CybersecurityFIDO 1.0 specifications published aiming to promote stronger authentication

The FIDO (Fast IDentity Online) Alliance, an open industry consortium promoting standards for simpler, stronger authentication, the other day published final 1.0 drafts of its two specifications — Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F).

Members of the FIDO Alliance comprise device manufacturers, online service providers, and enterprises, which can now implement and commercialize FIDO 1.0 specifications to make authentication simpler and stronger for all.

“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” said Michael Barrett, president of the FIDO Alliance. “FIDO Alliance pioneers can forever lay claim to ushering in the ‘post password’ era, which is already revealing new dimensions in Internet services and digital commerce.”

The FIDO Alliance notes that according to Verizon’s Data Breach Investigations Report, weak or stolen login credentials were a factor in more than 76 percent of the breaches analyzed. Along with Verizon, Ponemon Research, and PwC report that the volume and severity of data breaches is continuing to rise, with centralized datasets of personal and sensitive information being the most targeted and the most vulnerable to scaled attacks. Responding to the risk and loss perpetuated by prevailing password systems, FIDO specifications define an open, scalable, interoperable set of strong authentication mechanisms that reduce the reliance on single­factor username and password login.

The specifications outline a new standard for devices, servers, and client software, including browsers, browser plugins, and native app subsystems. Any Web site or cloud application can interface with a broad variety of existing and future FIDO­enabled authenticators, ranging from biometrics to hardware tokens, to be used by consumers, enterprises, service providers, governments, and organizations of all types.

The Alliance says that keeping with its mission, both specifications are unencumbered by FIDO member patents. Members are free to implement and market solutions around FIDO­enabled strong authentication, and non­members are free to deploy those solutions. As previously announced, current implementations available in the market include those from Nok Nok Labs, Synaptics, Alibaba, PayPal, Samsung, Google, Yubico, and Plug­Up.

While the core 1.0 specifications are final, the FIDO Alliance says it is nearing completion of extensions that will incorporate Near Field Communications (NFC) and Bluetooth into the range of FIDO capabilities. Continuing evolution of the specifications based on new requirements and/or deployment experience will help ensure ongoing alignment of FIDO standards with demands in the consumer devices, online services and enterprise markets.

“The fact that the FIDO Alliance was able to develop complete specifications so quickly and with such broad support is evidence that they are tackling a pervasive industry pain point,” said Steve Wilson, Vice President and Principal Consultant at Constellation Research. “No consortium in the identity management (IdM) industry has every grown so fast, with such strong representation from the technology buy side. What’s most impressive is the FIDO Alliance’s focus on the authentication plumbing. The protocols enable trusted client devices to trade just the right data about their users. FIDO specifications aren’t tangled up in messy identity policy decisions. It’s an elegant breakthrough, and, going forward, it should drive a lot of the classic complexity out of the IdM space.”

“Our members’ determination, cooperation and tireless perseverance have delivered this landmark accomplishment in less than two years from announcing the FIDO Alliance and its goal to develop industry open standards for interoperable, privacy­respecting strong authentication,” said Brett McDowell, executive director of the FIDO Alliance. “I applaud and congratulate the members of the FIDO Alliance on these accomplishments, and look forward to our continued collective effort to bring FIDO­enabled experiences to the global marketplace in 2015 and beyond.”