FIDO Alliance Finalizes Strong Authentication Security Specs

The effort to make strong security authentication mechanisms more pervasive reaches a major milestone.

security authentication

The FIDO (Fast Identity Online) Alliance has been working to develop a set of standardized specifications to help improve secured authentication for online application access. It's a process that reached a major milestone Dec. 9 with the official 1.0 versions of FIDO's Universal Second Factor (US2) and Universal Authentication Framework (UAF) specifications.

The FIDO Alliance is an industry consortium that now has more than 150 member companies, including Bank of America, Mastercard and Visa, as well as Google and Qualcomm.

"Reaching the 1.0 specification for FIDO means that the technology is stable and it has been through deployment experience and interoperability testing," Brett McDowell, executive director of the FIDO Alliance, told eWEEK.

McDowell said that the FIDO Alliance specifications address the challenge of secure authentication and the primary focus has been on passwords.

"A password as a single-factor authenticator has proven to be insufficient to protect consumers," McDowell said.

One of the suggested ways to make passwords better is by using two-factor authentication, which adds a second password (or factor) before a user can access a service. McDowell noted that many two-factor authentication systems have usability challenges and also still have some security risks. One-time passwords (OTPs) that are generated as part of two-factor authentication mechanisms are still vulnerable to potential phishing attacks, he said.

"You get the number from one device, type it into the screen on another device, but you're still vulnerable to typing that number into the wrong screen," McDowell said. "It's what we call a symmetric shared secret."

In contrast, the FIDO approach is asymmetric, where the secret is only present on the user device and is not shared. In terms of specifics, UAF is designed to replace the need for traditional passwords. UAF authentication can leverage the use of biometrics—for example, a user's fingerprint—to gain access.

The other specification is U2F, which does not replace a username and password; rather, it becomes a more secure second-factor authentication mechanism.

"We're providing a hardware token with a secure element in it that can talk the FIDO U2F protocol," McDowell said. "So instead of being challenged to type in a code number, the user just presses a USB hardware token in order to give presence and authenticate the user."

Google recently announced that it was embracing U2F with its Chrome browser to authenticate users across Google services. Currently, U2F leverages USB as the medium to connect the secure hardware token, though efforts are still in progress within the FIDO Alliance to expand the available approaches. McDowell said that work is under way to extend U2F for Bluetooth as well as near-field communications (NFC) deployments. He added that when completed, the Bluetooth and NFC work will be considered as extensions to the U2F 1.0 specification.

With the 1.0 specifications now complete, McDowell expects that as the technology is deployed in the market, there will be some lessons learned and there will be incremental updates to keep the specifications current.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.