FIDO Alliance Releases Authentication Specs for First Public Review

By Peter Bernstein February 12, 2014

The consensus in the security industry for some time has been that because of virtualization, the cloud, mobility and BYOD in the enterprise, authentication/identity is the new perimeter.  Unfortunately, as a result of the explosion in vectors of vulnerability and the sophistication of those with malicious intent, as the headlines shout almost daily the barbarians are not at the gate but have figured out how to storm or get around them. It is why so much attention has been paid to stronger authentication technologies.

The FIDO Alliance (Fat Identity online Alliance), an open industry consortium delivering standards for simpler, stronger authentication, has been actively working the challenge of coming up with standards that make it easier for all of us to access what we need securely, and has announced a milestone with release of its first public review draft technology specifications.  

Collaboratively developed by some for marquee info-tech companies in the world, the specs are designed to enable simpler, stronger authentication to scale in the market. FIDO standards address industry and consumer pain points by ensuring that users and online service providers have a variety of choices to select from when adopting simpler, stronger authentication alternatives to today's prevailing reliance on single-factor passwords.

A huge challenge

There is ample context for just how important this effort is. For example, as FIDO points out:

  • The Q1 2013 Forrester Wave™: Enterprise Fraud Management asserts the online services industry is seeing upwards of $200B in annual losses from password breaches and related hacks that exploit the vulnerabilities inherent in single-factor password systems.
  • The Verizon 2013 Network Investigations Data Breach Report found that 76 percent of network intrusions exploit weak or stolen credentials.
  • Gartner has highlighted that 20 to 50 percent of all help desk calls are for password resets, and  Forrester Research estimates help desk labor cost at $70 per password reset.
  • InMobile Consumer Insights, Jumio reports that 68 percent of smartphone and tablet owners have attempted to make purchases on their device. Due to problems during the payment process, 66 percent of that group abandoned transactions, and 47 percent of these said they abandoned transactions that took too long.

FIDO, in part in celebration of its first-year anniversary, says the release of its specifications, “Demonstrates momentum that attests to pent-up demand for simpler, stronger authentication that must scale, as only open industry standards can deliver.”

“It is with pride that the FIDO Alliance releases the review draft specifications to the public today, before our first anniversary of starting the long overdue revolution in authentication.  Congratulations to our members for their insights, expertise, and tireless dedication to delivering better authentication that is more secure, private and easier-to-use than prevailing password schemas,” said FIDO Alliance president, Michael Barrett. “With today’s public release of the review draft specifications, we especially welcome and anticipate new types of members coming from various enterprises.  Furthermore, we encourage Relying Parties to begin testing their unique FIDO authentication needs with the commercial solutions already available from many FIDO member companies.”

In addition to the release for review of the specifications, FIDO also revealed that its membership is approaching 100 strong, with Aetna, ARM, Dell, Discretix, IdentityX, Netflix, Next Biometrics, Oesterreichische Staatsdruckerei GmbH, Salesforce, SafeNet, Sonavation, STMicroelectronics, and Wave Systems being among the most recent companies to join as Sponsor members of the Alliance.

The specifications are device-centric

As FIDO explains, the new specifications emphasize a device-centric model that reflects the Alliance's dedication to usability, privacy and security. FIDO specifications will support a full range of authentication technologies, including:

  • Biometrics such as fingerprint and iris scanners
  • Voice and facial recognition, as well as further enable existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC).

They allow device-specific authentication capabilities to be leveraged by online services within an interoperable infrastructure, enabling authentication choice to meet the distinct needs of users and organizations. In addition, the FIDO specifications complement and add value to identity federation. It should also be noted that in conjunction with the specifications the FIDO Alliance also has published a reference whitepaper

If you are looking to kick the tires of FIDO Ready products, they will be on display at this month’s Mobile World Congress 2014 (MWC 2014), RSA Security Conference and FIDO Public Forum Event in Palo Alto, California.  

As I have noted in previous articles on the work being done by FIDO, the traction they have gotten is impressive. They have demonstrated an ability unlike many other industry groups to move fast. In an era where speed has become critical, especially when it comes to providing security, it is why they are an organization to keep a close watch on.

Edited by Ryan Sartor
Related Articles

ITEXPO's IBM Keynoter: AI is Here Today

By: Paula Bernier    2/20/2018

Many folks think the artificial intelligence is something we'll see in the future. That's true. AI will be employed in a broader variety of more sophi…

Read More

The Blockchain Event Draws a Crowd

By: Paula Bernier    2/20/2018

The Blockchain Event in Fort Lauderdale draws a crowd, offers some answers, and raises lots of interesting questions. Why have some cryptocurrencies g…

Read More

Hughes: WAN Optimization Expertise, Homegrown Solution Differentiate SD-WAN

By: Paula Bernier    2/16/2018

The SD-WAN marketplace is a crowded one. But Hughes Network Systems says it brings unique expertise and proven technology to the table. And that, Jeff…

Read More

Juniper Security Expert: Behavior Analytics Helps Address Threat Complexity

By: Paula Bernier    2/16/2018

Organizations are changing their cybersecurity strategies, says Juniper Networks Cybersecurity Strategist Nick Bilogorskiy, who presented the closing …

Read More

Welbitz Wins ITEXPO's Idea SHOWCASE

By: Paula Bernier    2/16/2018

It was a sweep. Both the audience and the judges at ITEXPO's IDEA Showcase Thursday picked Welbitz as the winner. The company went up against fellow s…

Read More