FIDO two-factor authentication goes wireless

FIDO Alliance spells out how Bluetooth, Bluetooth-Lite and near-field communications can support more secure authentication

Expect vendors soon to introduce devices with three forms of wireless support to Fast Identity Online (FIDO) two-factor authentication.

The FIDO Alliance today is issuing a new specification for FIDO to support Bluetooth, low-energy Bluetooth (BLE) and near field communications (NFC) wireless technologies in two-factor authentication tokens, according to FIDO Alliance executive director Brett McDowell.

That means the alliance recommends that device manufacturers use the spec to start producing and selling these wireless devices.

Existing FIDO specs already defined how to make authentication tokens that can be plugged into USB ports. With the new specification these authentication devices would just have to be near a phone, tablet, laptop or desktop that also supports the same wireless technology and is trying to connect with a server that supports FIDO authentication. So devices without USB ports could still authenticate via FIDO.

The new specification defines how to support what FIDO calls universal second factor (U2F) authentication wirelessly. After users authenticate to FIDO-compliant servers using username and password they are prompted for use of a second factor to authenticate. The second factor until now was a U2F dongle inserted in the USB port of the connecting client machine.

And the specification leaves room for U2F wireless support to be built in to devices that have more than one function, says Alexei Czeskis, a Google software engineer who serves on the FIDO U2F Technology Working Group (TWG). For example, U2F support could be built into “a headset or keyboard or something else a user uses every day for other tasks but that are capable of strong cryptography for two-factor authentication,” he says.

A cell phone that is Bluetooth capable, for example, could be used to support U2F and serve as a second authentication factor for a laptop, says McDowell. The specification creates “a matrix of interoperability” that could lead to a range of U2F authentication tokens, he says.

Yubico, a FIDO Alliance member, makes a product called YubiKey Neo that already supports pre-standard U2F specs for NFC. Here’s what John Fontana, an author at Yubic, wrote about it in the Yubico blog in March:

“Today, our NFC-enabled YubiKey NEO works with Android devices, and eventually Apple products when the company opens its NFC implementation to developers. (See some ideas on using NEO without a USB port).

“Both the Bluetooth and NFC authenticators perform in a similar way as today’s USB-based YubiKeys, but do it without plugging anything into a port. The NFC YubiKey is simply tapped to an NFC-enabled device. A Bluetooth version will hang on your key-chain or sit in your pocket and you touch it for generating authentications that are completed wirelessly. The addressable market for these wireless options includes smart phones, tablets, devices, and yes, future laptops that may be pruning ports.”

The FIDO Alliance mission is to make FIDO more widely available and so reduce the reliance on usernames and passwords in favor of more secure two-factor authentication. FIDO two-factor authentication is less expensive than traditional two-factor infrastructure. A Yubico NEO, for instance, costs $50 on

Some of the FIDO Alliance’s 150-plus members are Google, PayPal, Bank of America, Wells Fargo, Microsoft, RSA, VISA, Discover, MasterCard, Lenovo and Alibaba.

FIDO specifications address the new FIDO U2F transport protocols can be found here.

Copyright © 2015 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022