“Fido” in Latin translates as “to trust”, but it more commonly evokes thoughts of man’s most loyal companion. Abraham Lincoln had a dog named Fido, and among the most recognized (non-fictional) dogs in history was named Fido. He was a street dog that became famous in Italy in the 1950s for unwavering loyalty to his adoptive caretaker. Fido showed up to meet him at the bus stop every day for fourteen years after his death. That’s the kind of loyalty that earns trust, and the name.
And so the FIDO® Alliance acronym (Fast IDentity Online) is more apt than initially meets the eye. Broad industry support makes FIDO’s specifications for secure online authentication our best hope of ending our reliance on passwords. They recently announced its latest additions to its list of FIDO® Certified products, bringing the total to over 200.
Other recent news comes from W3C, the international standards body for the World Wide Web. They have derived the first draft of a new web authentication specification from the FIDO 2.0 specifications draft to enable web applications with strong authentication.
Passwords have clearly outworn their welcome as our de facto authentication mechanism. They have become too numerous and complex for us to remember, so we dumb them down, diluting their security. In response, our relying parties require us make them even more complex, particularly where used to access private information and financial transactions. And just about when you’ve finally remembered them, you’re going to be asked to change them. We all know the drill, all too well.
FIDO has opened the door to more secure and convenient options such as biometrics to authenticate online. It’s a good example of how standards can fuel innovation, particularly with strong leadership from industry and cooperation between both technology suppliers and consumers. By dividing the problem into logical (i.e. market driven) parts and defining how those parts will work together, standards broaden access to a market exponentially, and adoption happens where healthy competition is enabled.
FIDO’s UAF (Universal Authentication Framework) standards define three categories of functionality and how each interacts with the other: Client, Authenticator, and Server. That approach enables just about anyone with a secure and interoperable authentication mechanism to throw their hat into the ring. Note that FIDO didn’t overprescribe with a modality requirement (e.g. face, fingerprint, eye, voice, keystroke, etc.), which likely would have had the opposite effect of commoditizing and stagnating the technology.
The FIDO Alliance has a great website that discusses the approach and architecture, but one feature of FIDO that stands out and draws some discussion, at least from the biometrics perspective, is that the authentication mechanism takes place on the device or PC and not on the server, another alternative for biometric authentication. In the FIDO model, authentication occurs on the device and releases a private key used to satisfy a PKI challenge/response across the network between the device and the server. In the case of biometrics, this means that no biometric samples ever leave the device, and there’s no biometrics stored in a central database.
There’s debate over the pros and cons of client- vs. server-based biometric authentication, but most experts would probably tell you that each is suitable for different applications and environments. If you’re an enterprise that wants to maximize control of employee access to highly sensitive digital resources, the flexibility and configurability of a server-based approach might outweigh the risks of storing biometric data centrally. If you’re an online retailer that wants to give millions of shoppers an alternative to passwords, FIDO is likely the way to go.
Both approaches will gain adoption, perhaps one at work and one at home. Aware offers solutions for both, with server-based authentication for enterprises and also a family of FIDO® Certified products called FIDO® Suite that includes a Face Authenticator, Client, and Server, that together enables someone to use their face to biometrically authenticate online from a mobile phone or computer. It’s looking like we’ll soon be able to stop having to commit all those complex passwords to memory, and typing them with our thumbs.