Editor’s Choice AWARD
The FIDO Alliance
Authenticating your identity should be as easy as 1-2-3. Unfortunately, some users take that philosophy a little too literally, using 1-2-3-4-5 or something equally insecure as their passwords when logging in to web-based services or applications.
The FIDO (“Fast IDentity Online”) Alliance has made it its mission to phase out the use of outdated password technology and replace it with cryptographically secure, standards-backed authentication alternatives such as on-device biometrics and FIDO Security Keys. And 2018 was a landmark year in the open industry association’s effort to accomplish that very goal.
In conjunction with the World Wide Web Consortium (W3C), FIDO last April officially launched the FIDO2 Project, a set of interlocking initiatives that together create a FIDO Authentication standard for the web. FIDO2 encompasses both the W3C’s Web Authentication specification (WebAuthn) and the FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).
Combined, WebAuthn and CTAP help users leverage common devices to achieve hassle-free authentication in both mobile and desktop environments. According to the Alliance, FIDO2 supports passwordless, second-factor and multi-factor user log-in experiences that leverage embedded/bound authenticators such as biometrics or PINs, or external/roaming authenticators like FIDO security keys, mobile devices and wearables.
Many of the world’s most popular browsers and operating system platforms have moved quickly to take advantage. Indeed, FIDO2 technologies are already built into the latest versions of Windows 10, Google Play Services on Android, and the Chrome, Firefox and Edge web browsers. WebKit, the technology behind Apple’s Safari web browser, is also previewing support for FIDO2, and just last month, Google announced that Android is now FIDO2-certified.
The FIDO Alliance helped pave the way for adoption of its specifications by providing various testing tools for platform developers, and also by launching a FIDO2 certification program. A certification means that a product not only complies with FIDO2 specifications, but also is interoperable with other FIDO2 products.
In September 2018, the first crop of FIDO2-certified authentication products was made available from such organizations as CROSSCERT: KECA (Korea Electronic Certification Authority); Dream Security Co., Ltd. Korea; ETRI; eWBM Co., Ltd.; IBM; Infineon Technologies; INITECH Co., Ltd.; Nok Nok Labs; OneSpan; Raonsecure; Samsung SDS; Singular Key; Whykeykey Inc.; Yahoo Japan Corporation; and Yubico. This included the first universal FIDO server, which supports not only all FIDO2 authentication devices but also those running on earlier open authentication standards UAF and U2F, enabling backward compatibility for any previously certified FIDO authenticators.
Companies pursuing biometrics-based authentication were further helped by FIDO’s September 2018 launch of its Biometric Component Certification Program, the first program in the industry designed to certify that biometric recognition systems successfully meet globally recognized performance standards and are viable for commercial use. The program delivers significant time and cost savings to biometrics vendors because it enables them to test and certify their technology only once in order to validate their system’s performance, and then repeatedly re-use that third-party validation across their potential and existing customer base.
Even before the official launch of FIDO2, the Alliance expanded its previously established certification program to include multi-level security evaluations for authenticator technologies. In a press release at the time, FIDO Alliance Executive Director Brett McDowell said that the new and improved certification program “enables enterprises and online services to make better informed risk management decisions when registering credentials from FIDO-enabled devices, resulting in more accurate and reliable scores on the back-end while delivering better user experiences on the front end due to lower instances of intrusive ‘step up authentication’ challenges.”
Just last December, the FIDO Alliance reached what is arguably the highest bar set in information and communication technology (ICT) standardization when the International Telecommunication Union’s Telecommunication Standardization Sector (ITU-T) recognized UAF 1.1 and CTAP as international standards.