The FIDO Alliance has outlined a layered approach that could give users considerably stronger protection against credential-theft threats such as the Heartbleed bug of 2014 and the DROWN attack disclosed earlier this year (2016). Both are TLS-level flaws that can expose session cookies and tokens, whether leaked from server memory or decrypted off the wire; the proposed defence combines channel binding with FIDO authentication so that a captured credential is worthless to anyone who did not originally obtain it.
‘Channel binding’ refers to the practice of linking session credentials (cookies, OAuth tokens and similar artefacts that servers issue to identify users) to the particular TLS connection over which the client sends them back to the server. A third party who steals the cookie or token cannot replay it through another connection. Google and Microsoft have taken the concept further with token binding, in which the credential is tied not to a single TLS connection but to a key pair generated on the client: the server binds the cookie or token to the client's public key, and on every new connection the client proves possession of the private key by signing material derived from that connection's TLS handshake (the exported keying material). Because the proof is specific to the connection, it cannot be reused elsewhere, and the credential is only honoured when it arrives together with a valid proof for the key it was bound to.
User credentials usually take the form of passwords, but FIDO has been working to replace them with private keys that reside in users' devices and never leave them, so a phishing page or a breached server has no shared secret to capture. As Google's Dirk Balfanz notes in a new post on FIDO's website, those FIDO keys can also be bound to channels: the authenticator's signature covers client data that can carry the token binding ID of the connection, so a FIDO assertion is only valid on the connection whose binding key the client has just proven.
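The token-binding mechanism described above, as an added example that is not code from the original post, the FIDO Alliance or Balfanz's article. It is a simplified model in Go: `Prove`, `VerifyProof`, `Server.Login` and `Server.Authenticate` are hypothetical names, the exported keying material (EKM) is a constructed byte string standing in for each TLS connection, and the proof is passed as a plain value rather than in the TLS extension and `Sec-Token-Binding` header a real deployment would use. The `main` function replays the scenario from the text: a cookie stolen from the victim is presented on a second connection, first with the victim's captured proof and then with the attacker's own key, and both attempts are refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Simplified Token Binding model. Assumptions: a real deployment carries the
// proof in a TLS extension and the Sec-Token-Binding header and takes the EKM
// from the TLS stack; here constructed byte strings stand in for each EKM.

// Proof accompanies every request: the public key plus a signature over this connection's EKM.
type Proof struct{ PubDER, Sig []byte }

// NewKey generates a fresh P-256 Token Binding key pair.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Prove signs the current connection's EKM with the client's long-lived Token
// Binding key; the private half never leaves the device.
func Prove(priv *ecdsa.PrivateKey, ekm []byte) (Proof, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return Proof{}, err
	}
	d := sha256.Sum256(ekm)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return Proof{PubDER: der, Sig: sig}, err
}

// VerifyProof checks a proof against the EKM of the connection it arrived on
// and returns the Token Binding ID (SHA-256 of the DER-encoded public key).
func VerifyProof(p Proof, ekm []byte) ([32]byte, error) {
	k, err := x509.ParsePKIXPublicKey(p.PubDER)
	pk, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return [32]byte{}, errors.New("malformed token binding key")
	}
	d := sha256.Sum256(ekm)
	if !ecdsa.VerifyASN1(pk, d[:], p.Sig) {
		return [32]byte{}, errors.New("proof does not match this connection")
	}
	return sha256.Sum256(p.PubDER), nil
}

// Server maps each issued cookie to the Token Binding ID it was bound to.
type Server map[string][32]byte

// Login issues a random cookie bound to the key proven on this connection.
func (s Server) Login(p Proof, ekm []byte) (string, error) {
	id, err := VerifyProof(p, ekm)
	if err != nil {
		return "", err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	cookie := hex.EncodeToString(raw)
	s[cookie] = id
	return cookie, nil
}

// Authenticate accepts a cookie only with a valid proof, on this connection,
// for the exact key the cookie was bound to.
func (s Server) Authenticate(cookie string, p Proof, ekm []byte) error {
	bound, ok := s[cookie]
	if !ok {
		return errors.New("unknown cookie")
	}
	id, err := VerifyProof(p, ekm)
	if err != nil {
		return err
	}
	if id != bound {
		return errors.New("cookie is bound to a different key")
	}
	return nil
}

// main replays the scenario from the text (setup errors ignored for brevity):
// a stolen cookie is tried on a second connection with the captured proof, then with the attacker's own key.
func main() {
	victim, _ := NewKey()
	attacker, _ := NewKey()
	srv := Server{}
	vEKM, aEKM := []byte("constructed EKM: victim conn"), []byte("constructed EKM: attacker conn")
	vProof, _ := Prove(victim, vEKM)
	aProof, _ := Prove(attacker, aEKM)
	cookie, _ := srv.Login(vProof, vEKM)
	fmt.Println("victim:", srv.Authenticate(cookie, vProof, vEKM))
	fmt.Println("replayed proof:", srv.Authenticate(cookie, vProof, aEKM))
	fmt.Println("attacker key:", srv.Authenticate(cookie, aProof, aEKM))
}
```

The two failure paths are the point: a proof copied along with the cookie fails because its signature covers a different connection's EKM, and a proof made with the attacker's own key fails because the cookie was bound to someone else's Token Binding ID. The FIDO binding from the post works the same way one layer up: the authenticator signs client data that carries the Token Binding ID, and the server compares that ID with the one proven on the connection the assertion arrived over.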
Balfanz's post goes into the details of this methodology, but the main takeaway is that FIDO authentication can be used together with channel and token binding. With token binding currently being standardized by the IETF, organizations have a good opportunity to explore how FIDO standards can be layered on top of it for an extra level of protection.