FIDO Alliance Releases Authentication Specs for First Public Review

By Peter Bernstein February 12, 2014

The consensus in the security industry for some time has been that because of virtualization, the cloud, mobility and BYOD in the enterprise, authentication/identity is the new perimeter.  Unfortunately, as a result of the explosion in vectors of vulnerability and the sophistication of those with malicious intent, as the headlines shout almost daily the barbarians are not at the gate but have figured out how to storm or get around them. It is why so much attention has been paid to stronger authentication technologies.

The FIDO Alliance (Fat Identity online Alliance), an open industry consortium delivering standards for simpler, stronger authentication, has been actively working the challenge of coming up with standards that make it easier for all of us to access what we need securely, and has announced a milestone with release of its first public review draft technology specifications.  

Collaboratively developed by some for marquee info-tech companies in the world, the specs are designed to enable simpler, stronger authentication to scale in the market. FIDO standards address industry and consumer pain points by ensuring that users and online service providers have a variety of choices to select from when adopting simpler, stronger authentication alternatives to today's prevailing reliance on single-factor passwords.

A huge challenge

There is ample context for just how important this effort is. For example, as FIDO points out:

  • The Q1 2013 Forrester Wave™: Enterprise Fraud Management asserts the online services industry is seeing upwards of $200B in annual losses from password breaches and related hacks that exploit the vulnerabilities inherent in single-factor password systems.
  • The Verizon 2013 Network Investigations Data Breach Report found that 76 percent of network intrusions exploit weak or stolen credentials.
  • Gartner has highlighted that 20 to 50 percent of all help desk calls are for password resets, and  Forrester Research estimates help desk labor cost at $70 per password reset.
  • InMobile Consumer Insights, Jumio reports that 68 percent of smartphone and tablet owners have attempted to make purchases on their device. Due to problems during the payment process, 66 percent of that group abandoned transactions, and 47 percent of these said they abandoned transactions that took too long.

FIDO, in part in celebration of its first-year anniversary, says the release of its specifications, “Demonstrates momentum that attests to pent-up demand for simpler, stronger authentication that must scale, as only open industry standards can deliver.”

“It is with pride that the FIDO Alliance releases the review draft specifications to the public today, before our first anniversary of starting the long overdue revolution in authentication.  Congratulations to our members for their insights, expertise, and tireless dedication to delivering better authentication that is more secure, private and easier-to-use than prevailing password schemas,” said FIDO Alliance president, Michael Barrett. “With today’s public release of the review draft specifications, we especially welcome and anticipate new types of members coming from various enterprises.  Furthermore, we encourage Relying Parties to begin testing their unique FIDO authentication needs with the commercial solutions already available from many FIDO member companies.”

In addition to the release for review of the specifications, FIDO also revealed that its membership is approaching 100 strong, with Aetna, ARM, Dell, Discretix, IdentityX, Netflix, Next Biometrics, Oesterreichische Staatsdruckerei GmbH, Salesforce, SafeNet, Sonavation, STMicroelectronics, and Wave Systems being among the most recent companies to join as Sponsor members of the Alliance.

The specifications are device-centric

As FIDO explains, the new specifications emphasize a device-centric model that reflects the Alliance's dedication to usability, privacy and security. FIDO specifications will support a full range of authentication technologies, including:

  • Biometrics such as fingerprint and iris scanners
  • Voice and facial recognition, as well as further enable existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC).

They allow device-specific authentication capabilities to be leveraged by online services within an interoperable infrastructure, enabling authentication choice to meet the distinct needs of users and organizations. In addition, the FIDO specifications complement and add value to identity federation. It should also be noted that in conjunction with the specifications the FIDO Alliance also has published a reference whitepaper

If you are looking to kick the tires of FIDO Ready products, they will be on display at this month’s Mobile World Congress 2014 (MWC 2014), RSA Security Conference and FIDO Public Forum Event in Palo Alto, California.  

As I have noted in previous articles on the work being done by FIDO, the traction they have gotten is impressive. They have demonstrated an ability unlike many other industry groups to move fast. In an era where speed has become critical, especially when it comes to providing security, it is why they are an organization to keep a close watch on.

Edited by Ryan Sartor
Related Articles

Congress Passes Consumer Privacy Rollback

By: Paula Bernier    3/29/2017

Yesterday, the House of Representatives voted 215-205 to eliminate privacy rules aimed at protecting the browsing histories and data of U.S. broadband…

Read More

How Enhanced Connectivity Benefits Analytics and Big Data

By: Lindsey Patterson    3/29/2017

Potential benefits of data analysis include enhanced marketing potential, the ability to improve overall efficiency as well as the means to track and …

Read More

Think IT Can Handle Security On Its Own? Think Again

By: Special Guest    3/28/2017

One of the major fears of any IT department is losing control - of projects, of users, of applications. Yet, even with the best technology solutions, …

Read More

Optane: Intel Builds a Supercharger for PCs

By: Rob Enderle    3/28/2017

Optane is Intel's brand name for 3D XPoint memory, a brand-new memory architecture which has speed a bit slower than DRAM but otherwise performs like …

Read More

IBM's Cloud/Data/AI Trinity Vision

By: Doug Mohney    3/27/2017

If you want to know what the future of IT looks like, it's always good to look to IBM. The company pioneered and championed PCs, the Internet, open so…

Read More