PayPal 'n' Google's FIDO drops 'simpler, stronger' secure login spec

System is 'device-centric'

The FIDO (Fast IDentity Online) Alliance has marked its first anniversary with the publication of specifications for technology it hopes will simplify authentication and reduce password headaches.

FIDO, which is backed by industry heavyweights such as PayPal, Google and Mastercard, is working hard to address the problems that users face with passwords by developing a set of new technology standards that seeks to make the introduction of two-factor authentication more straightforward.

The goal is simpler, stronger authentication with two or more factors, replacing the traditional username-and-password approach, which is becoming "outdated and unreliable".

For online businesses the technology promises an interoperable backend infrastructure for strong authentication rather than one tied to a particular technology or (at best) a particular vendor.

The alliance was formed to tackle the lack of interoperability among strong authentication technologies, as well as attempting to reduce the problems users face with creating and remembering multiple usernames and passwords.

The basic idea is that users can log into online services using FIDO-compliant products such as fingerprint scanners, voice and facial recognition, USB security tokens, Near Field Communication (NFC), one-time passwords (OTP) and many other existing and future technology options, instead of logging in with IDs and passwords.

How it will work

The draft specification explains how this can be done while allowing users to log into the same property using multiple methods (eg fingerprint reader on smartphone, USB token on computer) while preserving the same user experience and without requiring vendors to maintain a hopelessly expensive and complicated authentication backend.

FIDO is tackling the authentication (secure login) problem through a two-pronged approach. The U2F standard involves using a PIN in conjunction with a USB dongle or an NFC-enabled phone or tablet. A second, related protocol, christened UAF, supports a thumbprint, vocal phrase or iris scan biometric for identity verification.

Thereafter users would just have to swipe their finger on an iPhone 5, for example, to log into PayPal. The basic set-up is explained in a diagram here.

Jamie Cowper, senior director of business development at Nok Nok Labs, explained that the goal of the alliance is to "make it simple and easy to authenticate to online properties".

The publication of the FIDO specification is a marker in the road to publishing the technology through standards bodies, either the W3C or IETF. Cowper said precedents for the development of the technology include the ratification of SSL (originally developed by Netscape) as the accepted technology to underpin web commerce transactions.

The new FIDO specifications emphasise a device-centric model and place an emphasis on usability, privacy and security.

"Users authenticate locally and this unlocks a key exchange which is unique to a service," Cowper explained. "The fingerprint or voice print never leaves the device. We're not building a big database of secrets.

"No one can use the technology to track you around the net," he added.
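The device-centric model Cowper describes, and the multi-authenticator set-up from the "How it will work" section, can be sketched as follows. This is an added illustration, not FIDO's UAF or U2F wire format and not Nok Nok Labs code: a local factor (constructed here as a string standing in for a fingerprint template or PIN) unlocks a per-service key pair, the server stores only public keys, and because each service gets a different key there is nothing for a third party to correlate across sites.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator stands in for a FIDO-style device (a phone with a fingerprint
// reader or a USB token). It holds one key pair per service plus a local factor
// (a constructed string here) that is checked on the device and never sent.
type Authenticator struct {
	localFactor string
	keys        map[string]*ecdsa.PrivateKey
}

func NewAuthenticator(localFactor string) *Authenticator {
	return &Authenticator{localFactor: localFactor, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh key pair for one service and hands back only the public half.
func (a *Authenticator) Register(service string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[service] = priv
	return &priv.PublicKey
}

// Sign unlocks the service-specific key with the local factor and signs the
// server's challenge. A failed local check yields no signature at all.
func (a *Authenticator) Sign(service, localInput string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[service]
	if !ok || localInput != a.localFactor { // stand-in check; a real device matches a template
		return nil, false
	}
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return sig, err == nil
}

// Service stores only public keys, so a breach of its database leaks no secret.
type Service struct{ users map[string]*ecdsa.PublicKey }

// Verify checks a signature over the challenge this service issued.
func (s *Service) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.users[user]
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A second authenticator for the same user (USB token on the desktop) is simply another Register call whose public key the service stores alongside the first.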

The shortcomings of the "user ID and password" combo for logging into web services have been apparent for years. Data leaks from high-profile websites such as Adobe, as well as advances in password cracking capabilities, have added to the long-standing problem of getting users to pick strong passwords.

So why have passwords remained so ubiquitous?

"We're still using passwords because other technologies are not flexible enough," according to Cowper.

The draft FIDO specification is open to review, but the middleware security technology built on it is not open source; it is proprietary to vendors such as Nok Nok Labs, whose chief exec is former PGP Corporation chief exec Phil Dunkelberger.

Nok Nok Labs recently announced a partnership with PC vendor Lenovo to pre-install its client software on PCs. The FIDO Alliance has grown from six to almost 100 members since its launch in February 2013. Recent Alliance members include Salesforce, ARM and Dell. Microsoft, RSA and Nok Nok Labs all have representatives on the FIDO Alliance board.

The authentication technology is positioned as complementary to OAuth, a token-based authentication technology. OAuth tokens are used, for example, to connect Twitter accounts to third-party services without obliging users to hand over passwords.

One authentication vendor privately told El Reg that it was reluctant to sign up to the FIDO Alliance because of its perceived domination by Nok Nok Labs. Exposing its own patent portfolio in signing up to the FIDO Alliance and potentially restricting the ability to compete with Nok Nok in selling authentication server software and other middleware were among the other issues for the vendor, who relayed these concerns on condition of anonymity.

Cowper made a decent stab at rebuffing these concerns.

"The FIDO Alliance has an IP regime so that no one can assert payment around the standard," he told El Reg. "It's necessary and the only way something like this would work.

"There's nothing to stop a member of FIDO writing server software in competition with Nok Nok," he added. ®