Fido Alliance launches authentication standards certification

The Fido Alliance, which seeks to eliminate the world’s dependency on password-based security, has launched a certification programme

The Fido Alliance, which seeks to eliminate the world’s dependency on password-based security through open and interoperable standards, has launched a certification programme.

The certification ensures the interoperability of products and services that support the Fast IDentity Online (Fido) authentication standards, marking another milestone for the industry initiative.

In December 2014, the consortium of IT, internet and financial services firms published the final versions of the first open specifications for universal strong authentication.

Fido Alliance members include PayPal, Samsung, Lenovo, Microsoft, Google and MasterCard.

The Fido 1.0 specifications are made up of the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocol.

The UAF is a set of standards aimed at the password-replacement use case: an authenticator verifies the user locally on a device, and the device then uses asymmetric (public key) cryptography to authenticate the user to an online service.

This means credentials cannot be stolen from the service, because the service neither stores them nor receives them. The authenticator merely proves possession by a registered user.

Similarly, the U2F standard enables second-factor Fido authentication security to be added to password-based systems through an authenticator such as a Fido-compliant USB key.
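As an added illustration of the UAF/U2F model described above (example code, not from the article or the Fido Alliance), this Go sketch walks through a challenge-response login in which the service stores only a public key and a signature counter. The type names, the P-256 curve, the 32-byte challenge and the counter encoding are assumptions for this toy model, not the Fido wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device: the private key is created here and never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // incremented on every signature; lets the service spot replays and clones
}

// Registration is everything the online service stores: a public key and the last counter seen.
type Registration struct{ pub *ecdsa.PublicKey; counter uint32 }
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// Register hands the service the public key only; no shared secret is ever created.
func (a *Authenticator) Register() Registration { return Registration{pub: &a.priv.PublicKey} }
// NewChallenge is the service's fresh per-login nonce, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) { c := make([]byte, 32); _, err := rand.Read(c); return c, err }
// digest binds the challenge to the counter value being asserted.
func digest(challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	return h.Sum(nil)
}

// Sign runs on the device after local user verification (e.g. a touch); it returns counter and signature.
func (a *Authenticator) Sign(challenge []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest(challenge, a.counter))
	return a.counter, sig, err
}

// Verify is the service-side check: counter strictly above the last one seen (otherwise a replay or
// a cloned authenticator) and a valid signature under the stored public key.
func (r *Registration) Verify(challenge []byte, counter uint32, sig []byte) bool {
	ok := counter > r.counter && ecdsa.VerifyASN1(r.pub, digest(challenge, counter), sig)
	if ok {
		r.counter = counter
	}
	return ok
}
```

A breach of the service's database yields only public keys, which is the property the article describes; the counter check is the usual extra defence against a replayed or duplicated authenticator.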

“Where passwords are still used, the Fido authenticator supplants the security dependence on the password, which is then just an identifier,” said Fido Alliance executive director Brett McDowell.


“Security shifts to the U2F device, and it is much easier to use than any other two-factor authentication method available before Fido 1.0,” he told Computer Weekly.

Announcing the certification programme, the Fido Alliance said 31 suppliers have already passed Fido certification for existing products and services.

These include Google’s login service that uses a USB security key as a simpler, stronger alternative to the six-digit, one-time passcodes (OTPs) used by its 2-Step Verification facility.

Previously, Google’s second-factor authentication relied on OTPs by text message, but this approach had several challenges, such as when users lost their mobile phone.

Suppliers that adopt Fido standards and pass certification testing may apply to use the Fido Certified logo on their products, services and websites.

The logo signals to consumers, customers and partners that a product is part of a range of Fido-based authentication systems that are interoperable.

The certification testing programme is open to members and non-members of the Fido Alliance, and uses industry-standard best practice to make objective evaluations of technical implementations of the Fido 1.0 specifications.

Moving beyond passwords

According to the Fido Alliance, the growing ecosystem of Fido-compliant products and services enables companies, organisations and individuals to move beyond using just passwords, or to eliminate them altogether.

“Fido certification satisfies a need to ensure that implementations of the Fido specification are uniform across products and that those products are interoperable,” said McDowell.

“The Fido Certified programme offers the type of oversight that vertical industries need to hasten the adoption of strong authentication products that stretch across enterprise boundaries and the range of mobile and other devices key in today’s computing environment,” he added.

Constellation Research principal consultant Steve Wilson said the certification of serious security components and sub-systems is absolutely essential to ensure they perform as expected.

“With major data breaches escalating, so is demand for strong authentication and for certified authentication solutions,” he said.

According to Wilson, a standards-based authentication system is only as good as its conformance to those standards.

“The new Fido Certified programme is well thought through, and isn’t just another box-ticking exercise. It complements and reinforces the alliance’s rigorous specifications development from incubation right through to standardisation,” he said.

The first Fido Certified testing sessions were conducted on 29 April and 30 April 2015 at events in San Jose and Mountain View in California.

The Fido Alliance said future testing sessions will occur at least every 90 days or as demand dictates. Fees apply to both Fido Alliance members and non-members using the testing programme.
