In our last post, we discussed how so-called “aftershock” attacks are driving the need for multifactor authentication (MFA). Because most users rely on a handful of slightly varied passwords to access multiple sites and accounts, cybercriminals often use stolen passwords in hacking attempts. MFA adds an extra layer of protection by requiring more than a password for authentication.
Traditionally, MFA has been implemented using a hardware token, such as a smart card-enabled USB device or a “key fob” with a built-in screen that displays a PIN. Because these tokens can be expensive and cumbersome to implement, more organizations are turning to mobile apps that send a one-time PIN to a user’s smartphone. Nevertheless, MFA solutions are often proprietary, making it difficult to integrate them with existing identity and authentication platforms.
Some solutions, however, are based on the Initiative for Open AuTHentication (OATH), a standards-based reference architecture that leverages widely adopted protocols such as LDAP and RADIUS. OATH enables secure credentials to be provisioned and verified by disparate software and hardware platforms, removing barriers to widespread adoption of MFA. OATH has limitations, though, as it was designed for one-time password (OTP) authentication, which is vulnerable to phishing and man-in-the-middle attacks.
This brings us to the FIDO (Fast IDentity Online) Alliance, an open industry association with more than 250 members dedicated to creating an ecosystem of standards-based authentication solutions. By implementing FIDO MFA solutions that are non-proprietary and based on a flexible protocol, organizations can reduce costs, maximize their investments, and support broad adoption of secure authentication.
Formed in 2012 by leading Internet companies, system integrators, and security providers, the FIDO Alliance has developed protocols based on public key cryptography that are strongly resistant to phishing attempts. Specifications from the FIDO Alliance support a full range of technologies, including biometrics such as fingerprint scanners and voice and facial recognition, as well as existing authentication solutions and communications standards.
FIDO’s Universal Second-Factor Authentication (U2F) works with USB and near-field communication (NFC) tokens, while its Universal Authentication Framework (UAF) works with a user’s mobile device to create a password-less experience. Upon registration, the user’s device generates a cryptographic key pair, retains the private key, and registers the public key with the online service. To use the private key for authentication, the user unlocks it on the local device by entering a PIN, using a fingerprint reader, or through some other simple method. Once the private key is unlocked, authentication proceeds automatically.
FIDO-compliant smartphones, tablets, PCs, and laptops can relieve password dependency by automatically and transparently providing user credentials when they’re required. FIDO’s standards-based approach detects when a FIDO-enabled device is present, and offers users the option to replace passwords with authentication methods that are more secure and easier to use. Separate credentials can be established for each user account.
The FIDO protocol allows security options to be tailored to the distinct needs of each user and organization. It is designed to be extensible and accommodate future innovation, as well as protecting existing investments. Because users are free to select any FIDO-compliant token type, even devices previously considered proprietary can be adapted for use.
For more information on FIDO Alliance Specifications or MFA, please reach out to us via email at (firstname.lastname@example.org).