Now That Passwords Are Not Enough: Authentication Standards
What do Google, PayPal, Microsoft, Samsung, Lenovo, Visa, Mastercard, Alibaba, Bank of America, American Express, and Dropbox have in common? They are all involved in finding a way to retire passwords in favor of more secure gatekeepers to their information or services. Realizing that, as technologically advanced as each is, coming up with a foolproof means of identity authentication is a quest that takes a village, they have joined the Fast Identity Online Alliance, also known as FIDO.
FIDO is a cross-industry and multi-national consortium of IT, internet and financial services firms working together to develop specifications that define an open, scalable, interoperable set of protocols. FIDO’s mission is not to create individual technologies but rather to establish open authentication standards to aid individual developers of security technology in coming up with their own interoperable solutions.
In 2014, the alliance published the final technical specifications for its password authentication standards. The FIDO 1.0 Specifications include the Universal Authentication Framework (UAF) protocol and Universal Second-Factor (U2F) protocol, and are aimed at eliminating passwords by enabling interoperability between authentication devices. The announcement of these final versions means they can be implemented by members and non-members alike, bringing everyone closer to the day of a universal FIDO-compliant token that can be incorporated into any number of universal FIDO-compliant strong authentication applications.
Alternative Means of Identity Authentication
Until now, the majority of organizations requiring second-factor, or 2-step, authentication have relied on six-digit one-time passcodes (OTPs) delivered by text or email. However, this process is prone to several difficulties, such as when a user loses his smartphone or does not have it at hand, or when hackers find ways not only to intercept OTPs but to steal the intended users’ credentials as well.
Although many of the consortium members have worked on authentication technologies, they have been hampered by a lack of interoperability. FIDO’s protocol has been designed not only to address this shortcoming but to remedy the problems users face in remembering multiple usernames and passwords. The announced standards cover a range of authentication tools including Biometrics, Smart Cards, Near Field Communication (NFC), Trusted Platform Modules (TPM), Embedded Secure Elements (eSE), and USB Security Tokens. They are intended to be scalable so as not only to protect present investments but to accommodate future innovations.
Google’s Security Key
Google, the first FIDO member to deploy the published U2F standard, has seized on the USB token as a security key for users of its products. Instead of typing in a password when signing into a Google account, users insert a token into the computer’s USB port, then tap it when instructed by the Chrome browser. The USB security key is designed to be “un-phishable” since its cryptographic signature is not provided should a fake site try to impersonate the Google Chrome log-in page.
Working toward the day when users will carry one single security authentication key that works everywhere FIDO U2F is supported, Chrome incorporates the open FIDO U2F protocol so other websites with log-in requirements can build support for FIDO U2F into their applications. In addition, the key can be used with any Google account at no charge, and users can buy compatible USB devices from any tested and approved FIDO Ready U2F provider.
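Added example, not code from the original article or from Google or FIDO: a simplified Python model of why a U2F key gives a fake log-in page nothing usable, as described above. Assumptions: HMAC stands in for the token's real ECDSA signature (so the key the site stores is symmetric here, where a real site stores a public key), the application ID is taken to be the page origin, and the class names, function names and example.com origins are constructed for illustration.

```python
import hashlib, hmac, json, os

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class ToyToken:
    """Simplified U2F-style token; HMAC stands in for the real ECDSA P-256 signature."""
    def __init__(self):
        self._secret = os.urandom(32)              # device secret, never leaves the token
        self.counter = 0

    def register(self, app_param: bytes):
        nonce = os.urandom(16)
        key = mac(self._secret, app_param + nonce)  # per-site key
        return nonce + mac(key, b"handle"), key     # (key handle, key the site stores)

    def authenticate(self, app_param: bytes, challenge_param: bytes, handle: bytes):
        nonce, tag = handle[:16], handle[16:]
        key = mac(self._secret, app_param + nonce)
        if not hmac.compare_digest(tag, mac(key, b"handle")):
            return None                  # handle was not issued for this site: no signature
        self.counter += 1
        # Signed data: application parameter, user-presence byte, counter, challenge parameter
        msg = app_param + b"\x01" + self.counter.to_bytes(4, "big") + challenge_param
        return self.counter, mac(key, msg)

def browser_sign(token, origin: str, challenge: str, handle: bytes):
    # The browser, not the page, fills in the origin it actually loaded.
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return client_data, token.authenticate(sha256(origin.encode()), sha256(client_data), handle)

def site_verify(origin: str, challenge: str, key: bytes, client_data: bytes, result) -> bool:
    if result is None:
        return False
    data = json.loads(client_data)
    if data["origin"] != origin or data["challenge"] != challenge:
        return False
    counter, sig = result
    msg = sha256(origin.encode()) + b"\x01" + counter.to_bytes(4, "big") + sha256(client_data)
    return hmac.compare_digest(sig, mac(key, msg))

def demo():
    real, fake = "https://login.example.com", "https://login.example.net"  # constructed origins
    token = ToyToken()
    handle, key = token.register(sha256(real.encode()))
    genuine = site_verify(real, "nonce-123", key, *browser_sign(token, real, "nonce-123", handle))
    _, phished = browser_sign(token, fake, "nonce-123", handle)
    return genuine, phished              # genuine log-in verifies; look-alike gets no signature
```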
A Post Password Era
As a new authentication era dawns, several alliance members have come out with product lines of FIDO-compliant devices that work with the Google key to enable online service providers and enterprises to adopt FIDO U2F authentication. Others have developed their own large-scale deployment of FIDO authentication standards in payment applications. These include PayPal, Alipay, Samsung, Synaptics, and Nok Nok Labs.
Entities working on their own FIDO-compliant authentication tools also include Microsoft, whose vision, similar to Google’s, is to be able to use one log-in for all its online services, and Germany, which is involved in developing an e-ticketing tool for users of public transportation.