This column is available in a weekly newsletter called IT Best Practices.
For many security professionals, passwords are the scourge of the authentication world, and their death can't come soon enough. Passwords are too often stolen, shared, forgotten or simply too weak or obvious to be effective. According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involve the use of weak, default or stolen passwords.
End users hate passwords too, because they create a bad user experience (UX). We are advised (or forced) to use complex combinations of numbers, characters and symbols that are practically impossible to remember, and we are supposed to have a different password for every system and application we use. Years ago I resorted to a password manager to keep track of my 300+ sets of credentials.
Nearly every form of online or mobile business transaction depends on absolute trustworthy authentication of the end user who is logging in. Banking, stock trades, electronic payments, e-commerce, enterprise apps, and on and on. Companies that own and operate such applications want a much stronger form of authentication than simple credentials like a username and password.
Some companies, especially financial institutions, have developed their own authentication processes to go beyond the password. They have worked independently and in silos, which means that end users – customers – have a different experience as they go from one company's application to the next company's.
The FIDO (Fast IDentity Online) Alliance formed in 2012 to address this lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. Today the alliance has more than 150 members representing a variety of aspects of the authentication process, including software companies, Internet services, component and device vendors, security specialists and financial institutions.
A key achievement of the alliance is the 2014 release of two sets of specifications that define open, scalable, interoperable sets of mechanisms that supplant reliance on passwords to securely authenticate users of online services.
The first specification is for a passwordless UX based on the Universal Authentication Framework (UAF) protocol. In this experience, the user registers their device to the online service by selecting a local authentication mechanism such as swiping a finger (i.e., a biometric), looking at the camera (i.e., a selfie), speaking into the microphone, entering a PIN, etc. The UAF protocol allows the service to select which mechanisms are presented to the user.
Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. UAF also allows experiences that combine multiple authentication mechanisms such as fingerprint + PIN.
The second FIDO specification is for a second-factor UX supported by the Universal Second Factor (U2F) protocol. This experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login. The user logs in with a username and password as before. The service can also prompt the user to present a second-factor device at any time it chooses. The strong second factor allows the service to simplify its passwords (e.g. a 4-digit PIN) without compromising security.
During registration and authentication, the user presents the second factor by simply pressing a button on a USB device or tapping over NFC. The user can use their FIDO U2F device across all online services that support the protocol, leveraging the built-in support in web browsers.
Any device manufacturer, software developer or online service provider can build support for FIDO protocols into their existing products and services to make online authentication simpler and stronger for their users. Through this global standardization, the FIDO ecosystem can grow and scale by means of the “net effect,” where any new implementation of the standards will be able to immediately interoperate with any other implementation without the need for any pre-established arrangement between device developer and service provider.
Here's how it works. The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service – for example, with a bank or an e-commerce company – the user’s client device creates a new key pair. The device retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as reading a biometric, entering a PIN, speaking into a microphone, inserting a second factor device or pressing a button.
The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
One of FIDO’s main design principles is to achieve a satisfactory user experience, which means the authentication must be easy to use while providing strong security. One of the ways to achieve ease of use is to use the same authentication factor – for example, a biometric sensor – seamlessly across multiple services, once initial registration with each service is complete.
So far there has been strong adoption of the FIDO protocols in the financial services industry, especially for applications such as mobile payments and online banking. Enterprise organizations also can benefit from deploying FIDO authentication for their online applications, primarily by eliminating the need for expensive hardware tokens and the support costs of end users forgetting and resetting their passwords.
For more information about the FIDO Alliance and its authentication protocols, visit https://fidoalliance.org/.