Technology choices abound for stronger digital identity
Password replacement methods take many forms
22 September, 2014
category: Corporate, Digital ID, Financial, Library, Smart Cards
FIDO and universal authentication
The password-less FIDO experience is supported by the Universal Authentication Framework. Using this framework, the user registers a device to the online service by selecting a preferred authentication mechanism such as swiping a finger, looking at the camera, speaking into the microphone or entering a PIN.
Once registered, the user simply repeats the chosen authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. The Universal Authentication Framework also enables experiences that combine multiple authentication mechanisms such as fingerprint and PIN.
FIDO’s two factor experience is defined by the Universal Second Factor protocol. It enables online services to add security to their existing password infrastructure by adding an additional authentication factor.
The user logs in with a username and password as before, but the service then prompts for a second factor device at any time. The second factor enables the service to simplify its passwords – a four-digit PIN for example may suffice – without compromising security.
During registration and authentication, the user presents their preferred second factor – pressing a button on a USB device, tapping via NFC, presenting a biometric, etc. The user can use this FIDO Universal Second Factor device across all online services that support the protocol.
Bluetooth for access
Kenneth Weiss, developer of the token-based authentication technology that became RSA’s SecurID, is working on a smart phone app that would enable users up to three-factor authentication to a laptop or PC – with no additional hardware. “You’re protecting your device with something you already have,” says Weiss, now founder and CEO at Universal Secure Registry.
After downloading an app to a handset and computer, authentication is performed via Bluetooth, Weiss says. The individual authenticates to the handset and app with a PIN or passcode, which then authenticates to the computer for two-factor security. If the handset has a biometric reader it could actually reach three-factor security.
The handset sends a passcode to the computer via Bluetooth every 30 seconds offering continuous authentication, Weiss says. When out of range the computer is locked. The app can also be set up for mutual authentication, so not only is the handset authenticated to the computer but the computer is also authenticated to the handset.
While the app will initially be used for access to computers, there are plans to create an API so that it can be enabled for access to web sites and secure networks as well, Weiss says. Users could be automatically logged into sites and networks that accept the authentication technology.
Universal Secure Registry is working on apps for both iOS and Android and plans to release in mid-2014, Weiss says.
Toopher is touting invisible authentication but also may have one of the coolest tag lines for an identity company out there: “cool enough for James Bond and your mom can use it too.”
Once an enterprise enables a site for Toopher, a user’s mobile device can serve as a second factor of authentication, says Roman, Gonzalez, marketing director at the company.
A consumer logs in to a Toopher-enabled site and opts to enroll their mobile device. They are asked to download the Toopher app to their mobile, if they have not already done so.
A message is sent to the app, detailing the site to be added to the user’s Toopher chain. The consumer can choose to allow or deny the site. After approving the login request the individual would be logged on to the site.
After this enrollment has been completed, the invisible authentication takes over. Toopher uses the geolocation feature of the mobile device, learning where a user typically logs in to various sites. If a login comes from a location that is not typical, a request is sent to the mobile to further authenticate prior to allowing the transaction.
The system can also be used to authorize only specific transactions from a provider’s suite of services, Gonzalez explains. For example, if an individual is transferring funds or doing another high-risk transaction, Toopher can be used to authenticate the identity.
The idea is to make transactions more secure without having to pull out the mobile device for every login, Gonzalez says. “It’s an invisible user experience,” he adds.
Toopher is focusing on the financial services market for account access and also has a product that enables consumer to validate payment card transactions. The company also has products available for employee and enterprise access control.
Combating the threat
As the Verizon report shows, cybersecurity is more vulnerable than ever. Hackers aren’t going to stop going after weak user IDs and passwords. As breaches become increasingly common, the race to improve online authentication is in high gear.
The examples detailed above show that there are many approaches – from hardware to software and active to invisible. A rich ecosystem of companies is emerging to combat fraudsters and help both consumers and enterprises combat this growing threat.