FIDO Alliance to promote common authentication protocol to eliminate passwords

13 February 2013

The Fast Identity Online Alliance (FIDO) is a new industry group consisting of PayPal, Lenovo, Nok Nok Labs and Infineon among others, which has been launched to encourage the adoption of an open-protocol security and identification tool that is tied to the mobile or other device being used to access the internet, eliminating the reliance on passwords and logins.

The Alliance’s protocol-based model will automatically detect when a FIDO-enabled device is present, meaning that end users from the banking, corporate, public sector or consumer arenas could be given the option to replace passwords with authentication methods embedded in the hardware.

The Online Security Transaction Protocol (OSTP) can be deployed in biometric tools such as fingerprint scanners, voice and facial recognition technology, or more traditional security aids such as one-time password (OTP) tokens or trusted platform modules. Any security vendor, bank or payment processor that installs the protocol on their servers must also convince users to then download the new authentication software on their Internet-enabled smartphones, PCs, tablets and other devices.

How it Works
The OSTP protocol and its client/server components work by gathering information about the end user's device, such as whether it has a Trusted Platform Module chip, a webcam, a fingerprint reader or other biometrics, or two-factor authentication, and combining that through a cryptographic process to create a shared secret between the back-end server and the device. This OSTP-based multi-factor authentication process would be invoked selectively, at the user's choice, for security-sensitive transactions, for instance to assure the identity of the user beyond a simple login and password and so prevent fraud.
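The description above gives only the shape of the scheme: a device-bound shared secret established with the server, later used to confirm individual transactions. The following is an added illustrative model written for this article, not OSTP itself (whose specification had not been published) and not code from FIDO or any of its members. It assumes a plain finite-field Diffie-Hellman exchange (RFC 3526 group 14) for the key agreement, HKDF to bind the device's self-reported capabilities into the derived key, and an HMAC challenge/response for transaction confirmation; the capability set, transaction fields and the `ostp-model-v1` label are constructed for the example. It runs on the Python standard library alone.

```python
"""Model of a device-bound shared secret and per-transaction confirmation.
Illustrative only: this is not the OSTP/FIDO protocol, just the pattern the
article describes (capability-bound key agreement, then challenge/response)."""
import hashlib
import hmac
import json
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime and generator. A real deployment would
# use an elliptic-curve group; this keeps the example dependency-free.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK from the raw DH output, then
    expand it into a key bound to the context carried in `info`."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def dh_keypair():
    """Ephemeral finite-field DH key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def canonical(obj: dict) -> bytes:
    """Canonical JSON so device and server MAC byte-identical encodings."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def derive_shared_key(my_priv: int, their_pub: int, caps: dict, registration_id: bytes) -> bytes:
    """Both sides run this with their own exponent and the peer's public value.
    The device's capability descriptor (TPM, fingerprint reader, ...) goes into
    the HKDF info, so a device that later claims different capabilities derives
    a different key and its responses stop verifying."""
    if not 2 <= their_pub <= P - 2:
        raise ValueError("peer public value out of range")  # rejects 0, 1 and P-1
    z = pow(their_pub, my_priv, P).to_bytes((P.bit_length() + 7) // 8, "big")
    return hkdf(z, salt=registration_id, info=b"ostp-model-v1|" + canonical(caps))


def device_confirm_transaction(key: bytes, challenge: bytes, tx: dict) -> bytes:
    """Device side: after local user verification (e.g. fingerprint), MAC the
    server's fresh challenge together with the transaction the user saw."""
    return hmac.new(key, challenge + canonical(tx), hashlib.sha256).digest()


def server_verify_transaction(key: bytes, challenge: bytes, tx: dict, response: bytes) -> bool:
    """Server side: recompute over the transaction it intends to execute and
    compare in constant time. A mismatch means a different device key or
    transaction details that changed after the user approved them."""
    expected = hmac.new(key, challenge + canonical(tx), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def run_registration_and_payment(caps=None, tamper=False):
    """End-to-end run: registration (key agreement) then one confirmed payment.
    Returns (keys_match, transaction_accepted)."""
    caps = caps or {"tpm": True, "fingerprint": True, "webcam": False}  # constructed
    registration_id = secrets.token_bytes(16)  # chosen by the server at enrolment
    dev_priv, dev_pub = dh_keypair()
    srv_priv, srv_pub = dh_keypair()
    dev_key = derive_shared_key(dev_priv, srv_pub, caps, registration_id)
    srv_key = derive_shared_key(srv_priv, dev_pub, caps, registration_id)

    tx = {"payee": "example-merchant", "amount": "42.00", "currency": "GBP"}  # constructed
    challenge = secrets.token_bytes(32)  # fresh per transaction, so a response cannot be replayed
    response = device_confirm_transaction(dev_key, challenge, tx)
    if tamper:  # transaction altered in transit after the user approved it
        tx = dict(tx, payee="someone-else")
    return dev_key == srv_key, server_verify_transaction(srv_key, challenge, tx, response)


if __name__ == "__main__":
    print("honest run:", run_registration_and_payment())        # (True, True)
    print("tampered run:", run_registration_and_payment(tamper=True))  # (True, False)
```

The two points the model makes are the ones the article's description hinges on: the secret only exists on the enrolled device and the server (nothing a user types can be phished), and each confirmation covers the exact transaction plus a one-time challenge, so an altered or replayed payment fails verification rather than a password check.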

One of the driving forces behind FIDO, as the Alliance’s president, is PayPal's chief information security officer (CISO), Michael Barrett. Although it is not yet clear whether PayPal intends to adopt the fast-identity authentication system itself, his involvement suggests that it is likely.

“The Internet, especially with recent rapid mobile and cloud expansion, exposes users and enterprises, more than ever before, to fraud,” said Barrett. “It’s critical to know who you’re dealing with on the Internet.

“The FIDO Alliance is a private sector and industry-driven collaboration to combat the very real challenge of confirming every user’s identity online,” he added. “By giving users choice in the way they authenticate and taking an open-based approach to standards, we can make universal online authentication a reality. We want every company, vendor, and organisation that needs to verify user identity to join us in making online authentication easier and safer for users everywhere.”

The full specification is not likely to be available until H2 2013, but the FIDO Alliance is inviting other companies to join the drive to create a global standard. Agnitio and Validity Sensors are the other launch partners. Whether enough others join in and, crucially, whether the Alliance can get the necessary client software onto end users' computers and mobile devices as well as the server-side support in place across the entire web, enabling the widespread adoption of OSTP, is open to debate.

Getting such a multi-factor authentication tool adopted at both ends will not be easy, particularly as banks and payment processors are notoriously reluctant to open up their systems, which makes e-commerce and online transaction providers a much more feasible initial user base.

Ground Breaking
If the scheme succeeds it would be ground-breaking and, in a call after the launch with ‘Bobsguide’, Phil Dunkelberger, chief executive officer (CEO) of founder member Nok Nok Labs, added that he did not foresee any problems linking with closed national authentication infrastructures, such as the National Payments Corporation of India (NPCI), which he saw as “complementary”, adding that “the Alliance has actually been contacted by a number of such national boards” that were keen to find out more.

“The formation of the FIDO Alliance addresses a long-time, critical need for technology providers and their users: [namely] stronger security that is easier to use,” concluded Dunkelberger.

Certainly, the scheme appears to have a number of influential backers who talked to the working group during the formation of the protocol, and indeed of the FIDO Alliance itself. John Stewart, CISO at Cisco, for instance, supported Dunkelberger with his testimonial that: “Authentication and brokered identity is a problem that has gone unsolved too long. We can no longer wait”.

According to Jeremy Grant, who is leading the US National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, and is a senior advisor on identity management at the National Institute for Standards and Technology (NIST), at the core of the NSTIC drive is a call for the private sector to take the lead in developing open technology standards that will enable a more trusted and secure identity ecosystem: “The new FIDO Alliance has pledged to do just that.

“I am excited to see what the FIDO Alliance's members can do to deliver the kind of usable, cost-effective, privacy-enhancing, interoperable strong authentication envisioned in NSTIC.”
