New standard for simpler, stronger online authentication

Passwords have had their day. With so many to remember for each application that we access and each device that we use, the majority of users resort to insecure practices in order to remember them. Even when we do remember them, exploits such as keyloggers can be used to trace and subvert them. Passwords are almost universally acknowledged as not being sufficiently secure to guard against the threats that we face today.

Some time ago, back in the 1990s, it was originally envisioned that public key cryptography technology would provide the answer for a more secure authentication mechanism than passwords. However, commercial implementations of public key cryptography proved to be costly, complex to deploy and difficult to use. Although in use, that use is limited to a few applications and markets. Strong multifactor mechanisms were touted as an alternative and have come into widespread use. However, they are not based on common standards, are often used just for specific applications and are not ideally suited for use in the online world.

The Fast Identity Online (FIDO) Alliance was launched in early 2013 to address the problems of too many passwords and lack of interoperability among existing strong authentication devices. It has developed a new standard for authentication based on a device-centric model in which users register to a server via their device using the private key that it holds. Based on public key cryptography, this standard has enormous potential to finally solve the password conundrum in a cost-effective, usable and secure manner that safeguards user privacy. Public key cryptography can finally come of age.

Almost all devices have mechanisms that can be leveraged, including embedded secure elements, which are defined by GlobalPlatform as tamper-resistant platforms that are capable of securely hosting applications and confidential cryptographic data and that control interactions in a secure manner. Smart card vendor association, Eurosmart, predicts that shipments of secure elements for near field communications devices will grow by 64% in 2014 to reach 435 million units, many of which will be embedded chips for smartphones. The new standard will also be used in trusted platform modules, USB tokens and smart cards. The standard will also be capable of supporting a range of authentication technologies, including all sorts of biometrics. Interest in the use of fingerprint biometrics, in particular, is being driven by the growth of the inclusion of fingerprint readers in smartphones.

The raison d’être behind the new FIDO standard is to provide a simpler, stronger means of online authentication supporting any device, any application and any authenticator. Since the launch of the FIDO alliance in early 2013, it has fast expanded beyond its six founder members and currently counts some 80 organisations as members, including device manufacturers, operating system and browser manufacturers, authentication vendors, payment services providers and technology giants.

According to one of the founding members of the FIDO alliance, Nok Nok Labs, this new standard not only provides secure and strong authentication for current and legacy authentication solutions, as well as existing devices, but will also help to provide security that will drive take-up of new technology innovations to ensure their rapid growth and widespread usage. It will do this by enabling end-to-end trust across the internet and inter-connected networks of devices. It will provide added impetus to the growth of cloud, mobile and ecommerce markets by providing a universal authentication mechanism that is highly secure, cost-effective and simple to use. According to CEO Phil Dunkelberger, ubiquitous use of cloud models and the promise of universal connectivity offered by the Internet of Things will never become a reality unless we fix the online authentication problem. This new standard will do much to ensure that that promise can become a reality.