FIDO is a new authentication standard with an impressive list of companies backing it. FIDO is meant to make it easier to use something other than (or in addition to) username/password for authentication. In particular, a user can use an authentication means he already has at many websites. Think of a separate USB token or the fingerprint sensor of a smartphone, for example paying at PayPal with the Samsung S5 fingerprint sensor. FIDO is limited to authentication: the website has to determine in some other way which user (name, etc.) belongs to that authentication means. This is in contrast to DigiD, the eID Stelsel, SURFconext and other trust frameworks/federations. FIDO is about Bring-Your-Own-Authentication, not Bring-Your-Own-Identity. At a well-attended PIMN seminar last Friday (23 January 2015) I presented my perspective on FIDO; see the English blog post below for more details.

FIDO and its place in the eID ecosystem

FIDO stands for Fast Identity Online. FIDO is a new authentication specification that makes it easier to integrate with and re-use non-password authentication means: what-you-have and what-you-are. The specification was published in a v1.0 version last December by the FIDO Alliance, which unites an impressive list of large companies (e.g., Microsoft, Google, Samsung) and smaller authentication companies (e.g., Authasas, Yubico, Nok Nok Labs) to “define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services”.

Last Friday (23 January 2015) PIMN organized a seminar on FIDO, which was fully booked, with a waiting list even. In this blogpost I’ll summarize what I learned and what I presented on “FIDO and its place in the identity ecosystem”. There were also presentations by Nok Nok Labs (heavily involved in the standard), Yubico (U2F token vendor), Authasas (authentication middleware vendor), OneGini (mobile security vendor), NXP (use case) and SURFnet (by Joost van Dijk, who also showed a demo of U2F!).

First, let me explain how FIDO works. FIDO actually consists of two (sets of) specifications. Universal Authentication Framework (UAF) is about reusing authentication means in-device. A good example is the fingerprint sensor in high-end smartphones and how to use it in an app (like Samsung and PayPal are doing), or leveraging Trusted Execution Environments in smartphones. Universal Second Factor (U2F) is about using a hardware token as a second factor, typically through USB, NFC or Bluetooth Low Energy. FIDO allows a user to re-use his authentication means with several relying parties (websites), so a keychain full of second-factor tokens can be avoided. To enable this, FIDO specifies how a user can select which authentication means to use (i.e., discovery) from a list of FIDO-compliant authentication means that the relying party trusts. At the core of the specification is public-private key crypto, with no biometric or shared-key information stored at the server. FIDO is not suitable for passwords (but local PINs can be used) and not for one-time-password authentication. For more information I recommend the architecture descriptions of UAF and U2F.

The main benefits of FIDO I see are:

  • The above-mentioned re-use of embedded and separate authentication means, including biometrics.
  • Relying parties can easily integrate with a lot of different authentication means.
  • No ‘spillover’ of hacks from one relying party to another, since there are no shared secrets (passwords) stored at the server. And no biometric data at the server either.
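To make the mechanism and the ‘no spillover’ point concrete, here is an added example of my own (not code from the FIDO specifications, the FIDO Alliance, or any vendor at the seminar): a toy U2F-style registration and challenge-response flow. The token holds one key pair per relying party, the relying party stores only the public key plus the last signature counter, and every signature is bound to the relying party’s app ID and to a counter. The names `Authenticator`, `RelyingParty`, the app IDs and the message layout in `signingInput` are assumptions for illustration, not the FIDO wire format.

```go
// Toy U2F-style flow (added illustration, not FIDO's real wire format):
// one key pair per relying party on the token, only public keys at the server.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the user's token: a private key per app ID plus a counter; private keys never leave it.
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey
	counters map[string]uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, counters: map[string]uint32{}}
}

// Register creates a fresh key pair scoped to appID and hands back only the public half.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// signingInput binds a signature to the app ID, the counter and the challenge (assumed layout, not FIDO's).
func signingInput(appID string, counter uint32, challenge []byte) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	digest := sha256.Sum256(append(append(app[:], ctr[:]...), ch[:]...))
	return digest[:]
}

// Authenticate signs the relying party's challenge with the key registered for appID.
func (a *Authenticator) Authenticate(appID string, challenge []byte) (uint32, []byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return 0, nil, errors.New("token has no key for this relying party")
	}
	a.counters[appID]++
	counter := a.counters[appID]
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signingInput(appID, counter, challenge))
	return counter, sig, err
}

// RelyingParty stores public keys and last-seen counters only: a leak of this table logs in nowhere.
type RelyingParty struct {
	AppID    string
	pubKeys  map[string]*ecdsa.PublicKey
	counters map[string]uint32
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, pubKeys: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
}

// NewChallenge returns 32 fresh random bytes; the server must remember what it issued.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Enroll links a user account to the public key received at registration.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Verify requires a strictly increasing counter (replay / cloned-token check) and a valid signature for this app ID.
func (rp *RelyingParty) Verify(user string, challenge []byte, counter uint32, sig []byte) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if counter <= rp.counters[user] {
		return errors.New("signature counter did not increase: replay or cloned token")
	}
	if !ecdsa.VerifyASN1(pub, signingInput(rp.AppID, counter, challenge), sig) {
		return errors.New("signature does not verify for this relying party")
	}
	rp.counters[user] = counter
	return nil
}

func main() {
	token, site := NewAuthenticator(), NewRelyingParty("https://rp-a.example") // constructed app ID
	pub, _ := token.Register(site.AppID)
	site.Enroll("alice", pub)
	ch, _ := site.NewChallenge()
	ctr, sig, _ := token.Authenticate(site.AppID, ch)
	fmt.Println("first login:", site.Verify("alice", ch, ctr, sig), "| replay:", site.Verify("alice", ch, ctr, sig))
}
```

Run it with `go run`: the first `Verify` succeeds and the replay with the same counter is rejected. Because the app ID is part of what is signed, a signature produced for one site does not verify at another even if that site somehow obtained the same public key, and because the relying party holds only public keys and counters, a breach of its table yields nothing an attacker can present at this or any other site.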

The point I stressed most in my presentation is that FIDO is about authentication and not about identity, even if the name Fast IDentity Online may suggest otherwise. Verification of attributes, issuing processes, etc., which are essential for identity solutions like the eID Framework NL, NSTIC, etc., are not covered by FIDO. I summarized this point by saying FIDO is about Bring-Your-Own-Authentication and not about Bring-Your-Own-Identity. The most comparable standard is probably OATH and not SAML, OAuth, or OpenID Connect.

A second major point I made is that support by browser and mobile OS vendors is crucial; without it, I’m afraid FIDO will not take off. Support by Google (Chrome, Android) seems ok. My guess is that support by Mozilla/Firefox will come. There are rumors that Microsoft will support FIDO in Windows 10 as well, but I haven’t seen committed dates. If, and if so when, Apple (Safari, iOS) will support FIDO, I have no idea.

My presentation can be viewed here.