Leading Internet companies, system integrators and security providers formed the FIDO Alliance (Fast IDentity Online) last year to address the lack of interoperability among strong authentication technologies and to remedy the problems users face with creating and remembering multiple usernames and passwords. The Alliance plans to change the nature of authentication by developing standards-based specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to easily and securely authenticate users of online services. By now, the FIDO Alliance is a solid mix of key players in the industry, led by PayPal, Lenovo, Google and MasterCard, and has more than 50 members that are all committed to overcoming prevailing limitations.
The FIDO standard will support a full range of technologies, including biometrics such as fingerprint scanners, voice and facial recognition, as well as existing authentication solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, Near Field Communication (NFC), One Time Passwords (OTP) and many other existing and future technology options. The open protocol is designed to be extensible and to accommodate future innovation, as well as protect existing investments. The FIDO protocol allows the interaction of technologies within a single infrastructure, enabling security options to be tailored to the distinct needs of each user and organization. As more organizations join the FIDO Alliance, more use cases and technologies will become part of the solution and all companies and organizations that want simpler, stronger authentication are invited to participate.
“The Internet – especially with recent rapid mobile and cloud expansion – exposes users and enterprises, more than ever before, to fraud. It’s critical to know who you’re dealing with on the Internet. The FIDO Alliance is a private sector and industry-driven collaboration to combat the very real challenge of confirming every user’s identity online,” said Michael Barrett, FIDO Alliance president and PayPal Chief Information Security Officer. “By giving users choice in the way they authenticate and taking an open-based approach to standards, we can make universal online authentication a reality. We want every company, vendor, and organization that needs to verify user identity to join us in making online authentication easier and safer for users everywhere.”
In fact, current password authentication is weak due to reuse, malware and phishing, and leaves enterprises and end-users vulnerable to financial and identity theft. FIDO’s standards-based approach automatically detects when a FIDO-enabled device is present, and offers users the option to replace passwords with authentication methods that are more secure and easier to use.
Today, users are often required to remember a selection of security questions, enter a unique ID with a main password, and potentially use a software or hardware token, as well. Most users have a handful of slightly varied passwords they use to access multiple sites and accounts. This cross-use of passwords poses serious risks if one account is compromised and user credentials are exposed to potential fraud across the range of a user’s accounts. Providers are invariably implicated when data is breached and personal information is exposed at a site or within an application. Repeated attempts to outline better security practices and change user behaviours haven’t succeeded.
FIDO rules equip fingerprint, iris, voice and facial recognition sensors, as well as security tokens, smart cards and Near Field Communication (NFC) systems, to privately unlock banking, shopping and corporate online services that adhere to the same set of rules.
The global initiative’s goal is therefore to establish common rules that would ultimately enable any biometric sensor to unlock any online account, without sharing the biometric. And if the FIDO Alliance gets any traction in its efforts to promote a new technical standard for device-centric authentication, the use of a variety of biometric sensors could begin to go mainstream.
“As device and digital consumption continues to grow exponentially, so does the challenge of maintaining privacy and ease of use,” said Sebastien Taveau, FIDO Alliance Board Member and CTO for Validity Sensors. “PC manufacturers have already recognized the power of leveraging a fingerprint for authentication, and with the upcoming release of fingerprint sensors in mobile devices, now is the time for the FIDO Alliance to bring together the hardware, software and applications that create a seamless user experience with a much needed new approach to security.”
According to FIDO, the adoption of the fingerprint swipe to log on to your laptop, or of Apple's latest iPhone 5s biometric security feature, has been an important step in biometric authorization. Although biometric sensors are just arriving on the tech scene, early adopters have already begun using Apple's Touch ID sensor to lock and unlock their iOS devices and to make iTunes purchases.
Now MasterCard, another big player and member of the FIDO Alliance, is moving in this direction as well. Rumour has it that the company is working on fingerprint-based payment on Android devices, but which technology and which payment method will win the race is still wide open.
The Alliance believes that the right combination of security and convenience will help overcome the public perception that fingerprinting is only done for criminal applications. The case for biometrics rests on the facts that they can now be delivered in real time and at a reasonable price, and that a user needs only one identification method that can never be lost or forgotten. In addition, fraud is creating a need for more security and ease of identification, and the FIDO Alliance wants to help push the market forward into accepting the technology as a standard.
Considering that 50 billion internet-connected devices are predicted to be in the marketplace by 2020, according to Cisco Systems, the future for the FIDO protocol approach looks exciting. It inherently supports consumerization trends, by allowing end users any choice of authentication method. At the same time, FIDO shifts control to providers, who can make authentication user-transparent and limit the risk of fraud.
This is all the more important since IDC forecasts that the strong authentication market will realize more than $2.2 billion in revenues alone by 2016. “This demand is driven by social networking, internet, cloud and mobile, all of which will require higher and higher levels of authentication by governments, corporations and consumers,” said Sally Hudson, IDC Research Director, Security Products and Services. “We believe that standards-based, automated solutions such as those advocated by FIDO will contribute greatly toward making this a reality.”
The FIDO Alliance has begun conformance and interoperability testing for FIDO Universal Authentication Framework (UAF) and Universal Second Factor (U2F) products, and members of the FIDO Alliance Technology Working Group (TWG) are implementing products to the working specifications for testing.
Interested organizations are encouraged to go to FIDO Alliance to find out more and to join the group.
By Daniela la Marca