The FIDO Alliance takes a major step today towards its goal of making strong yet easy authentication ubiquitous.
The consortium has been working for nearly three years now on new authentication protocols which leverage the cryptographic capabilities of modern mobiles. The FIDO protocols UAF (passwordless) and U2F (a hardware second factor) allow users of compliant devices to be seamlessly authenticated by remote services, and, under the covers, the authenticator's attestation lets service providers verify a variety of vital statistics in real time: the state of the device being used, how it has been activated, the type of biometric that may have been used to unlock it, the device model, its certification standing, and so on. FIDO has taken the security world by storm, and has been taken up in rapid succession by PayPal, Alipay, Google, Microsoft, NTT DOCOMO and others, to deliver identity security and convenience at the same time, and for the first time at scale.
The FIDO Alliance has a breadth of participation across the “Relying Party” or technology buy-side that other identity consortia can only dream of. FIDO's financial services and e-commerce members include Aetna, Alibaba, American Express, Bank of America, Discover, E*trade, Goldman Sachs, ING, JP Morgan Chase, MasterCard, Netflix, PayPal, USAA and Visa.
Constellation Research has followed FIDO closely since its inception, producing a regular series of reports. An update is now imminent.
FIDO goes standard
The FIDO vision has always been to make strong authentication ubiquitous and standard. As such, the FIDO Alliance has long promised to transition its intellectual property into an open standards process. Today FIDO has taken this step, by submitting specifications to the World Wide Web Consortium (W3C) for approval as web standards.
For the announcements, see the FIDO press release, and W3C's take on FIDO authentication. And for technical detail, see FIDO 2.0: Web API for accessing FIDO 2.0 credentials.
What does it mean for web users?
The thing about FIDO is that, along with other security plumbing, it's helping make the user experience of identity management disappear.
Easy biometric authentication is becoming widespread in various devices, but the experience remains patchy, largely because the technologies aren't easy for service providers to make use of. The way things stand, each service needs to know the technical details of its end users' possible mobile phones, and then program specific connectors to call device-level security features. After all that effort, the security and privacy qualities of ad hoc biometric solutions are, from the outside, unknown. Biometrics are becoming increasingly important to life online, so vital indeed that we need to make sure they're handled with care. A badly integrated biometric is going to lead to worse problems than we have with passwords.
Thanks to FIDO, service providers can find out all they need to know about a user from the attested state of their device, without the hassle of passwords. Note that by being more precise about the attributes that matter in authentication, FIDO helps minimise extraneous personal data collection, and thus improves privacy in general.
Moreover, FIDO will standardize biometric and other device-based security methods. FIDO compliance signifies that hardware-based security and privacy benchmarks have been met: the biometric match happens on the device, and the service only ever holds a public key, so you can be assured your biometric template is not going to get exposed to a hacker, or leave the device for a database where it might get lost in a breach. Once individuals register their FIDO compliant devices with the services they use, access to those services becomes seamless, yet more secure than ever against ID theft, phishing (the signed response is bound to the site's origin, so a look-alike site cannot reuse it) and interception.
Now, the additional power of W3C standardization is going to mean that FIDO authentication will become automatically available to website developers.
Analysis
In time, all websites are going to be able to invoke strong authentication natively, by accessing FIDO credentials in end-user devices via regular browser script in any W3C compliant browser. Technical APIs will be pushed further down the programming stack, so website developers need not worry about authentication technology; in their high level code they will be able to invoke a powerful suite of standard identity management functions.
Assuming the committee process runs its course, W3C standardization will make FIDO’s style of strong authentication essentially ubiquitous, as per the vision of its founders.
This latest step validates both the FIDO vision and its business model. FIDO rewards early adopters participating in the consortium, by giving members first access to draft protocols while under development (and still proprietary), and then moves those specifications in an orderly manner into an open standards process. Thus FIDO will likely shift the whole digital identity ecosystem over time.
Steve Wilson's latest report, FIDO to be The Standard will be out soon.