The Fido (Fast IDentity Online) Alliance, an open industry consortium delivering standards for simpler, stronger authentication, achieved a historic milestone today by releasing its first public review draft technology specifications.
These open technologies have been collaboratively developed by a rapidly increasing number of the most innovative companies in the world to enable simpler, stronger authentication to scale in the market.
The Q1 2013 Forrester Wave(TM): Enterprise Fraud Management asserts the online services industry is seeing upwards of $200B in annual losses from password breaches and related hacks that exploit the vulnerabilities inherent in single-factor password systems. According to the Verizon 2013 Network Investigations Data Breach Report, 76 percent of network intrusions exploit weak or stolen credentials. According to Gartner, 20 to 50 percent of all help desk calls are for password resets. Forrester Research estimates help desk labor cost at $70 per password reset*. In Mobile Consumer Insights, Jumio reports that 68 percent of smartphone and tablet owners have attempted to make purchases on their device. Due to problems during the payment process, 66 percent of that group abandon transactions, and 47 percent of these said they abandoned transactions that took too long. Upon its first-year anniversary, the FIDO Alliance demonstrates momentum that attests to pent-up demand for simpler, stronger authentication that must scale, as only open industry standards can deliver.
"It is with pride that the FIDO Alliance releases the review draft specifications to the public today, before our first anniversary of starting the long overdue revolution in authentication. Congratulations to our members for their insights, expertise, and tireless dedication to delivering better authentication that is more secure, private and easier-to-use than prevailing password schemas," said FIDO Alliance president, Michael Barrett. "With today's public release of the review draft specifications, we especially welcome and anticipate new types of members coming from various enterprises. Furthermore, we encourage Relying Parties to begin testing their unique FIDO authentication needs with the commercial solutions already available from many FIDO member companies."
The FIDO Alliance also announces that its membership is approaching 100 strong, with Aetna, ARM, Dell, Discretix, IdentityX, Netflix, Next Biometrics, Oesterreichische Staatsdruckerei GmbH, Salesforce, SafeNet, Sonavation, STMicroelectronics, and Wave Systems being among the most recent companies to join as Sponsor members of the Alliance. Launched in February 2013 with six founding members, the alliance has grown rapidly with representation from every continent and every industry.
"When I first started discussing the need for a strong authentication protocol with Michael Barrett, Taher Elgamal and others many years ago, we knew we had something big on our hands," said Ramesh Kesanupalli, founder of Nok Nok Labs and FIDO visionary, "and the progress we've seen in a single year in attracting membership and delivering draft specifications signifies the need for a drastic change in the marketplace and a collective determination to accomplish it. As a founding member, Nok Nok Labs is proud to be delivering FIDO Ready solutions based on these new specifications."
FIDO standards address industry and consumer pain points by ensuring that users and online service providers have a variety of choices to select from when adopting simpler, stronger authentication alternatives to today's prevailing reliance on single-factor passwords.
"It is incumbent upon Enterprise IT to begin moving away from the world of basic username/password authentication, and we are excited to join the FIDO Alliance in shaping the future of strong authentication," said Mike D. Kail, VP of IT Operations, Netflix. "We look forward to collaborating with various sectors and industry experts and contributing experience and guidance on best security and authentication practices for Enterprise IT."
The FIDO specifications emphasize a device-centric model that reflects the Alliance's thoughtful dedication to usability, privacy and security. FIDO specifications will support a full range of authentication technologies, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as further enable existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). The open specifications are being designed to be extensible and to accommodate future innovation, as well as protect existing investments. FIDO specifications allow device-specific authentication capabilities to be leveraged by online services within an interoperable infrastructure, enabling authentication choice to meet the distinct needs of users and organizations. The FIDO specifications complement and add value to identity federation. The improved user authentication enabled by FIDO specifications can be federated using existing industry standards such as OpenID and SAML. Committed to core privacy principles, the FIDO Alliance today published a reference whitepaper. The FIDO Alliance will continue to develop and mature the specifications with additional features and refinements based on interoperability testing and real-world deployment experience.
"Increased awareness of identity protection and the associated complexities of securely authenticating users across diverse devices and environments underscore the need for a universal authentication framework," commented Andrew Young, VP Product Management, Authentication at SafeNet. "To this end, one of the clear advantages of the FIDO approach is that it offers users a consistent experience across multiple services and user devices, a range of multi-factor schemes, and maintains privacy by using distinct authentication keys for different services. The FIDO Alliance, by helping to standardize multi-factor practices, will contribute to the formation of a broader identity framework based on greater trust and better security in both consumer and enterprise environments."
"As a leading provider of trusted identity and authentication networks and sponsor member of FIDO Alliance, SecureKey enthusiastically supports the principles of interoperable, simple and strong authentication for consumer-scale deployments, said Stu Vaeth, VP of Products, SecureKey. We look forward to delivering FIDO Ready solutions based on this specification to our customers and partners, leveraging our briidge.net(TM) Connect cloud-based authentication service."
"At PayPal the security of our customer's personal and financial information is our top priority, which is why we co-founded the FIDO Alliance," said Brett McDowell, FIDO Alliance vice president, and eBay Inc. Head of Ecosystem Security. "The open standards and best practices we develop in collaboration with other members of the Alliance provide our industry with an interoperable, scalable framework for delivering simpler, stronger authentication to our customers."
FIDO specifications allow device-specific authentication capabilities to be leveraged by online services within an interoperable infrastructure, enabling authentication choice to meet the distinct needs of users and organizations. The FIDO Alliance will continue to develop and mature the specifications with additional features and refinements based on interoperability testing and real world deployment experience.
"IDC Financial Insights believes that most successful financial institutions in 2014 will be those that can deliver an engaging, omnichannel experience for their customers and prospects. Simple, convenient, and strong authentication is the foundation to convenience, and contributes to a channel-less experience for the end-user. The finalization and adoption of the FIDO Alliance draft specifications, shared today, can play an important role in delivering convenience," said Michael Versace, Global Research Director at IDC Financial Insights.
FIDO Alliance members are already developing FIDO Ready(TM) products and services based on early draft FIDO specifications. In October 2013, The FIDO Alliance began a certification program with FIDO Ready(TM) branding for implementations passing conformance and interoperability testing to early draft specifications. The 2014 Consumer Electronics Show (CES) revealed the first demonstrations of FIDO Ready products. Members are shaping the marketplace with FIDO specifications already in play in products like FingerQ with FIDO Ready(TM) components from Synaptics and FIDO Ready products from AGNITiO, Go-Trust, Nok Nok Labs, and Yubico.
FIDO members are featuring FIDO Ready products at this month's Mobile World Congress 2014 (MWC 2014), RSA Security Conference and FIDO Public Forum Event in Palo Alto California. Online Service providers who want to assess FIDO technologies are encouraged to look for the FIDO Ready(tm) certification on vendor implementations. The FIDO Certification program will continue to advance in scope and depth as the specifications mature, while adhering to a core principal of backward compatibility of FIDO infrastructure to ensure ongoing interoperability with all FIDO certified authenticators in the market.
Rob Coombs, Director of Security Marketing, ARM said: "Last year, our partners shipped over ten billion ARM-based microprocessors, the vast majority in internet-enabled devices. With the growing need to connect people and products securely to cloud services it is clear that we need to move beyond passwords for authentication. The FIDO alliance provides an excellent forum for industry to work together to provide a scalable verification architecture that can make the lives of consumers more convenient and help cloud-based services manage risk."
"Discretix' Passwordless and Second Factor User Authentication solutions are hardware-assisted and utilize the device's Trusted Execution Environment. These solutions leverage our expertise in deploying field-proven, mass-market solutions for mobile, particularly on Android devices," said Roni Sasson, Director Product Marketing at Discretix. "Simple and strong authentication is a key enabler for premium mobile services, and Discretix fully endorses the FIDO Alliance's specification and certification initiatives, and we are pleased to be an active contributor."
"As a long-time leader in semiconductors for trust and data security, STMicroelectronics recognizes the value and fully endorses the FIDO Alliance's efforts to develop an open and standardized solution for strong authentication," said Laurent Degauque, Embedded Security Marketing Director. "ST is committed to bringing its security expertise, products and solutions to bear to help the deployment of FIDO-enabled devices."
"FIDO specifications establish an authentication perimeter, so only content by consent can be accessed. As more 'things' proliferate in the Internet of Things (IoT), an authentication perimeter becomes very important to managing our world. Beyond addressing the need for password and PIN alternatives, FIDO authentication flips the model and increases both security and convenience, while ensuring privacy by placing local authentication controls entirely in the hands of the true owner. This control is essential to managing increasingly connected devices as they demand access to our data and personal content," said Tim Bajarin, president, Creative Strategies. "Generating a local signature understood by a remote service that protects both consumer and service provider from unauthorized access to owners and their data is unique. FIDO specifications flip the authentication model from user subjugation to user control with this truly revolutionary capability."
The FIDO Alliance invites all interested organizations to join and contribute their use cases and expertise to these open industry standards that will enable the next generation of authentication to online and cloud services.