A Progress Report on FIDO Authentication

The Fast Identity Online (FIDO) Alliance was founded in the summer of 2012 by several vendors, including PayPal and Lenovo, with the goal of bringing a series of technical specifications to the strong authentication market. These specifications go under the names Universal Authentication Framework (UAF) and Universal Second Factor (U2F). The former isn’t necessarily stronger auth, but rather specifications for a software stack that can support better methods.

Up until now, strong authentication has been a very fragmented area, with numerous methods employed by vendors in different spaces, such as software-as-a-service (SaaS) applications, directory-based tools for on-premises apps and federated identities. The big win is having a piece of modular plugin software that can handle local auth so that apps can leverage whatever is available on each user’s device.

What FIDO Standards Do

The FIDO standards attempt to solve this fragmentation by giving you the ability to use any authentication method supported by your local device. This unifies the different providers and enables secure access to many applications. What FIDO proposes is to use something that you already have in your possession, such as your fingerprint or phone, and digitize these assets in such a way that the information isn’t shared with any of the providers or application vendors.

This has a side benefit: No individual player has to keep track of the actual auth mechanics. This is one of the issues with single sign-on (SSO) federation: Typically, the SSO stores this information centrally. Think of it like how Google and Apple Wallets have made payments easier while keeping your credit card accounts private. For example, this means that if a retailer is breached, the login credentials divulged won’t do anyone any good, since the criminals won’t have — and, more importantly, wouldn’t be able to obtain — the additional auth information.
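To make the "a breach reveals nothing useful" point concrete, here is an added example (not code from the article, the FIDO Alliance or any vendor) that models the public-key challenge-response pattern U2F and UAF are built on. The authenticator keeps a per-application private key on the device and hands the server only the public key; the server stores that public key and, at each login, sends a fresh random challenge that the device signs. The type names, the app identifier `https://shop.example` and the user `alice` are constructed for the example, and the message format is a simplified stand-in for the real FIDO assertion layout.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device. Private keys are created here
// and never leave; the relying party only ever sees public keys.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // one key pair per application (appID)
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair for appID and returns only the public half.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// Sign proves possession of the key for appID by signing the server's
// challenge bound to that appID.
func (a *Authenticator) Sign(appID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", appID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(appID, challenge))
}

// RelyingParty models the application server. Its credential store holds
// public keys only, so a dump of it cannot be used to sign a challenge.
type RelyingParty struct {
	appID string
	store map[string]*ecdsa.PublicKey // user -> registered public key
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{appID: appID, store: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.store[user] = pub }

// NewChallenge returns 32 random bytes; the server remembers them per login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature over (appID, challenge) with the stored public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.store[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, assertionDigest(rp.appID, challenge), sig)
}

// assertionDigest binds the challenge to the application identity so an
// assertion produced for one app is not valid at another.
func assertionDigest(appID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Demo walks through enrolment and login and returns three outcomes: a
// genuine assertion, a replay of that assertion against a new challenge,
// and a forgery made with a key the server never enrolled (what someone
// holding only a dump of the public-key store could at best produce).
func Demo() (genuine, replayed, forged bool, err error) {
	const appID = "https://shop.example" // constructed sample identifier
	device := NewAuthenticator()
	server := NewRelyingParty(appID)

	pub, err := device.Register(appID)
	if err != nil {
		return
	}
	server.Enroll("alice", pub)

	challenge, err := server.NewChallenge()
	if err != nil {
		return
	}
	sig, err := device.Sign(appID, challenge)
	if err != nil {
		return
	}
	genuine = server.Verify("alice", challenge, sig)

	// A captured assertion is useless against the next login's challenge.
	next, err := server.NewChallenge()
	if err != nil {
		return
	}
	replayed = server.Verify("alice", next, sig)

	// A stranger with their own key pair cannot satisfy alice's entry.
	stranger := NewAuthenticator()
	if _, err = stranger.Register(appID); err != nil {
		return
	}
	forgedSig, err := stranger.Sign(appID, challenge)
	if err != nil {
		return
	}
	forged = server.Verify("alice", challenge, forgedSig)
	return
}

func main() {
	g, r, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v replayed=%v forged=%v\n", g, r, f)
}
```

Running `Demo` yields a valid genuine assertion and failed replay and forgery checks. The design point is the one the article makes: the server-side record is a verification key, not a secret, so the usual incident-response worry about a leaked credential table (offline guessing, credential stuffing across sites) does not apply to it; what still matters is protecting the device and binding assertions to the correct application identity, which is why the digest covers `appID`.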

Before FIDO, when we wanted to log into multiple apps, we might have had to use many kinds of authentication mechanisms, such as one-time password tokens, smartphone apps and text message confirmations. That was a lot of effort just to benefit from the stronger authentication, and it often involved some custom programming, too. With FIDO, we still can use these multiple mechanisms. But if they’re FIDO-ready, apps can use authentication methods supported by the local device rather than having to code their own authentication routines to support the multiple methods themselves. That is a big step forward.

How FIDO Authentication Helps

Since FIDO was founded, the organization has grown by leaps and bounds. There are now more than 100 members, among them major businesses such as Bank of America, Netflix, MasterCard and Microsoft, along with numerous security vendors. Samsung has built its latest Galaxy phones with fingerprint sensors that support FIDO protocols, as well. The group has published a series of draft standards that have also started being implemented by the security vendors, including the ability to use the Yubico USB touch-sensitive keys to authenticate to both Google Docs and Dropbox accounts. Interested individuals can find further explanations on how to set this up.

FIDO doesn’t solve every authentication issue. For example, you will have to use something other than the FIDO protocols to verify the identity of the person attached to that fingerprint and ensure he or she has been granted access to the given application. There are currently other vendors working on that solution. Despite the drawbacks, it represents a good start towards a more standardized approach to identity management.

David Strom

Security Evangelist

David is an award-winning writer, speaker, editor, video blogger, and online communications professional who also...