FIDO Alliance – Better Multi-Factor Authentication

A day doesn’t go by without an information security incident in news about a large website being hacked and user 1000’s (if not millions) of accounts being compromised.  The recent discovery of over 1 billion passwords in the hands of cybercriminals is a perfect case in point.  Passwords are a nearly 60 year old authentication technology that is commonly failing us and the beg for a better solution. Passwords only offer you one factor (way or method) to authenticate verses many other less frequently deployed options. Thankfully, there are more secure alternatives such as multi-factor authentication. Multi-factor authentication goes well beyond the simple password by offer several more ways for us to authenticate while improving security. But before we continue let’s define multi-factor authentication:

Wikipedia defines multi-factor authentication as:
Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inherence factor (“something only the user is”).

MFA of the Past

MFA has been around for a long time. The problem was there were expensive, difficult to deploy, non-standardized and based on closed source proprietary technology. Economics, lack of interoperability and openness made these MFA options a choice only for medium and large organizations with huge budgets to support it. No so anymore.

Enter FIDO

An industry consortium called the FIDO (Fast Identity Online) alliance is endeavoring to solve this issue by make web authentication easier, less expensive and more secure. Stronger, simpler authentication via an open industry standard with a myriad of devices. Among the members are: ARM, Bank of America, BlackBerry, Google, Lenovo, Mastercard, Microsoft, PayPal, RSA, Samsung, Visa, Yubico.

The FIDO alliance adeptly describes it self in its mission statement:

  • Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
  • Operating industry programs to help ensure successful worldwide adoption of the Specifications.
  • Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.

Standards Based, Open, Interoperable, Many Options

These parties are attempting to envision a world where authentication is easier and more secure than past single factor drab, hackneyed password. To that end they are working with many different companies in the security space such as biometrics, tokens, TPM (Trusted Platform Modules, eSE (embedded security elements), smart cards, or even your smartphone.

Authentication for Tomorrow

The FIDO alliance represents an opportunity for market forces, open standards and inexpensive hardware/software to re-imagine authentication. Many FIDO MFA options are currently supported and many are on the way. Keep an eye out for support on your devices and ask those cloud providers and websites you work with everyday to support this promising technology. Together we hopefully see the move toward a simpler and more secure future.  Learn more about FIDO at their website.

7 thoughts on “FIDO Alliance – Better Multi-Factor Authentication”

  1. I’ve been experimenting with a number of different authentication methods to improve the overall security of my site and those who use it, and I see just how crucial it is to have a form of MFA active. In the past, I’ve been subject to numerous attacks, which left my site in turmoil and my registered users very displeased to say the least. Not to mention the amount of apology and explanation letters I needed to create to assure that everything was being done to revert the damage done. Now that I’ve invested into a more secure MFA system, I hope to prevent further instances of these attacks from happening. I will be sure to check out FIDO in the upcoming months, especially since the system I’m utilizing currently is rather expensive and somewhat a pain to setup and manage.

  2. I must admit that I’ve previously put off using MFA due to the expense of using such a system, as well as the problems I faced when trying to set it up initially. I will however, give MFA another go as the added security is surely worth the extra effort, and by the sounds of things FIDO should simplify the process somewhat. Thanks for the recommendation!

  3. Benjamin Taylor

    With all that it promises, FIDO seems to be a viable option should I decide to opt for MFA. I do think that given the recent rise in cyber attacks and hackers that MFA is becoming increasingly a necessity to keep your website secure and ensure that your user’s information is safe. MFA is without question something I will be utilising for my site in the future, but currently, I need to find a solution that I’m capable of setting up and managing. So far I have not looked into too many different options, but FIDO is going to be the next one I explore.

  4. Samantha Lindsay

    The way I see it, if you’re not keeping up to date with the latest security measures such as MFA then you are compromising your website’s security and the privacy of your users. I always try to make sure that I make a hacker’s job of compromising my website near to impossible, while it can be a hassle for the user, it does provide them with heightened security. FIDO isn’t a solution I’ve heard of before, but since I’m looking to upgrade my current system, I shall be considering it. With some luck, they won’t be as expensive as my current provider.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top