By Tobias Manolo
Last week, the Fast IDentity Online (Fido) Alliance – an open industry consortium that delivers standards for stronger, simpler authentication – released draft technical specifications for a new authentication protocol, the Online Security Transaction Protocol (OSTP), which could potentially lead to the elimination of password use. The protocol has been developed with companies in mind, to help them perform multi-factor identity checks using alternatives that don’t require passwords, including TPMs (Trusted Platform Modules), biometrics, eSEs (embedded secure elements), smart cards and USB security tokens.
Forrester Research has reported that password breaches in the online services industry have resulted in $200bn in annual losses, a figure backed up by the Verizon 2013 Network Investigations Data Breach Report, which states that 76% of network breaches exploit stolen or weak credentials.
Most online users don’t want to deal with multiple passwords and usually opt to use just one password for several accounts; each of those accounts is therefore only as secure as the least secure service provider’s security measures! Online businesses, for their part, are suffering due to forgotten passwords, cyber-fraud, criminals stealing credentials and user lockouts.
The proposed Fido specifications have been designed to be extensible, to allow for future innovation and to protect existing authentication technologies. They allow online services to perform device-specific authentication inside an interoperable infrastructure, so that users and service providers are given a choice of authentication methods. This can also be federated via existing industry standards such as SAML and OpenID.
Michael Barrett, CISO at PayPal and president of the Fido Alliance, said: “With the public release of the review draft specifications, we especially welcome and anticipate new types of members coming from various enterprises.”
The Fido specifications are separated into two categories – UAF and U2F – so that they can accommodate a wide range of security scenarios.
The UAF (Universal Authentication Framework) category is the passwordless option. Users register their device with an online service by choosing a local authentication mechanism, e.g. a fingerprint, the microphone or a PIN, and once registered they simply repeat that local authentication whenever they need to authenticate to the service from that device, without ever entering a password.
The U2F (Universal Second Factor) protocol allows online services to augment the security of an existing password infrastructure by adding a second, strong factor to the user’s login. The second factor is presented by the user at registration and at authentication of the device, simply by pressing a button on a USB device or tapping over NFC. Users log in as normal with a username and password, but the second factor allows the service to simplify its passwords, e.g. down to a 4-digit PIN, without compromising security. The Fido U2F-enabled device can then be used across a range of online services, as long as they support the protocol, using built-in support found in web browsers.
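To make the U2F registration and "press the button" login concrete, here is an added example in Go; it is not the Fido Alliance's code and does not follow the draft specification's actual message format. It assumes the public-key design the published U2F specification uses (a per-service P-256 key pair kept on the token, a signature counter, and signatures bound to the service identity); the type names, the appID and the challenge values are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Authenticator models the U2F token (hypothetical model, not the spec's wire format).
type Authenticator struct{ priv *ecdsa.PrivateKey; counter uint32 }
// Registration is all the service stores: a public key and last counter, no shared secret.
type Registration struct{ Pub *ecdsa.PublicKey; Counter uint32 }

// Register is the one-time enrolment: the token mints a fresh P-256 key pair for this service.
func Register() (*Authenticator, *Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Registration{Pub: &priv.PublicKey}, nil
}

// signedData binds a response to the service (appID), the counter and the challenge.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	sum := sha256.Sum256(append(append(app[:], c[:]...), ch[:]...))
	return sum[:]
}

// Sign is the "press the button" step: the token bumps its counter and signs the challenge.
func (a *Authenticator) Sign(appID string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(appID, a.counter, challenge))
	return a.counter, sig, err
}

// Verify is the service's check: a valid signature over its own appID and challenge, and a
// counter that moved forward, so a replayed response or one from a cloned token is rejected.
func (r *Registration) Verify(appID string, challenge []byte, counter uint32, sig []byte) error {
	if counter <= r.Counter {
		return errors.New("counter did not advance")
	}
	if !ecdsa.VerifyASN1(r.Pub, signedData(appID, counter, challenge), sig) {
		return errors.New("bad signature")
	}
	r.Counter = counter
	return nil
}
```

Because the service holds only a public key, a breach of its user database yields nothing that lets an attacker log in, which is the property the article's breach statistics are about.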
The draft specifications have been released in order to build awareness and to encourage companies to adopt the new protocol and Fido-enabled authentication methods. Today, the majority of laptops incorporate fingerprint readers (I know mine does!), but how many people and/or companies actually use them as a method of authentication? Because it is a user-friendly method available on a range of devices, it is hoped that more companies will start to use it in the future as a more secure and easier means of identification.
Fido members expect that within the next 18 months around 200 to 400 million devices worldwide will incorporate the Fido software, and many Alliance members are already developing Fido Ready services and products around these draft specifications, including Nok Nok Labs, Go-Trust, Yubico, AGNITiO and NXP Semiconductors.