FIDO Members Take a Major Step to Eliminate Passwords
Rallying its members to wipe out passwords, the Faster IDentity Online Alliance an organization of more than 150 payments and technology businesses released standards Dec. 9 for multi-factor e-commerce authentication.
The FIDO Alliance has set 1.0 specifications for what it calls Universal Second Factor [U2F] and Universal Authentication Framework [UAF]. The major benefit of FIDO 1.0 is the option for e-commerce merchants to add second authentication factors, such as biometrics, through a UAF server.
FIDO's board members include Alibaba, Discover, Google, MasterCard, Microsoft, PayPal and Visa.
The release of the FIDO specifications is a "notable milestone" in transaction security and network access authorization, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group. "The useful days of username/password as an authenticator are far behind us."
E-commerce merchants in particular are facing a heightened risk of account takeover fraud, Conroy added. "To the extent the industry can work together to make security both more effective while not bringing extra friction to the process, that will benefit all players in the ecosystem."
Nok Nok Labs, the Palo Alto, Calif.-based authentication technology provider that initiated the FIDO Alliance two years ago, is one of the first to announce its support of FIDO's operating standard, which enables the sale of FIDO-Certified technology as opposed to what has been labeled FIDO-Ready services.
"This is the dawn of the FIDO capability age and all of our hard work has led to this," said Phillip Dunkelberger, CEO of Nok Nok Labs. "We were all up to developing the new standard; now let's see if we're up to the rest of it in getting it deployed."
Nok Nok developed the UAF server that accepts all forms of authentication from fingerprint scans or facial or voice recognition, to heartbeat monitoring and PINs.
The server "tells the relaying parties' systems that it is a FIDO element in good standing and has never been breached, while storing the keys that are generated," Dunkelberger said.
South Africa- and Atlanta-based Entersekt, another transaction authentication provider and FIDO Alliance member, will provide U2F-enabled authentication to banks through its Transakt app using the new specifications.
Entersekt developed a USB bridge installed on a user's computer, allowing a browser to connect with the FIDO U2F-enabled Transakt app on their phone. Rather than requiring one-time-passwords or hardware tokens, Transakt prompts users to tap "accept" or "reject" on a mobile device's screen to authenticate identity when conducting a transaction.
"With the traditional one-time password serving as nothing more than a Band-Aid for protecting users from increasing instances of fraud, we fully support the newly-introduced guidelines from the FIDO Alliance in order to combat advanced fraud attacks," Christiaan Brand, chief technology officer at Entersekt, said in a company announcement.
Other FIDO members also reaffirmed their commitment to secure authentication. PayPal, for example, supports FIDO-based fingerprint logins through its mobile app when operating on FIDO Ready devices such as the Samsung Galaxy S5.
"The world needs a simpler and more secure login method for online services and FIDO's open specifications help achieve this," Andy Steingruebl, PayPal's director of product and ecosystem security, said in a FIDO statement.
Ritu Favre, senior vice president and general manager of the biometrics product division at Synaptics, a FIDO founder, said his company has been eager to see its work with the alliance come to fruition.
"Expanding the value of client-based local authentication to online identity has been the dream," Favre said. "We are extremely excited to see it turn into reality with the U2F and UAF specification rollouts."
The advancement of official FIDO specifications will also help the fight against fraudsters trying to enter major retail networks through third-party vendor credentials, as occurred in both the Target and Home Depot breaches, Dunkelberger said.
"Now, companies can require third-party vendors to use FIDO-Certified multi-factor authentication, not just a username and password," Dunkelberger said. "Once a criminal steals a password, he can go phishing and assume that identity to install malware and steal card data."
The only thing a criminal could steal on the back end of a FIDO system would be a public key, Dunkelberger added. "They could not steal authentications for credit card data or authentications into systems."
FIDO plans to add members and expand upon its specifications in the future, Dunkelberger said.
MasterCard has already announced it was working with Visa to update 3D Secure for e-commerce next year, essentially eliminating passwords.
"The industry has come together to try to solve a major problem," Dunkelberger said of FIDO. "These companies gave their tech people to this project in addition to their full-time jobs and all of the tech teams have been big contributors to a great idea."