FIDO Alliance opens its security standards to the public

April 2014 Access Control & Identity Management

The FIDO (Fast IDentity Online) Alliance, a security-minded industry consortium that includes tech giants such as Google, Netflix, and PayPal has released a public draft of new security standards (available at http://fidoalliance.org/specifications) that could someday make user passwords a thing of the past. Co-founded a year ago by former PayPal executive Michael Barrett, the FIDO Alliance is drawing the support of major tech companies on the lookout for a login alternative that offers greater security, while easing the burden consumers face in creating and managing dozens of passwords for the sites they visit.

With recent data breaches at Yahoo and Adobe, the continuing Snowden revelations, and of course, the massive data theft at Target, consumers are being confronted as never before with the limitations of security in an online world. And companies are facing significant financial risk. A report by Forrester Research puts the cost of password breaches at $200 billion in annual losses. This adds up to what industry watchers feel may be a tipping point in the demand for more secure options.

“This is a very active space for vendors,” says Forrester analyst Eve Maler. “There are quite a lot of security startups attracting money from VC firms.” Barrett puts the situation in blunt terms. “We see daily occurrences of just how bad the password model is,” he says, arguing, “the way out of the mess is not going to arrive through a proprietary solution devised by any single company – it’s too big a problem. It is a system problem that requires cooperation and standard building blocks.”

The FIDO Alliance is leading an industry-wide push for a more secure alternative to user passwords.

To that end, the specifications that FIDO has released offer a two-pronged approach to providing secure logins as well as an improved consumer experience. The proposed U2F standard, which I wrote about in an earlier story, would allow you to login using a simple PIN – just like at an ATM – to identify yourself. At that point, a hardware device you carry with you, be it a USB dongle or NFC-enabled phone or tablet, would be used to verify your identity by way of encrypted communication with your Web browser.

The second protocol, dubbed UAF, allows for the use of biometric data – a thumbprint, vocal phrase or iris scan – to verify your identity. Using a phone or tablet, for example, you could log in to a site simply by swiping your finger, speaking into the microphone or looking into the camera.

Both protocols incorporate public key cryptography, a well-established method for creating a trusted connection. To work, you would first need to register your local device with any sites you will be logging onto. You would also have the ability to terminate this registration at any time, should your device become lost or stolen. In a nod to consumer privacy, the UAF standard restricts storage of any biometric data to the local device. And neither standard provides information that a site you registered with could use to track your visits to, or registration with, any other sites.

To ensure conformance with security standards and device compatibility, FIDO has begun a compliance testing program. At this year’s CES tradeshow, both biometric and hardware-based FIDO Ready products were on display. And while FIDO builds momentum by bringing on big name members like Microsoft, analyst Tim Bajarin of Creative Strategies says it’s also significant that, “FIDO is providing some very important tools for smaller companies that lack the resources to develop proprietary security solutions.”

This is an ambitious endeavour, to put it mildly. To be successful, the FIDO specifications would have to achieve widespread adoption by developers, with top companies seeing value in supporting a standards-based initiative instead of pursuing proprietary solutions. And even more importantly, the approach would have to be embraced by consumers. No easy feat. Maler notes that, “Privacy experts want consumers to value security more than they actually do. People complain about passwords, but the alternative has to be easier to use, not just more secure.” In addition, she points out that there are things passwords are actually well-suited for: giving your kid your Netflix password so she can watch a movie without you, for example.

Barrett acknowledges the challenges. And while conceding that a password-free Internet is far from imminent, he emphasises that the FIDO protocol can accommodate a wide range of implementations. “There is no one-size-fits-all approach for security,” he says, noting that different companies will obviously need to strike different balances between security and user convenience. He stresses that this is the very beginning of a long process and that some Alliance members – notably Google and Netflix – are supporting the protocol first in an internal IT environment, an approach that other companies may take to examine the benefits of the technology before deciding to roll it out to consumers. But, he maintains, the ultimate goal is to make the FIDO spec as ubiquitous for site logins as the SSL (https) protocol is today for encrypted Web browsing.

Making the draft specifications public is a big part of that effort. “Transparency breeds confidence,” Barrett says. “We are committed to an open technology, so we have to publish and let the world comment. We’re looking for feedback on what we’re doing right and what could be improved.” Barrett says FIDO expects to have specifications of the UAF and U2F standards finalised before the end of 2014.

You can read an overview of the specifications (http://fidoalliance.org/specifications), download the complete drafts (http://fidoalliance.org/specifications/download), and view a list of alliance members (http://fidoalliance.org/membership/members/) on the FIDO website.





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Disconnect between confidence in identity security and operational reality
Access Control & Identity Management News & Events
New FIDO Alliance and HID study reveals gap between identity security confidence and reality; 94% of enterprises claim they can revoke employee access within 24 hours, yet 35% experienced delays or failures in the past two years.

Read more...
Paxton Solo training available to security installers
Paxton Access Control & Identity Management News & Events
Following the launch of Solo, Paxton’s brand-new access control system, the security manufacturer is rolling out dedicated Solo training sessions across South Africa to support security installers working with the system.

Read more...
Controlling access for people and vehicles
IDEMIA STid Security Technews Publishing Editor's Choice Access Control & Identity Management Asset Management Industrial (Industry) Mining (Industry)
When it comes to access control, the security requirements of mines and the industrial sector are similar, requiring a layered approach that combines physical barriers, digital authentication, and continuous monitoring to protect personnel, assets, and operational continuity.

Read more...
Paxton launches new phone-based security system: Solo
Paxton News & Events Access Control & Identity Management
Paxton has officially unveiled Solo, a phone-based, cloud-hosted access control system. As part of the launch, installers can claim a free Solo starter kit from Paxton, allowing them to trial the system and see how it can work for their business.

Read more...
Taking control of IAM in the AI era
Access Control & Identity Management AI & Data Analytics
AI and Shadow AI are proliferating, creating a series of new risks for organisations. To gain control over who and what has access to corporate data, organisations need unified control over their entire environment.

Read more...
Impro announces Primo update
News & Events Access Control & Identity Management Integrated Solutions
Impro Technologies recently held a launch event in which it introduced a series of new products, from new readers through to its updated Primo access management software.

Read more...
If you cannot prove identity, you cannot claim security
Access Control & Identity Management Information Security
Cybersecurity planning for 2026 is a structural change in how attacks are executed and how trust is exploited, demanding that companies stop layering tools on top of infrastructure and instead prioritise intelligence and identity.

Read more...
Paxton set to launch game-changing new system
Paxton Access Control & Identity Management News & Events
Access control is evolving fast. Installers and end users are looking for systems that are simple to install, easy to manage remotely, and flexible enough to scale. In response, Paxton is exploring how emerging technologies can reshape access control.

Read more...
NEC XON secures mobile provider’s hybrid identities
NEC XON Access Control & Identity Management Information Security Commercial (Industry)
For a leading South African telecommunications operator, identity protection has become a strategic priority as identity-centric attacks proliferate across the industry. The company faced mounting pressure to secure both human and non-human identities across complex hybrid environments.

Read more...
Cloud security in visitor management and access control
SA Technologies Access Control & Identity Management Infrastructure Residential Estate (Industry) Commercial (Industry)
Cloud has become the default platform for modern security operations, from visitor management portals and remote access control to incident logging, reporting, analytics, and integrations. But “in the cloud” does not mean “someone else is securing it for us”.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.