The FIDO authentication framework: What do enterprises need to know?

Enterprises need a full understanding of the FIDO authentication framework before switching to its technology. Expert Randall Gamby looks at the most important points of the UAF.

An independent firm recently reviewed the FIDO 1.0 Universal Authentication Framework and Universal 2nd Factor specifications. What are the main takeaways from this review for enterprises considering FIDO-based authentication technology?

The FIDO Alliance is just one piece of an emerging ecosystem for strong identities in cyberspace. FIDO's contribution focuses on standardizing strong authentication for individuals. The FIDO 1.0 Universal Authentication Framework (UAF) allows a user to use a strong, two-factor authentication credential with many of the FIDO Alliance's 150 members, and with other companies that may eventually adopt the FIDO authentication framework.

The UAF uses two-factor credential services, including biometric interfaces -- like retina, fingerprint or voice recognition -- provided by newer mobile devices, or can use a software or hardware token as the second factor. Since the two-factor check is conducted on the user's mobile device or workstation, service providers aren't required to maintain this data for authentication purposes. This reduces a service provider's risk of breach of the user's credentials and more fully protects the individual's information.

A typical use case is a user who wishes to securely log on to a FIDO member's company website. After the user logs in with a username and password, a FIDO-enabled authentication message is sent to the user's mobile phone for verification. In this case, the user places his thumb on the mobile phone's fingerprint reader, and a response is sent back to the company's application -- any number of biometric and two-factor authentication technologies are supported. Back at the application, upon positive acknowledgement from the mobile device, the user is then allowed access to the site. While this capability is available on many sites today, the FIDO Alliance is working toward a standardized framework that can be used by many applications supported by a multitude of vendors.
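The login flow above, reduced to its cryptographic core, as an added example that is not part of the original article and is not FIDO Alliance code. It assumes the public-key challenge-response design that FIDO specifies, in which the device holds a private key released only after the local user check and the service provider stores only the matching public key; the function names, the `https://example.test` application ID and the string standing in for a fingerprint are constructed for illustration.

```javascript
// Added sketch, not FIDO Alliance code; names are hypothetical and real UAF messages carry more fields.
const { generateKeyPairSync, randomBytes, sign, verify } = require('crypto');

// Authenticator on the user's device: the private key never leaves it.
function makeAuthenticator(localCheck) {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    publicKey, // only this half is registered with the service provider
    // Sign the challenge only if the local user check (e.g. fingerprint) passes.
    respond(challenge, appId, sample) {
      if (!localCheck(sample)) return null;
      return sign('sha256', Buffer.concat([Buffer.from(appId), challenge]), privateKey);
    },
  };
}

// Service provider: stores one public key per user and no biometric data.
function makeServer(appId) {
  const registered = new Map(); // username -> public key
  const pending = new Map();    // username -> outstanding challenge
  return {
    register(user, publicKey) { registered.set(user, publicKey); },
    challenge(user) {
      const c = randomBytes(32);
      pending.set(user, c);
      return c;
    },
    checkResponse(user, signature) {
      const c = pending.get(user);
      pending.delete(user); // single use: a replayed response fails
      const key = registered.get(user);
      if (!c || !key || !signature) return false;
      return verify('sha256', Buffer.concat([Buffer.from(appId), c]), key, signature);
    },
  };
}

// Constructed demo: a string stands in for the fingerprint sample.
function demo() {
  const appId = 'https://example.test';
  const device = makeAuthenticator((s) => s === 'alice-thumb');
  const server = makeServer(appId);
  server.register('alice', device.publicKey);
  const good = device.respond(server.challenge('alice'), appId, 'alice-thumb');
  const accepted = server.checkResponse('alice', good);
  const replayed = server.checkResponse('alice', good);
  const refused = device.respond(server.challenge('alice'), appId, 'wrong-thumb');
  return { accepted, replayed, refusedOnDevice: refused === null, denied: server.checkResponse('alice', refused) };
}
```

The server-side maps hold a public key and a short-lived random challenge, so a breach of the service provider exposes nothing that can be replayed as a credential.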


This was last published in August 2015