This content is part of the Security School: Game-changing enterprise authentication technologies and standards

What the FIDO specification means for multi-factor authentication

Stay apprised of developments with the FIDO specification and share the joy of what FIDO authentication and freedom from passwords mean.

Editor's Note: The forthcoming FIDO 2.0 specification is now being updated and will offer native platform support, security for the plethora of emerging Internet of Things devices and a new Client-to-Authenticator Protocol. Read more about the new FIDO authentication standard in this tip.

The inability of passwords to keep online accounts secure has been recognized for quite some time, but the IT industry has struggled to establish a practical alternative.

Strong authentication products, long thought to be the solution to single-factor password-based authentication, have been around for years, but are no panacea for preventing the compromise of credentials. There are many stumbling blocks, such as cost, lack of interoperability, vendor lock-in and inconvenience to users, not to mention that these products offer little protection from credential theft via phishing and man-in-the-middle attacks. These factors have hindered adoption to the point where the financial services industry is the only one using these products on any significant scale.

Thankfully, a long-term solution may be on the horizon, as a consortium of 150 companies called the Fast Identity Online Alliance, or FIDO, is pushing for the adoption of a new technical specification that aims to make accessing online accounts and services more secure and private while being easier to use than passwords. It is an open and interoperable set of specifications based on standard public-key cryptography.

The FIDO specification is a device-centric model but is not designed for any specific type of authentication technology. It is a complement to federation protocols such as OAuth, a token-based authentication technology being used by firms such as Twitter to connect users' accounts to third-party services without obliging them to share their passwords. As cameras, microphones and fingerprint readers already exist in many mobile devices, biometric authentication is likely to become the most common method of authorizing users using FIDO, but other options include USB security tokens, Trusted Platform Module and Near Field Communication chips to support multi-factor authentication.

Enterprises should take this initiative seriously, as it's led by major Internet and technology players such as PayPal, Samsung, Lenovo, Microsoft, Google and MasterCard. PayPal has already implemented secure payments using FIDO authentication, and it's available to users on a range of Samsung devices, starting with the Galaxy S5. China's online giant Alibaba has also just endorsed FIDO authentication. Alipay, an Alibaba group company, is also offering secure payments based on FIDO authentication to 600 million users.

How the FIDO specification works

FIDO provides two ways to authenticate users: Passwordless UX and Second Factor UX (UX stands for user experience). The registration process for both methods is the same. The user's FIDO-enabled device creates a new key pair, and the public key is shared with the online service and associated with the user's account. The service can then authenticate the user by requesting the registered device to sign a challenge with the private key. The private key and any information about the authentication method, such as biometric measurements, never leave the user's device, and there is no information given out that can be used by different online services to collaborate and track a user across the Internet, even though the same device can be used for logging in to any number of services.
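The registration and challenge-signing flow described above, modelled as an added example (not code from the article or from the FIDO Alliance). The class names, the example origins and the signed message layout are assumptions made for illustration; the real FIDO protocols define their own message formats.

```javascript
// Added illustration: simplified model of FIDO registration and login (not the FIDO wire format).
const nodeCrypto = require("node:crypto");

class Authenticator {                        // the user's FIDO-enabled device
  constructor() { this.keys = new Map(); }   // origin -> private key, never exported
  register(origin) {
    // A fresh key pair per service, so public keys cannot be correlated across services.
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // only this leaves the device
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) throw new Error("no credential registered for " + origin);
    // Assumed layout: origin bytes followed by the 32-byte challenge.
    return nodeCrypto.sign("sha256", Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

class Service {                              // the online service
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32); // unpredictable and single use
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user), pem = this.users.get(user);
    this.pending.delete(user);               // consume it: a replayed response finds no challenge
    if (!challenge || !pem) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return nodeCrypto.verify("sha256", signed, pem, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const bank = new Service("https://bank.example");   // constructed example origins
  const shop = new Service("https://shop.example");
  const bankKey = device.register(bank.origin), shopKey = device.register(shop.origin);
  bank.enroll("alice", bankKey); shop.enroll("alice", shopKey);
  const sig = device.sign(bank.origin, bank.newChallenge("alice"));
  const login = bank.verify("alice", sig);
  const replay = bank.verify("alice", sig);           // same response, challenge already used
  shop.newChallenge("alice");
  const crossService = shop.verify("alice", sig);     // bank response presented to the shop
  return { login, replay, crossService, distinctKeys: bankKey !== shopKey };
}
```

Calling `demo()` shows the first login succeeding, while the replayed response and the response presented to a different service are both rejected.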

Using Passwordless UX, a registered user simply repeats the action performed during registration, such as swiping a finger, looking at the camera or speaking into the mic -- no password is needed. Second Factor UX involves using a PIN in conjunction with a USB dongle or an NFC-enabled phone or tablet. Google Chrome is the first Web browser to implement support for Second Factor UX, which means Google can offer an alternative to the one-time passcodes it sends users during the login process. Instead of typing in a six-digit passcode, users simply insert a FIDO-compliant USB key into their computer and tap it when asked to do so by the browser.

Even though major enterprises are already up and running with FIDO, the specification is still actively being edited and refined. Nevertheless, large organizations should follow developments closely and even begin their own testing. It's too soon to say that the FIDO specification will become the global de facto standard for authentication, but the omens are good. It's supported by the world's leading technology players, and they all desperately need better authentication. The Internet of Things will also need something better than passwords to avoid becoming a security disaster.

FIDO embraces several authentication technologies, so innovation and competition hopefully will thrive whilst remaining interoperable. The FIDO Alliance has also stated that it is committed to submitting the protocols to a recognized standards development organization such as the IETF or W3C. As more users discover the joy of being free from passwords, and hopefully appreciate the added security FIDO authentication provides, online services left relying on passwords may well begin to lose out.

About the author:

Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.

This was last published in January 2015
