be on the horizon, as a consortium of 150 companies called the Fast Identity Online Alliance, or FIDO, is pushing for the adoption of a new technical specification that aims to make accessing online accounts and services more secure and private while being easier to use than passwords. It is an open and interoperable set of specifications based on standard public-key cryptography.

The FIDO specification is a device-centric model but is not designed for any specific type of authentication technology. It is a complement to federation protocols such as OAuth, a token-based authentication technology being used by firms such as Twitter to connect users' accounts to third-party services without obliging them to share their passwords. As cameras, microphones and fingerprint readers already exist in many mobile devices, biometric authentication is likely to become the most common method of authorizing users using FIDO, but other options include USB security tokens, Trusted Platform Module and Near Field Communication chips to support multi-factor authentication.

Enterprises should take this initiative seriously, as it's led by major Internet and technology players such as PayPal, Samsung, Lenovo, Microsoft, Google and MasterCard. PayPal has already implemented secure payments using FIDO authentication, and it's available to users on a range of Samsung devices, starting with the Galaxy S5. China's online giant Alibaba has also just endorsed FIDO authentication. Alipay, an Alibaba group company, is also offering secure payments based on FIDO authentication to 600 million users.

How the FIDO specification works

FIDO provides two ways to authenticate users: Passwordless UX and Second Factor UX (UX stands for user experience). The registration process for both methods is the same. The user's FIDO-enabled device creates a new key pair, and the public key is shared with the online service and associated with the user's account. The service can then authenticate the user by requesting the registered device to sign a challenge with the private key. The private key and any information about the authentication method, such as biometric measurements, never leave the user's device, and there is no information given out that can be used by different online services to collaborate and track a user across the Internet, even though the same device can be used for logging in to any number of services.

Using Passwordless UX, a registered user simply repeats the action performed during registration, such as swiping a finger, looking at the camera or speaking into the mic -- no password is needed. Second Factor UX involves using a PIN in conjunction with a USB dongle or an NFC-enabled phone or tablet. Google Chrome is the first Web browser to implement support for Second Factor UX, which means Google can offer an alternative to the one-time passcodes it sends users during the login process. Instead of typing in a six-digit passcode, users simply insert a FIDO-compliant USB key into their computer and tap it when asked to do so by the browser.
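The registration and challenge-response flow described above, as an added example in Go that is not the FIDO Alliance's or any vendor's code: a toy authenticator and relying party whose names (Authenticator, RelyingParty, bank.example, shop.example, the user "alice") are assumptions, and whose signed message is a simplified construction rather than the specification's wire format. It shows the properties the article relies on: a fresh key pair per service at registration, only the public key leaving the device, a random single-use challenge signed with the private key, the signature bound to the service identity so a response made for one origin is rejected by another, and a different public key at every service so that two services cannot correlate the same user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's FIDO device (hypothetical, constructed for
// this example). It creates a separate key pair for every relying party (RP);
// private keys never leave this struct.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // private key per RP ID
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a fresh P-256 key pair for rpID and returns only the
// public key (DER-encoded SubjectPublicKeyInfo) for the RP to store.
func (a *Authenticator) Register(rpID string) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return x509.MarshalPKIXPublicKey(&priv.PublicKey)
}

// Sign answers a challenge. The signed digest includes the RP ID the client
// reports, so a signature produced for one origin is useless at another, and
// an origin with no registered credential gets no signature at all.
func (a *Authenticator) Sign(rpID, challenge string) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
}

// signedDigest binds the challenge to the relying party identity
// (simplified; the real specification signs a richer structure).
func signedDigest(rpID, challenge string) []byte {
	h := sha256.Sum256([]byte(rpID + "\x00" + challenge))
	return h[:]
}

// RelyingParty models the online service. It holds public keys only and keeps
// at most one outstanding, single-use challenge per user.
type RelyingParty struct {
	id         string
	users      map[string]*ecdsa.PublicKey
	challenges map[string]string
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, users: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}

// CompleteRegistration associates the device's public key with the account.
func (rp *RelyingParty) CompleteRegistration(user string, pubDER []byte) error {
	k, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return err
	}
	pub, ok := k.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("registered key is not an ECDSA public key")
	}
	rp.users[user] = pub
	return nil
}

// BeginAuth issues a fresh 256-bit random challenge for the user.
func (rp *RelyingParty) BeginAuth(user string) (string, error) {
	if _, ok := rp.users[user]; !ok {
		return "", errors.New("unknown user")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := hex.EncodeToString(buf)
	rp.challenges[user] = ch
	return ch, nil
}

// FinishAuth verifies the signature against the stored public key. The
// challenge is consumed whether or not verification succeeds, so a captured
// response cannot be replayed.
func (rp *RelyingParty) FinishAuth(user, challenge string, sig []byte) error {
	pub, ok := rp.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if want, ok := rp.challenges[user]; !ok || want != challenge {
		return errors.New("challenge is not outstanding (stale or replayed)")
	}
	delete(rp.challenges, user)
	if !ecdsa.VerifyASN1(pub, signedDigest(rp.id, challenge), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

func main() {
	device := NewAuthenticator()
	bank := NewRelyingParty("bank.example")
	pub, _ := device.Register("bank.example")
	_ = bank.CompleteRegistration("alice", pub)

	ch, _ := bank.BeginAuth("alice")
	sig, _ := device.Sign("bank.example", ch)
	fmt.Println("login:", bank.FinishAuth("alice", ch, sig))
	fmt.Println("replay:", bank.FinishAuth("alice", ch, sig))
	pub2, _ := device.Register("shop.example")
	fmt.Println("same key at two services:", string(pub) == string(pub2))
}
```

Running it prints a nil error for the first login, a "stale or replayed" error for the second attempt with the same challenge, and `false` for the key comparison across the two services.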

Even though major enterprises are already up and running with FIDO, the specification is still actively being edited and refined. Nevertheless, large organizations should follow developments closely and even begin their own testing. It's too soon to say that the FIDO specification will become the global de facto standard for authentication, but the omens are good. It's supported by the world's leading technology players, and they all desperately need better authentication. The Internet of Things will also need something better than passwords to avoid becoming a security disaster.

FIDO embraces several authentication technologies, so innovation and competition hopefully will thrive whilst remaining interoperable, and the FIDO Alliance has stated that it is committed to submitting the protocols to a recognized standards development organization such as the IETF or W3C. As more users discover the joy of being free from passwords, and hopefully appreciate the added security FIDO authentication provides, online services left relying on passwords may well begin to lose out.

About the author:

Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com/ offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.


This was last published in January 2015

2 comments

Many people take it for granted that PIN is easier to remember than an alphanumeric password because it is simpler. The fact is, however, that PIN, a numbers-only short password, is even more subject to the interference of memory exactly because it is simpler, say, it contains less information, which gets the user confused more easily and more badly than a longer alphanumeric password. It is, therefore, more difficult for us to eliminate the reuse across many accounts. You could listen to yourself for your own experience.

At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
