Authenticating FIDO

The FIDO Europe Working Group launched today with the aim of accelerating the use of FIDO authentication standards in Europe. SC Media UK spoke to Alain Martin of Gemalto, co-chair of the new FIDO Europe Working Group, who explained the aims of the FIDO Alliance.

“The aim is to standardise authentication. It's a very focussed mission. To get rid of the password and use customer authentication.”

FIDO started in the US, and so, Martin explained, it has traction in the US market, and quickly gained followers in some Asian countries. These were initially linked to the founding members of the Alliance, and it is thus very active in Japan and Korea, and is making progress in China among banks.

But Martin noted, “There is a lack of knowledge, promotion and deployment in Europe and South America, so our first focus is in Europe as there is a lot of work on regulations underway in the region.”

The specifications and certifications from the FIDO Alliance have led to a whole ecosystem of hardware, mobile and biometrics-based devices designed to enable web service providers or enterprises to more easily roll out strong authentication that is simpler and stronger than other options available today.

SC asked Martin, you are promoting a solution based on the device, but how does that work and how applicable is that to the IOT when some devices are little more than a sensor themselves?

Martin replied, “Our solution is based on the device as the device is one of those factors of two factor authentication – a possession. It may be embedded in chip sets that you don't even see, nevertheless it's there. FIDO uses the device to store verification data – a PIN code or biometric data, so it's a strong point. The data is stored locally and verified locally – on the device.”

According to FIDO's recent press release, once the user is registered, they no longer need to enter a password to be authenticated to a web service. They simply complete a single gesture with their device – swipe a fingerprint, look at a camera, etc – and are strongly authenticated to the service. Where a password is still used, the user presents a second factor – a single gesture such as touching a security key – after their username and password are entered. The strong and simple second factor allows services to simplify password requirements and still achieve strong security.

Martin adds, “The other aspect is cryptography – FIDO devices generate signatures on the devices. It's public key cryptography. There are no shared secrets.”

The current focus is on users, that is, authenticating people. “The IOT is another subject we are working on. In IOT you can have individual authentication to a device. That would work. IOT devices would have to work like a FIDO server. Another track, devices that authenticate to other devices, is part of work in progress.”

So, what are the downsides of a device based approach?

Martin commented, “Any downside – is not linked to FIDO – it's the fact that you have to have a device. If you need a possession, what happens when you lose it? You are stuck. We realise this, and are working on solutions and currently have a white paper on account recovery. It is a downside but there are options to have a ‘spare’ device like a spare key. But then you get into ID federation.

“As a bank you may have a primary device such as a phone, you may also deploy a token. FIDO standards don't prevent the bank or service provider allowing the user to use multiple devices – it's a service provider decision.”

So what about the aims of the new FIDO Europe Working Group?

Martin told SC: “There was a realisation that FIDO is not well known in Europe and there are few deployments, so we wanted to bring on new members to be active in Europe. More importantly, there are three regulatory standards undergoing change – the introduction of GDPR, which deals with the privacy of personal data; eIDAS (electronic IDentification, Authentication and trust Services) which handles electronic signatures, trust services, both private sector and government links, creating digital citizens with digital IDs and signing. Then there are the open banking regulations under PSD2 (European Payment Services Directive) in force calling for strong customer authentication in shops or online.

“It's all coming together now: eIDAS technical standards are being agreed at the end of the month and banks decide on PSD2 which mandates two-factor authentication, so we will need a device to transact when paying online in Europe (when we shop, we are likely to have a card). PSD2 is also aggregating banking information to provide a global view, and banks are deciding now what this will include.”

Martin went on to note that the standards are freely available, but vendors are also invited to join what he describes as a well organised structure, demonstrated in other countries, to lobby and promote, and benefit from that activity. “Our [standards] are very broad – products are certified for functionality and from a security perspective. So regulatory standards PSD2 have a notion of audit which has to be verified for compliance to standard, and FIDO does audit and certification, eIDAS too.

“[Another benefit of adopting FIDO standards is...] cost saving. Or there is a lot of friction if everyone has bespoke systems, if every time you changed vendor you had to start again, thus it's less flexible. PSD2 introduces the notion of third party providers, eg fintech companies, that may connect to your accounts at various banks. If an account aggregator wants to connect to three or four banks, potentially it will have to develop three or four authentication standards, a thousand across Europe and so it's an extremely important factor for scaling.”

“End user experience without standardisation becomes very complicated and painful. While strong customer authentication and the need for a device introduce some complexity, overall we aim to make transactions less complex, and more usable.”

Martin adds that there are also reasons why FIDO makes sense for GDPR: “You need to protect access to information, and need to identify users. The level of security must be proportionate to the sensitivity of the data, eg health data would want a high level of security, so in future if you want to modify or allow access by a third party such as a doctor, you'll want strong multifactor authentication, which is exactly what we do. FIDO authentication is certified, so you will comply with GDPR – plus the authenticator itself – your data is personal data to be protected, eg your fingerprint as a means of authentication. Privacy is by design, stored in the authenticator and nowhere else – and that's as true for the biometric data as for other keys of the device, it's not shared.”

FIDO standards also address the European Banking Authority's Regulatory Technical Standards (RTS) by proposing fully defined specifications, compliant with the requirements of the RTS.

“Without standardisation, implementation of strong customer authentication in Europe will result in fragmented solutions, leading to higher costs and poor customer experience,” said Martin.

Finally, Martin notes that one of the benefits of the alliance is that it is backed by large associations and vendors on both the vendor and service side, such as Microsoft, Google and Facebook, as well as members in China, bringing credibility to the standards it supports. The FIDO Alliance has more than 250 cross-industry, global leader member organisations.