Feeds

PayPal 'n' Google's FIDO drops 'simpler, stronger' secure login spec

System is 'device-centric'

Maximizing your infrastructure through virtualization

The FIDO (Fast IDentity Online) Alliance has marked its first anniversary with the publication of specifications for technology it hopes will simplify authentication and reduce password headaches.

FIDO, which is backed by industry heavyweights such as PayPal, Google and Mastercard, is working hard to address the problems that users face with passwords by developing a set of new technology standards that seeks to make the introduction of two-factor authentication more straightforward.

The goal is simpler, stronger two or more factor authentication as a replacement for the traditional username and password approach which is becoming "outdated and unreliable".

For online businesses the technology promises an interoperable backend infrastructure for strong authentication rather than one tied to a particular technology or (at best) a particular vendor.

The alliance was formed to tackle the lack of interoperability among strong authentication technologies, as well as attempting to reduce the problems users face with creating and remembering multiple usernames and passwords.

The basic idea is that users can log into online services using FIDO-compliant products such as fingerprint scanners, voice and facial recognition, as well as USB security tokens, Near Field Communication (NFC), one time passwords (OTP) and many other existing and future technology options instead of logging in using IDs and passwords.

How it will work

The draft specification explains how this can be done while allowing users to log into the same property using multiple methods (eg fingerprint reader on smartphone, USB token on computer) while preserving the same user experience and without requiring vendors to maintain a hopelessly expensive and complicated authentication backend.

FIDO is tackling the authentication (secure login) problem through a two pronged approach. The U2F standard involves using a PIN in conjunction with a USB dongle or an NFC-enabled phone or tablet. A second related protocol, christened UAF, supports a thumbprint, vocal phrase or iris scan biometric for identity verification.

Thereafter users would just have to swipe their finger on a iPhone 5, for example, to log into PayPal. The basic set-up is explained in a diagram here.

Jamie Cowper, senior director of business development at Nok Nok Labs, explained that the goal of the alliance is to "make it simple and easy to authenticate to online properties".

The publication of the FIDO specification is a marker in the road to publishing the technology through standards bodies, either the W3C or IETF. Cowper said precedents for the development of the technology include the ratification of SSL (originally developed by Netscape) as the accepted technology to underpin web commerce transactions.

The new FIDO specifications emphasise a device-centric model and place an emphasis on usability, privacy and security.

"Users authenticate locally and this unlocks a key exchange which is unique to a service," Cowper explained. "The fingerprint or voice print never leaves device. We're not building big database of secrets.

"No one can use the technology to track you around the net," he added.

The shortcomings of the "user ID and password" combo to log into web services have been apparent for years. Data leaks from high profile websites such as Adobe as well as advances in password cracking capabilities have added to the long-standard problems of getting users to pick strong passwords.

So why have passwords remained so ubiquitous?

"We're till using passwords because other technologies are not flexible enough," according to Cowper.

The draft FIDO specification is open to review but the middleware security technology developed out of it is not open source but proprietary to vendors such as Nok Nok Labs, whose chief exec is ex-PGP Corporation chief exec Phil Dunkelberger.

Nok Nok Labs recently announced a partnership with PC vendor Lenovo to pre-install its client software on PCs. The FIDO Alliance has grown from six to almost 100 members since its launch in February 2013. Recent Alliance members include Salesforce, ARM and Dell. Microsoft, RSA and Nok Nok Labs all have representatives on the FIDO Alliance board.

The authentication technology is positioned as complementary to OAuth, a token-based authentication technology. OAuth tokens are used, for example, to connect Twitter accounts to third-party services without obliging users to hand over passwords.

One authentication vendor privately told El Reg that it was reluctant to sign up to the FIDO Alliance because of its perceived domination by Nok Nok Labs. Exposing its own patent portfolio in signing up to the FIDO Alliance and potentially restricting the ability to compete with Nok Nok in selling authentication server software and other middleware were among the other issues for the vendor, who relayed these concerns on condition of anonymity.

Cowper made a decent stab at rebuffing these concerns.

"The FIDO Alliance has an IP regime so that no one can assert payment around the standard," he told El Reg. "It's necessary and the only way something like this would work.

"There's nothing to stop a member of FIDO writing server software in competition with Nok Nok," he added. ®

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
SHOCK and AWS: The fall of Amazon's deflationary cloud
Just as Jeff Bezos did to books and CDs, Amazon's rivals are now doing to it
VVOL update: Are any vendors NOT leaping into bed with VMware?
It's not yet been released but everyone thinks it's the dog's danglies
BlackBerry: Toss the server, mate... BES is in the CLOUD now
BlackBerry Enterprise Services takes aim at SMEs - but there's a catch
The triumph of VVOL: Everyone's jumping into bed with VMware
'Bandwagon'? Yes, we're on it and so what, say big dogs
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.