Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

New Security Industry Alliance, Startup Company Promise Revolution In Authentication

Fast IDentity Online Alliance, Nok Nok Labs attack password problem with proposed standard protocol

A new security industry alliance says it may finally have the answer to the password problem, and a startup company is the first to offer the proposed technology solution.

Led by PayPal, Lenovo, Infineon Technologies, and several pioneers of authentication, the Fast IDentity Online (FIDO) Alliance Monday proposed a new, open authentication protocol (PDF) that is designed to give users and devices a standard method of identifying themselves, no matter what authentication tools they use to log on.

The first provider of FIDO-enabled authentication services will be Nok Nok Labs, a startup company headed by former PGP CEO Phillip Dunkelberger and launched on Monday.

FIDO and Nok Nok Labs are attacking the decades-old problem of definitively confirming the identities of end users before allowing them onto a website or network application. Passwords are often forgotten or stolen, and the myriad second-factor authentication tools -- including tokens, biometrics, and phone-based methods -- are generally proprietary and available only to pockets of users.

Under the proposed protocol, every device would be enabled with FIDO, a small bit of code that definitively identifies the user by the device he/she is using and inventories the methods of authentication that might be available, and which method would be the most secure.

A FIDO server such as Nok Nok Labs then enrolls the user and issues a symmetric key, placing one half of the key on the end user's device and the other half on the destination server. The end user half of the key can be unlocked by whichever authentication tool the end device might have, including fingerprint sensors, facial recognition, or the Trusted Platform Module (TPM) chips found in most PCs.

Once authentication tool vendors add the FIDO API, and servers and end user devices are FIDO-enabled, the protocol could become part of the "handshake" between a device and a server, potentially eliminating the need to track and remember passwords, FIDO Alliance members say.

"By giving users choice in the way they authenticate and taking an open-based approach to standards, we can make universal online authentication a reality," says Michael Barrett, president of the FIDO Alliance and CISO at PayPal. "We want every company, vendor, and organization that needs to verify user identity to join us."

The new standard has been in the making for two years, receiving input from authentication experts such as Taher Elgamal, one of the inventors of the SSL authentication protocol. A number of "very large" corporations and service providers are preparing to announce support for FIDO in the near future, Barrett says.

As with all new standards, the chief obstacle will be in getting organizations, vendors, and devices on the Web to implement it, experts say. While the endpoint code will be broadly offered for free, it will require a service provider such as Nok Nok to enroll the devices and broker the encryption between the user and the server.

"It's not going to happen overnight -- it will take time for people to wrap their heads around it and to get the devices FIDO-enabled," Dunkelberger says. "At the same time, we think it will be very easy for whole enterprises to deploy it because it's not difficult to install." Nok Nok already has more than 400 customer requests for the technology, he says.

The FIDO technology could provide a path for enterprises to authenticate devices that users buy and bring in from home, Dunkelberger notes. BYOD devices would use FIDO to authenticate to the corporate servers, and corporations could require employees to FIDO-enable any device they want to use at work.

Over the longer haul, FIDO could provide a path for consumers and end users to build a single identity that would enable them to use a common method to access all of the websites and servers they use during the day. One of the founding FIDO Alliance members is Infineon, which provides identity protection services for many of the major banks and financial services vendors across the globe.

"Today we're identified as different users by all of the sites and applications we use, but I'm the same person, whether I'm using Amazon or my corporate server," Dunkelberger says. "This gives us a way to cut down some of those barriers between our different identities."

The technology may help enterprises to cut through the confusion of authentication technologies, Barrett says. "Since 2005, the number of authentication has grown from about 20 to more than 100," he notes. "Each of them might have the best thing since sliced bread, but at PayPal we can't easily pick just one of them and then make a transition to another. With FIDO, potentially, we won't have to."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1448
PUBLISHED: 2020-07-14
A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1446, CVE-2020-1447.
CVE-2020-1449
PUBLISHED: 2020-07-14
A remote code execution vulnerability exists in Microsoft Project software when the software fails to check the source markup of a file, aka 'Microsoft Project Remote Code Execution Vulnerability'.
CVE-2020-1450
PUBLISHED: 2020-07-14
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1451, CVE-2020-1456.
CVE-2020-1451
PUBLISHED: 2020-07-14
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-1450, CVE-2020-1456.
CVE-2020-1454
PUBLISHED: 2020-07-14
This vulnerability is caused when SharePoint Server does not properly sanitize a specially crafted request to an affected SharePoint server.An authenticated attacker could exploit this vulnerability by sending a specially crafted request to an affected SharePoint server, aka 'Microsoft SharePoint Re...