FIDO Alliance Seminar
By Steve Tsai, Managing Editor, Internet Journal
02/17/2014

I attended a seminar organized by the FIDO (Fast Identification Online) Alliance on Feb. 14, 2014 at the Garden Court Hotel in Palo Alto. About 60 people attended the seminar. The FIDO Alliance has grown from 6 members a year ago to more than 75 members now. The members include Internet Services companies such as Google, BlackBerry, Microsoft, PayPal, MasterCard; Components and Device Vendors such as Lenovo, Synaptics, LG, NXP, Infineon, ARM, Oberthur, Yubico, CrucialTec, FingerQ, Crocus Technologies; and Software and Stacks vendors such as RSA Security, SafeNet, SecureKey, Agnitio, Nok Nok Lab, Ping Identity, etc.

The objective of the FIDO Alliance is to provide a standards-based authentication mechanism that is secure and makes it harder for hackers to obtain consumer login information wholesale. By contrast, eCommerce communication and transactions have the SSL standard, yet authentication has too many different approaches. FIDO wants to create usable authentication standards that consumers, merchants, service providers, device vendors, and software providers are all willing to use.

The identity stack consists of the following layers:

  • Physical-to-Digital Identity
  • User Management
  • Authentication
  • Federation
  • Single Sign-on

The FIDO standard focuses only on the Authentication layer. Modern authentication is strong and risk-based rather than password-based.

The drawbacks of passwords are obvious: too many to remember, difficult to type, and not secure.

One-time codes improve security but are not easy to use.

The new trend is toward simpler, stronger local device authentication. FIDO standards are based on the core idea of using local device authentication for online authentication. That is, the user authenticates to the device, and the device authenticates to the service.

The FIDO standards provide an interface between applications and authentication methods. They consist of an Online Crypto Protocol and Pluggable Authentication mechanisms.

There are two draft standards that are being published:

  • UAF (Universal Authentication Framework), a passwordless experience.
  • U2F (Universal 2nd Factor), a second factor experience.

As an example of how this would improve online user authentication, consider that the password method of authenticating a user online is fraught with problems. Most people use only a limited number of passwords for all their online accounts. Online service companies that keep user passwords are prime targets for hackers. When a security breach occurs at any of these companies, tens of thousands or more of these passwords become fair game for the hackers. Because users are likely to use the same passwords for many online accounts, their high-value online accounts are at great risk.

The FIDO philosophy is that the user's identity information is kept on the user's device. The authentication data is therefore distributed, unlike the password mechanism, where a centralized password file is kept at the server, ripe to be hacked. Even if a device is breached, the hacker would have to breach one device at a time, unlike the password mechanism, where the passwords can be stolen en masse.
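The following added example (not from the seminar and not the UAF or U2F wire protocol) sketches the idea in Go: the device holds a separate private key per service, the service stores only public keys, and login is a signed single-use challenge. The type and function names, the `unlocked` flag standing in for a local PIN or biometric check, and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

type Device map[string]ed25519.PrivateKey // service origin -> private key; never leaves the device
type Service struct { // stores public keys only, so its database holds no reusable secret
	Origin  string
	Pubs    map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}
func NewService(origin string) *Service {
	return &Service{origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
// Register creates a fresh key pair for this service and hands over the public half.
func (d Device) Register(s *Service, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	d[s.Origin], s.Pubs[user] = priv, pub
	return err
}
// Challenge issues a single-use random nonce, so a captured signature cannot be replayed.
func (s *Service) Challenge(user string) []byte {
	s.pending[user] = make([]byte, 32)
	if _, err := rand.Read(s.pending[user]); err != nil {
		panic(err)
	}
	return s.pending[user]
}
// Sign is "user authenticates to device": unlocked models the local PIN or biometric check.
func (d Device) Sign(origin string, challenge []byte, unlocked bool) []byte {
	if d[origin] == nil || !unlocked {
		return nil
	}
	return ed25519.Sign(d[origin], append([]byte(origin+"\x00"), challenge...))
}
// Verify is "device authenticates to service"; it consumes the pending challenge.
func (s *Service) Verify(user string, sig []byte) bool {
	pub, c := s.Pubs[user], s.pending[user]
	delete(s.pending, user)
	return pub != nil && c != nil && ed25519.Verify(pub, append([]byte(s.Origin+"\x00"), c...), sig)
}

func main() {
	d, shop := Device{}, NewService("shop.example") // constructed sample origin
	ok := d.Register(shop, "alice") == nil && shop.Verify("alice", d.Sign(shop.Origin, shop.Challenge("alice"), true))
	println("login accepted:", ok)
}
```

Copying the `Pubs` map out of one service yields nothing that signs a challenge there or at any other service, which is the contrast with a stolen password file.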

FIDO Alliance members will be demoing their systems at RSA 2014 at Moscone Center in San Francisco.

About The Author
Steve Tsai is the Managing Editor of the Internet Journal http://www.intnetjournal.com. Internet Journal provides insights and analysis on Internet marketing, eCommerce, mobile communications, eSecurity, and global e-Business. If you have any comments about Internet Journal, please send email to stt@intnetjournal.com.
 
