I Am Not a Dog: FIDO – A New Standard for User Authentication

Here’s a dull-sounding question: Imagine a world without SSL (secure sockets layer) or its successor TLS (transport layer security)? A security tech-head may find the whole thing quite interesting, but for the average IT user, despite relying on SSL day-in, day-out, it will not arouse much excitement. SSL just gets on and does the background task of ensuring we can all securely access websites and applications over the public internet and keep the data we exchange with them private. Without SSL (or something similar) there would probably be no internet banking, no e-commerce; in short, no internet revolution. 

That said, there are limits to the level of security offered. We trust resources accessed via secure protocols because things look right. The way URLs are displayed changes, padlocks appear, constant reassurance is offered that all is well and sensitive information will be safe. We can still be duped by spoof sites, but these will not be giving the same security assurances because of the due diligence of the authorities that issue SSL certificates. So, users feel confident to transact. But, what about the other way around? How can providers of online services be confident that we are the users we say we are?

The truth is, often they cannot, beyond checking basic login credentials, usually just a username and password, which most agree is not a safe enough way of authenticating users. However, there is a growing range of other options we can choose from to identify ourselves. Mobile phones can be used to issue one-time passwords and hardware tokens can be issued by service providers. The use of biometrics is becoming easier and it is not just fingerprints (for which the availability of built-in readers is limited). Any biological or behavioral characteristic can potentially be used for identification; for example, voice pattern recognition (most devices can already hear you), face recognition (most devices now have cameras), or even recognizing the way you type on a keyboard.

Providing a standard way of using all these various methods of authentication, and so giving online service providers higher levels of reassurance, has been a long-time goal. The latest attempt to do so is a prototype industry standard dubbed FIDO (fast ID online).

Here is how it works: you request a service and, as a session is established, the service seeks to authenticate you using a local credential. If you have a (free) FIDO client installed it will ask for a means of authenticating you to the device you are using. This establishes a ‘key pair’ and unlocks a local private key to authenticate against a public key hosted on a server at the online service provider (i.e., it is all based on Public Key Infrastructure/PKI). Each time you use a new device you go through the process again. The key pair is a means of authentication to the service in question for the user on their current device. If FIDO is not installed, weaker means of authentication can be fallen back on, or it can be insisted that the FIDO client is installed. In other words, if the backers of FIDO succeed, over time service providers may see that it becomes the dominant standard for secure authentication, just like SSL has for sharing data over the internet.
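The flow described above, sketched as an added example that is not FIDO Alliance code or the UAF wire protocol: local verification unlocks a per-service, per-device private key, and the service checks a signed one-time challenge against the public key it stored. The class names, the Ed25519 key type, `bank.example`, and the voice-sample strings are assumptions chosen for illustration.

```javascript
// Added illustration: a simplified model of the flow above, not the FIDO UAF wire format.
const crypto = require('crypto');
class Service {                        // online service: stores public keys only
  constructor(name) { this.name = name; this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, device, pem) { this.publicKeys.set(`${user}@${device}`, pem); }
  challenge(user, device) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(`${user}@${device}`, nonce);
    return nonce;
  }
  verify(user, device, signature) {
    const id = `${user}@${device}`;
    const nonce = this.pending.get(id), pem = this.publicKeys.get(id);
    this.pending.delete(id);           // each challenge is single use, so a replay fails
    return Boolean(nonce && pem && signature) && crypto.verify(null, nonce, pem, signature);
  }
}
class Device {                         // client side: private keys never leave the device
  constructor(name, localCheck) { this.name = name; this.localCheck = localCheck; this.keys = new Map(); }
  enroll(user, service) {              // one key pair per service, user and device
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.keys.set(`${service.name}/${user}`, privateKey);
    service.register(user, this.name, publicKey.export({ type: 'spki', format: 'pem' }));
  }
  respond(user, service, nonce, sample) {
    const key = this.keys.get(`${service.name}/${user}`);
    if (!key || !this.localCheck(sample)) return null;   // key stays locked
    return crypto.sign(null, nonce, key);
  }
}
function login(service, device, user, sample) {
  const nonce = service.challenge(user, device.name);
  return service.verify(user, device.name, device.respond(user, service, nonce, sample));
}

function demo() {
  const check = (sample) => sample === 'constructed-voice-sample';  // stand-in for a biometric match
  const bank = new Service('bank.example');
  const [phone, laptop] = ['phone', 'laptop'].map((n) => new Device(n, check));
  phone.enroll('alice', bank);
  const nonce = bank.challenge('alice', 'phone');
  const sig = phone.respond('alice', bank, nonce, 'constructed-voice-sample');
  const first = bank.verify('alice', 'phone', sig);
  const replay = bank.verify('alice', 'phone', sig);      // same response sent a second time
  const wrongSample = login(bank, phone, 'alice', 'another-voice');
  const newDevice = login(bank, laptop, 'alice', 'constructed-voice-sample');
  laptop.enroll('alice', bank);                           // new device: go through the process again
  return { first, replay, wrongSample, newDevice,
    afterEnroll: login(bank, laptop, 'alice', 'constructed-voice-sample') };
}
```

The biometric sample is only ever compared on the device; the service sees nothing but a public key and signatures over its own random challenges.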

To those in the know, this may sound familiar; this is not the first such attempt. For example, Entrust’s Identity Guard Platform, which can map 17 means of authentication to supporting services, and Symantec’s Validation and ID Protection (VIP) Service (based on its 2010 Verisign acquisition) are both based on a reference architecture known as OATH (Open AuTHentication). OATH, which was primarily aimed at handling one-time passwords, uses several protocols depending on the means of authentication. FIDO is based on a different reference architecture known as UAF (universal authentication framework); all you need is the FIDO client, regardless of the means of authentication. The biggest step change that FIDO introduces is the simplicity and ease of use on the device; it is transparent to the users, and all they need to know is how to create the credential (i.e., speak to the microphone, smile at the camera, etc.).

For a protocol to succeed it needs backers, and the FIDO Alliance already boasts 100 paying members. 17 of them are top level board members paying $50K/annum. They include online service providers such as Microsoft and Google, payment providers including Discover, MasterCard and PayPal, device manufacturers such as Lenovo and BlackBerry and security companies such as EMC/RSA (which amongst other things, supplies hardware tokens). Non-board level ‘sponsors’ include a spectrum of vendors involved in identity and access management. Others Quocirca has spoken to that are watching with interest and may well join include Symantec and ForgeRock. Further support has just emerged with the announcement of an agreement between FIDO and the Cloud Security Alliance (CSA).

Service providers are interested for all the reasons outlined already; they want to be sure of who their users are and for their users to feel confident to make easy and secure use of services. Security companies want to be there if FIDO takes off; likewise, device manufacturers may be able to get a short-term competitive advantage if they are FIDO enabled (aka iPhone 5's Touch ID).

Another board member not previously mentioned is Nok Nok Labs. It has been the driving force behind FIDO. While FIDO aims to become a free-to-use, open standard (currently you have to be a FIDO member to get commercial implementation rights), Nok Nok hopes to be rewarded for its effort by providing off-the-shelf software for linking online services with users and establishing key pairs, simplifying the use of FIDO for providers of internet servers who would otherwise have to build their own servers. Nok Nok also hopes to work with partners who could provide on-demand FIDO servers based on its technology.

Way back in 1993, when the web was still a wild frontier, a New Yorker magazine cartoon famously quipped, ‘on the internet no one knows if you are a dog’. If Nok Nok and its friends have their way, those days will seem even more distant as FIDO will be on guard making sure we all are who we say we are.
