Strong Online Authentication Month: A FIDO Profile

It all starts with a concept: passwords are just not doing their job any more. The average user has about 26 separate usernames for personal and work accounts, each calling for best password practices that, on their own, seem archaic and demanding. It’s no surprise, then, that a large number of users recently surveyed reuse the same password across accounts and are eager for an alternative.

Strong authentication has long presented the key to this password problem, and thanks to the work of organizations like the FIDO Alliance, we are finally starting to see some headway in killing the password.

The Rules

While the FIDO Alliance was founded in 2013, and has grown tremendously since then, its purpose has not wavered. FIDO is dedicated to reducing user reliance on passwords through the creation of strong authentication standards and specifications. It has developed final 1.0 specification drafts, which were published late last year, and they describe two password-mitigating standards, Universal Authentication Factor (UAF) and Universal Second Factor (U2F), both of which will be described in the following sections.

2015 has been a big year for the Alliance, with its expansion to include its first government members – NIST and the UK’s Office of the Cabinet – as well as its addition of Bluetooth LE and NFC support. The most recent round of testing for FIDO compliance has determined that there are now 62 FIDO Certified authentication products, and with many of those relying on compliant integrated tech, that number is sure to grow.

Here is a rundown of what the Alliance has been up to recently:

FIDO Publishes Final 1.0 Specification Drafts, Kills Passwords

FIDO Adds NFC, Bluetooth LE Support to 1.0 Specifications

FIDO Certification Extends to 62 Products

FIDO Welcomes First Government Members

Across the Universe

The FIDO UAF specifications stand as the Alliance’s heavy hitter in terms of identity management. Relying solely on biometric factors and on-device authentication, products that meet the criteria of the UAF standard are completely passwordless. The process is described on the FIDO website in an infographic and it’s almost staggeringly simple: authorization is requested from the transaction provider, the user shows a biometric, the transaction is completed.

The standard is multimodal, and products range from voice, face and fingerprint recognition to the iris biometrics included on the Fujitsu Arrows NX F-04G.

The links below will give you an idea of the diversity of UAF solutions and how they function:

Multimodal Sensory Platform Gets FIDO UAF Certification

NTT DOCOMO And FIDO Make History

Microsoft Embraces FIDO Standards for Windows 10

Four Synaptics Products Get FIDO Certification

Egis Showing Off FIDO Certified Tech at MWC Shanghai

Daon’s IdentityX Platform Gets FIDO Certification

Reinforcements

As I mentioned in the first subsection of this post, the FIDO standards are meant to reduce reliance on passwords. That means that, while UAF can outright make passwords disappear from your life, there still might be situations in which the implementation of such technology is not possible at first. Moving on from the password will be a process, and it can start with the Alliance’s other standard, U2F.

U2F-certified devices do not require biometrics to authenticate, but rather act as digital keys to your online identity. While biometrics are a factor of what you are, the U2F specifications combine the other two modes of identity: what you have and what you know. A user authenticating in this manner enters her password and then, when prompted, activates her dongle, proving that she is at the online access point, and is subsequently granted access.

The following links will help give an idea of what U2F solutions are, how they work and who is embracing the two-step standard:

Dropbox Embraces FIDO U2F Standard

FIDO MOU Approves Bluetooth Smart for U2F Authentication

Could U2F Keys Kill the Password?

Google and Yubico Throw Their Weight Behind U2F Support

The Long Death of the Password

In December of 2013, the FIDO Alliance joined Mobile ID World and our sister site FindBiometrics for an exclusive webinar event ushering in the post-password era. While the presentation took place almost two years ago, and the FIDO Alliance has grown in leaps and bounds since then, the webinar recording below still captures the spirit and intention of the global strong authentication initiative being forwarded by the consortium and its legion of high-profile members.

Webinar: The Password is Dead!

*

September is Strong Authentication Month at Mobile ID World. Participate in the conversation online by following us on Twitter and tweeting with the hashtag #MIDWOnline.