PayPal 'n' Google's FIDO drops 'simpler, stronger' secure login spec
System is 'device-centric'
The FIDO (Fast IDentity Online) Alliance has marked its first anniversary with the publication of specifications for technology it hopes will simplify authentication and reduce password headaches.
FIDO, which is backed by industry heavyweights such as PayPal, Google and Mastercard, is working hard to address the problems that users face with passwords by developing a set of new technology standards that seeks to make the introduction of two-factor authentication more straightforward.
The goal is simpler, stronger two-or-more-factor authentication as a replacement for the traditional username-and-password approach, which is becoming "outdated and unreliable".
For online businesses the technology promises an interoperable backend infrastructure for strong authentication rather than one tied to a particular technology or (at best) a particular vendor.
The alliance was formed to tackle the lack of interoperability among strong authentication technologies, as well as attempting to reduce the problems users face with creating and remembering multiple usernames and passwords.
The basic idea is that users can log into online services using FIDO-compliant products such as fingerprint scanners, voice and facial recognition, as well as USB security tokens, Near Field Communication (NFC), one time passwords (OTP) and many other existing and future technology options instead of logging in using IDs and passwords.
How it will work
The draft specification explains how this can be done while allowing users to log into the same property using multiple methods (eg fingerprint reader on smartphone, USB token on computer) while preserving the same user experience and without requiring vendors to maintain a hopelessly expensive and complicated authentication backend.
FIDO is tackling the authentication (secure login) problem through a two-pronged approach. The U2F (Universal Second Factor) protocol adds a hardware second factor, such as a USB dongle or an NFC-enabled phone or tablet, to an existing password (or PIN) login. A second, related protocol, christened UAF (Universal Authentication Framework), supports passwordless login in which a thumbprint, spoken phrase or iris scan is used for identity verification.
Thereafter users would just have to swipe their finger on a smartphone with a fingerprint reader, for example, to log into PayPal. The basic set-up is explained in a diagram here.
Jamie Cowper, senior director of business development at Nok Nok Labs, explained that the goal of the alliance is to "make it simple and easy to authenticate to online properties".
The publication of the FIDO specification is a marker in the road to publishing the technology through standards bodies, either the W3C or IETF. Cowper said precedents for the development of the technology include the ratification of SSL (originally developed by Netscape) as the accepted technology to underpin web commerce transactions.
The new FIDO specifications emphasise a device-centric model and place an emphasis on usability, privacy and security.
"Users authenticate locally and this unlocks a key exchange which is unique to a service," Cowper explained. "The fingerprint or voice print never leaves the device. We're not building a big database of secrets.
"No one can use the technology to track you around the net," he added.
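The device-centric model Cowper describes, and the U2F/UAF split above, come down to a small set of properties: the user verifies locally, a per-service key pair is unlocked, the server holds only public keys, and each response is a signature over a fresh challenge bound to the site's origin. The following Go program is an added illustration of those properties and is not FIDO Alliance or Nok Nok Labs code; it simplifies the real protocols' message formats. The origins, the user name, the "fingerprint-template" string standing in for a biometric, and the choice of SHA-256 over origin plus challenge as the signed data are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for a FIDO device (phone, USB token). localSecret is a
// constructed placeholder for a fingerprint template: it is only ever compared
// on the device and never sent anywhere. Each relying-party origin gets its own
// key pair, so two services cannot correlate the same user.
type Authenticator struct {
	localSecret string
	keys        map[string]*ecdsa.PrivateKey // origin -> private key
}

func NewAuthenticator(secret string) *Authenticator {
	return &Authenticator{localSecret: secret, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh P-256 key pair for origin and returns only the public
// half; the private key stays inside the authenticator.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Sign performs local user verification, then signs the server's challenge
// bound to the origin the client is actually talking to. A challenge relayed
// by a look-alike site fails because no key exists for that origin.
func (a *Authenticator) Sign(origin, presented string, challenge []byte) ([]byte, error) {
	if presented != a.localSecret {
		return nil, errors.New("local user verification failed")
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for origin %q", origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// signedData is the message both sides agree on: SHA-256 over the origin and
// the challenge, with a separator so the two fields cannot be confused.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is the server side. It stores public keys only, so a breach of
// its database yields nothing that can be replayed or cracked offline.
type RelyingParty struct {
	Origin string
	users  map[string]*ecdsa.PublicKey
	issued map[string]bool // outstanding challenges, consumed on first use
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, users: map[string]*ecdsa.PublicKey{}, issued: map[string]bool{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// NewChallenge returns 32 random bytes and remembers them so that each
// challenge can be answered at most once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.issued[string(c)] = true
	return c, nil
}

// Verify checks the signature against the enrolled public key and retires the
// challenge, so a captured response cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok || !rp.issued[string(challenge)] {
		return false
	}
	delete(rp.issued, string(challenge))
	return ecdsa.VerifyASN1(pub, signedData(rp.Origin, challenge), sig)
}

func main() {
	device := NewAuthenticator("fingerprint-template") // constructed stand-in for a biometric
	pay := NewRelyingParty("https://pay.example")
	mail := NewRelyingParty("https://mail.example")
	pk, _ := device.Register(pay.Origin)
	pay.Enroll("alice", pk)
	pk2, _ := device.Register(mail.Origin)
	mail.Enroll("alice", pk2)
	fmt.Println("same public key at both sites?", pk.Equal(pk2))
	ch, _ := pay.NewChallenge()
	sig, err := device.Sign(pay.Origin, "fingerprint-template", ch)
	fmt.Println("sign error:", err, "verified:", pay.Verify("alice", ch, sig))
	fmt.Println("replay accepted?", pay.Verify("alice", ch, sig))
}
```

Three checks in the flow carry the security argument: a wrong local secret never reaches the signing step, a challenge relayed through an origin the device has no key for is refused outright, and a response replayed or presented to a different site fails verification because the challenge is single-use and the signed data includes the origin.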
The shortcomings of the "user ID and password" combo for logging into web services have been apparent for years. Data leaks from high-profile websites such as Adobe, as well as advances in password-cracking capability, have added to the long-standing problem of getting users to pick strong passwords.
So why have passwords remained so ubiquitous?
"We're still using passwords because other technologies are not flexible enough," according to Cowper.
The draft FIDO specification is open to review, but the middleware security technology developed from it is not open source; it is proprietary to vendors such as Nok Nok Labs, whose chief exec is ex-PGP Corporation chief exec Phil Dunkelberger.
Nok Nok Labs recently announced a partnership with PC vendor Lenovo to pre-install its client software on PCs. The FIDO Alliance has grown from six to almost 100 members since its launch in February 2013. Recent Alliance members include Salesforce, ARM and Dell. Microsoft, RSA and Nok Nok Labs all have representatives on the FIDO Alliance board.
The authentication technology is positioned as complementary to OAuth, a token-based authorisation protocol. OAuth tokens are used, for example, to connect Twitter accounts to third-party services without obliging users to hand over passwords.
One authentication vendor privately told El Reg that it was reluctant to sign up to the FIDO Alliance because of its perceived domination by Nok Nok Labs. Its other concerns, relayed on condition of anonymity, were that joining would expose its own patent portfolio and could restrict its ability to compete with Nok Nok in selling authentication server software and other middleware.
Cowper made a decent stab at rebuffing these concerns.
"The FIDO Alliance has an IP regime so that no one can assert payment around the standard," he told El Reg. "It's necessary and the only way something like this would work.
"There's nothing to stop a member of FIDO writing server software in competition with Nok Nok," he added. ®