Open authentication spec from FIDO Alliance moves beyond passwords

An open industry alliance released specs Tuesday that promise to secure online communications without passwords.

An open industry alliance of 150 members that includes many of the world's biggest vendors -- but notably, not Apple -- released specifications Tuesday that promise to secure online communications without using passwords.

The group, called the FIDO (Fast IDentity Online) Alliance, includes Microsoft, Google, PayPal, Bank of America, MasterCard and Visa. Also included are device manufacturers such as Dell, Samsung and BlackBerry, and even enterprises offering various services such as Aetna and Netflix.

Apple, with its iPhone 6 and iPhone 6 Plus smartphones, already deploys fingerprint scanning technology that is complemented by Near-Field Communications (NFC) technology for use in Apple Pay mobile payments.

But members of the FIDO Alliance said they are interested in expanding use of various biometric sensing technologies, like fingerprint scans, and would use portable hardware tokens and perhaps other approaches for authenticating users for payments and other purposes. Such approaches would go beyond Apple products to be used with Android and other platforms on a variety of browsers and devices.

The new specifications are not protected by FIDO member patents, meaning that members and non-members, including Apple, are free to deploy solutions using the specs. The final 1.0 draft specs are called the Universal Authentication Framework and the Universal 2nd Factor. FIDO is also working on extensions to them that incorporate NFC and Bluetooth capabilities.

One of the founding members of FIDO, Nok Nok Labs, said it has already deployed software called the S3 Authentication Suite and announced support of the FIDO UAF standard in a server that will ship to some customers in December. The suite is already being used by PayPal and Alipay of China, and both have been processing payments using fingerprint sensor authentication based on Nok Nok's technology.

Nok Nok has also provided multifactor authentication clients on recent Samsung Galaxy smartphones and tablets. The company now has 18 major pilots with other companies that use its server or client technology.

Nok Nok CEO Phillip Dunkelberger said conventional authentication failures have resulted in massive, costly breaches, like those at Target and Home Depot, which makes industry-wide acceptance of newer technologies a necessity.

In an interview, Dunkelberger called the FIDO standards a "watershed" for security and privacy.

Nok Nok is one of the smallest companies in the FIDO Alliance and has just over 50 employees, Dunkelberger said. He said Nok Nok servers are highly scalable for use by millions of users such as the 620 million customers in Alipay. Pricing for Nok Nok's server products can be as little as 5 cents to 20 cents per user, per year for companies serving 30,000 to 50,000 end users, he said.


Stories by Matt Hamblen
