October 5, 2015 By David Strom

The Fast Identity Online (FIDO) Alliance was founded in the summer of 2012 by several vendors, including PayPal and Lenovo, with the goal of bringing a series of technical specifications to the strong authentication market. These specifications go under the names Universal Authentication Framework (UAF) and Universal Second Factor (U2F). UAF covers passwordless login with a local verifier such as a fingerprint sensor; U2F covers a hardware token used as a second factor alongside a password. Neither is itself a stronger authentication method; they are specifications for a software stack that lets applications use whatever strong method the user's device already supports.

Until now, strong authentication has been a fragmented area, with different methods used by vendors in different spaces: software-as-a-service (SaaS) applications, directory-based tools for on-premises apps and federated identities. The big win is a modular piece of client software that handles the local authentication step, so that apps can leverage whatever is available on each user's device instead of integrating each method themselves.

What FIDO Standards Do

The FIDO standards attempt to solve this fragmentation by giving you the ability to use any authentication method supported by your local device. This unifies the different providers and enables secure access to many applications. What FIDO proposes is to use something you already have in your possession, such as your fingerprint or your phone, and to keep that asset on the device: the authenticator generates a separate key pair for each site at registration, the site stores only the public key, and the fingerprint or other secret is never shared with any provider or application vendor. Login is a challenge-response: the site sends a random challenge, the device signs it with the private key for that site, and the site checks the signature with the stored public key.

This has a side benefit: Each player doesn't have to keep track of the actual auth mechanics. This is one of the issues with single sign-on (SSO) federation: Typically, the SSO provider stores the user's credentials centrally. Think of it like how Google and Apple Wallets have made payments easier while keeping your credit card accounts private. For example, if a retailer is breached, the login records divulged won't do anyone any good: they contain only public keys, which cannot be used to answer a challenge, and the criminals won't have, and more importantly wouldn't be able to obtain, the private keys held on each user's device. Because each key pair is bound to the site that registered it, a phishing site on a different domain also can't borrow a user's key to sign in to the real one.

Before FIDO, when we wanted to log into multiple apps, we might have had to use many kinds of authentication mechanisms, such as one-time password tokens, smartphone apps and text message confirmations. That was a lot of effort just to benefit from stronger authentication, and it often involved custom programming, too. With FIDO, we can still use these multiple mechanisms. But if they are FIDO-ready, apps can use the authentication methods supported by the local device rather than coding their own routines for each method. That is a big step forward.
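The exchange described above, as an added Go example that is not code from the article or from the FIDO Alliance: a toy U2F-style authenticator that mints a per-site key pair, a relying party that stores only the public key and a signature counter, and three scenarios showing a legitimate login, a phishing site on another domain relaying the real site's challenge, and an attacker who has dumped the relying party's credential table. The application IDs https://bank.example and https://evil.example are assumed, the signed-data layout is a simplification rather than the U2F wire format, and there is no attestation step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models a U2F-style device (toy model, not the FIDO wire format).
// Private keys are created here and never exported; each is bound to the appID
// it was registered for, which is what defeats a phishing site on another origin.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // appID + "|" + keyHandle -> private key
	counter uint32                        // signature counter, incremented per use
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register mints a fresh P-256 key pair for appID and returns the key handle
// and public key. Those two values are all the relying party ever stores.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", nil, err
	}
	handle := hex.EncodeToString(raw)
	a.keys[appID+"|"+handle] = priv
	return handle, &priv.PublicKey, nil
}

// signedData is what both sides sign/verify: SHA256(H(appID) || counter || H(clientData)).
func signedData(appID string, counter uint32, clientData []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cd := sha256.Sum256(clientData)
	buf := make([]byte, 68)
	copy(buf[:32], app[:])
	binary.BigEndian.PutUint32(buf[32:36], counter)
	copy(buf[36:], cd[:])
	digest := sha256.Sum256(buf)
	return digest[:]
}

// Sign answers a challenge for appID; it refuses a handle registered elsewhere.
func (a *Authenticator) Sign(appID, handle string, clientData []byte) ([]byte, uint32, error) {
	priv, ok := a.keys[appID+"|"+handle]
	if !ok {
		return nil, 0, errors.New("key handle not registered for this appID")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, a.counter, clientData))
	if err != nil {
		return nil, 0, err
	}
	return sig, a.counter, nil
}

// Credential is the relying party's whole record for one device: no secret in it.
type Credential struct {
	Handle  string
	Pub     *ecdsa.PublicKey
	Counter uint32
}

type RelyingParty struct {
	AppID string
	Users map[string]*Credential // username -> credential
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, Users: make(map[string]*Credential)}
}

func (rp *RelyingParty) Enroll(user string, auth *Authenticator) error {
	handle, pub, err := auth.Register(rp.AppID)
	if err != nil {
		return err
	}
	rp.Users[user] = &Credential{Handle: handle, Pub: pub}
	return nil
}

// NewChallenge returns 32 random bytes; signing them prevents replay of an old response.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks the signature with the stored public key under the RP's own
// appID, then requires the counter to advance (a cloned device shows a stale one).
func (rp *RelyingParty) Verify(user string, clientData, sig []byte, counter uint32) bool {
	cred, ok := rp.Users[user]
	if !ok || !ecdsa.VerifyASN1(cred.Pub, signedData(rp.AppID, counter, clientData), sig) {
		return false
	}
	if counter <= cred.Counter {
		return false
	}
	cred.Counter = counter
	return true
}

// Login runs one challenge/response round between rp and the user's device.
func Login(rp *RelyingParty, user string, auth *Authenticator) bool {
	cred, ok := rp.Users[user]
	if !ok {
		return false
	}
	clientData := rp.NewChallenge()
	sig, ctr, err := auth.Sign(rp.AppID, cred.Handle, clientData)
	if err != nil {
		return false
	}
	return rp.Verify(user, clientData, sig, ctr)
}

// RunScenarios returns (legitimate login ok, phishing relay ok, stolen-table attack ok).
func RunScenarios() (honest, phished, breach bool) {
	device := NewAuthenticator()
	bank := NewRelyingParty("https://bank.example") // hypothetical appID
	if err := bank.Enroll("alice", device); err != nil {
		return false, false, false
	}
	honest = Login(bank, "alice", device)

	// Phishing: evil.example knows alice's public record and relays a challenge,
	// but the device only sees evil.example's appID and refuses to sign.
	evil := NewRelyingParty("https://evil.example") // hypothetical appID
	evil.Users["alice"] = bank.Users["alice"]
	phished = Login(evil, "alice", device)

	// Breach: the attacker dumps bank's table, but it holds no private key, so a
	// signature from the attacker's own device fails against alice's public key.
	thief := NewAuthenticator()
	h, _, _ := thief.Register(bank.AppID)
	cd := bank.NewChallenge()
	sig, ctr, _ := thief.Sign(bank.AppID, h, cd)
	breach = bank.Verify("alice", cd, sig, ctr)
	return
}

func main() {
	honest, phished, breach := RunScenarios()
	fmt.Printf("legitimate login: %v\nphishing relay: %v\nstolen table: %v\n", honest, phished, breach)
}
```

Two details carry the security argument: the device keys its private keys by appID, so a relay attack from a different origin never produces a signature, and the relying party's table contains only public keys and a counter, so dumping it gives an attacker nothing to sign with.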

How FIDO Authentication Helps

Since FIDO was founded, the organization has grown by leaps and bounds. There are now more than 100 members, among them major businesses such as Bank of America, Netflix, MasterCard and Microsoft, along with numerous security vendors. Samsung has built its latest Galaxy phones with fingerprint sensors that support the FIDO protocols. The group published its 1.0 specifications in December 2014, and security vendors have started implementing them, including the ability to use Yubico's touch-sensitive USB keys as a U2F second factor for Google and Dropbox accounts. Both services publish instructions on how to set this up.

FIDO doesn't solve every authentication issue. It proves that the same device and fingerprint that registered are present again; it does not verify who the person attached to that fingerprint is, nor whether he or she has been granted access to the given application. Identity proofing and authorization still have to come from something other than the FIDO protocols, and other vendors are currently working on that part. Despite the limitations, it represents a good start towards a more standardized approach to identity management.
