FIDO Alliance Extends Two-Factor Security Standards to Bluetooth, NFC

The FIDO Alliance adds Bluetooth and near-field communications to security specifications first defined in December 2014.

FIDO Alliance

In December 2014, the FIDO (Fast Identity Online) Alliance issued the 1.0 version of its U2F (Universal Second Factor) security specifications to enable two-factor authentication. The U2F 1.0 specification is now being expanded to support the wireless Bluetooth and near-field communications (NFC) protocols.

What U2F provides is a second-factor authentication mechanism that can be used to supplement a username and password to provide more secure access to a site or online service. With the initial rollout of U2F, USB-based devices were the primary technology mechanism. USB keys, including those from security vendor Yubico, can be used for U2F to enable secure authentication.

As to why Bluetooth and NFC are being added now to U2F, Sam Srinivas, FIDO Alliance vice president and co-chair of the FIDO U2F Technology Working Group, said FIDO is being pragmatic and incremental in its approach to standardization.

"We wanted to get the core USB transport, which is very appropriate for desktop use cases, shaken out and into the market," Srinivas told eWEEK. "We also wanted to make sure the higher crypto layer of the protocol was working well in the field before expanding to other transports—this higher crypto layer is the same regardless of the physical transport."

Srinivas added that the need to make sure everything was working properly is why FIDO consciously decided to defer working on other transports, though conceptually it is just the same crypto running over a different underlying physical connection.

"As soon as we successfully launched FIDO U2F with just the USB transport, we brought the focus back on to the work we were doing on the wireless transports which are most relevant to mobile [Bluetooth and NFC], and what we are announcing now is the completed work," he said.

With the U2F specification additions for Bluetooth and NFC, new forms of FIDO-compliant devices can now be built and deployed. For example, FIDO U2F can now be used to enable a key fob or even a credit card-sized device to be used as a second-factor authentication mechanism.

From a device certification perspective, Srinivas said that FIDO will certify Bluetooth and NFC the same as it has certified USB devices. The certification involves a standard test driver that exercises a device through all of the expected operations for that particular transport (NFC, Bluetooth etc.). He added that after a device passes the test, it is then subject to an operational test where it must perform actual log-ins against a reference test server (i.e., full stack test, not just the transport). Finally, there is an interoperability test where a device must perform log-ins against multiple vendor server implementations.

"We expect to announce the certification program details at a later date, after people have had a chance to make prototype implementations," Srinivas said. "Again, here we are following the same model we established with USB in terms of how we sequence the various events."

While USB is a universal standard with little variation, Bluetooth implementations can vary across different mobile vendors. However, as to the variations of Bluetooth stacks, many of the FIDO member companies have deep Bluetooth experience, and considerations about stack variations were brought into the design by various member companies that fleshed out the transport protocol design, he said.

Looking beyond Bluetooth and NFC, Srinivas said FIDO is considering SIM cards and secure memory cards acting as FIDO U2F devices, or more precisely as repositories of FIDO U2F keys.

"The user would be able to move a SIM or a secure memory card from one phone to another, and their FIDO U2F keys would move to the new phone," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.