Are the FIDO Alliance Authentication Specifications the Beginning of the End for Passwords?
The FIDO (Fast Identity Online) Alliance released their first documents for stronger authentication at the end of 2014 with version 1.0 of their Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) specifications. The group of more than 150 member organizations hopes to usher in the post-password era through biometrics, hardware and other forms of authentication, and is continuing to expand on their specifications to incorporate NFC and Bluetooth capabilities.
The FIDO Alliance formed in 2012 and has continued to grow as major financial institutions, payment, hardware, and technology organizations have joined. Board-level members include Alibaba Group, Bank of America, Google, Microsoft, Visa, MasterCard and others. The Alliance’s first formal, published specifications outline a new standard for authentication built around “FIDO-enabled authenticators” that any organization, website or application can interface with. The intent is for the specifications to be an open standard rather than patent-restricted authentication processes or protocols; to that end, board-level members Google and Nok Nok Labs each donated intellectual property. FIDO members can freely implement and market solutions around FIDO-enabled authenticators, while non-members can freely deploy these solutions as well.
It’s no surprise that many people dislike passwords. Consumers don’t like them because they have to manage so many, and as a result consumers make passwords easy to remember and/or reuse them. The biggest issue with designing effective authentication is having a system that is both convenient and secure. When a password is convenient (easy to remember, reused) it is not secure, but when a password is more secure (a random sequence of at least 16 letters, numbers, and special characters) it is inconvenient, which is why the majority of consumers don’t use strong passwords.
But even when a consumer uses a strong password there are inherent security risks. Consumers remain at risk of falling victim to phishing attacks and data breaches, and many organizations are looking to move away from a heavy reliance on static passwords. This includes FIDO board members such as MasterCard and Visa, which plan to replace static passwords with one-time passwords and biometrics in the next evolution of their 3D Secure consumer authentication programs, as well as many others that are adding two-factor authentication and other measures to improve authentication. The FIDO Alliance was formed to supplant this reliance on passwords by developing an open, scalable and interoperable set of mechanisms, which have now been formally defined in the recent specifications.
The specifications cover both multi-factor authentication and passwordless authentication, and they support many different methods for performing authentication. The Universal Authentication Framework (UAF) protocol is FIDO’s passwordless user experience. Users must first register their device, completing an authentication at that time. When the consumer returns from the same device, the same authentication is used in place of a static password. Organizations can choose which supported authentication method to use, such as fingerprint scanning, facial scans or voice recognition, as well as other biometric and non-biometric means.
U2F refers to the Universal Second Factor protocol and augments password-based user authentication by having the user present a strong second authentication factor. This second authentication takes place after the consumer logs in with their username and password and relies on hardware, such as a USB dongle, to complete the authentication. The idea is that because all log-ins will require two-factor authentication, organizations can allow consumers to use a PIN or simplified password without compromising security.
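As an added illustration (not code from the FIDO specifications or from any FIDO member), the following Go sketch shows the register-then-challenge-response pattern both UAF and U2F build on: the device mints a key pair per site at registration, the site keeps only the public key, and each later login is a signature over a fresh server challenge, the site's app ID and a device counter. The type names, the hash layout and the counter check are assumptions made for this example, not the specifications' wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator is the device side; RelyingParty is the website. Private keys never leave the device.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // app ID -> private key minted at registration
	counter uint32                        // signature counter, only ever increases
}
type RelyingParty struct {
	AppID   string
	pub     *ecdsa.PublicKey // the only thing the site stores about the device
	lastCtr uint32           // highest counter seen so far
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
// NewChallenge returns 32 random bytes; the site issues a fresh one for every login attempt.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }
// signedData = SHA-256(app ID || 32-byte challenge || 4-byte counter): one site, one attempt.
func signedData(appID string, challenge []byte, ctr uint32) []byte {
	msg := append([]byte(appID), challenge...)
	sum := sha256.Sum256(append(msg, byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr)))
	return sum[:]
}
// Register mints a key pair for this site and hands the site only the public half.
func (a *Authenticator) Register(rp *RelyingParty) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err == nil { a.keys[rp.AppID], rp.pub = priv, &priv.PublicKey }
	return err
}
// Sign answers a challenge with the key held for the app ID the browser reports; unregistered app ID -> ok is false.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, bool) {
	if priv := a.keys[appID]; priv != nil {
		a.counter++
		sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge, a.counter))
		return a.counter, sig, err == nil
	}
	return 0, nil, false
}
// Verify uses the site's OWN app ID and stored key, and rejects a counter that did not advance (replay or cloned device).
func (rp *RelyingParty) Verify(challenge []byte, ctr uint32, sig []byte) bool {
	ok := rp.pub != nil && ctr > rp.lastCtr && ecdsa.VerifyASN1(rp.pub, signedData(rp.AppID, challenge, ctr), sig)
	if ok { rp.lastCtr = ctr }
	return ok
}
```

Because the app ID is part of what the device signs and the site verifies with its own ID, an assertion produced for one site is useless at another, and because the counter must advance, a captured assertion cannot be replayed.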
The FIDO Alliance is already preparing an extension of the core 1.0 specifications to expand the range of options and capabilities for FIDO-enabled authenticators. This includes incorporating Near Field Communication (NFC) and Bluetooth technology. For example, rather than requiring a USB dongle as the U2F device, a consumer could present the second factor via Bluetooth, or if a consumer previously registered a smartphone but is now accessing a service from a different device, they could confirm possession of the registered device via NFC.
For more information: