9/27/2018
10:25 AM
Dark Reading
Products and Releases

FIDO2 Certified Solutions Ship

FIDO2 authentication standards enable websites to replace vulnerable passwords with cryptographically secure logins using convenient alternatives like biometrics and security keys

September 27, 2018 -- FIDO2 browser support and first certified products are now available to reduce password use on the web, the FIDO Alliance announced today. Now, any website can leverage FIDO2 strong authentication protocols from the W3C and FIDO Alliance to replace passwords with cryptographically secure logins using convenient alternatives like on-device biometrics and FIDO Security Keys.

Google Chrome, Microsoft Edge and Mozilla Firefox browsers now support FIDO2, a big advancement since the standards were introduced last April. Between this support and newly certified products supporting a wide variety of use cases, service providers have all of the tools needed to roll out FIDO Authentication for their websites and applications. FIDO Authentication has been proven to protect against the phishing and security risks associated with passwords, provide better user experiences over remembering and typing passwords and lower authentication support costs.

“With FIDO2, the tech industry has, for the first time, established a technology standard for strong, phishing-resistant authentication on the web that promises better security and a better user experience. These announcements today of certified products and leading web browser support deliver on that promise by bringing these new capabilities to market,” said Brett McDowell, executive director of the FIDO Alliance. “Any web application -- consumer or enterprise, mobile or desktop -- can now be enabled to take advantage of these innovations at internet scale with the full confidence that comes from an independent certification program designed and governed by their peers.”

Organisations that have achieved FIDO2 certification for security key and biometric authenticators, clients and servers include: CROSSCERT: KECA (Korea Electronic Certification Authority); Dream Security Co., Ltd. Korea; ETRI; eWBM Co., Ltd.; IBM; Infineon Technologies; INITECH Co., Ltd.; Nok Nok Labs (Universal Server); OneSpan; Raonsecure; Samsung SDS; Singular Key; Whykeykey Inc.; Yahoo Japan Corporation; Yubico. Products are certified for FIDO2 by the FIDO Alliance to ensure compliance with the specifications, as well as interoperability among FIDO products. Today’s announcement also includes the first certified FIDO Universal Server, which a service provider can use to ensure compatibility with authenticators based on all FIDO specifications (FIDO UAF, FIDO U2F and FIDO2).

FIDO2 Details

FIDO2 is comprised of the W3C’s Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from FIDO Alliance. Collectively, these standards enable users to leverage common devices to more easily authenticate to online services through mobile and desktop browsers. FIDO2 supports a variety of authentication use cases and experiences, including passwordless, second-factor and multifactor for the highest levels of assurance. Password-only logins can now be replaced with easy user gestures using embedded biometrics (facial recognition, iris scan, fingerprint swipe) and/or portable security keys. 

These simple user experiences are backed by strong cryptographic security that is transparent to the user and protects against phishing, man-in-the-middle and attacks using stolen credentials. FIDO2 web browsers and online services are also fully backward compatible with all previously certified FIDO U2F Security Keys. 

Visit the FIDO Alliance website to get more information on FIDO2, including resources for developers and product vendors interested in taking part in the FIDO Certified program. 

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

 

Supporting quotes from certified companies:

 

CROSSCERT: KECA (Korea Electronic Certification Authority), David Ahn, Director

“Our FIDO Certification service is credited for its strong security and convenience in the market, and the cumulative number of domestic users exceeded 280 million as of September. We will lead the biometric authentication market with the FIDO2 Simplified Cloud Authentication, the next-generation authentication technology.”

 

eWBM Co., Ltd., Stephen Oh, Ph.D., CEO  

"The eWBM Golden Gate (model eFA500), the FIDO2-certified fingerprint authenticator, opens the door to the world of biometric authentication web access. It is a compact and portable security device that provides a superior user experience, thanks to its no-ID and no-password authentication functions."

 

IBM Security, Shane Weeden, Senior Technical Staff Member

"IBM's strong and alternative-to-password authentication strategy will benefit significantly from the WebAuthn and FIDO2 standards. These specifications bring convenient, frictionless strong authentication services to the mainstream web with consumer privacy as a primary consideration."

 

Infineon Technologies, Joerg Borchert, VP of Chip Card and Security

“We are very happy to provide the industry’s first FIDO2 certified Reference Design based on the SLE78 single-chip solution. Infineon’s reference design serves as development kit for fast and low risk FIDO2 USB and USB/NFC token designs prepared to reach highest security levels. Certification according to the specifications of the FIDO2 standard increases interoperability of the token and reduces production and support costs on the manufacturer side.”

 

Nok Nok Labs, Phillip Dunkelberger, CEO and President

“Every day there is news of a new phishing or other scalable attack, caused by the use of weak and stolen passwords. Our breadth of experience as the most broadly deployed FIDO-based platform puts us in a unique position to deliver phishing-resistant, privacy-conscious authentication in a passwordless user experience. We look forward to bringing these solutions and benefits to our customers and partners as we deliver on our vision of fixing the security and ease of use flaws on the internet.”  

 

OneSpan, Scott Clements, CEO

“OneSpan has joined tech leaders such as Google and Microsoft in embracing the FIDO2 standard, most recently with the certification of our Digipass 785 authenticator. Rapid adoption of the FIDO2 standard spells good news for the unification of the authentication industry and for the security of consumers online.”

 

Raonsecure, Lee Soon-hyung, CEO

"Considering South Korea's PC-oriented business environment, it is expected that there are demands for FIDO2 for business systems such as groupware, ERP, CRM and others."

 

Samsung SDS, Sean Im, Senior Vice President of solution business division

"By acquiring FIDO2 certification, Samsung SDS now offers secure and convenient Nexsign solution to PC users as well as mobile users. In business perspective, a stepping stone has been prepared to target the domestic and overseas B2B authentication markets."

 

Singular Key, Hitesh Kalra, Founder

“Today’s announcement is a significant milestone towards a safer internet by eliminating the use of passwords and shared secrets. FIDO provides agility for evolving user authentication flows and digital journeys. Singular Key is committed to make it easy to deploy high assurance authentication at scale with its cloud-based FIDO Authentication Service.”

 

Yahoo Japan Corporation, Shinya Sugawara, Vice President, ID Solution Division

“Yahoo! JAPAN launches a FIDO2-certified authentication service that has been officially accredited by FIDO Alliance at the first FIDO2 conformance test. This innovative service ensures simpler and more secure authentication, lessening the reliance on traditional passwords for users. Yahoo! JAPAN contributes to enhancing users' passwordless experiences aligned with FIDO's effort towards simpler, stronger authentication on the Web.”

 

Yubico, Stina Ehrensvard, CEO and Founder

"Our mission has always been to drive open standards and ecosystem adoption by creating technical specifications, open source components, and the gold standard for authenticators. With the YubiKey 5 Series FIDO2 Certification and growing momentum towards a passwordless world, we’re proud to see our vision of one single security key to any number of services becoming a reality."

 

Contact information

Gabriel Hedengren / Charlotte Martin

Finn Partners, on behalf of the FIDO Alliance

E: [email protected]

T: 020 7017 8421

 

