FIDO Alliance Releases Authentication Specs for First Public Review

The consensus in the security industry for some time has been that because of virtualization, the cloud, mobility and BYOD in the enterprise, authentication/identity is the new perimeter.  Unfortunately, as a result of the explosion in vectors of vulnerability and the sophistication of those with malicious intent, as the headlines shout almost daily the barbarians are not at the gate but have figured out how to storm or get around them. It is why so much attention has been paid to stronger authentication technologies.

The FIDO Alliance (Fat Identity online Alliance), an open industry consortium delivering standards for simpler, stronger authentication, has been actively working the challenge of coming up with standards that make it easier for all of us to access what we need securely, and has announced a milestone with release of its first public review draft technology specifications.  

Collaboratively developed by some for marquee info-tech companies in the world, the specs are designed to enable simpler, stronger authentication to scale in the market. FIDO standards address industry and consumer pain points by ensuring that users and online service providers have a variety of choices to select from when adopting simpler, stronger authentication alternatives to today's prevailing reliance on single-factor passwords.

A huge challenge

There is ample context for just how important this effort is. For example, as FIDO points out:

• The Q1 2013 Forrester (News - Alert) Wave™: Enterprise Fraud Management asserts the online services industry is seeing upwards of $200B in annual losses from password breaches and related hacks that exploit the vulnerabilities inherent in single-factor password systems.
• The Verizon (News - Alert) 2013 Network Investigations Data Breach Report found that 76 percent of network intrusions exploit weak or stolen credentials.
• Gartner has highlighted that 20 to 50 percent of all help desk calls are for password resets, and  Forrester Research (News - Alert) estimates help desk labor cost at $70 per password reset.
• InMobile Consumer Insights, Jumio reports that 68 percent of smartphone and tablet owners have attempted to make purchases on their device. Due to problems during the payment process, 66 percent of that group abandoned transactions, and 47 percent of these said they abandoned transactions that took too long.

FIDO, in part in celebration of its first-year anniversary, says the release of its specifications, “Demonstrates momentum that attests to pent-up demand for simpler, stronger authentication that must scale, as only open industry standards can deliver.”

“It is with pride that the FIDO Alliance releases the review draft specifications to the public today, before our first anniversary of starting the long overdue revolution in authentication.  Congratulations to our members for their insights, expertise, and tireless dedication to delivering better authentication that is more secure, private and easier-to-use than prevailing password schemas,” said FIDO Alliance president, Michael Barrett. “With today’s public release of the review draft specifications, we especially welcome and anticipate new types of members coming from various enterprises.  Furthermore, we encourage Relying Parties to begin testing their unique FIDO authentication needs with the commercial solutions already available from many FIDO member companies.”

In addition to the release for review of the specifications, FIDO also revealed that its membership is approaching 100 strong, with Aetna, ARM, Dell, Discretix, IdentityX, Netflix, Next Biometrics, Oesterreichische Staatsdruckerei GmbH, Salesforce, SafeNet, Sonavation, STMicroelectronics (News - Alert), and Wave Systems being among the most recent companies to join as Sponsor members of the Alliance.

The specifications are device-centric

As FIDO explains, the new specifications emphasize a device-centric model that reflects the Alliance's dedication to usability, privacy and security. FIDO specifications will support a full range of authentication technologies, including:

• Biometrics such as fingerprint and iris scanners
• Voice and facial recognition, as well as further enable existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC).

They allow device-specific authentication capabilities to be leveraged by online services within an interoperable infrastructure, enabling authentication choice to meet the distinct needs of users and organizations. In addition, the FIDO specifications complement and add value to identity federation. It should also be noted that in conjunction with the specifications the FIDO Alliance also has published a reference whitepaper

If you are looking to kick the tires of FIDO Ready products, they will be on display at this month’s Mobile World Congress 2014 (MWC 2014), RSA Security (News - Alert) Conference and FIDO Public Forum Event in Palo Alto, California.  

As I have noted in previous articles on the work being done by FIDO, the traction they have gotten is impressive. They have demonstrated an ability unlike many other industry groups to move fast. In an era where speed has become critical, especially when it comes to providing security, it is why they are an organization to keep a close watch on.