Run, FIDO, Run: Alliance Works on Non-Proprietary Authentication

By TMCnet Special Guest
William Leddy
  |  April 29, 2013

The FIDO Alliance, formally established in July of 2012, has been working for more than 2 years developing the open FIDO standards – the first open industry standard for online authentication.

The goals of the FIDO Alliance are to define and promote protocols to enable a broad range of strong authentication options across all end user devices; enable stronger authentication and better user experience; support the international standardization of the FIDO protocols by a recognized standards body; work with existing standards not replace them; and make the protocol stack ubiquitously available on client devices.

Relying parties, system integrators and security providers have formed the FIDO Alliance (Fast IDentity Online) to revolutionize online authentication with an industry supported standards-based open protocol. FIDO Alliance founding member organizations Agnitio, Infineon Technologies (News - Alert), Lenovo, Nok Nok Labs, PayPal, and Validity are developing the specification and FIDO-compliant products. New members joining the alliance throughout 2013 will have access and input to the development of the FIDO specification.

FIDO standards will enable better security and convenience for users. Users will be able to pick the authentication token type that best suits their needs, and that single token can be used to access all their Internet accounts. Because the FIDO token will send a unique, one time passcode to the relying party instead of a password, passwords are not reused across unreliable websites.

FIDO standards will give large websites and web services an authentication solution that can scale both in terms of cost and manageability. This will enable web services with 10 or 100 million accounts to authenticate beyond passwords for all their users, not just selected subsets.

FIDO in the Marketplace

FIDO tokens can be simple non-spoofable identifiers or can be a user authentication token that uses a PIN, finger, voice, etc. FIDO tokens can be built into the user’s system like a finger scan or a chip on the motherboard, or can be portable across systems like a USB or SD card. Because the relying party will have a single protocol to dynamically discover and invoke all different FIDO device types, it will be possible to support all types without customization for any.

Authentication token vendors will have easier access to the broader Internet market instead of custom silo applications. In addition, token vendors will not need to build, deploy and support a complete software stack for their devices. Similarly, integrators will not need to deploy a custom software stack for each vendor since the FIDO stack will provide a common interface for all.

The open FIDO protocol should be relatively easy to add to a variety of chips in a PC, phone, TV box, game console, etc. In many cases a non-spoofable identifier will be sufficient to allow a relying party, like PayPal (News - Alert) or any website, to create a streamlined (no login) experience. For example, a $20 transaction from your TV set in your living room or your mobile phone should not require a password, unless you want that additional security. Similarly, imagine that the next thumb drive you buy could be FIDO enabled. This gives users a portable strong authentication option with a device they are likely to have anyway.


How It Works

FIDO raises security and enhances privacy. The user authenticates locally to the FIDO authenticator with PIN, finger, voice, etc. Only then will the FIDO authenticator release a unique identifier for the account that can only be validated by the requesting Internet site or service. The user’s PIN, password or biometric information is never sent across the network. A FIDO-enabled authenticator can store unique identifiers for many Internet accounts, so even if one account is compromised other accounts cannot be attacked using this information.

At the relying party, such as PayPal, the information from the authenticator is validated using cached information that has been provided by each token vendor. When new tokens are produced the token maker will store a secret in each token and provide information to validate the token to a FIDO repository. A local copy of this information will be cached at the relying party site and new additions will be made as token vendors make more tokens. Note that the validation process happens locally so there is no Internet delay or reduced potential for attack.

With identifying factors stored only locally within the device, hacking becomes too expensive, too time consuming, and doesn’t scale. Among the challenges, hackers would need physical access to an individual’s device, as the hack would have to be done on premises, on the device itself. The victim of such an attack would be a very high value target, not one among the general masses of users. Hackers are very unlikely to proceed with such a high level of challenge and more likely to move on to easier targets.

Also, the compromise of any one token will not help attackers to compromise other tokens, because each token has its own unique secret. Similarly, the compromise of one relying party will not help attackers to compromise other relying parties because each relying party will store a unique identifier in the user’s token. 

What’s Next

The FIDO draft requirements were expected to be ready to share with prospective members in the near future with the FIDO Reference Architecture 1.0 planned in February of 2013 (before press time of this magazine). Protocol and compliance specifications work was under way, with public access to be available in the second half of FY 2013. Based on this schedule, FIDO -ompliant products could be available in the marketplace beginning 2014.

William Leddy, PayPal’s principle security strategist, is vice chair of the FIDO Alliance Marketing Working Group (

Edited by Stefania Viscusi