The FIDO ("Fast IDentity Online") Alliance is an industry consortium launched in February 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords. Nok Nok Labs, PayPal and Lenovo were among the founders.[1]
Members
By the end of September 2016, FIDO members totaled more than 260, including a Board made up of the Aetna, Alibaba Group, American Express, ARM, Bank of America, BC Card, Broadcom, CrucialTec, Daon, Egis Technology, Feitian, Google, Infineon, Intel, ING, Lenovo, MasterCard, Microsoft, Nok Nok Labs, NTT DoCoMo, NXP Semiconductors, Oberthur Technologies, PayPal, Qualcomm, RSA, Samsung, Synaptics, USAA, Visa, Vasco Data Security and Yubico.[2] A full list of members is available on the official website.[3]
Specifications
FIDO's aim is that its specifications will support a full range of authentication technologies, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE), smart cards, and near field communication (NFC).[4] The USB security token device may be used to authenticate using a simple password (e.g. four-digit PIN) or by pressing a button.[5] The specifications emphasize a device-centric model.[4] Authentication over the wire happens using public-key cryptography.[4] The user's device registers the user to a server by registering a public key.[4] To authenticate the user, the device signs a challenge from the server using the private key that it holds.[4] The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button.[4]
FIDO specifications provide two categories of user experiences.[5] Which one the user experiences depends on whether the user interacts with the Universal Second Factor (U2F) protocol or the Universal Authentication Framework (UAF) protocol.[5] Both FIDO standards define a common interface at the client for the local authentication method that the user exercises.[5] The client can be pre–installed on the operating system or web browser.[5]
Timeline
FIDO v1.0 specifications were announced on December 9, 2014.[6][7]
On June 30, 2015, the FIDO Alliance released two new protocols that support Bluetooth technology and near field communication (NFC) as transport protocols for U2F.[8]
On November 20, 2015, the FIDO Alliance submitted to the World Wide Web Consortium (W3C) the Web API specification for accessing FIDO 2.0 credentials.[9]
On February 17, 2016, the W3C created the Web Authentication Working Group to define a client-side API that provides strong authentication functionality to Web Applications, based on the FIDO 2.0 Web APIs.[10]
References
- ^ "PayPal, Lenovo Launch New Campaign to Kill the Password". MIT Technology Review.
- ^ "FIDO Alliance Members". FIDO Alliance.
- ^ https://fidoalliance.org/membership/members/
- ^ a b c d e f "FIDO Alliance >> Specifications overview". FIDO Alliance.
- ^ a b c d e "Specifications Overview". FIDO Alliance. Retrieved 31 October 2014.
- ^ "FIDO 1.0 Specifications Published and Final". FIDO Alliance. Retrieved 31 December 2014.
- ^ "Computerworld, December 10, 2014: "Open authentication spec from FIDO Alliance moves beyond passwords"". Computerworld. Retrieved 10 December 2014.
- ^ "eWeek, July 1, 2015: "FIDO Alliance Extends Two-Factor Security Standards to Bluetooth, NFC"". eWeek. Retrieved 1 July 2015.
- ^ "W3C Member Submission, November20, 2015: "FIDO 2.0: Web API for accessing FIDO 2.0 credentials"". W3C. Retrieved March 14, 2016.
- ^ "PayPal Engineering Blog, February 17, 2016: "Acceptance of FIDO 2.0 Specifications by the W3C accelerates the movement to end passwords"". PayPal. Retrieved March 14, 2016.