
PayPal 'n' Google's FIDO drops 'simpler, stronger' secure login spec

System is 'device-centric'


The FIDO (Fast IDentity Online) Alliance has marked its first anniversary with the publication of specifications for technology it hopes will simplify authentication and reduce password headaches.

FIDO, which is backed by industry heavyweights such as PayPal, Google and Mastercard, is addressing the problems users face with passwords by developing a set of technology standards that seek to make the introduction of two-factor authentication more straightforward.

The goal is simpler, stronger authentication with two or more factors, as a replacement for the traditional username-and-password approach, which the alliance describes as "outdated and unreliable".

For online businesses the technology promises an interoperable backend infrastructure for strong authentication rather than one tied to a particular technology or (at best) a particular vendor.

The alliance was formed to tackle the lack of interoperability among strong authentication technologies, as well as attempting to reduce the problems users face with creating and remembering multiple usernames and passwords.

The basic idea is that users can log into online services using FIDO-compliant products such as fingerprint scanners, voice and facial recognition, as well as USB security tokens, Near Field Communication (NFC), one time passwords (OTP) and many other existing and future technology options instead of logging in using IDs and passwords.

How it will work

The draft specification explains how this can be done while allowing users to log into the same property using multiple methods (eg fingerprint reader on smartphone, USB token on computer) while preserving the same user experience and without requiring vendors to maintain a hopelessly expensive and complicated authentication backend.

FIDO is tackling the authentication (secure login) problem through a two-pronged approach. The U2F (Universal Second Factor) protocol adds a USB dongle or an NFC-enabled phone or tablet as a second factor alongside something the user already knows, such as a PIN or password. A second, related protocol, christened UAF (Universal Authentication Framework), supports a thumbprint, vocal phrase or iris scan as the local biometric check for identity verification.

Thereafter users would just have to swipe their finger on an iPhone 5, for example, to log into PayPal. The basic set-up is explained in a diagram here.

Jamie Cowper, senior director of business development at Nok Nok Labs, explained that the goal of the alliance is to "make it simple and easy to authenticate to online properties".

The publication of the FIDO specification is a milestone on the road to ratifying the technology through a standards body, either the W3C or the IETF. Cowper said precedents for this include the adoption of SSL (originally developed by Netscape) as the accepted technology underpinning web commerce transactions.

The new FIDO specifications emphasise a device-centric model and place an emphasis on usability, privacy and security.

"Users authenticate locally and this unlocks a key exchange which is unique to a service," Cowper explained. "The fingerprint or voice print never leaves the device. We're not building a big database of secrets.

"No one can use the technology to track you around the net," he added.
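The device-centric flow Cowper describes, reduced to working code. This is an added example written for this page, not FIDO Alliance, Nok Nok Labs or Google code, and it simplifies the real U2F message layout: a constructed PIN stands in for the fingerprint template, the app IDs, user name and challenge are made up, and the signed data is H(appID) || H(challenge) rather than the full U2F format. What it shows is the three properties in the quotes above: the secret and the private keys stay on the device, each service gets its own key pair (so two sites cannot correlate the user), and an assertion produced for one app ID does not verify at another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a FIDO-style device: the user-verification secret (a constructed
// PIN hash standing in for a fingerprint template) and all private keys never leave it.
type Authenticator struct {
	uvHash [32]byte
	keys   map[string]*ecdsa.PrivateKey // one key pair per service, keyed by app ID
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{uvHash: sha256.Sum256([]byte(pin)), keys: map[string]*ecdsa.PrivateKey{}}
}

func (a *Authenticator) verifyUser(pin string) bool { return sha256.Sum256([]byte(pin)) == a.uvHash }

// Register verifies the user locally, mints a fresh P-256 key pair bound to appID and
// returns only the public half. Each service gets its own key, so sites cannot correlate.
func (a *Authenticator) Register(appID, pin string) (*ecdsa.PublicKey, error) {
	if !a.verifyUser(pin) {
		return nil, errors.New("local user verification failed")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signedData is what the device signs: H(appID) || H(challenge). Binding the app ID
// into the signature is what stops a phishing site reusing it against the real one.
func signedData(appID string, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	return append(app[:], chal[:]...)
}

// Authenticate is the "swipe your finger" step: verify the user locally, then sign the
// server's challenge with the key that belongs to this appID alone.
func (a *Authenticator) Authenticate(appID, pin string, challenge []byte) ([]byte, error) {
	if !a.verifyUser(pin) {
		return nil, errors.New("local user verification failed")
	}
	priv, ok := a.keys[appID]
	if !ok {
		return nil, errors.New("no key registered for " + appID)
	}
	digest := sha256.Sum256(signedData(appID, challenge))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RelyingParty is the online service. It stores public keys only, never a biometric
// or shared secret, so a breach of its database yields nothing an attacker can replay.
type RelyingParty struct {
	AppID   string
	pubKeys map[string]*ecdsa.PublicKey
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, pubKeys: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge returns 32 fresh random bytes; a new one per login attempt defeats replay.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Verify checks the signature with this user's stored key and this service's own app ID;
// an assertion made for another site, or over an old challenge, does not verify.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	digest := sha256.Sum256(signedData(rp.AppID, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature: wrong key, wrong service or stale challenge")
	}
	return nil
}

func main() {
	dev := NewAuthenticator("1234") // constructed PIN standing in for a fingerprint
	pay, mail := NewRelyingParty("https://pay.example"), NewRelyingParty("https://mail.example")
	pubPay, _ := dev.Register(pay.AppID, "1234")
	pubMail, _ := dev.Register(mail.AppID, "1234")
	pay.Enroll("alice", pubPay); mail.Enroll("alice", pubMail)
	fmt.Println("distinct key per service:", !pubPay.Equal(pubMail))
	c := NewChallenge()
	sig, _ := dev.Authenticate(pay.AppID, "1234", c)
	fmt.Println("login at pay:", pay.Verify("alice", c, sig), "| same assertion at mail:", mail.Verify("alice", c, sig))
}
```

Run it and the first line prints true, the second prints `<nil>` for the legitimate login and a bad-signature error when the same assertion is presented to the other service. The real specifications add a signature counter, attestation of the device model and key handles that let a dongle hold an unbounded number of per-site keys; none of that changes the core shape shown here.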

The shortcomings of the "user ID and password" combo for logging into web services have been apparent for years. Data leaks from high-profile websites such as Adobe, as well as advances in password cracking, have added to the long-standing problem of getting users to pick strong passwords.

So why have passwords remained so ubiquitous?

"We're still using passwords because other technologies are not flexible enough," according to Cowper.

The draft FIDO specification is open to review, but the middleware built on it is not open source: it is proprietary to vendors such as Nok Nok Labs, whose chief exec is ex-PGP Corporation chief exec Phil Dunkelberger.

Nok Nok Labs recently announced a partnership with PC vendor Lenovo to pre-install its client software on PCs. The FIDO Alliance has grown from six to almost 100 members since its launch in February 2013. Recent Alliance members include Salesforce, ARM and Dell. Microsoft, RSA and Nok Nok Labs all have representatives on the FIDO Alliance board.

The authentication technology is positioned as complementary to OAuth, a token-based authorisation protocol. OAuth tokens are used, for example, to connect Twitter accounts to third-party services without obliging users to hand over their passwords.

One authentication vendor privately told El Reg that it was reluctant to sign up to the FIDO Alliance because of its perceived domination by Nok Nok Labs. Exposing its own patent portfolio in signing up to the FIDO Alliance and potentially restricting the ability to compete with Nok Nok in selling authentication server software and other middleware were among the other issues for the vendor, who relayed these concerns on condition of anonymity.

Cowper made a decent stab at rebuffing these concerns.

"The FIDO Alliance has an IP regime so that no one can assert payment around the standard," he told El Reg. "It's necessary and the only way something like this would work.

"There's nothing to stop a member of FIDO writing server software in competition with Nok Nok," he added. ®
