PayPal 'n' Google's FIDO drops 'simpler, stronger' secure login spec

System is 'device-centric'

The FIDO (Fast IDentity Online) Alliance has marked its first anniversary with the publication of specifications for technology it hopes will simplify authentication and reduce password headaches.

FIDO, which is backed by industry heavyweights such as PayPal, Google and Mastercard, is working hard to address the problems that users face with passwords by developing a set of new technology standards that seeks to make the introduction of two-factor authentication more straightforward.

The goal is simpler, stronger two-factor (or multi-factor) authentication as a replacement for the traditional username-and-password approach, which is becoming "outdated and unreliable".

For online businesses the technology promises an interoperable backend infrastructure for strong authentication rather than one tied to a particular technology or (at best) a particular vendor.

The alliance was formed to tackle the lack of interoperability among strong authentication technologies, as well as attempting to reduce the problems users face with creating and remembering multiple usernames and passwords.

The basic idea is that users can log into online services using FIDO-compliant products such as fingerprint scanners, voice and facial recognition, as well as USB security tokens, Near Field Communication (NFC), one-time passwords (OTP) and many other existing and future technology options, instead of logging in with IDs and passwords.

How it will work

The draft specification explains how this can be done while allowing users to log into the same property using multiple methods (e.g. a fingerprint reader on a smartphone, a USB token on a computer), preserving the same user experience and without requiring vendors to maintain a hopelessly expensive and complicated authentication backend.

FIDO is tackling the authentication (secure login) problem through a two-pronged approach. The U2F standard involves using a PIN in conjunction with a USB dongle or an NFC-enabled phone or tablet. A second, related protocol, christened UAF, supports a thumbprint, vocal phrase or iris scan biometric for identity verification.

Thereafter users would just have to swipe their finger on an iPhone 5, for example, to log into PayPal. The basic set-up is explained in a diagram here.

Jamie Cowper, senior director of business development at Nok Nok Labs, explained that the goal of the alliance is to "make it simple and easy to authenticate to online properties".

The publication of the FIDO specification is a milestone on the road to publishing the technology through standards bodies, either the W3C or the IETF. Cowper said precedents for the development of the technology include the ratification of SSL (originally developed by Netscape) as the accepted technology underpinning web commerce transactions.

The new FIDO specifications emphasise a device-centric model and place an emphasis on usability, privacy and security.

"Users authenticate locally and this unlocks a key exchange which is unique to a service," Cowper explained. "The fingerprint or voice print never leaves the device. We're not building a big database of secrets.

"No one can use the technology to track you around the net," he added.

The shortcomings of the "user ID and password" combo for logging into web services have been apparent for years. Data leaks from high-profile websites such as Adobe, as well as advances in password cracking capabilities, have added to the long-standing problem of getting users to pick strong passwords.

So why have passwords remained so ubiquitous?

"We're still using passwords because other technologies are not flexible enough," according to Cowper.

The draft FIDO specification is open to review, but the middleware security technology built on it is not open source; it is proprietary to vendors such as Nok Nok Labs, whose chief exec is former PGP Corporation chief exec Phil Dunkelberger.

Nok Nok Labs recently announced a partnership with PC vendor Lenovo to pre-install its client software on PCs. The FIDO Alliance has grown from six to almost 100 members since its launch in February 2013. Recent Alliance members include Salesforce, ARM and Dell. Microsoft, RSA and Nok Nok Labs all have representatives on the FIDO Alliance board.

The authentication technology is positioned as complementary to OAuth, a token-based authentication technology. OAuth tokens are used, for example, to connect Twitter accounts to third-party services without obliging users to hand over passwords.

One authentication vendor privately told El Reg that it was reluctant to sign up to the FIDO Alliance because of its perceived domination by Nok Nok Labs. Exposing its own patent portfolio in signing up to the FIDO Alliance and potentially restricting the ability to compete with Nok Nok in selling authentication server software and other middleware were among the other issues for the vendor, who relayed these concerns on condition of anonymity.

Cowper made a decent stab at rebuffing these concerns.

"The FIDO Alliance has an IP regime so that no one can assert payment around the standard," he told El Reg. "It's necessary and the only way something like this would work.

"There's nothing to stop a member of FIDO writing server software in competition with Nok Nok," he added. ®
