New FIDO Alliance pushing 'fast-identity' strong authentication protocol

Client/server Online Security Transaction Protocol intended for flexible multi-factor authentication

FIDO Alliance

A new industry group called the Fast IDentity Online Alliance, or FIDO Alliance for short, makes its debut Tuesday to promote adoption in e-commerce and websites an innovative authentication protocol that's intended to bring a higher level of security for online users.

The Online Security Transaction Protocol (OSTP), and its client/server components, work by gleaning information gained about the user's device, such as whether it has the Trusted Platform Module chip, or a webcam, or a fingerprint device or other biometrics, or two-factor authentication, and combine that though a cryptographic process to create a shared secret between the back-end server and the device. This OSTP-based type of multi-factor authentication process would be selectively invoked voluntarily by the user for security purposes in transactions, for instance, to assure the identity of the user, beyond simple login and password, to prevent fraud.

[ IN DEPTH: Hybrid clouds pose new security strategies 

RELATED: Startup Nok Nok Labs pitches strong new authentication process ]

One of the driving forces behind the FIDO Alliance is PayPal's chief information security officer, Michael Barrett, and that raises the question of whether PayPal plans to adopt the fast-identity authentication system.

Though Barrett didn't respond to this directly, another of the group's founders, Ramesh Kesanupalli, FIDO Alliance vice president, says "We expect that." Barrett is president of the FIDO Alliance.

However, the alliance doesn't expect to be able to publish its specification until the second half of the year. And the group's aspirations are certain to face some skeptics who will question whether it can succeed in getting the necessary client software both onto the user's computer or mobile device and get the server-side support in place across the Web for widespread use of OSTP. The type of flexible mass-market multi-factor authentication envisioned using multi-factor OSTP for sensitive transactions has never been done before, and any success it has would be ground-breaking.

Kesanupalli is also chief alliance officer at the startup Nok Nok Labs, which also officially launched today to implement OSTP in software. Palo Alto, Calif.-based Nok Nok Labs, backed by a $15 million investment, will have software available later this year that's expected to be the first implementation of the protocol. Barrett is also a founder of Nok Nok Labs.

Besides PayPal and Nok Nok Labs, the four other founding members of FIDO Alliance are Lenovo, Validity Sensors, Agnitio and Infineon. Clain Anderson, director of software at Lenovo, says the hope is that the FIDO protocol could eventually be added as an inexpensive piece of code to all manner of computers and smartphones. "We need something that can work across everything," he says.

The FIDO Alliance indicated that to influence the OSTP protocol, a company has to join the organization. But the group, set up as a 501(c) nonprofit organization, intends to make the specification it completes public in the future.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies