As security breaches continue to grab headlines, I was intrigued by new claims that not only could online security be improved for consumers, but it could actually become a more delightful user experience. The launch of Apple Pay has proven to us that this
is possible.
With over 150 FIDO members, the Board of Directors alone reads like a Who’s Who List: Alibaba/Alipay, ARM, Bank of America, CrucialTec, Discover Financial Services, Google, Identity X, Lenovo, MasterCard,
Microsoft, Nok Nok Labs, NXP semiconductors, Oberthur Technologies, PayPal, Qualcomm, RSA Security, Samsung, Synaptics, Visa, and Yubico.
Keen to understand what attracted so many key players, I was delighted to have an opportunity to interview Executive Director of the FIDO Alliance, Brett McDowell, to understand more about how all this works and what changes we are likely to see in the world
of payments because of this.
This post shares a summary of what I learnt from Brett about how all this works.
The FIDO Alliance
The FIDO Alliance produces open standards and industry adoption programs that enable implementers to change the nature of online authentication by improving user experience while simultaneously providing better security in a privacy-respecting manner. They
just released the
final FIDO 1.0 specifications at the end of 2014.
Strong authentication and the need for standards
Before FIDO authentication, online service provider typically used username and password for authentication. For more security they would add another authentication factor from a set of options that were not necessarily designed for ease-of-use. Strong authentication
combines something you know (such as a password), with something you are (such as a biometric) or something you have, such as a token.
The industry norm in 2011-2012, before FIDO authentication was announced, was username and password as the ubiquitous first-factor. As for the second factor, if there was one, it was typically a 6-digit one-time-use passcode. The consumer would get the second
factor through an SMS to their mobile device or create it on a specialised hardware device or copy it from a code-generating mobile app on their smartphone. This 6 digit number, or one-time password (OTP), is called a security token.
However there are usability and other problems with OTP that FIDO addresses. The first word in FIDO is
fast, and it helps to explain why FIDO technologies became so disruptive so quickly. Instead of bolting on extra security in a way that burdens the user, FIDO aims to deliver an end-to-end innovative approach to authentication through a new, open,
online cryptographic protocol that enables best-of-breed device-centric authentication to be used for online access.
The FIDO UAF Architecture enables online services and websites to leverage native security features of devices
Brett explained how the standards enable a better user experience – faster, more secure, privacy respecting and easier-to-use. For instance Samsung enabled a number of payments applications using FIDO to allow a user to simply swipe a finger
across a sensor on their smartphone or tablet. This is arguably easier than most other ways, especially passwords.
Strong authentication has been around for a while but failed to achieve widespread adoption in the consumer market as it lacked the means to achieve interoperability among systems and devices. Now FIDO authentication standards enable any strong authentication
method, they call "authenticators", to interoperate with any online service, independent of solution vendor or device.
The interoperability issue is something FIDO addresses through UAF and U2F
Brett explains that both UAF and U2F protocols, applied to devices, client software and online servers, produce entirely interoperable strong authentication. The Universal Authentication Framework (UAF) protocol was introduced first. It solves pain points
around first-factor authentication because it is designed to replace the password, usually (but not exclusively) with a biometric factor that is retained only locally on the user device, never shared centrally or in the cloud. FIDO UAF is a strong authentication
framework that enables online services and websites, whether on the open Internet or within enterprises, to transparently leverage native security features of end-user computing devices.
U2F provides a simpler 1st factor authenticator
FIDO U2F authentication addresses a totally different use case. While FIDO UAF provides a simpler, stronger 1st factor authenticator, U2F provides a simpler, stronger 2nd factor authenticator. FIDO U2F does not replace the password but instead replaces
the second factor and enables a simpler form of password, like a short PIN number, because the security burden can now be placed on the FIDO U2F authenticator and not the password. FIDO U2F is already been deployed by Google Accounts and now ships in all Google
Chrome browsers.
So far the implementations of FIDO U2F authenticators are in the form of external specialized devices, but these capabilities could be embedded directly in handsets or other form factors in the future. What separates FIDO U2F security tokens from the OTP
tokens discussed previously is that one device will work with any FIDO U2F server, regardless of vendor solution or device manufacturer. Another key differentiator is the phishing resistance inherent in the FIDO U2F standard. A FIDO U2F user cannot be tricked
into giving a secret to a fraudster the way they can in an OTP use case.
Yubico and Plug-up are the two primary providers of U2F-enabled devices today, which work by being inserted into a USB slot. NFC and BLE support for U2F tokens is expected soon and will accommodate U2F devices for use with devices that don’t have USB slots.
How do you see passwordless experience evolving, and what other methods are you using in your part of the world?