Get up to speed on FIDO Alliance efforts to secure online authentication

Date: Apr 16, 2014

Having trouble figuring out FIDO and what it means for secure authentication? In this webcast, expert David Strom covers all the key elements of Fast IDentity Online and what the organization behind it, the FIDO Alliance, has accomplished thus far or promises to accomplish. Strom's update on FIDO focuses on five topics: the current state of FIDO Alliance membership; old-style two-factor authentication; the basics, and advantages, of FIDO; what FIDO does not do; and how you can implement FIDO.

In one sense, FIDO is ahead of the game: there are no FIDO-ready products for sale yet, though Samsung will be releasing the Galaxy S5, which comes with a fingerprint sensor. That is likely a temporary state, however, especially given that FIDO Alliance membership has now grown to over 100 members, including Bank of America, MasterCard and Google. In addition, many products are being tested, and the draft specifications are available now.

Before FIDO was launched, Strom explains, there were already limited kinds of two-factor authentication tools: hard tokens and soft tokens. Vendors first came out with hardware-based two-factor authentication tools that combined a password with a token that generated a one-time code. But toting around tokens meant they could get lost or stolen, and in a large enterprise they were a pain to manage, provision and track.

So the soft token was then developed, which uses a smartphone app, SMS text message or telephony to provide the extra authentication step. These are a lot easier to manage, because everyone typically carries a cell phone and can use either its texting ability or a downloaded app to generate the authentication token.

Many different identity management tools that make use of either hard or soft tokens are available and provide more secure logins, in case you don't want to wait for FIDO to kick into gear. The downside is that, if you have multiple apps that need the stronger security, you have to add the security to each app individually. Most of the two-factor authentication tools concentrate on one of three methods: securing a RADIUS or Active Directory user's identity; providing identity information to a Web service using some form of Security Assertion Markup Language and trusted certificates; or securing logins to a local network Web or application server itself using JavaScript or some other mechanism.

Given the number of moving parts, these older two-factor products are not install-and-forget kinds of deals, and when Strom tested them in 2013 he found he had to consult many times with tech support reps.

So the question arises: Where does FIDO come into play, and how does it differ from these existing two-factor tools?

The big leap FIDO is taking is to use a biometric feature such as a voiceprint, fingerprint or facial recognition, or some other combination of things unique to an individual, and to digitize and protect that information with solid cryptographic features.

The FIDO method is more secure than the token methods discussed above -- there's no password or identifying information sent out across the Internet. Instead, information is processed by software on the end-user's device that calculates cryptographic strings to be sent to a login server.

If it is widely adopted, FIDO will divorce these second-factor methods from the actual apps that depend on them. That means the same authentication device can be used in multiple ways for signing into a variety of providers, without each provider being aware of the others and without the need for extensive programming to add the stronger authentication. This could banish the need for users to cart around different second-factor tokens and other authentication methods.
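To make the two previous paragraphs concrete, here is an added Go model of the sign-in they describe: the device generates a key pair per provider, hands over only the public key, and answers each login with a signature over a fresh server challenge, so no password or private key ever crosses the wire and one device serves several providers that know nothing of each other. This is illustrative code written for this page, not FIDO Alliance, Nok Nok, Yubico or Agnitio code; the type names (Authenticator, RelyingParty), the per-user challenge table and the rpID-prefixed digest are this example's own simplifications and do not reproduce the UAF wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: one private key per relying party,
// never disclosed. Constructed illustration, not FIDO Alliance or vendor code.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh P-256 key pair scoped to one relying party and
// returns only the public half; that is all the server ever learns.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge with a signature over rpID||challenge, so a
// signature produced for one provider is useless at another.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
}

// signedDigest hashes the relying-party ID, a separator and the challenge.
func signedDigest(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return d[:]
}

// RelyingParty models a login server. It stores public keys only, so a
// database breach yields nothing that can be replayed as a login.
type RelyingParty struct {
	ID      string
	pubs    map[string]*ecdsa.PublicKey // username -> public key
	pending map[string][]byte           // username -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public key the device produced at registration.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubs[user]; !ok {
		return nil, errors.New("unknown user " + user)
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored key and the outstanding
// challenge, then discards the challenge so a replayed signature fails.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, okPub := rp.pubs[user]
	c, okC := rp.pending[user]
	if !okPub || !okC {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, signedDigest(rp.ID, c), sig)
}

// Login runs one sign-in end to end: challenge out, signature back, verify.
// Only the challenge and the signature cross the wire; no password, no key.
func Login(a *Authenticator, rp *RelyingParty, user string) (bool, error) {
	c, err := rp.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := a.Sign(rp.ID, c)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, sig), nil
}
```

To exercise it, create one Authenticator and two RelyingParty values (say "bank.example" and "mail.example"), call Register for each provider and Enroll the returned public key under a username, then call Login against each provider. Two properties worth checking in the model: the two public keys differ, so neither provider can correlate the user with the other, and a signature captured off the wire fails on a second Verify because the challenge is single-use.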

"FIDO also makes it easier to do the authentication integration piece and not have to rewrite the client software over and over again," says Mike Goldgof, vice president of marketing at Agnitio.

FIDO doesn't solve all authentication problems, of course. If you need to know who the actual person is behind the finger or voice, you will want to look elsewhere: when enrolling a new user, you will still need to make sure their identity has been verified. Among the ways to do this are a touch-sensitive USB key, such as the one developed by Yubico, and a voice recognition print, such as KIVOX, developed by Agnitio. There's also Nok Nok's NNL S3 Suite, which includes its Multifactor Authentication Server with iOS, Android, Windows 7 and Windows 8 clients and works with a variety of sensors, including fingerprint readers. Finally, Oberthur is building specialized phone SIM cards with FIDO authenticators built in, which demonstrates the flexibility of the protocol and how FIDO authenticators can be used on phones that don't have the latest technology.

Strom concludes that -- depending on how you look at things -- very little or quite a lot has happened with FIDO and the creation of more secure methods for authentication.

About the author:
Tech writer David Strom has covered enterprise technology for over 25 years and built dozens of websites. He is the author of two books on computer networking.
