FIDO Alliance Brings Password-less Online Authentication
Prevailing password systems may have proven less than adequate to prevent data breaches, but now there’s hope that we might be at the point of doing away with creating and remembering numerous passwords—especially the really bad ones like “123456” and “password.” Believe it or not, those were the top two on the list of the worst passwords of 2013 published by security firm SplashData.
The FIDO (Fast IDentity Online) Alliance, an industry consortium for delivering standards for simpler, stronger authentication, has released final 1.0 specifications for an open standard to replace commonly used single-factor username and password logins. Although previous authentication methods beyond a single password have been hindered by lack of interoperability, the FIDO protocols use standard public key cryptography techniques and are unencumbered by FIDO member patents.
FIDO has developed specifications for two user experiences: the Universal Authentication Framework (UAF) and the Universal Second Factor (U2F) standard.
The UAF protocol lets the user register their FIDO-enabled smartphone or other device to an online service by selecting a local authentication mechanism: either a biometric, such as fingerprint, facial or voice recognition, or a PIN. Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service from that device.
The U2F protocol enables online services to enhance the security of their existing password infrastructure by adding a physical second factor to user login. For example, the user logs in with a username and password and then may be prompted to present a second factor, such as pressing a button on a USB device.
Early implementations using FIDO authentication are already deployed through Alibaba, Google, Nok Nok Labs, PayPal, and Samsung.
Formed in 2012, FIDO Alliance members include Alibaba, Bank of America, BlackBerry, Discover, Google, MasterCard, Microsoft, Nok Nok Labs, Oberthur Technologies, PayPal, Qualcomm, RSA, Samsung, Visa, Yubico, Wells Fargo Bank, and others.
As for the future, the FIDO Alliance press release notes it is nearing completion of extensions that will incorporate Near Field Communications and Bluetooth into the range of FIDO capabilities.
To see the technology in action, you can watch a video on FIDO U2F and Google's two-step verification and a video on how the Nok Nok Labs authentication solution works.