Web users rely on SSL (secure sockets layer) on a regular basis without having to know what it is, or even whether it is securing their transactions and data in the background. Without SSL there would have been no Internet banking, no e-commerce, no Internet revolution.

There are limits to the level of security offered by SSL; we can still be duped into linking to spoof sites. However, the due diligence of the authorities that issue SSL certificates increases our level of trust, so we feel confident enough to transact. But what about the other way around: how can providers of online services be confident that we are the users we say we are? Beyond checking basic login credentials, usually just a username and password, often they cannot.

Most agree that stronger authentication is needed, and there is a growing range of options. Mobile phones can be used to issue one-time passwords, and hardware tokens can be issued by service providers. The use of biometrics is becoming easier, and it is not just fingerprints (for which the availability of built-in readers is limited). Any biological or behavioural characteristic can potentially be used for identification, for example voice pattern recognition (most devices can now hear you via microphones) or face recognition (most devices can see you with cameras).

Standardizing the use of these means of authentication is the motivation behind a new prototype industry standard dubbed FIDO (fast ID online). Here is how FIDO works: you request a service and, as a session is established, the service seeks to authenticate you using a local credential. If you have the FIDO client installed, it asks for a means of authenticating you to the device you are using. This establishes a ‘key pair’: a private key that stays on the device and is unlocked by that local authentication, and a matching public key hosted on a server at the online service provider, against which the unlocked private key is used to authenticate. Each time you use a new device you go through the process again.

The key pair is a means of authentication for the service in question, for the user, on their current device. If the FIDO client (which is free) is not installed, weaker means of authentication can be fallen back on, or the service can insist that the FIDO client is installed. So, if the backers of FIDO succeed, over time service providers may see it become the dominant standard for secure authentication, just as SSL has for sharing data over the Internet.
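As an added illustration, not code from the original article or from the FIDO Alliance, the flow described in the two paragraphs above modelled in Go with only the standard library: the device-side authenticator holds the private key and releases it only after a local user verification (simulated here by a boolean), while the service stores the public key and accepts a login only when a fresh random challenge comes back signed by that key. The names Authenticator, RelyingParty and localVerified are assumptions of this toy model, not identifiers from the UAF specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the FIDO client on the device: the private key never leaves it and
// is usable only after local user verification (fingerprint, face, voice), a bool here.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// RelyingParty is the online service: one enrolled public key per user on this device.
type RelyingParty struct{ pubKeys map[string]*ecdsa.PublicKey }
func NewRelyingParty() *RelyingParty { return &RelyingParty{map[string]*ecdsa.PublicKey{}} }
var errNotVerified = errors.New("local user verification failed")
// Register is the first-use flow: verify locally, create a key pair, enrol only the public key.
func Register(rp *RelyingParty, user string, localVerified bool) (*Authenticator, error) {
	if !localVerified {
		return nil, errNotVerified
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}
// NewChallenge returns 32 fresh random bytes per login, so a captured signature cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// Sign unlocks the private key with a local verification and signs the server's challenge.
func (a *Authenticator) Sign(challenge []byte, localVerified bool) ([]byte, error) {
	if !localVerified {
		return nil, errNotVerified
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}
// Verify checks the signed challenge against the key enrolled for user on this device.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub := rp.pubKeys[user] // nil if this user never enrolled from this device
	h := sha256.Sum256(challenge)
	return pub != nil && ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Because each service holds its own public key, a signature produced for one service (or from one device) is meaningless to another, and a replayed signature fails against the next challenge.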

This is not an entirely new idea; for example, Entrust’s Identity Guard Platform, which can map 17 means of authentication to supporting services, and Symantec’s Validation and ID Protection (VIP) Service are both based on OATH (Open AuTHentication). OATH is a reference architecture that was primarily aimed at handling one-time passwords and uses several protocols depending on the means of authentication. FIDO is based on a different reference architecture, known as UAF (universal authentication framework): all you need is the FIDO client, regardless of the means of authentication. The biggest step change that FIDO introduces is the simplicity and ease of use on the device; all users need to know is how to create the credential (i.e. speak to the microphone, smile at the camera, etc.).

For a protocol to succeed it needs backers, and the FIDO Alliance already boasts 100 paying members. 17 of them are top-level board members paying $50K/annum. They include online service providers such as Microsoft and Google, payment providers including Discover, MasterCard and PayPal, device manufacturers such as Lenovo and Blackberry, and security companies such as EMC/RSA (which, amongst other things, supplies hardware tokens). Non-board-level ‘sponsors’ include a spectrum of vendors involved in identity and access management. Others that Quocirca has spoken to, which are watching with interest and may well join, include Symantec and ForgeRock. Further support has just emerged with the announcement of an agreement between FIDO and the Cloud Security Alliance (CSA).

Service providers want to be sure of who their users are, and for their users to feel confident in making easy and secure use of services. Security vendors want to be there if FIDO takes off; likewise device manufacturers, which may gain a short-term competitive advantage if they are FIDO enabled.

Nok Nok Labs is another board member not mentioned above. It has been the driving force behind FIDO. Whilst FIDO is intended to become a free-to-use, open standard (currently you have to be a FIDO member to get commercial implementation rights), Nok Nok hopes to be rewarded for its effort by providing off-the-shelf software for linking online services with users and establishing key pairs, simplifying the use of FIDO for providers of internet services who would otherwise have to build their own servers. Nok Nok also hopes to work with partners who could provide on-demand FIDO servers based on its technology.

A cartoonist once quipped, ‘on the Internet no one knows if you are a dog.’ If Nok Nok and its friends have their way, those days will seem even more distant as FIDO will be on guard making sure we all are who we say we are.
