Security standards always seem to languish in committee, but the FIDO Alliance breaks the mold, rolling out new, usable authentication systems at a rapid clip.

Only a handful of industry associations accomplish what they set out to do. In the security realm, I’ve always been a huge fan of the Trusted Computing Group. It’s one of the few vendor organizations that truly makes computers more secure in a holistic manner.

The Fast Identity Online (FIDO) Alliance is another group with lots of vendor participation that’s making headway in computer security. Formed in 2012, FIDO focuses on strong authentication, moving the online world past less secure password logons and emphasizing safer browsers and security devices when accessing websites, web services, and cloud offerings. Its mission statement includes the words “open standards,” “interoperable,” and “scalable” — and the organization is actually doing it. Better, FIDO wants to do this in a way that’s so easy, users actually want to use the methods and devices.

All FIDO authentication methods use public/private key cryptography, which makes them highly resistant to credential phishing and man-in-the-middle attacks. Currently, FIDO has two authentication-specification mechanisms: Universal Authentication Framework (UAF), a “passwordless” method, and Universal Second Factor (U2F), a two-factor authentication (2FA) method. The latter may involve a password, which can be noncomplex, because the additional factor ensures the overall strength. FIDO authentication must be supported by your device or browser, along with the authenticating site or service. With UAF, the user registers their device with the participating site or service and chooses an authentication factor, such as a PIN or biometric ID.
When connecting to the site or service, or conducting a transaction that requires strong authentication, the device performs local authentication (verifying the PIN or biometric identity) and passes along the success or failure to the remote site or service. With U2F, an additional security device (a cellphone, USB dongle, and so on) is used as the second factor after the password or PIN has been provided.

The public/private key cryptography used behind the scenes is very reminiscent of TLS negotiations. Both the server and the client have a private/public key pair, and they share only the public key with each other to facilitate authentication over a protected transmission method. The web server’s public key is used to send randomly created “challenge” information back and forth between the server and client. The client’s private key never leaves the client device and can be used only when the user physically interacts with the device.

FIDO authentication goes much further than traditional TLS. It links “registered” devices to their users, and those devices to the eventual websites or services. Traditional TLS guarantees only server authentication to the client. One authentication device can be linked to many (or all) websites and services. A nice graphical overview of the FIDO authentication process can be found here.

Google Security Keys

Google recently touted the success of its physical, FIDO-enabled “Security Keys” in a new whitepaper. Google’s Security Keys are supported in the Chrome browser (using JavaScript APIs) and by Google’s online services.

Several vendors make the physical, tamperproof Security Keys. The versions touted in the paper are small, USB-enabled dongles with touch-sensitive capacitors that act as the second factor. Each dongle has a unique device ID, which is registered to the user on each participating website.
The public-key cryptography is Elliptic Curve Cryptography (ECC), with 256-bit keys (aka ECDSA_P256) and SHA-256 for signing.

Google tested its Security Keys by giving them to more than 50,000 employees and made them an option for Google online service customers. Google’s results? Zero successful phishing, faster authentication, and lower support costs—can’t beat that. The only negative was the one-time purchase cost of the devices, although Google says consumers should be able to buy Security Key devices for as little as $6 each. That’s not bad for greater peace of mind.

FIDO updates

FIDO recently announced the 1.1 version of its specification. It includes support for Bluetooth Low Energy, smartcards, and near-field communications (NFC). FIDO authentication can already be used by more than 1.5 billion user accounts, including through Dropbox, GitHub, PayPal, Bank of America, NTT DoCoMo, and Salesforce. Six of the top 10 mobile handset vendors already support FIDO, at least on some devices; mobile wallet vendors say they will participate as well.

The 2.0 version of the FIDO specification is already in the works. FIDO 2.0 is partitioned into two parts: the Web Authentication Spec, which is now in the W3C Web Authentication working group; and the remaining parts, including remote device authentication—which should allow you, for example, to unlock your workstation with your cellphone.

Reducing the use of stolen credentials takes a big bite out of online crime. I can only hope that the web continues to adopt the FIDO authentication standards as fast as possible. After years of previous attempts at similar initiatives, this one looks poised for broad success.