Multifactor authentication from FIDO
Watchdog
Open and Interoperable
Imagine, if you will, that the early Internet had been built on closed, proprietary technologies that did not interoperate. In nearly every case such closed, non-standardized technologies have failed or gained only meager adoption. Why? Open standards and technologies have economic benefits. The Internet is very much predicated on open technologies and standards, and anyone with a basic understanding of its underpinnings must acknowledge that the vast majority of it would not exist without open standards and open source.
Brett McDowell, Executive Director of the FIDO Alliance, stated it succinctly in a recent interview: "There is simply no other plausible way to solve an Internet-scale problem other than open standards. It is entirely untenable to presume all the world's devices and Internet services are going to adopt a single authentication product from a single company."
He added: "Since FIDO itself doesn't define how to perform the device-side user identification, but rather performs the function to securely connect those devices to any Internet service or web site that can 'speak' the protocol, FIDO standards actually drive market demand for innovations and competition for the best products and methods in that arena, e.g. fingerprint or voice recognition, motion, gestures, etc."
FIDO is a natural extension of this powerfully successful open model and will open up innovation in this much-needed space. It changes the economics of authentication by focusing on interoperability and openness. FIDO also means real-world deployment and testing, which can only mean gradual improvement of the open standard.
Many Technologies/Many Options
The many members of the alliance are opening multifactor authentication up to innumerable options. With technology ranging from biometrics (fingerprint, iris, voice, and facial recognition), hardware tokens, Trusted Platform Modules (TPMs), embedded secure elements (eSEs), and smartcards to Bluetooth Low Energy (BLE) devices or even your smartphone, you can now deploy two-factor authentication.
This full range of authentication technologies across multiple services and devices means an interoperable infrastructure that can apply the multifactor technology of today and tomorrow. FIDO is designed to complement, not replace, existing identity federation standards such as OpenID and SAML: FIDO handles the authentication event itself, and the federation protocol carries the result to other services. The FIDO Alliance offers opportunities for improving the security of end consumers and enterprise IT alike. Next, I'll explore the two basic FIDO protocols, U2F and UAF.
U2F vs. UAF
The FIDO protocols U2F and UAF cover a variety of use cases and configurations. Based on public key cryptography, they avoid the cost and complexity of a traditional public key infrastructure deployment: each registration creates a key pair that is specific to one service, and only the public key leaves the device, so no user certificates have to be issued or managed. The two protocols offer very different user experiences.
The UAF (Universal Authentication Framework) protocol delivers the passwordless experience: the user registers a FIDO Ready device with an online service using a local authentication mechanism such as a fingerprint, facial or voice recognition, or a PIN. The passwordless user experience (UX) is shown in Figure 1.
UAF lets online providers configure the user experience they want: a service can require the local biometric alone or a biometric plus PIN combination. Once a device is registered, the user authenticates simply by presenting the registered mechanism, without any further complexity. This is considerably stronger than a single-factor password, because the service stores only a public key and no shared secret that could be stolen and reused.
The U2F (Universal Second Factor) protocol adds strong second-factor authentication to online services. These services can keep their user name and password but augment them with another factor, such as a USB token or a near-field communication (NFC)-capable device. Users register the second factor with the online service once. When authenticating, they present the registered device by plugging in the USB token, tapping the NFC device, or using other FIDO Ready hardware. U2F is shown in Figure 2.
Browsers will build in support for a variety of U2F transports, enabling the protocol with a myriad of FIDO Ready MFA devices.
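To make the U2F exchange of Figure 2 concrete, the following is an added example, not code from this article or from the FIDO Alliance, that simulates both sides of a U2F registration and authentication in Go using only the standard library: a token that holds one P-256 key pair per registered origin plus a signature counter, and a relying party that issues challenges and verifies responses. The type and function names, the app ID `https://accounts.example.com`, and the key-handle scheme are this example's own assumptions; attestation certificates and the browser's client-data hashing are simplified, as the comments note. The same register-once, sign-a-fresh-challenge-per-login pattern underlies UAF as well, where local user verification (fingerprint, PIN) takes the place of the button press.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Authenticator models a U2F token: per-registration P-256 keys plus a signature counter.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // keyed by appParam || keyHandle
	counter uint32
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a key pair for appParam (SHA-256 of the relying party's app ID) and returns an
// opaque key handle plus the public key. Keying the store by appParam+handle ties the handle to
// one origin, as a real token does by encoding that binding inside the handle (attestation omitted).
func (a *Authenticator) Register(appParam [32]byte) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	handle := make([]byte, 32)
	if _, err = rand.Read(handle); err != nil {
		return nil, nil, err
	}
	a.keys[string(appParam[:])+string(handle)] = priv
	return handle, &priv.PublicKey, nil
}

// Authenticate signs the U2F payload appParam(32) || userPresence(1) || counter(4, big-endian)
// || challengeParam(32). The button press that sets the presence byte is assumed here.
func (a *Authenticator) Authenticate(appParam [32]byte, handle []byte, challengeParam [32]byte) ([]byte, uint32, error) {
	priv, ok := a.keys[string(appParam[:])+string(handle)]
	if !ok {
		return nil, 0, errors.New("token: key handle not registered for this app ID")
	}
	a.counter++
	digest := sha256.Sum256(signedPayload(appParam, a.counter, challengeParam))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, a.counter, err
}

func signedPayload(appParam [32]byte, counter uint32, challengeParam [32]byte) []byte {
	buf := append(append([]byte{}, appParam[:]...), 0x01) // 0x01: user present
	buf = binary.BigEndian.AppendUint32(buf, counter)
	return append(buf, challengeParam[:]...)
}

// ChallengeParam is what the client hands the token; real U2F hashes the full client data
// (challenge, origin, type), this toy only the challenge bytes.
func ChallengeParam(challenge []byte) [32]byte { return sha256.Sum256(challenge) }

// RelyingParty is the server: its application parameter, registered keys, last accepted counters.
type RelyingParty struct {
	AppParam [32]byte
	pubs     map[string]*ecdsa.PublicKey
	counters map[string]uint32
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppParam: sha256.Sum256([]byte(appID)), pubs: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
}

// AddDevice stores the public key returned by a successful registration.
func (rp *RelyingParty) AddDevice(handle []byte, pub *ecdsa.PublicKey) { rp.pubs[string(handle)] = pub }

// Verify rebuilds the payload with its own AppParam, so a signature obtained under another
// origin cannot pass, and rejects a counter that did not advance (replay or cloned token).
func (rp *RelyingParty) Verify(handle, challenge, sig []byte, counter uint32) error {
	pub, ok := rp.pubs[string(handle)]
	if !ok {
		return errors.New("rp: unknown key handle")
	}
	if counter <= rp.counters[string(handle)] {
		return errors.New("rp: counter did not increase (replay or cloned token)")
	}
	digest := sha256.Sum256(signedPayload(rp.AppParam, counter, ChallengeParam(challenge)))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("rp: signature invalid")
	}
	rp.counters[string(handle)] = counter
	return nil
}

// Login runs one full round: fresh challenge, token signature, RP verification.
func Login(rp *RelyingParty, auth *Authenticator, handle []byte) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, counter, err := auth.Authenticate(rp.AppParam, handle, ChallengeParam(challenge))
	if err != nil {
		return err
	}
	return rp.Verify(handle, challenge, sig, counter)
}
```

Three checks carry the security argument. The token only signs under the application parameter a handle was registered with, so a look-alike origin (for example `https://accounts.examp1e.com`) cannot even obtain a signature; the relying party rebuilds the signed payload from its own application parameter and a fresh challenge, so a response captured elsewhere does not verify; and the counter must strictly increase, which exposes a replayed response and, over time, a cloned token. To exercise it, register once with `Register` and `AddDevice`, call `Login` a few times, then submit one captured response to `Verify` twice and watch the second call fail.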