FIDO Standard Aims To Eliminate Passwords

An industry consortium that aims to establish online standards for two-factor and biometric authentication has released the first draft of its technical specifications.

The Fast Identity Online (FIDO) Alliance published a draft of its technical document on 11 February to allow nonmember companies to check out the specifications and develop products without actually joining the alliance.

Exchanging of authentication information

The FIDO Alliance aims to establish a common way for products and service providers to exchange authentication information, allowing customers to use a smartphone, USB token or some other device as security token.

If developers widely adopt the specification, it could allow consumers and workers to reduce their reliance on passwords, Phil Dunkelberger, chief executive of Nok Nok Labs, an authentication provider and a founding member of the FIDO Alliance, told eWEEK. A biometric, such as a picture or a thumbprint, could be used instead of a username-password combination, or a device or code could be added to a username and password to make the combination more secure.

“The specification is designed to allow you to use whatever you have in your hand as a second factor of authentication,” Dunkelberger said. “It allows you to use something you already have without forcing you to use something new.”

The open specification calls for two methods of improving authentication for users online. The first, known as the universal second factor (U2F), lets a service provider give users the ability to use any device, token or passcode generator as a second factor to strengthen authentication. The second method, known as the universal authentication framework (UAF), gives users the ability to register their device and use a biometric or other method to log into a web service.

Partner support

With either of the techniques, the collaboration among services and security firms promises to weaken online providers’ reliance on usernames and passwords, according to member companies.

“It is incumbent upon enterprise IT to begin moving away from the world of basic username/password authentication, and we are excited to join the FIDO Alliance in shaping the future of strong authentication,” said Mike D. Kail, vice president of IT Operations with Netflix, which recently joined the alliance.

Companies have already begun supporting the specification. Nok Nok Labs, a founding member of FIDO Alliance, announced the release of a server and desktop and mobile clients that allow a customer to use their mobile device or another computer to log into a service. The service provider can specify the strength of the authentication and support new and innovative forms of identity verification, Dunkelberger said.

Nok Nok estimates that between 200 million and 400 million users could be using this new authentication framework within the next 18 months. Because the specification calls for service providers to store authentication keys rather than passwords, the FIDO specification would limit the damage if a supporting online service was compromised.

Do you know all about Edward Snowden And the NSA? Take our quiz.

Originally published on eWeek.