Archive | février 19th, 2018

Fast Identity Online (FIdO)

Arrivera-t-on un jour à supprimer l’authentification p identifiant / mot de passe ? Je découvre ce jour FIdO.

Qui l’implémente aujourd’hui ? Le site de l’Alliance FIdO recence au  19/02/2018, 18 implémentation commerciales du standard parmi lesquelles DropBox, Pypal, Facebook …

FIDO (Fast ID Online) is a set of technology-agnostic security specifications for strong authentication. FIDO is developed by the FIDO Alliance, a non-profit organization formed in 2012.

FIDO specifications support multifactor authentication (MFA) and public key cryptography. Unlike password databases, FIDO stores personally identifying information (PII), such as biometric authentication data, locally on the user’s device to protect it. FIDO’s local storage of biometrics and other personal identification is intended to ease user concerns about personal data stored on an external server in the cloud. By abstracting the protocol implementation with application programming interfaces (APIs), FIDO also reduces the work required for developers to create secure logins for mobile clients running different operating systems on different types of hardware.

FIDO supports the Universal Authentication Framework (UAF) protocol and the Universal Second Factor (U2F) protocol. With UAF, the client device creates a new key pair during registration with an online service and retains the private key; the public key is registered with the online service. During authentication, the client device proves possession of the private key to the service by signing a challenge, which involves a user-friendly action such as providing a fingerprint, entering a PIN, taking a selfie or speaking into a microphone.

With U2F, authentication requires a strong second factor such as a Near Field Communication (NFC) tap or USB security token. The user is prompted to insert and touch their personal U2F device during login. The user’s FIDO-enabled device creates a new key pair, and the public key is shared with the online service and associated with the user’s account. The service can then authenticate the user by requesting that the registered device sign a challenge with the private key.

The history of the FIDO Alliance

In 2007, PayPal was trying to increase security by introducing  MFA to its customers in the form of its one-time password (OTP) key fob: Secure Key. Although Secure Key was effective, adoption rates were low — it was generally used only by few security-conscious individuals. The key fob complicated authentication, and most users just didn’t feel the need to use it.

In talks exploring the idea of integrating fingerscanning technology into PayPal, Ramesh Kesanupalli (then CTO of Validity Sensors) spoke to Michael Barrett (then PayPal’s CISO). It was Barrett’s opinion that an industry standard was needed that could support all authentication hardware. Kesanupalli set out from there to bring together industry peers with that end in mind.

The FIDO Alliance was founded as the result and went public in February 2013. Since that time, many companies become members, including Google, Microsoft, ARM, Bank of America, Master Card, Visa, Microsoft, Samsung, LG, Dell and RSA. Today, FIDO authentication is guided by three mandates: ease of use, standardization and privacy/security.

strong authentication
multifactor authentication
public key
PII
biometric authentication
one-time password
strong password

Posted in Boulot0 commentaire