Open authentication spec from FIDO Alliance moves beyond passwords

09.12.2014
An open industry alliance of 150 members that includes many of the world's biggest vendors -- but notably, not Apple -- released specifications Tuesday that promise to secure online communications without using passwords.

The group, called the FIDO (Fast IDentity Online) Alliance, includes Microsoft, Google, PayPal, Bank of America, MasterCard and Visa. Also included are device manufacturers such as Dell, Samsung and BlackBerry, and even enterprises offering various services such as Aetna and Netflix.

Apple, with its iPhone 6 and iPhone 6 Plus smartphones, already deploys fingerprint scanning technology that is complemented by Near-Field Communications (NFC) technology for use in Apple Pay mobile payments.

But members of the FIDO Alliance said they are interested in expanding use of various biometric sensing technologies, like fingerprint scans, and would use portable hardware tokens and perhaps other approaches for authenticating users for payments and other purposes. Such approaches would go beyond Apple products to be used with Android and other platforms on a variety of browsers and devices.

The new specifications are not protected by FIDO member patents, meaning that members and non-members, including Apple, are free to deploy solutions using the specs. The final 1.0 draft specs are called the Universal Authentication Framework and the Universal 2nd Factor. FIDO is also working on extensions to them that incorporate NFC and Bluetooth capabilities.

One of the founding members of FIDO, Nok Nok Labs, said it has already deployed software called the S3 Authentication Suite and announced support of the FIDO UAF standard in a server that will ship to some customers in December. The suite is already being used by PayPal and Alipay of China, and both have been processing payments using fingerprint sensor authentication based on Nok Nok's technology.

Nok Nok has also provided multifactor authentication clients on recent Samsung Galaxy smartphones and tablets. The company now has 18 major pilots with other companies that use its server or client technology.

Nok Nok CEO Phillip Dunkelberger said conventional authentication failures have resulted in massive, costly breaches, like those at Target and Home Depot, which makes industry-wide acceptance of newer technologies a necessity.

In an interview, Dunkelberger called the FIDO standards a "watershed" for security and privacy.

Nok Nok is one of the smallest companies in the FIDO Alliance and has just over 50 employees, Dunkelberger said. He said Nok Nok servers are highly scalable for use by millions of users, such as the 620 million customers in Alipay. Pricing for Nok Nok's server products can be as little as 5 cents to 20 cents per user, per year for companies serving 30,000 to 50,000 end users, he said.

(www.computerworld.com)

Matt Hamblen