Authentication matters to governments seeking improved security, privacy, interoperability, and a better experience for the people they serve. As modern authentication approaches enter the market, the FIDO specifications give governments stronger options for strong authentication, but government policy needs to evolve as the technology evolves. That is the takeaway from a recent webinar hosted by the FIDO Alliance.
Brett McDowell, executive director of the FIDO Alliance, began with an understatement. “The world has a password problem.”
As data breaches mount, costing enterprises millions of dollars per breach, the need for an alternative to passwords becomes more pressing. SMS one-time passcodes bring delivery delays and reliability problems, confuse some users, and remain phishable: a code typed into a lookalike site can be relayed to the real one just as a password can. “The new model is FIDO – Fast Identity Online,” McDowell says. “This is public key cryptography applied to online authentication in a way that delivers true interoperability between web sites and devices, web browsers and dedicated security devices.”
There was a time when enhanced security meant a decrease in convenience – or vice versa. McDowell says that can change with the introduction of the FIDO authenticator into the architecture. “We knew you couldn’t solve this problem with a single product. It doesn’t matter how big you are, how much market penetration you have,” McDowell says. “The password problem is too big for any one stakeholder – even any one government to solve on their own. It had to be done with open standards.”
The non-profit FIDO Alliance was launched in early 2013 with six members. Its purpose: to develop standards that address the lack of interoperability among strong authentication devices and the problems surrounding usernames and passwords. Deployments of FIDO-compliant devices and servers began the following year. The FIDO certification program launched last year, and many FIDO-certified smartphones and tablets are now shipping. The Alliance has grown to more than 250 member companies.
“Right out of the box, a FIDO credential is privacy enhancing,” says Paul Grassi, senior standards and technology advisor at the National Institute of Standards and Technology. “It’s built into the spec that there’s no way to track and profile user behavior online.” Given the fact that FIDO is now commercially available, Grassi says NIST is looking at having a FIDO server run alongside a PKI server for strong interoperability.
“Now we have a strong authentication solution that defeats the most common attacks like phishing, defeats the vulnerability of a data breach because there’s no secrets on the server that can be reused if there is a data breach, and it delivers what we’ve been waiting for all this time which is a better user experience,” McDowell says. “So now there’s actual market demand to put this in place.”
Governments around the world are focusing on identity and authentication requirements for their own systems as well as those systems or industries that they regulate. The UK government recently launched Gov.UK Verify, offering secure identities using FIDO. There still needs to be some education, however. “We find a lot of governments are not aware of FIDO or don’t properly understand it,” says Jeremy Grant, managing director of the Chertoff Group and former senior executive advisor for the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Grant says governments should know that:
- Two-factor authentication no longer brings higher burdens or costs. FIDO specifically addresses these cost and usability issues.
- Technology is now such that two secure, distinct authentication factors can be enabled in a single device – particularly with mobile.
- Strong authentication needs to be the “right” kind. Some solutions are better than others as innovation happens.
- FIDO is designed to enhance privacy. It supports the privacy principles of the European Data Protection Directive and other government privacy initiatives. There are no third parties involved, no secrets on the server, and biometric data never leaves the device.
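The properties McDowell and Grant describe above (public key challenge-response, no reusable secret on the server, phishing defeated by binding the origin into the signature, and a distinct key per site so nothing links a user across services) can be shown end to end in a small simulation. The following Go program is an added example written for this page; it is not FIDO Alliance code and only models the shape of a FIDO/WebAuthn-style exchange. The site names (bank.example, shop.example, the lookalike bank-example.com), the user name "alice", and the use of Ed25519 with a JSON client-data blob are assumptions for illustration, not details from the webinar.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// clientData is what the client binds into every signature: the server's fresh challenge and the origin it actually connected to.
type clientData struct {
	Challenge []byte `json:"challenge"` // encoding/json emits this as base64
	Origin    string `json:"origin"`
}

// Authenticator keeps one private key per relying-party ID (rpID); private keys never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register mints a fresh key pair scoped to rpID and returns only its public key.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	a.keys[rpID] = priv
	return pub
}

// rpIDAllowed models the browser-side check: an https origin may only use credentials whose rpID is its host or a parent domain of it.
func rpIDAllowed(origin, rpID string) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == "https" && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}
// signedBytes is the message under the signature: SHA-256(rpID) || clientDataJSON.
func signedBytes(rpID string, cdJSON []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], cdJSON...)
}
// Assert answers a challenge for rpID on behalf of origin; returns (clientDataJSON, signature).
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) ([]byte, []byte, error) {
	priv, ok := a.keys[rpID]
	if !ok || !rpIDAllowed(origin, rpID) {
		return nil, nil, fmt.Errorf("no usable credential for rpID %q from origin %q", rpID, origin)
	}
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return cdJSON, ed25519.Sign(priv, signedBytes(rpID, cdJSON)), nil
}

// RelyingParty stores only public keys and outstanding challenges, so a dump of its tables yields nothing an attacker can replay.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]ed25519.PublicKey // username -> public key
	pending    map[string]bool              // challenge -> not yet used
}
func NewRelyingParty(id, origin string) *RelyingParty { return &RelyingParty{id, origin, map[string]ed25519.PublicKey{}, map[string]bool{}} }

// NewChallenge issues 32 fresh random bytes and remembers them as outstanding.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	rand.Read(ch)
	rp.pending[string(ch)] = true
	return ch
}

// Verify accepts an assertion only for an outstanding challenge, this RP's own origin, and a valid signature under the stored public key.
func (rp *RelyingParty) Verify(user string, cdJSON, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	var cd clientData
	switch {
	case !ok:
		return fmt.Errorf("unknown user %q", user)
	case json.Unmarshal(cdJSON, &cd) != nil:
		return fmt.Errorf("malformed client data")
	case !rp.pending[string(cd.Challenge)]:
		return fmt.Errorf("challenge not outstanding (replay?)")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: signed %q, expected %q", cd.Origin, rp.Origin)
	case !ed25519.Verify(pub, signedBytes(rp.ID, cdJSON), sig):
		return fmt.Errorf("bad signature")
	}
	delete(rp.pending, string(cd.Challenge)) // single use
	return nil
}

// Demo runs one authenticator against two constructed sites: honest login error (nil on success), replay error, phishing-relay error, and whether the sites hold different (unlinkable) keys.
func Demo() (honest, replay, phish error, unlinkable bool) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	bank := NewRelyingParty("bank.example", "https://bank.example")
	shop := NewRelyingParty("shop.example", "https://shop.example")
	bank.pubKeys["alice"] = auth.Register(bank.ID)
	shop.pubKeys["alice"] = auth.Register(shop.ID)
	cd, sig, _ := auth.Assert(bank.ID, bank.Origin, bank.NewChallenge())
	honest = bank.Verify("alice", cd, sig)
	replay = bank.Verify("alice", cd, sig) // same assertion again: challenge already consumed
	// A lookalike site relays the bank's real challenge, but from its own origin the client never releases a signature under the bank.example key.
	_, _, phish = auth.Assert(bank.ID, "https://bank-example.com", bank.NewChallenge())
	unlinkable = !bank.pubKeys["alice"].Equal(shop.pubKeys["alice"])
	return
}
```

Two things are worth noticing when reading the output. The relying party's entire state is public keys plus unused challenges, so a breach of its database gives an attacker nothing to log in with; and the lookalike origin is refused before any signature exists, because the rpID check runs on the client and the origin is also part of what the relying party verifies, which is the mechanism behind the claim that FIDO "defeats the most common attacks like phishing".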
“The Alliance mapped its privacy principles against the Identity Ecosystem Steering Group requirements,” Grant says. “FIDO from a policy perspective and a market perspective enables better security for online services, reduces cost for the enterprise, and at the end of the day it’s simpler and safer for consumers.”