Better authentication: Go get ’em, FIDO

Only a handful of industry associations accomplish what they set out to do. In the security realm, I’ve always been a huge fan of the Trusted Computing Group. It’s one of the few vendor organizations that truly makes computers more secure in a holistic manner.

The Fast Identity Online (FIDO) Alliance is another group with lots of vendor participation that’s making headway in computer security. Formed in 2012, FIDO focuses on strong authentication, moving the online world past less secure password logons and emphasizing safer browsers and security devices when accessing websites, web services, and cloud offerings. Its mission statement includes the words “open standards,” “interoperable,” and “scalable” — and the organization is actually doing it. Better, FIDO wants to do this in a way that’s so easy, users actually want to use the methods and devices.

All FIDO authentication methods use public/private key cryptography, which makes them highly resistant to credential phishing and man-in-the-middle attacks. Currently, FIDO has two authentication-specification mechanisms: Universal Authentication Framework (UAF), a “passwordless” method, and Universal Second Factor (U2F), a two-factor authentication (2FA) method. The last method may involve a password, which can be noncomplex, because the additional factor ensures the overall strength. FIDO authentication must be supported by your device or browser, along with the authenticating site or service.

With UAF, the user registers their device with the participating site or service and chooses to implement an authentication factor, such as PIN or biometric ID. When connecting to the site or service, or conducting a transaction that requires strong authentication, the device performs local authentication (verifying the PIN or biometric identity) and passes along the success or failure to the remote site or service. With U2F, an additional security device (a cellphone, USB dongle, or so on) is used as the second factor after the password or PIN has been provided.

The public/private key cryptography used behind the scenes is very reminiscent of TLS negotiations. Both the server and the client have a private/public key pair, and they only share the public key with each other to facilitate authentication over a protected transmission method. The web server’s public key is used to send randomly created “challenge” information back and forth between the server and client. The client’s private key never leaves the client device and can be used only when the user physically interacts with the device.

FIDO authentication goes much further than traditional TLS. It links “registered” devices to their users and those devices to the eventual websites or services. Traditional TLS only guarantees server authentication to the client. One authentication device can be linked to many (or all) websites and services. A nice graphical overview of the FIDO authentication process can be found here.

Google Security Keys

Google recently touted the success of its physical, FIDO-enabled “Security Keys” in a new whitepaper. Google’s Security Keys are supported in the Chrome browser (using JavaScript APIs) and by Google’s online services.

Several vendors make the physical, tamperproof Security Keys. The versions touted in the paper are small, USB-enabled dongles with touch-sensitive capacitors that act as the second factor. Each dongle has a unique device ID, which is registered to the user on each participating website. The public cryptography is Elliptical Curve Cryptography (ECC), with 256-bit keys (aka ECDSA_P256) and SHA-256 for signing.

Google tested its Security Keys by giving them to more than 50,000 employees and made them an option for Google online service customers. Google’s results? Zero successful phishing, faster authentication, and lower support costs—can’t beat that. The only negative was the one-time purchase cost of the devices, although Google says consumers should be able to buy Security Key devices for as little as $6 each. That’s not bad for greater peace of mind.

FIDO updates

FIDO recently announced the 1.1 version of its specification. It includes support for Bluetooth Low Energy, smartcards, and near-field communications (NFC). FIDO authentication can already be used by more than 1.5 billion user accounts, including through Dropbox, GitHub, PayPal, Bank of America, NTT DoCoMo, and Salesforce. Six of the top 10 mobile handset vendors already support FIDO, at least on some devices; mobile wallet vendors say they will participate as well.

The 2.0 version of the FIDO specification is already in the works. FIDO 2.0 is partitioned into two parts: the Web Authentication Spec, which is now in the W3C Web Authentication working group; and the remaining parts, including remote device authentication—which should allow you, for example, to unlock your workstation with your cellphone.

Reducing the use of stolen credentials takes a big bite out of online crime. I can only hope that the web continues to adopt the FIDO authentication standards as fast as possible. After years of previous attempts at similar initiatives, this one looks posed for broad success.