Figuring out FIDO

Depending on your perspective, either a lot or very little has happened in the past year with the Fast Identity Online (FIDO) security alliance. In the former category are lots of signatories to its protocols and standards, with new members including the Bank of America, RSA, Netflix, Mastercard and 100 other supporters. Most notable is that Samsung’s major new smartphone, the Galaxy S5, will contain a fingerprint sensor that makes use of the FIDO protocols. Samsung and PayPal also announced a partnership where you will be able to use the phone to authenticate to your PayPal account via your fingerprint. It doesn’t hurt that the president of the FIDO alliance works at PayPal, either. (Here is an interview SearchSecurity did with him last year that is worth reviewing.)

But all of this action is somewhat frustrating, because as of this moment, there aren’t any actual FIDO-ready products for sale and no commercial FIDO users. Even Phillip Dunkelberger, Nok Nok Labs’ CEO and one of the founding FIDO members, has admitted, “There’s nothing on the end user side yet.”


Still, there is a lot of testing going on, a lot of demonstration projects, and a lot of promises (even the S5 won’t be available until mid April at the earliest and not everywhere even then). And the actual draft standards specs weren’t made public until this past February, almost a year after all the initial hoopla over the alliance began. But at least they are available now.


“FIDO promises to clean up the strong authentication marketplace, making it easier for one fob fits all solutions. The FIDO method is more secure than current methods because no password or identifying information is sent out; instead, it is processed by software on the end user’s device that calculates cryptographic strings to be sent to a login server,” as was mentioned in ComputerWeekly last year.


That’s a big advantage. In the past, multiple factor authentication methods were based on either a hardware fob or some kind of tokenless solution that made use of custom software, proprietary programming interfaces, and lots of work to integrate the method into your existing on-premises and Web-based applications. (Here is a link to a review that I did last year for Network World with 8 different methods.) FIDO will change that significantly.


If it is widely adopted, FIDO will divorce these second factor methods from the actual apps that will depend on them. That means the same authentication device can be used in multiple different ways for signing into a variety of providers, without each provider being aware of the others and without the need for extensive programming for the stronger authentication. This could banish the need for users to cart around different second factor tokens and other authentication methods.

“FIDO also makes it easier to do the authentication integration piece and not have to rewrite the client software over and over again,” says Mike Goldgof, the VP of Marketing at Agnito. “This gives us a huge population of users to draw on,” he said. Without FIDO, Agnito would have to continue to develop different SDKs for each target audience and application, or work closely with individual app developers.

“That seems like a no-brainer and a big win,” says Joseph Sikes, a security engineer with a cable communications company who has looked at the specs. “Integrating this type of built-in technology with digital wallets and ecommerce can not only help protect consumers, but reduce the risk, liability and fraud for financial institutions and digital marketplaces.”


The big leap that FIDO is taking is to use something, say a biometric feature such as your voiceprint, your fingerprint, facial recognition or some other combination of things that are unique to you, and digitize and protect that information with solid cryptographic features. But unlike the traditional second factor authentication key fobs or even the tokenless phone call-back solutions, this information remains on your smartphone or laptop and isn’t shared with any application provider. FIDO can even use a simple four-digit PIN code, and everything will remain on the originating device. “It will be cryptographically secure and we don’t transmit this information or store it on some central database,” said Jamie Cowper, a senior director at Nok Nok Labs. This avoids the potential for Target POS exploits that release millions of logins to the world, a big selling point for many IT shops and providers.
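To make the "nothing leaves the device" and "one authenticator, many providers" points concrete, here is a simplified model of the exchange, added as an illustration and not taken from the FIDO specs or any vendor's code. It assumes one P-256 key pair per provider and a signed random challenge; the class names, the PIN, the user and the `.example` providers are all made up for the demo.

```javascript
// Simplified model of a FIDO-style login (added example; not the FIDO wire format).
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Authenticator: runs on the user's device. PIN and private keys never leave it.
class Authenticator {
  constructor(pin) { this.pinHash = sha256(pin); this.keys = new Map(); }
  unlock(pin) { // toy local check standing in for a PIN, fingerprint or voice match
    if (sha256(pin) !== this.pinHash) throw new Error('local user verification failed');
  }
  register(rpId, pin) { // fresh key pair per provider; only the public half is exported
    this.unlock(pin);
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(rpId, challenge, pin) { // signature covers the provider id and its challenge
    this.unlock(pin);
    return crypto.sign('sha256', Buffer.concat([Buffer.from(rpId), challenge]), this.keys.get(rpId));
  }
}

// Relying party (login server): stores a public key only, no PIN or biometric.
class RelyingParty {
  constructor(rpId) { this.rpId = rpId; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) { const c = crypto.randomBytes(32); this.pending.set(user, c); return c; }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user); // challenges are single use, so a replay fails
    if (!c || !this.users.has(user)) return false;
    const data = Buffer.concat([Buffer.from(this.rpId), c]);
    return crypto.verify('sha256', data, this.users.get(user), signature);
  }
}

function demo() { // constructed PIN, user and provider names
  const device = new Authenticator('4821');
  const shop = new RelyingParty('shop.example'), bank = new RelyingParty('bank.example');
  shop.enroll('alice', device.register('shop.example', '4821'));
  bank.enroll('alice', device.register('bank.example', '4821'));
  const sig = device.sign('shop.example', shop.newChallenge('alice'), '4821');
  bank.newChallenge('alice');
  return { login: shop.verify('alice', sig), replay: shop.verify('alice', sig),
           otherSite: bank.verify('alice', sig) };
}
console.log(demo());
```

A breach of either server's user table yields only public keys, and a signature captured at one provider is useless at the other or on a second attempt.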


The other big advantage to FIDO is that it is designed to work from the get-go both for online applications, such as eCommerce and SaaS-based sites, and for traditional local database servers and other on-premises authentication situations. For those two-factor solutions that grew up in the offline era, that is another selling point. “The FIDO group has done their homework and it is put together solidly,” says Dennis King, a St. Louis-based security integrator with Working Security. “A lot of people were nervous after Snowden and the fact that FIDO doesn’t shove your biometric data into the cloud, but keeps it private and local is useful, especially if you can employ common standards and hide the complexity of the cryptographic key exchange,” he said. “FIDO will also improve security for the developer,” says Kapil Raina, the director of product marketing for Zscaler. “The abstraction of the actual protocol implementation will cut down on development time and errors.”


But some people, like Tony Maro, aren’t waiting around for FIDO to be finished. The CEO of, a healthcare IT-related VAR in White Sulphur Springs, WV said, “We are currently developing two factor tools using a time-based algorithm for one of our applications and will probably ignore FIDO specs for the next couple of years at least.  That algorithm is the same one that Google, Dropbox, and even my own website host has chosen.  It also eliminates carrying a separate dongle as just about everyone has a mobile phone these days and can run the Google Authenticator or other apps. This is a mobile world we live in, and we need mobile compatible solutions, otherwise you’re behind the curve right out of the gate.”


FIDO doesn’t solve all of our authentication problems, of course. If you need to know who the actual person is behind the finger or voice, you will want to look elsewhere. “When you are enrolling a new user, you want to be very sure that you have verified them and are enrolling the right person,” says Cowper. Others, such as, are working on solving this problem with their own identity system.


But if you are interested in FIDO, and don’t mind the wait for the products and final standards, here are a few places for enterprise developers to start to learn more.


First you should review how Samsung’s fingerprint sensor API works and whether this would motivate you to purchase new S5 phones and deploy them across your enterprise. (Apple’s iPhone 5C’s sensors don’t have programmatic access to its readers yet.)


Then take a look at this video demo from Yubico using their touch-sensitive USB key. This could be useful in situations where you want someone to acknowledge “proof of life” but where a total fingerprint isn’t needed. For example, these types of apps are useful for people receiving government pensions who need to verify that they are still alive before their monthly benefits can continue, or where you need to prove who you are when talking to a call center agent.


To see how a voice print recognition app will work, check out KIVOX from Agnito, which is available for both Android and iOS and which you can download here. Agnito has been working for several years on voice recognition apps, and has a project underway with one American bank to implement FIDO protocols for their customers. One of the interesting aspects of voice recognition is being able to detect a recorded voice and distinguish it from the original speaker.


You can download Nok Nok’s NNL S3 Suite that includes its Multifactor Authentication Server with iOS, Android, Windows 7 and 8 clients. This system will work with a variety of different sensors, including fingerprint readers.

Finally, Oberthur is building specialized phone SIM cards that have FIDO authenticators included, which demonstrates the flexibility of the protocol and how they can be used on phones that don’t have the latest technology.
