I attended a seminar organized by the FIDO (Fast IDentity Online) Alliance on Feb. 14, 2014 at the Garden Court Hotel in Palo Alto. About 60 people attended. The FIDO Alliance has grown from 6 members a year ago to more than 75 today. The members include Internet service companies such as Google, BlackBerry, Microsoft, PayPal and MasterCard; component and device vendors such as Lenovo, Synaptics, LG, NXP, Infineon, ARM, Oberthur, Yubico, CrucialTec, FingerQ and Crocus Technologies; and software and stack vendors such as RSA Security, SafeNet, SecureKey, Agnitio, Nok Nok Labs, Ping Identity and others.
The objective of the FIDO Alliance is to provide standards-based authentication that is secure and makes it harder for an attacker to harvest consumer login credentials wholesale. By contrast, e-commerce already has a standard for securing communication and transactions, SSL; authentication, however, still has too many different approaches. FIDO wants to create usable authentication standards that consumers, merchants, service providers, device vendors, and software providers are all willing to adopt.
The identity stack consists of the following layers:
- Physical-to-Digital Identity
- User Management
- Single Sign-on
The FIDO standards address only the authentication piece of this stack. Modern authentication is meant to be strong and risk-based rather than built on passwords.
The drawbacks of passwords are obvious: there are too many to remember, they are hard to type, and they are not secure.
One-time codes improve security but are not easy to use.
The new trend is toward simpler, stronger local device authentication. The FIDO standards are built on the core idea of using local device authentication for online authentication: the user authenticates to the device, and the device authenticates to the service.
The FIDO standards sit between applications and authentication methods. They consist of an online cryptographic protocol and pluggable authentication mechanisms (the local authenticators).
Two draft standards are being published:
- UAF (Universal Authentication Framework), for a passwordless experience.
- U2F (Universal 2nd Factor), for a second-factor experience.
As an example of how this improves online user authentication, consider how fraught with problems the password method is. Most people use only a small number of passwords across all their online accounts. The online services that store user passwords are prime targets for attackers, and when any of them is breached, tens of thousands or more of those passwords become fair game. Because users tend to reuse the same passwords across many accounts, their high-value online accounts are put at great risk.
The FIDO philosophy is that the user's authentication credential (a private key) is kept on the user's device, and the service holds only the matching public key. The secret material is therefore distributed across users' devices, unlike the password mechanism, where a centralized password database sits on the server waiting to be stolen. Even if a device is breached, the attacker gets one user's credential at a time, unlike passwords, which can be stolen en masse from a single server.
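To make two of the ideas above concrete, the device-held credential in the FIDO philosophy paragraph and the earlier "user authenticates to device, device authenticates to service" step, here is an added Go example. It is not code from the seminar or from the FIDO Alliance; it is a deliberately trimmed model of a U2F-style challenge/response: the device keeps one P-256 private key per origin, signs the server's challenge only after a user gesture, and the server stores and checks nothing but public keys. The appID, user name, look-alike URL and the `Authenticator`, `RelyingParty`, `login` and `RunScenario` names are all invented for the example. The real U2F protocol additionally carries key handles, a signature counter and attestation, and relies on the browser to supply the origin; none of that is modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrBadSignature = errors.New("signature does not verify under the registered public key")
	ErrNoCredential = errors.New("device holds no key for this origin")
	ErrNoPresence   = errors.New("user did not confirm presence on the device")
)

// Authenticator models the user's device: one private key per origin, never exported,
// used only after a local gesture ("user authenticates to device").
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// RelyingParty models the online service; its per-user store holds public keys only.
type RelyingParty struct {
	appID string
	users map[string]*ecdsa.PublicKey
}

// Register makes a fresh P-256 key bound to one origin and returns only the public half.
func (a *Authenticator) Register(appID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // no CSPRNG: nothing in this example is safe to run
	}
	a.keys[appID] = priv
	return &priv.PublicKey
}

// signedPayload is a trimmed U2F-style message, sha256(appID) || presence byte || sha256(challenge);
// hashing the origin into the signed bytes ties a response to one service.
func signedPayload(appID string, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	return append(append(append([]byte{}, app[:]...), 0x01), chal[:]...)
}

// Authenticate is "device authenticates to service": sign the server's challenge with the
// key for that origin, but only after the user has confirmed presence.
func (a *Authenticator) Authenticate(appID string, challenge []byte, userPresent bool) ([]byte, error) {
	priv := a.keys[appID]
	if priv == nil {
		return nil, ErrNoCredential // a look-alike origin has nothing to sign with
	}
	if !userPresent {
		return nil, ErrNoPresence
	}
	digest := sha256.Sum256(signedPayload(appID, challenge))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the payload with the server's own appID and checks the signature
// under the stored public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	pub := rp.users[user]
	if pub == nil {
		return errors.New("unknown user")
	}
	digest := sha256.Sum256(signedPayload(rp.appID, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// login runs one exchange: a fresh 32-byte challenge from the server (which is what
// defeats replay), a signature from the device, and the server's verdict.
func login(rp *RelyingParty, dev *Authenticator, user, appID string, present bool) error {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return err
	}
	sig, err := dev.Authenticate(appID, ch, present)
	if err != nil {
		return err // the device refused; nothing reached the server
	}
	return rp.Verify(user, ch, sig)
}

// RunScenario enrols alice's device at a made-up bank, then tries a genuine login and
// three failure modes. Every name and URL here is invented for the example.
func RunScenario() map[string]error {
	rp := &RelyingParty{appID: "https://bank.example", users: map[string]*ecdsa.PublicKey{}}
	dev := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp.users["alice"] = dev.Register(rp.appID) // all a server-side breach could expose
	thief := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	thief.Register(rp.appID) // knows alice's public key, but can only sign with its own key
	return map[string]error{
		"genuine":   login(rp, dev, "alice", rp.appID, true),
		"forged":    login(rp, thief, "alice", rp.appID, true),
		"phished":   login(rp, dev, "alice", "https://bank-login.example", true),
		"nogesture": login(rp, dev, "alice", rp.appID, false),
	}
}

func main() { fmt.Println(RunScenario()) }
```

Running it prints the verdict for each case: the genuine login verifies; the "thief" who copied the server's database holds only a public key and produces a signature that fails under it; the look-alike origin gets no signature at all, because the device has no key for it; and a request without the user's gesture is refused before anything leaves the device.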
FIDO Alliance members will be demoing their systems at the RSA Conference 2014 at the Moscone Center in San Francisco.