SearchSecurity.com: Figuring out FIDO

Depending on your perspective, either a lot or very little has happened in the past year with the Fast Identity Online (FIDO) alliance. In the former category are lots of new signatories to its protocols and standards, including Bank of America, RSA, Netflix, Mastercard and some 100 other supporters. Most notable is that Samsung’s major new smartphone, the Galaxy S5, will contain a fingerprint sensor that makes use of the FIDO protocols. Samsung and PayPal also announced a partnership under which you will be able to authenticate to your PayPal account from the phone with your fingerprint. It doesn’t hurt that the president of the FIDO alliance works at PayPal, either. (Here is an interview SearchSecurity did with him last year that is worth reviewing.)

But all of this activity is somewhat frustrating, because as of this moment there aren’t any FIDO-ready products for sale and no commercial FIDO users. Even Phillip Dunkelberger, CEO of Nok Nok Labs and one of the founding FIDO members, has admitted, “There’s nothing on the end user side yet.”

Still, there is a lot of testing going on, a lot of demonstration projects, and a lot of promises (even the S5 won’t be available until mid-April at the earliest, and not everywhere even then). And the draft specifications weren’t made public until this past February, almost a year after the initial hoopla over the alliance began. But at least they are available now.

“FIDO promises to clean up the strong authentication marketplace, making it easier for one-fob-fits-all solutions. The FIDO method is more secure than current methods because no password or identifying information is sent out; instead, it is processed by software on the end user’s device that calculates cryptographic strings to be sent to a login server,” as ComputerWeekly put it last year.

That’s a big advantage. In the past, multifactor authentication methods were based on either a hardware fob or some kind of tokenless solution that relied on custom software, proprietary programming interfaces, and lots of work to integrate the method into your existing on-premises and Web-based applications. (Here is a link to a review I did last year for Network World of eight different methods.) FIDO will change that significantly.

If it is widely adopted, FIDO will divorce these second-factor methods from the applications that depend on them. The same authentication device can then be used to sign in to a variety of providers, with a separate key pair for each provider so that none of them is aware of the others, and without extensive programming for the stronger authentication. This could banish the need for users to cart around a different second-factor token for every service.

“FIDO also makes it easier to do the authentication integration piece and not have to rewrite the client software over and over again,” says Mike Goldgof, the VP of Marketing at Agnito. “This gives us a huge population of users to draw on,” he said. Without FIDO, Agnito would have to continue to develop different SDKs for each target audience and application, or work closely with individual app developers.

“That seems like a no-brainer and a big win,” says Joseph Sikes, a security engineer with a cable communications company who has looked at the specs. “Integrating this type of built-in technology with digital wallets and ecommerce can not only help protect consumers, but reduce the risk, liability and fraud for financial institutions and digital marketplaces.”

The big leap FIDO takes is to use something unique to you, such as a voiceprint, a fingerprint, facial recognition or some combination of these, and to protect it with solid cryptography. But unlike traditional second-factor key fobs or even the tokenless phone call-back solutions, the biometric data remains on your smartphone or laptop and is never shared with the application provider; all the provider receives is a public key and signed responses to its challenges, neither of which is any use to someone who steals them. FIDO can even use a simple four-digit PIN, and again everything stays on the originating device. “It will be cryptographically secure and we don’t transmit this information or store it on some central database,” said Jamie Cowper, a senior director at Nok Nok Labs. With no central store of secrets to steal, a breach of the kind Target suffered at its POS systems has no millions of logins to spill to the world, a big selling point for many IT shops and providers.
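
As an added example that is not part of the original article or any vendor’s code, here is the registration and login exchange sketched above, modelled in Go with standard-library ECDSA. It is a simplified model of the FIDO idea rather than an implementation of the FIDO specifications: the device keeps one private key per site, unlocked by a local check that stands in for the PIN or fingerprint; the server stores only the public key and a one-time random challenge; and the site’s origin is mixed into what gets signed, so a challenge relayed through a look-alike site fails at the real server. The origins, the user name and the message layout are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's phone or laptop: one private key per
// relying party, never exported. The PIN or fingerprint check happens only on
// the device (the unlocked flag stands in for it), so nothing biometric is sent.
type Authenticator struct {
	unlocked bool
	keys     map[string]*ecdsa.PrivateKey // relying-party origin -> key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Unlock records the outcome of the local PIN or biometric check.
func (a *Authenticator) Unlock(ok bool) { a.unlocked = ok }

// Register mints a fresh P-256 key pair for an origin and returns only the
// public half; unrelated keys per origin keep sites from correlating users.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	if !a.unlocked {
		return nil, errors.New("device locked")
	}
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = k
	return &k.PublicKey, nil
}

// Sign answers a challenge with the key for that origin. The origin is part of
// the signed data, so a challenge relayed via a look-alike site is signed under
// the wrong origin and fails at the real server.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	k, ok := a.keys[origin]
	if !a.unlocked || !ok {
		return nil, errors.New("device locked or no key for " + origin)
	}
	d := assertionDigest(origin, challenge)
	return ecdsa.SignASN1(rand.Reader, k, d[:])
}

// assertionDigest is the assumed message layout: SHA-256(origin || 0x00 || challenge).
func assertionDigest(origin string, challenge []byte) [32]byte {
	msg := append(append([]byte(origin), 0), challenge...)
	return sha256.Sum256(msg)
}

// Server models a relying party. Stealing this store yields public keys and
// spent challenges, nothing an attacker can log in with.
type Server struct {
	Origin     string
	pubKeys    map[string]*ecdsa.PublicKey // user -> registered public key
	challenges map[string][]byte           // user -> outstanding one-time challenge
}

func NewServer(origin string) *Server {
	return &Server{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues 32 random bytes that are good for exactly one assertion.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[user] = c
	return c
}

// Verify checks the assertion against the stored public key and burns the
// challenge, so a captured assertion cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, ok := s.challenges[user]
	pub, known := s.pubKeys[user]
	delete(s.challenges, user)
	if !ok || !known {
		return false
	}
	d := assertionDigest(s.Origin, c)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	dev, bank := NewAuthenticator(), NewServer("https://bank.example")
	dev.Unlock(true) // fingerprint accepted on the device itself
	pub, _ := dev.Register(bank.Origin)
	bank.Enroll("alice", pub)
	sig, _ := dev.Sign(bank.Origin, bank.Challenge("alice"))
	fmt.Println("login:", bank.Verify("alice", sig), "replay:", bank.Verify("alice", sig))
}
```

Two things are worth noticing when you run it: a second Verify with the same signature fails because the challenge has been consumed, and a dump of the server’s two tables yields nothing that logs anyone in.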

The other big advantage of FIDO is that it is designed from the get-go to work both for online applications, such as eCommerce and SaaS sites, and for traditional local database servers and other on-premises authentication situations. Compared with two-factor products that grew up in the offline era, that is another selling point. “The FIDO group has done their homework and it is put together solidly,” says Dennis King, a St. Louis-based security integrator with Working Security. “A lot of people were nervous after Snowden and the fact that FIDO doesn’t shove your biometric data into the cloud, but keeps it private and local is useful, especially if you can employ common standards and hide the complexity of the cryptographic key exchange,” he said. “FIDO will also improve security for the developer,” says Kapil Raina, the director of product marketing for Zscaler. “The abstraction of the actual protocol implementation will cut down on development time and errors.”

But some people, like Tony Maro, aren’t waiting around for FIDO to be finished. The CEO of Evrichart.com, a healthcare IT-related VAR in White Sulphur Springs, WV said, “We are currently developing two factor tools using a time-based algorithm for one of our applications and will probably ignore FIDO specs for the next couple of years at least.  That algorithm is the same one that Google, Dropbox, and even my own website host has chosen.  It also eliminates carrying a separate dongle as just about everyone has a mobile phone these days and can run the Google Authenticator or other apps. This is a mobile world we live in, and we need mobile compatible solutions, otherwise you’re behind the curve right out of the gate.”
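
The time-based algorithm Maro describes is TOTP (RFC 6238), which derives a one-time code from a shared secret and the current 30 second time step using HOTP (RFC 4226); it is what Google Authenticator and the other apps he mentions implement. The server-side verifier below is an added example, not code from Evrichart or the original post, written in Go with only the standard library. It uses the test secret published in the RFCs so the codes can be checked against the standard’s own vectors; the one-step clock tolerance and the rule that a time step is accepted only once are my choices, typical of production verifiers but not something the post specifies.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// TimeStep is the RFC 6238 default: one code every 30 seconds.
const TimeStep = 30

// hotp computes an RFC 4226 one-time code for a counter value using HMAC-SHA1
// and the RFC's dynamic truncation.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// The low nibble of the last byte picks a 4-byte window; the top bit of
	// that window is masked off so the value is the same on any platform.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is HOTP with the counter derived from Unix time (RFC 6238).
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/TimeStep), digits)
}

// Verifier holds one user's shared secret and the last time step it accepted,
// so a code captured in transit cannot be replayed while it is still fresh.
type Verifier struct {
	secret   []byte
	digits   int
	lastStep int64
}

func NewVerifier(secret []byte, digits int) *Verifier {
	return &Verifier{secret: secret, digits: digits, lastStep: -1}
}

// Accept checks a submitted code against the current step and one step either
// side (about 30 s of clock drift), compares in constant time, and consumes the
// step on success so the same code cannot be used twice.
func (v *Verifier) Accept(code string, unixTime int64) bool {
	step := unixTime / TimeStep
	for skew := int64(-1); skew <= 1; skew++ {
		s := step + skew
		if s < 0 || s <= v.lastStep {
			continue
		}
		if hmac.Equal([]byte(code), []byte(hotp(v.secret, uint64(s), v.digits))) {
			v.lastStep = s
			return true
		}
	}
	return false
}

func main() {
	// Shared test secret from the RFC 4226/6238 appendices (ASCII digits).
	secret := []byte("12345678901234567890")
	fmt.Println("RFC 6238 vector, T=59, 8 digits:", totp(secret, 59, 8))
	v := NewVerifier(secret, 6)
	now := time.Now().Unix()
	code := totp(secret, now, 6)
	fmt.Println("current code accepted:", v.Accept(code, now))
	fmt.Println("same code replayed:   ", v.Accept(code, now))
}
```

Because the secret is shared, the server side is only as safe as wherever it stores that secret; that is the trade-off against the public-key approach FIDO takes, where the server holds nothing an attacker can use to generate codes.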

FIDO doesn’t solve all of our authentication problems, of course. It proves that the same device and the same enrolled finger or voice are back; it does not tell you who that person actually is. If you need to know the identity behind the biometric, you will want to look elsewhere. “When you are enrolling a new user, you want to be very sure that you have verified them and are enrolling the right person,” says Cowper. Others, such as MiiCard.com, are working on this identity-proofing problem with their own system.

But if you are interested in FIDO, and don’t mind waiting for the products and final standards, here are a few places for enterprise developers to start learning more.

First, review how Samsung’s fingerprint sensor API works and whether it would motivate you to buy S5 phones and deploy them across your enterprise. (Apple’s iPhone 5S has a fingerprint sensor, but third-party apps don’t have programmatic access to it yet.)

Then take a look at this video demo from Yubico of its touch-sensitive USB key. A touch proves only that a person is physically present at the device, which is useful where you want someone to acknowledge “proof of life” but a full fingerprint isn’t needed: for example, people receiving government pensions who must verify that they are still alive before their monthly benefits continue, or callers who need to prove who they are to a call center agent.

To see how a voiceprint recognition app works, check out KIVOX from Agnito, available for both Android and iOS, which you can download here. Agnito has been working for several years on voice recognition apps and has a project underway with one American bank to implement FIDO protocols for its customers. One of the interesting aspects of voice recognition is being able to tell a recording apart from the live speaker.

You can download Nok Nok’s NNL S3 Suite, which includes its Multifactor Authentication Server with iOS, Android, Windows 7 and Windows 8 clients. The system works with a variety of sensors, including fingerprint readers.

Finally, Oberthur is building phone SIM cards with FIDO authenticators built in, which demonstrates the flexibility of the protocol and how it can be used on phones that lack the latest sensors.

Network World: Secure browsers offer alternatives to Chrome, IE and Firefox

The Web browser has been a major infection vector for years, allowing malware to reach millions of computers through phishing, man-in-the-middle attacks, legitimate sites compromised via SQL injection, and countless other routes. But what if there was a way to stop this madness and secure the browsing channel itself?

I talk about ways to replace existing Chrome and Firefox browsers with a new breed of products, such as Spoon (screenshot of the Spoon console at left). You can read my article posted on Network World today here.

Network World: Virtual machine security still a work in progress

Trying to protect your expanding virtual machine (VM) empire will require a security product that can enforce policies, prevent VMs from being terminated or infected, and deliver the virtual equivalents of firewalls, IPS and anti-virus solutions.

We last looked at this product category nearly three years ago, testing five products. At that time we said that no single product delivered all the features we wanted. That is still true today, even though the market has matured some. This time around we tested three vendors from our previous test (Catbird, HyTrust and Trend Micro) plus a newcomer, Dome9. All represent solid approaches to improving your VM security, but they come at the problem from different places.

Sadly, I wasn’t able to test lots of other VM security technologies, which I have listed here.

You can read my review of these VM security products for Network World here. And you can view a series of screenshots of the four products here.

Dealing with ID Theft

With all the various security exploits of the past several months, I wanted to share two emails that I received over the past week. One was from USAA, the financial services giant that offers a variety of banking and insurance programs to military families. The other was from a security consultant. Both offered suggestions on how to protect your digital and online identity, but their suggestions were diametrically opposed.

The USAA email (and it was really from them) pointed to a page of theirs that reviews various security suggestions. There are tips on how to use social media wisely (such as don’t reveal too much on the first date) and how to watch out for ATM card skimmers (those add-on devices that can collect your PIN and card data).

USAA offers million-dollar liability protection in case of fraud, which more card issuers are doing, and a zero-dollar deductible, which more card issuers should do. They also offer Trusteer Rapport software to flag phishing sites for free, along with a free Symantec VIP soft token for two-factor authentication to secure your account logins. Good for them, and one of the reasons why I like doing business with them.

All of these tools and tips are very practical, very easy to implement, and very sensible.

But let’s take a look at my second email, from the security consultant. Here you have the opposite approach: suggestions that border on the onerous, if not the impossible to implement. I won’t mention their name, but here are their suggestions on limiting ID theft. The first point was:

  • Set Google Alerts on yourself and know what information is accessible about you online. (This is a really good idea and something everyone should do anyway, regardless of vanity or security issues.)

But then things started getting weird:

  • Get a PO Box that is not in the same Zip code as your house, and have your bank statements sent there.
  • Set your insurance address and vehicle registration for the PO Box too.
  • Change the deed on your house to a trust that has nothing to do with your name. Set that mailing address to, guess what, the same PO Box.

Does this strike you as somewhat paranoid? I get it: having the PO Box in some random location could really help if your car is stolen, if your wallet is taken in a robbery, or if someone doing an online search for your records decides to target you. But how many of us are going to go through the motions of the suggestions above? Not many.

Sure, ID theft is a problem, especially as Target, Yahoo, Sears, et al. release millions of records unintentionally. For another perspective and what corporate IT managers can learn from these situations, check out my post on Ricoh’s WorkIntelligent.ly blog today here.

Be safe out there people.

Ricoh blog: 3 lessons learned from the Target’s data breach

The breach of Target’s point-of-sale (POS) systems earlier this year and the theft of millions of customers’ credit card numbers was unfortunate, to say the least. A good rundown of what happened to them can be found here in the New York Times. But the attack holds some important lessons for beefing up your own security posture. Here are a few important takeaways.

1. Segment your network properly. 

One of the main entry points into the POS network was that Target’s heating contractor had far more access than it needed. Why does such a contractor need access to your entire network just to turn up the heat? Brian Krebs writes, “it is common for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could prevent customers from shopping at the store.” Be that as it may, the attackers were able to steal the contractor’s network credentials and use them to get into many stores’ networks. A contractor account should be confined to the systems it actually manages, with the POS segment reachable only through explicitly permitted paths.

2. Take a closer look at two-factor authentication. Another issue was that the heating contractor wasn’t using two-factor authentication on its network credentials. There is simply no excuse for this: nowadays you can add a second factor to your logins at Facebook, Twitter, Google Docs, LinkedIn and many other sites. US-CERT has put together a list of recommendations specifically for protecting POS systems, but the first step is strengthening logins. I have reviewed many of the two-factor tools that enterprises can use here for Network World; they are relatively straightforward to implement. And while they can’t protect you against every attacker (one notable example: in the Netflix series House of Cards, two-factor protection is defeated by one of the story’s characters in season 2), it is still better than having nothing at all.

3. Change your default admin accounts. One part of the attack made use of an account with the same username that gets installed by default with an IT management suite from BMC called Performance Assurance for Microsoft Servers. Brian Krebs again has more information about how this all happened. This is a common weakness, and there is no excuse for laziness: change those default passwords, and rename or disable default accounts, especially ones with administrative or supervisory access to multiple or sensitive systems.

Obviously these are just the tip of the iceberg, but all three lessons are important ones to remember to strengthen your own network security so you don’t become another Target. There is no point in having a strong perimeter defense if outsiders can easily become insiders and roam freely around your network.

CA blog: Making your mobile apps more secure

Businesses are getting more innovative about how they deploy mobile apps, using them to reach a wider customer base or building new internal apps that couldn’t be delivered to desktops. As an example, PKO, Poland’s largest bank, wanted to roll out a new epayment app for its smartphone users last year. Their challenge was to ensure that the banking data transmitted to those phones stayed secure.

Certainly there is more and more malware targeted at mobile phones. Here are a few tips to help make your users’ mobile experience more secure.

  1. Train your users to steer clear of malware-infected websites. It is hard to always resist the temptation to type in some random URL, but part of good security practice is not opening your phone up to drive-by downloads from sites that specialize in this sort of thing. Hacking contests such as this one regularly show that merely visiting a page is enough to deliver an exploit. You can’t always tell in advance, so spend some time training your users and your customers to be more vigilant about where they navigate with their mobile browsers.
  2. Make sure your users download only genuine apps. Trend Micro has a report showing that the number of malicious Android apps now tops a million and is still rising, more than double the figure at the beginning of 2013. That is somewhat depressing, to be sure. One way to avoid this situation is to provide a corporate app store with links to the genuine apps. Or you can lock down your corporate-owned phones to prevent random app downloads.
  3. Make sure your users connect securely or not at all. They should avoid open Wi-Fi networks like the plague: on an open network anyone nearby can read or tamper with unencrypted traffic, and a phony access point with a familiar name is an easy way to lure users in. Spend some effort educating them about these rogue networks, and have them understand the consequences of connecting insecurely.
  4. Understand mobile Trojans and how they work. They have been around for many years, with the first mobile Trojans infecting the Symbian OS back in 2004. Some can even hold your phone hostage and demand payment before they release their grip. Make sure your IT staff understand how these work, and have them set up periodic scans of all of your corporate-owned phones to check for them.

Making your mobiles more secure can make them a center of enterprise IT innovation. If you tighten up your phones, you have a more solid foundation to develop your own apps on them and more innovative ways to reach your customers, react to changing market conditions, or do more business.

A new way to provide malware protection

Note: Since I wrote this story back in 2014, events have changed. Norse’s database and methods have been questioned, and the company has seen a massive staff layoff, including its CEO. I would be careful if you choose their products for now. 

We all know it is an arms race on the Internet trying to protect our networks against bad actors. There are fake anti-virus alerts that are themselves malware, and an entire category of badness called ransomware that holds your hard disk hostage until you pay someone to release its hold on your data. And then there are the more traditional methods, such as those used at Target and elsewhere, where the stolen but legitimate credentials of people with wide-ranging network access are used to do the mischief.

It is all rather depressing. But because it is an arms race, the good guys have a few tricks up their sleeves too. The latest line of defense is to track sources of potential infections, down to geo-locating them in the physical world to the extent possible. This is what Norse Corp. offers its clients, and having seen some samples, I have to admit it is a great idea.

Here is a screenshot showing what they capture. The idea is to instrument the vast unwashed Internet (Tor routers, peer-to-peer torrents, and the other effluvia that runs across what none of us like to think about when we are trying to Get Real Work Done). Norse has placed thousands of its capture appliances around the world and collected a database of more than 120 million malicious URLs. While that sounds like a lot, it isn’t when you compare it to the number of infected PCs or those on existing botnets. What is significant is that they can find malware sources in the developmental stages, before they start infecting other computers.

Of course, they aren’t the only ones with such appliances: Cisco, McAfee, Blue Coat, Bit9, Palo Alto Networks and others have instrumented their customers’ routers and firewalls to capture similar information, and some of them score the source addresses and feed that reputation analysis into their firewall rule engines too. But to my knowledge, Norse is the only one that can locate Tor exit nodes and start to identify what other IP addresses are being carried through them. And guess what? If you have to use Tor to hide your traffic, you probably aren’t sending nursery rhymes across the Interwebs. And because everything they observe is tied back to a common database, they can figure out some pretty important things. For example, when a hospital’s kidney dialysis machine is collecting credit card information or, worse yet, doing actual payment transactions, that should send up a red flag.

I have written about this before, including most recently this piece in Information Security Magazine this past month. Too bad Target and Marriott and others didn’t have this technology when their insider accounts had been compromised. Yeah, too bad.

SearchSecurity: The changing face of advanced malware detection

In the escalating arms race against advanced malware, many organizations require defenses to protect enterprise networks in real time that go beyond desktop endpoint virus scanners and network-based intrusion prevention products.

Unfortunately for security organizations, advanced malware is getting harder to detect.

You can read more in SearchSecurity here.

Thank you, NSA!

So with all the stuff written about data privacy, the seemingly daily credit card breaches from various retailers, and even stories about point of sale systems being unsafe, I just wanted to take this moment to say thanks to our hapless NSA.

Why thank them? Well, they continue to inspire our entertainment industry in new and exciting ways, and also make previous movies and TV show plot points all that more believable. Take the following cases in point:

  1. “The Good Wife” used to be one of my favorite shows on the air, and one of the reasons was all the techy points scored by the various legal eagles working in Chicago. I mean, when did you ever hear the words “cell phone metadata” used in a TV series? Granted, some of the stuff is irritating, such as one client that looks awfully like Yahoo (or maybe their prototype is Google) called ChumHum that is always skirting the law. I guess if Dave Eggers can hide behind “The Circle” (which is a darn fine read, by the way), so can the fictional lawyers in “The Good Wife.” We were even treated to a “60 Minutes” style scene of NSA workers in Chicago tracking phone calls and more metadata on a subsequent show.
  2. Speaking of “60 Minutes,” when was the last time you got a tour of a top secret data center on national TV where you could plainly see the bad guys’ IP addresses? Granted, those are probably outdated anyway. But still.
  3. Speaking of Google, there are now artists who use images of people randomly captured in their Street Views to recreate the image in “real life”.  It could be borderline creepy, or a new art form, hard to say which.
  4. Jason Bourne’s exploits are all that much more believable. I was watching one of the earlier episodes and I have to admit it was almost too ironic that a reporter from The Guardian gets wasted by the CIA-like agency: the same newspaper that was involved in the Snowden leaks. And the talented agency can scan for those Bourne-oriented keywords in near real-time over the phone calls too. Amazingly prescient for 2007! I haven’t had a chance to review “War Games” or “Three Days of the Condor” yet, but I am sure a lot of other cold-war plot lines are back in style.
  5. Bluffdale Utah is now a tourist destination. This (pictured above) is where the NSA is trying to build its data repository for all those calls. As a destination, it isn’t quite A-list yet: you can only imagine but not see the fiasco happening beyond the barbed wire fencing about bad data center design, despite the nearly infinite budget involved.
  6. Overseas tech companies are reaping a competitive advantage. Thanks to all the sub rosa connections between the NSA and various American tech leaders such as Microsoft, Google, and so forth, many enterprises are opting to look elsewhere to host their email traffic. When was the last time you heard the term “Email made in Germany” used in a positive way? Thanks NSA for making the market in offshore data havens.
  7. An entire industry of posting arrest records and mugshots now thrives. Several sites are now capturing this data. Thanks NSA for motivating the private sector!

Top security stories of the week

Scouring the net for this week’s most interesting security stories for Dice’s Security Talent Community, I recommend the following: