December 10, 2014 weblog
FIDO specs to pave way for post-password era
Dedicated to easier yet stronger authentication, the FIDO (Fast IDentity Online) Alliance announced Tuesday that it has published specifications for broad industry adoption of strong authentication next year. The standards-delivering consortium formed in July 2012. Its mission has been to address a lack of interoperability among strong authentication technologies, and to remedy user problems in creating and remembering multiple usernames and passwords. The new entrants are final 1.0 drafts of two specifications, Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F). Alliance members include device manufacturers, online service providers and enterprises. They can now implement and commercialize the 1.0 specs. The Alliance notice said that "both specifications are unencumbered by FIDO member patents. Members are free to implement and market solutions around FIDO-enabled strong authentication, and non-members are free to deploy those solutions." Current implementations available in the market include those from Nok Nok Labs, Synaptics, Alibaba, PayPal, Samsung, Google, Yubico and Plug Up.
The specifications outline a standard for devices, servers and client software. These include browsers, browser plugins, and native app subsystems. A website or cloud application can interface with existing and future FIDO-enabled authenticators, from biometrics to hardware tokens. Popular Science noted that your iris, voice or fingerprint will serve as your passport to the online world.
The Verge said "the days of the password-free login are closer than you think" and called the announcement a big step forward. Russell Brandom said, "As a result, life just got a lot easier for anyone who wants to make a phone with a fingerprint reader or an app that requires a fingerprint before it opens up."
Michael Barrett, president of the FIDO Alliance, said that "we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die." Meanwhile, the FIDO Alliance is nearing completion of extensions to incorporate Near Field Communications (NFC) and Bluetooth into the range of FIDO capabilities.
Smartphones such as Apple's iPhone 6 and the Samsung Galaxy S5 already offer fingerprint authentication but, as Dan Moren explained in Popular Science, FIDO is not a consumer-facing solution; "it's a software system that can be incorporated into apps and websites, free of charge—and it can work with a variety of different hardware." Moren further observed that some companies will no doubt balk at re-doing authentication infrastructure but he said that "one thing is clear: with security failures coming at a breakneck rate, we can't count on the password to protect us anymore."
The FIDO Alliance announcement said that, according to Verizon's Data Breach Investigations Report, weak or stolen login credentials were a factor in more than 76 percent of breaches analyzed.
© 2014 Tech Xplore