Get up to speed on FIDO Alliance efforts to secure online authentication

Having trouble figuring out FIDO and what it means for secure authentication? In this webcast, expert David Strom covers all the key elements of Fast IDentity Online and what the organization behind it, the FIDO Alliance, has accomplished thus far or promises to accomplish. Strom's presentation is focused on five key topics in his update on FIDO: the current state of FIDO Alliance membership; old-style two-factor authentication; the basics, and advantages, of FIDO; what FIDO does not do; and how you can implement FIDO.

In one sense, FIDO is ahead of the game: There are no FIDO-ready products for sale yet, though Samsung will be releasing the Galaxy S5, which comes with a fingerprint sensor. However, that is likely a temporary state, especially given that FIDO Alliance membership has now grown to over 100, including Bank of America, MasterCard and Google. In addition, many products are being tested, and the draft specifications are available now.

Before FIDO was launched, Strom explains, there were already limited kinds of two-factor authentication tools: hard tokens and soft tokens. Vendors first came out with hardware-based two-factor authentication tools that combined a password with a token that generated a one-time code. But toting around tokens meant they could get lost or stolen, and in a large enterprise they were a pain to manage, provision and track.

So the soft token was then developed, which uses a smartphone app, SMS text message or telephony to provide the extra authentication step. These are a lot easier to manage, because everyone typically carries around a cell phone and can either use its texting ability or downloaded app to generate the authentication token. 

Many different identity management tools are around that make use of either hard or soft tokens and provide more secure logins, in case you don't want to wait for FIDO to kick into gear. The downside is that, if you have multiple apps that need the stronger security, you have to add the security to each app individually. Most of the two-factor authentication tools concentrate on one of three methods: securing a RADIUS or Active Directory user's identity; providing identity information to a Web service using some form of Security Assertion Markup Language and trusted certificates; or securing logins to a local network Web or application server itself using JavaScript or some other mechanism.

Given the number of moving parts, these older two-factor products are not install-and-forget kinds of deals, and when Strom tested them in 2013 he found he had to consult many times with tech support reps.

So the question arises: Where does FIDO come into play, and how does it differ from these existing two-factor tools?

The big leap that FIDO is taking is to use a biometric feature, such as a voiceprint, fingerprint, facial recognition or some other combination of things unique to an individual, and to digitize and protect that information with solid cryptographic features.

The FIDO method is more secure than the token methods discussed above -- no password or identifying information is sent out across the Internet. Instead, the information is processed by software on the end user's device, which calculates cryptographic strings to be sent to a login server.

If it is widely adopted, FIDO will divorce these second-factor methods from the actual apps that depend on them. That means the same authentication device can be used in multiple ways for signing into a variety of providers, without each provider being aware of the others and without the need for extensive programming for the stronger authentication. This could banish the need for users to cart around different second-factor tokens and other authentication methods.
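The two paragraphs above describe the core of the FIDO model: the device keeps a secret that never leaves it, the login server sends a challenge, and the device answers with a signature the server can check with a public key it stored at enrollment, using a different key for every site so providers cannot correlate a user. The following Go program is an added illustration of that flow, not code from the article or from the FIDO Alliance; the `Authenticator` and `RelyingParty` types, the `bank.example` and `mail.example` site names and the user `alice` are constructed for the example, and it deliberately omits attestation, signature counters and user-verification flags that the real specifications add.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Authenticator models the user's device. It keeps one signing key per
// relying party (RP) and never hands a private key to anyone.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // rpID -> private key (stays on device)
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]ed25519.PrivateKey)}
}

// Register creates a fresh key pair scoped to rpID and returns only the public
// half, which is all the server ever stores. Each site gets an unrelated key,
// so two sites cannot tell they are talking to the same device.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Sign answers a server challenge. The signed message binds the RP identity,
// so a signature produced for one site is useless at another.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), nil
}

// RelyingParty models a login server: it stores public keys, issues random
// single-use challenges and verifies the signatures that come back.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]ed25519.PublicKey // username -> public key
	challenges map[string][]byte            // username -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll records the public key the device produced at registration.
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) {
	rp.pubKeys[user] = pub
}

// Challenge issues 32 random bytes valid for exactly one login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Verify accepts the login only if the signature covers the outstanding
// challenge for this user under this RP's own identity. The challenge is
// consumed on every attempt, so replaying an old response fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	expected, ok := rp.challenges[user]
	delete(rp.challenges, user)
	if !ok || !bytes.Equal(expected, challenge) {
		return false
	}
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedMessage(rp.ID, challenge), sig)
}

// signedMessage is the byte string both sides agree to sign and verify.
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Login runs one complete round trip and reports whether the RP accepted it.
func Login(rp *RelyingParty, auth *Authenticator, user string) (bool, error) {
	c, err := rp.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(rp.ID, c)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, c, sig), nil
}

func main() {
	auth := NewAuthenticator()
	bank, mail := NewRelyingParty("bank.example"), NewRelyingParty("mail.example")
	pubBank, _ := auth.Register(bank.ID)
	pubMail, _ := auth.Register(mail.ID)
	bank.Enroll("alice", pubBank)
	mail.Enroll("alice", pubMail)
	ok, _ := Login(bank, auth, "alice")
	fmt.Println("bank login accepted:", ok)
	fmt.Println("public keys differ per site:", !bytes.Equal(pubBank, pubMail))
}
```

Nothing that could be replayed as a password crosses the wire: the server only ever sees a public key and signatures over challenges it chose itself, and because the RP identity is part of the signed message, a phishing site that relays a challenge from the real site cannot reuse the answer it collects.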

"FIDO also makes it easier to do the authentication integration piece and not have to rewrite the client software over and over again," says Mike Goldgof, vice president of marketing at Agnito.

FIDO doesn't solve all authentication problems, of course. If you need to know who the actual person is behind the finger or voice, you will want to look elsewhere. When enrolling a new user, you will need to make sure they have been verified. Among the ways to do this could be a touch-sensitive USB key, such as one developed by Yubico, or a voice recognition print, such as the KIVOX, developed by Agnito. There's also Nok Nok's NNL S3 Suite, which includes its Multifactor Authentication Server with iOS, Android, Windows 7 and Windows 8 clients, a system that works with a variety of different sensors, including fingerprint readers. Finally, Oberthur is building specialized phone SIM cards that have FIDO authenticators included, which demonstrates the flexibility of the protocol and how FIDO authenticators can be used on phones that don't have the latest technology.

Strom concludes that -- depending on how you look at things -- very little or quite a lot has happened with FIDO and the creation of more secure methods for authentication.

About the author:
Tech writer David Strom has covered enterprise technology for over 25 years and built dozens of websites. He is the author of two books on computer networking.


I expect FIDO to make their stance clear about the password used for self-rescue in case of the false rejection by the biometric sensor.

Biometrics can theoretically be operated together with passwords in two ways: (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset.

Biometric products like Apple's Touch ID are generally operated by (2), so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x%) and that of a password (y%). The sum (x% + y% - xy%) is necessarily larger than the vulnerability of a password (y%); that is, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.