Can FIDO Save Our Online Security?
This post discusses online security and the efforts of the FIDO Alliance to eliminate the password.
It’s no surprise, given the constant news headlines about breaches, that online security today is inadequate. Massive breaches once shocked us; now they are commonplace, everyday events. Here are but a few of the biggest online security breaches to refresh your memory, along with the number of users affected according to Information Is Beautiful:
- Ebay – 145M
- Heartland Payment Processor – 130M
- US Military – 76M
- Sony PSN – 160M
- Health Insurer Anthem – 80M
- Home Depot – 56M
- JP Morgan Chase – 76M
- Target – 70M
- TJ MAXX – 94M …
What is the main reason for so many massive breaches? Because it’s easy, and the main culprit is the password.
The outdated scheme of protecting a web site with a username and password is obsolete. The main problem is that the site must store all the passwords on its servers in order to authenticate users. Even with encryption, passwords are quite vulnerable to cracking now that processing power is nearly unlimited. For greater detail on this, see Your Password is too damn short on codinghorror.com, which does an excellent job of breaking down the technical details of passwords and their weaknesses. The short of it is that unless the password is very long, you’re toast in minutes. That makes a password manager a no-brainer, so you don’t have to type or remember a long password at all.
So what is the solution to improving online security? Eliminate the password. While it may sound undoable, it’s already underway and the FIDO Alliance is leading the charge.
FIDO stands for Fast IDentity Online. The FIDO Alliance brings together many of the world’s best online security experts and, more importantly, many of the world’s biggest companies, which helps drive adoption of its standards.
FIDO was formed in 2012 to address the password problems that are causing such damage to online security. It has released two standards specifications, defining U2F and UAF.
U2F (Universal 2nd Factor) does not aim to eliminate the password, but it takes a big step forward in making online security stronger. It adds an additional layer that makes the login process far more secure, by taking access out of the online provider’s hands alone and sharing it with the user. All of this is accomplished with a matching pair of cryptographic keys, one public and one private.
The typical U2F authentication process first challenges the user with a username and password. If that succeeds, a second request is made to the user’s FIDO U2F capable device. The U2F device receives the request and digitally signs it with its private key. The signed request can only be validated with the matching public key, which is stored on the servers of the authenticating web site. The public key was established at the time of registration and is useless without its private key, which never leaves the user’s device.
The big advantage is that the private key stays safely on the device, rendering the public key useless on its own. This prevents massive breaches of stolen passwords from being effective, since there is no usable secret on the server to steal. The scheme not only enhances online security but also has the benefit of increased privacy for the user.
Standards Make the Difference
Why is the release of a standard by FIDO so important? After all, this kind of online security has been around for years. Banks have long offered devices, often supplied by RSA, that display a number sequence that changes frequently; the number is entered as a second factor and validated cryptographically on the bank’s side.
The problem, of course, is that such a device only works for your bank, and carrying around a separate device for each bank, financial company or web site is impractical and costly. Online security is only strengthened when the solution does not place a high burden on the user.
However, if a standard such as FIDO U2F is widely adopted, you can have a single device that works across every online service that supports the protocol. FIDO is gaining a lot of support, as seen by the large number of members that have joined and continue to join. While there are too many to name them all, many of the big names have joined, such as PayPal, Google, Alibaba, BOA, Discover, MasterCard, VISA, RSA, Microsoft, Intel and many more you will recognize. This means that FIDO will likely achieve widespread adoption and bring broad support for the FIDO compliant device you purchase.
FIDO does more than just release standards. It also runs a FIDO certification process to make sure a device is FIDO compliant. This is critical to the credibility of the security standards and of the devices sold under a FIDO compliance claim.
Early on we discussed eliminating the password, not just enhancing it. This is where the UAF (Universal Authentication Framework) specification comes in. The UAF authentication process is even simpler than U2F. The user goes to the site and makes an authentication request. The user’s FIDO compliant device receives the request to authenticate, and the user grants access using the biometric capability of the device. This triggers the device to cryptographically sign the authentication request with its private key, which again can only be validated with the matching public key established at registration. The password is eliminated in this process because the UAF biometric device ensures that the user is the individual in question.
Of course, the loss of the device is not an online security risk since it has no value without the fingerprint, voiceprint, human eye or other biometric identifier.
Up until now we haven’t talked much about the FIDO compliant devices themselves, because we wanted to focus on the online security problem, the solution and the FIDO Alliance. The good news is that some FIDO products are already shipping, and you can begin using them today. In an upcoming post we will discuss some of the available devices, their capabilities and cost.
Third Wave is a boutique software development company located in Boca Raton, Florida.