James Thew - Fotolia

Password-killing Fido Alliance submits tech specs to W3C

The Fido Alliance has taken another step closer to defining a standard web-based API as industry support for its password-killing standards gains momentum

An industry alliance aimed at improving online security by eliminating the reliance on passwords has submitted three technical specifications to the World Wide Web Consortium (W3C).

The move takes the Fast Identity Online (Fido) Alliance another step closer to defining a standard web-based application programming interface (API).

The web API is designed to increase Fido’s existing desktop, Chrome, Android and iOS reach to support other platforms to ensure standards-based strong authentication across all web browsers and related web platform infrastructure.

Fido, which was set up in 2013 to revolutionise online security with open standards for simpler and stronger authentication, also announced in Tokyo that tens of millions of Fido-based devices are now in use to protect consumer and enterprise accounts with strong, cryptographic-based authentication at major relying parties such as Google, PayPal, NTT Docomo, Bank of America, Dropbox and GitHub.

The Fido Alliance seeks to eliminate the world’s dependency on password-based security through open and interoperable authentication standards, and has launched a certification programme that ensures the interoperability of Fido-compliant products and services.

With 72 Fido-certified products, nearly 250 member organisations from around the world – including US, UK and German government agencies – and more than a dozen trade association partners, deployment of Fido authentication to modernise outdated password systems is gaining momentum.

“Fido specifications define a unified mechanism to use cryptographic credentials for unphishable authentication on the web. The specifications enable a wide variety of user experiences and modalities,” said Sampath Srinivas, vice-president of Fido Alliance.

“We are very excited about this announcement and what it means for the future of ubiquitous unphishable Fido authentication on the web,” he said.

W3C, the international standards organisation for the World Wide Web, will now have change control of the API, with ongoing collaboration from Fido Alliance member companies and other web ecosystem stakeholders.

Freeing the world from passwords

W3C is proposing a new Web Authentication Working Group to its membership. The Fido Alliance will support the adoption of this W3C published web API through the established Fido Certification Program.

“The mission of the Fido Alliance has always been stronger, simpler authentication – stronger to help protect data, and simpler to address the problems users face in trying to create and remember multiple usernames and passwords,” said Fido Alliance president Dustin Ingalls.

The mission of the Fido Alliance has always been stronger, simpler authentication – stronger to help protect data, and simpler to address the problems users face in trying to create and remember multiple usernames and passwords
Dustin Ingalls, Fido Alliance

“To achieve this mission, Fido authentication needs to be available everywhere – on all the devices you use and with all the apps and services you use. With Fido support in the browser and in the platform, it will be easier than ever for apps and services to take full advantage of Fido authentication, helping to free the world from passwords,” he said.

According to Ingalls, Fido’s web APIs highlight the alliance’s mission to submit mature technical specifications to recognised standards development organisations (SDOs) for formal standardisation. The Fido Alliance’s W3C submission is the first time the alliance has submitted its specifications to an external SDO.

“Standardising strong authentication in the web platform will help us to improve user and application security by moving beyond passwords,” said Wendy Seltzer, W3C technology and society domain lead.

The submission to W3C also supports the alliance’s goal to produce technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users, and to operate industry programmes to help ensure successful worldwide adoption of the Fido specifications.

Fido authentication as standard

“What we submitted to the W3C are the web API components. The rest of the Fido 2.0 [specification] work remains within the Fido Alliance and is still in development,” said Brett McDowell, executive director of the Fido Alliance.

Fido 2.0 is aimed at expanding the first technical specifications Fido 1.0 published in December 2014 to include architectural optimisation for operating system level support and device to device capabilities, which will enable the Fido vision of using a single authenticator for multiple Fido-enabled devices and services.

“The Fido Alliance’s strategy has always hinged on the idea that every device you purchase will come with Fido standards support built-in, just as we see today with standards like Bluetooth or Wi-Fi. The Fido 2.0 work is very well aligned to that strategy, and we encourage manufacturers to begin planning their device support for these capabilities,” he said.

The industry consortium believes that the evolution of Fido protocols will further enhance the continuing roll-out and acceptance of Fido-backed strong authentication and will bring additional platforms and authentication form factors to the market.

Koichi Moriyama, senior director of product Innovation at NTT Docomo and Fido Alliance board member, said Fido standards have been working extremely well for Docomo-branded devices and services since their commercial launch in May 2015.

“We are very excited about the prospect of providing more Fido-enabled devices and services to our customers through the extended reach of Fido 2.0 and W3C. We will definitely continue to work with Fido Alliance to realise the vision of delivering a superior user experience by eliminating passwords with Fido authentication’s enhanced security features,” he said.

Read more about the Fido Alliance

Read more on Identity and access management products