Fido publishes final spec of password-killing protocol

The Fido Alliance has published the final technical specification of its password-killing authentication standards

The Fido Alliance has published the final technical specification of its password-killing authentication standards.

The Fido Alliance is a consortium of IT, internet and financial services firms, working together to develop specifications that define an open, scalable, interoperable set of protocols and mechanisms.

Members of the alliance include industry heavyweights such as Google, PayPal, Microsoft, Dell and the Alibaba Group.

The announcement of the final versions for the first open specifications for universal strong authentication is expected to lead to a wave of product announcements in the coming months. 

The Fido 1.0 specifications, including the Universal Authentication Framework (UAF) protocol and Universal Second Factor (U2F) protocol, are aimed at eliminating passwords by enabling interoperability between authentication devices.

Security needs standards

Publication of the final specification comes after public consultation and an intellectual property review by alliance members.

“With authentication failures resulting in massive, costly breaches such as Target and Home Depot, the need for these new Fido standards is clear,” said Phil Dunkelberger, chief of Nok Nok Labs. 


“As a founding member of Fido Alliance, Nok Nok Labs recognises the demand in the market for a unified solution to allow for a more secure, yet simpler experience.

“This announcement is about the industry coming together to solve a major problem and showing that a 50-year-old convention has outlived its usefulness,” he said.

The Fido Alliance was launched in February 2013 with six founding members – Nok Nok Labs, Lenovo, Infineon, PayPal, Agnitio and Validity.

The non-profit corporation now has more than 150 members worldwide in the areas of mobile devices, banking, operating systems, authentication technology, healthcare and many more. 

Fido specification benefits

According to Dunkelberger, the new standards bring four key benefits: lower implementation costs, strong consumer privacy, end-to-end security enhancements and reduced user friction.

In October, he told Computer Weekly that he was confident the publication of the final spec would grow Fido Alliance membership and support at an even faster rate and enable a raft of new secure ways for internet users to authenticate themselves online.

“This will have a marked impact in reducing phishingman-in-the-middle attacks, fraud and calls to helpdesks for password resets,” said Dunkelberger.

“Secure authentication online is a key problem to solve. It is vital for the continued growth of the online industry. Fido Alliance members have a keen interest in finding a solution, and they believe they have found it,” he said.

Software development kits

Nok Nok Labs has upgraded its S3 Authentication Suite to support the finalised Universal Authentication Framework (UAF) standard.

The company has also released software development kits (SDKs) to simplify the process of Fido-enabling third-party authenticators, web applications and mobile applications.

An Android SDK is available for qualified early access customers, with SDKs for other platforms, including iOS, to follow in early 2015.

The S3 Authentication Suite has already seen deployments at PayPal and Alipay. Both online payment firms have been processing payments using fingerprint sensor-enabled authentication based on Nok Nok technology. 

Further pilots are in progress at banks, mobile network operators, healthcare solution integrators and trading networks. 

Nok Nok’s NNL Multifactor Authentication Server (MFAS) deployed at these customers uses the Fido-compliant Multifactor Authentication Client (MFAC) on the latest Samsung Galaxy smartphones and tablets.

“From the incubation of the idea behind the Fido Alliance in 2012, it’s very satisfying to see solutions hit the market that adhere to our standards,” said Michael Barrett, president of the Fido Alliance.

“Nok Nok Labs’ solution is putting into practice the framework we’ve architected, and it’s paving the way towards a vastly improved authentication ecosystem,” he said.

Read more on Privacy and data protection