The Fraud Blog with Tracy Kitten

Strong Authentication: Standards Coming?

New Consortium Developing Specifications

Online authentication practices that rely on usernames and passwords are weak, easily broken and too often to blame for account takeovers and other online compromises.

See Also: Securing Microsoft 365: 10 Reasons Organisations Choose Proofpoint to Protect Their Cloud Deployment

But a new consortium is attempting to pave the way for wider use of more sophisticated forms of authentication, with a goal of reducing reliance on passwords. The group, known as the FIDO Alliance, is developing technical specifications that define an open, scalable, interoperable set of mechanisms for advanced authentication.

Advancements in security hinge on innovation, not just regulation. That's why consortium members deserve credit for their efforts. 

FIDO hopes to unveil its initial set of specifications for online authentication by early next year. Ultimately, it will submit those specs to a standards-setting body for approval.

Today's Greatest Online Payment Risk

Established in February, the alliance, which started out in February with just six founding member companies out of Silicon Valley, already has grown to include more than 50 members, ranging from small tech companies to MasterCard and Google.

Representatives from the Federal Reserve banks of Boston and Atlanta are closely watching how FIDO's authentication standards might enhance e-commerce security.

The consortium's goals are ambitious; gaining widespread adoption of new standards won't be easy. But its ongoing efforts are worth watching.

Open Standards

The group is working toward open standards for use in all sectors that support a broad range of authentication approaches, such as biometrics, trusted platform modules, USB security tokens, smart cards and near-field communication, says Sebastien Taveau, chief technology officer of online security firm Validity and one of the alliance's founding board members.

The consortium believes that for advanced authentication to become ubiquitous, devices used for e-commerce or electronic banking need to be equipped with standards-based authentication mechanisms that are interoperable.

Under FIDO's proposed model, devices would register the user to a server. To authenticate the user, the device would communicate directly with the server using a private key.

The FIDO Alliance expects to complete its first set of specifications in early 2014. Then, products that will enable websites and devices to accommodate stronger, more flexible authentication will be available in the market. These products, delivered by FIDO member companies, will be interoperable and will promote many options for easy widespread adoption of strong authentication. FIDO's goal is to publish these specifications as an open standard in the future.

Will FIDO Prove Practical?

Will the consortium's approach prove practical? Only time will tell.

"Until the standards are released, and implementations actually appear, it is anyone's guess as to what the adoption rate might be," says Peter Tapling, president and CEO of Authentify, an out-of-band authentication provider. Although his firm is a FIDO Alliance member, Tapling is not speaking on the alliance's behalf.

Advancements in security hinge on innovation, not just regulation. That's why consortium members deserve credit for their efforts. Even if FIDO's efforts don't result in widely used standards, the collaboration FIDO has encouraged across industries is bringing attention to ways online authentication can be enhanced.

I'll be reporting more about this group's efforts in the months to come. FIDO's initiative to develop online authentication standards is definitely worth watching - even if this effort proves to be just a stepping stone toward a better solution.



About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing devicesecurity.io, you agree to our use of cookies.