Users don't want to type cumbersome passwords on their mobile device (especially when they keep fumbling along with big thumbs on small keys). They don't want to log in and provide personal data to every site and service. Yet they do want to be secure. Companies would like to support stronger or multi-factor authentication, but they don't want to make it so difficult on users that customers give up and go elsewhere. Unfortunately, implementing some authentication schemes can be difficult and expensive.
Those are the problems that the FIDO Alliance aims to solve. Today, FIDO (which stands for Fast Identity Online) published its final Universal Authentication Framework (UAF) standard and Universal 2nd-Factor (U2F), version 1.0. This brings them closer to getting UAF and U2F accepted as IETF standards by the Internet Engineering Task Force.
This is the technology behind Google's new Security Key two-factor authentication. It is what makes it possible for Samsung Galaxy users to make PayPal purchases with a fingerprint.
What UAF does is enable businesses to support strong authentication without getting hung up on the login mechanism. Regardless of whether it's a fingerprint scanner, facial recognition software, or hardware token, the authentication mechanism is simply there to kick off a PKI interaction.
Through a method of their own choosing, a user logs in to a FIDO-Ready authentication application installed on their device. The application generates a private key and a public key. It stores the private key securely on the device, and issues the public key to whatever service is demanding authentication.
Nok Nok Labs is one of the six founding members of the FIDO Alliance, along with PayPal and Lenovo, and today announced the closing of $8.25 million in a Series C financing, which will help expand commercial offerings. Nok Nok Labs offers a FIDO-Ready authentication suite, and describes the example of a consumer using a mobile phone to purchase something online, in this video:
The user maintains more privacy, because they need only provide their personal login data to their device -- not to every site and service under the sun. The user saves herself the effort of typing in long, unique passwords over and over again.
The Web service she logs into doesn't have as much personal data to lose, because all they need is that public key. The browser does most of the work.
Phillip Dunkelberger, president and CEO of Nok Nok Labs and co-founder and former CEO of the PGP corporation, has been involved in the project from the beginning. He says that this technology could be an important tool for securing the Internet of Things, because it takes some of the pressure off the hardware manufacturers and relies more on the chip makers and software developers.
It could also help IT departments manage BYOD better, he says, because as long as the user's device supports the app, it doesn't really matter what the device is.
The project has backing from big household names. The FIDO Alliance started with six members (including PayPal and Lenovo), and now has over 150 members, including Microsoft, Samsung, BlackBerry, VISA, Mastercard, and Wells Fargo.
Today, Nok Nok Labs released new versions of its S3 Authentication Suite that supports the final UAF standards. It also released software development kits to help third-party authenticators, and applications make their products FIDO-enabled.
For more about FIDO-Ready products, visit fidoalliance.org.