The Fast Identity Online (FIDO) Alliance will allow government agencies to become involved directly in its mission to replace passwords with stronger methods for user authentication. Those methods will be based primarily on biometrics such as face, voice, iris, fingerprint, palm or hand recognition.
FIDO says that U.S. and UK government agencies are the first to join the industry consortium. They do so under a class of membership created in response to government requests to participate in the development of future standards.
The addition of two government bodies—the U.S. National Institute of Standards and Technology and the UK Office of the Cabinet—comes after a busy period for FIDO that included Intel and NTT Docomo joining its board of directors.
FIDO's board now contains representatives of many significant players in global IT and online commerce. The board includes Alibaba, ARM, Google, Intel, Lenovo, Mastercard, Microsoft, NTT Docomo, NXP, Paypal, Qualcomm, RSA, Samsung, Synaptics and Visa, among others. The FIDO group, launched in 2013 with only a handful of companies, has now grown to include more than 200 members.
FIDO says that thieves are becoming more sophisticated at phishing for passwords and stealing online identities. At the same time, consumers find the number of passwords they need to create for online services to be burdensome. The result is that passwords are not safe and are difficult to use.
[Image caption: FIDO offers two versions of user authentication, both based on public key cryptography. Image source: FIDO Alliance.]
In May 2015, FIDO unveiled a certification program for the 1.0 specification and announced the first products compliant to that spec. This, together with an announcement from Microsoft that the Windows 10 operating system will include a non-password version and that it plans to support FIDO authentication, indicates the initiative may be on track to achieve its goal of global standardization.
The government membership scheme was created in response to requests by public agencies that they be allowed to participate and represent their interests in cyberspace security, FIDO says in a statement. NIST, for example, is the U.S. government agency responsible for the National Strategy for Trusted Identities in Cyberspace (NSTIC).
"Governments can often influence market acceptance of new information security technology, both as a significant user of the technology themselves, as well as policy maker and regulator," says Brett McDowell, FIDO Alliance executive director, in the statement.
FIDO is one of several bodies working on authentication under the auspices of groups such as GSMA, ETSI, 3GPP and the Trusted Computing Group. Each addresses the problem from a different perspective.
Apple not so Far Away
"The FIDO Alliance has come a long way in such a short time. It has taken other trade bodies and associations longer to have such a critical mass of global members and to develop and publish global specifications," says Don Tait, senior analyst for digital ID and IT security at IHS, in the Chip-to-Cloud Security Report - 2015.
FIDO has achieved a consensus and its remit is likely to be extended. Tait says that extensions to the FIDO 1.0 specification are nearing completion that incorporate NFC and Bluetooth connectivity into FIDO's coverage.
One exception from the list of FIDO backers is Apple. "Apple is not in the FIDO Alliance, but it is close to it with local biometric authentication in the TouchID," says Tait. He says some security also exists with the chip in the phone and the server. "Apple’s solution is not that far away from the FIDO Alliance," he says.
UAF and U2F
The FIDO 1.0 specifications fall into two categories: the so-called UAF password-less user authentication and U2F, which uses a second factor, such as a plug-in dongle, for authentication. The FIDO certified testing allows the use of a logo to tell customers and partners that a product is compliant. FIDO says that 31 implementers have already passed its certification and have products in the market.
With the 1.0 specification in the market, FIDO has also formed a working group to consider future requirements and to ensure interoperability among devices, clients and servers. The FIDO 2.0 technology working group is co-chaired by Anthony Nadalin of Microsoft and Sampath Srinivas of Google, according to FIDO.
Questions or comments on this story? Contact peter.clarke@ihs.com