Multifactor authentication from FIDO


Open and Interoperable

Imagine, if you will, that the early Internet had been built on closed-source proprietary technologies that didn't interoperate. In nearly every case those closed non-standardized technologies would have failed and only gained meager adoption. Why? It's simple – open standards and technologies have economic benefits. The Internet is very much predicated on open technologies and standards. Anyone with an elemental understanding of the underpinnings of the Internet must acknowledge that the vast majority of it wouldn't exist without open standards and open source.

Brett McDowell, Executive Director of the FIDO Alliance, stated it succinctly in a recent interview: "There is simply no other plausible way to solve an Internet-scale problem other than open standards. It is entirely untenable to presume all the world's devices and Internet services are going to adopt a single authentication product from a single company."

He added: "Since FIDO itself doesn't define how to perform the device-side user identification, but rather performs the function to securely connect those devices to any Internet service or web site that can 'speak' the protocol, FIDO standards actually drive market demand for innovations and competition for the best products and methods in that arena, e.g. fingerprint or voice recognition, motion, gestures, etc."

FIDO is a natural expansion of this powerfully successful open model that will open up innovation in this much needed space. It changes the economics of authentication and focuses on interoperability and openness. FIDO also means real-world deployment and testing, which can only mean gradual improvement of this open technology standard.

Many Technologies/Many Options

The many players in the alliance are opening up multifactor authentication to innumerable options. Using technology ranging from biometrics (fingerprint, iris, voice, and facial recognition), tokens, Trusted Platform Modules (TPMs), embedded security elements (eSEs), smartcards, Bluetooth low energy (BLE), or even your smartphone, you can now deploy two-factor authentication.

This full range of authentication technologies across multiple services and devices means an interoperable infrastructure that can apply the multifactor technology of today and tomorrow. FIDO can use existing industry standards such as OpenID and SAML. The FIDO Alliance offers opportunities for improving the security of end consumers and enterprise IT as well. Next, I'll explore the basic FIDO protocols U2F and UAF.

U2F vs. UAF

The FIDO protocols U2F and UAF offer a variety of use cases and configurations. Based on public key cryptography, these protocols take the cost and complexity out of traditional public key infrastructure deployment: the service stores only a public key per user, and there is no certificate hierarchy to run. The two protocols offer very different user experiences.

The UAF (Universal Authentication Framework) protocol provides the passwordless experience: the user registers a FIDO Ready device with an online service and unlocks it locally with a fingerprint, facial recognition, voice, a PIN, and so on. The passwordless UX (user experience) is explained in Figure 1.

Figure 1: User has a FIDO Ready device that runs the UAF stack. Users present their local biometric or PIN. The website doesn't have to retain passwords, and there are no centralized password databases to be hacked.

UAF allows online providers to configure the user experience they choose. This means any service provider can configure it to use the local biometric alone or biometric plus PIN combination. After a device is registered, a user can authenticate simply by using the registered authentication mechanism without any further complexity, which is quite a bit better than single-factor passwords.

The U2F (Universal Second Factor) protocol delivers strong multifactor authentication to online services. These services can still offer a user name and password but augment them with another factor, such as a USB token or a near-field communication (NFC)-capable device. Users simply register the second factor with the online service. When authenticating, they present the registered device by plugging in the USB token, tapping via NFC, or using other FIDO Ready hardware. U2F is explained in Figure 2.

Figure 2: The user has a U2F FIDO Ready device and presents it. An online service can simplify the password without compromising security.

Browsers will build in support for the use of a variety of U2F options, enabling the protocol with a myriad of FIDO Ready MFA devices.
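Both UAF and U2F rest on the same challenge-response exchange: the service sends a fresh challenge, the device signs it with a private key that never leaves the device, and the service verifies the signature with the public key it stored at registration. The following Go program is an added example, not code from the article or from the FIDO Alliance; it simulates a U2F token and a relying party in one process, using the U2F signing layout (SHA-256 of the appID, a user-presence byte, a 4-byte counter, SHA-256 of the challenge). The appID `https://example.test`, the user name `alice`, and the random key handle are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// registration is one key pair held by the token, bound to the appID it was made for.
type registration struct {
	appID string
	priv  *ecdsa.PrivateKey
}

// Authenticator models a U2F token: one key pair per registration and a
// single monotonic signature counter shared by all of them.
type Authenticator struct {
	regs    map[string]*registration // key handle -> registration
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{regs: make(map[string]*registration)}
}

// AuthResponse is what the token hands back on authentication.
type AuthResponse struct {
	Presence  byte   // bit 0 set means the user touched the token
	Counter   uint32 // counter value that was signed
	Signature []byte // ASN.1 ECDSA signature over signedMessage(...)
}

// Register mints a fresh P-256 key pair for appID and returns an opaque key
// handle plus the public key; the private key stays on the token.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("%x", raw) // constructed: random handle standing in for a wrapped key
	a.regs[handle] = &registration{appID: appID, priv: priv}
	return handle, &priv.PublicKey, nil
}

// signedMessage lays out the bytes a U2F token signs:
// SHA-256(appID) || presence byte || 4-byte big-endian counter || SHA-256(challenge).
func signedMessage(appID string, presence byte, counter uint32, challenge []byte) []byte {
	appParam := sha256.Sum256([]byte(appID))
	chalParam := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append([]byte{}, appParam[:]...)
	msg = append(msg, presence)
	msg = append(msg, ctr[:]...)
	return append(msg, chalParam[:]...)
}

// Authenticate signs the challenge only if the handle was registered for this
// appID, so a key enrolled at one site is useless to a look-alike site.
func (a *Authenticator) Authenticate(appID, handle string, challenge []byte) (*AuthResponse, error) {
	reg, ok := a.regs[handle]
	if !ok || reg.appID != appID {
		return nil, errors.New("key handle not registered for this appID")
	}
	a.counter++ // bumped on every signature, so a cloned token drifts out of step
	const presence = 1
	digest := sha256.Sum256(signedMessage(appID, presence, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, reg.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &AuthResponse{Presence: presence, Counter: a.counter, Signature: sig}, nil
}

// credential is all the relying party stores per user: a public key, no secret.
type credential struct {
	handle  string
	pub     *ecdsa.PublicKey
	counter uint32
}

// RelyingParty is the online-service side of the exchange.
type RelyingParty struct {
	AppID string
	creds map[string]*credential // username -> credential
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, creds: make(map[string]*credential)}
}

func (rp *RelyingParty) StoreCredential(user, handle string, pub *ecdsa.PublicKey) {
	rp.creds[user] = &credential{handle: handle, pub: pub}
}

// NewChallenge returns 32 fresh random bytes; every login gets its own.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks user presence, the signature under the stored public key, and
// that the counter moved forward; a replayed or cloned response fails here.
func (rp *RelyingParty) Verify(user string, challenge []byte, r *AuthResponse) error {
	cred, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	if r.Presence&1 == 0 {
		return errors.New("user presence not asserted")
	}
	digest := sha256.Sum256(signedMessage(rp.AppID, r.Presence, r.Counter, challenge))
	if !ecdsa.VerifyASN1(cred.pub, digest[:], r.Signature) {
		return errors.New("signature does not verify")
	}
	if r.Counter <= cred.counter {
		return errors.New("counter did not advance: replay or cloned token")
	}
	cred.counter = r.Counter
	return nil
}

func main() {
	token := NewAuthenticator()
	rp := NewRelyingParty("https://example.test") // constructed appID
	handle, pub, _ := token.Register(rp.AppID)
	rp.StoreCredential("alice", handle, pub)
	chal, _ := rp.NewChallenge()
	resp, _ := token.Authenticate(rp.AppID, handle, chal)
	fmt.Println("first login:", rp.Verify("alice", chal, resp))
	fmt.Println("replayed response:", rp.Verify("alice", chal, resp))
	_, err := token.Authenticate("https://example-login.test", handle, chal)
	fmt.Println("look-alike site:", err)
}
```

The two rejection paths are the security-relevant ones: the token refuses to sign for an appID it was not registered with, which is what makes FIDO credentials resistant to phishing sites, and the relying party refuses a response whose counter has not advanced, which catches replays and cloned hardware. A production relying party additionally binds each challenge to the session that requested it and discards it after one use.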
