John Fontana

FIDO Aims at Standardized Strong Authentication

In the early 1990s, a company called Softswitch found itself at a strategic crossroads in that it held the key to integrating disparate electronic messaging systems.

So strategic, in fact, that Lotus Software paid $62 million to acquire the company and send a ripple of fear through its main email competitor Microsoft.

In a story on the acquisition, the New York Times described Softswitch as the maker of “switches that allow corporate users of electronic mail to send and receive mail from other systems. So someone in an office in San Francisco could send a note to someone with a different sort of computer, word-processing software and E-mail message system in New York.”

By today’s messaging norms, the need for such switches is laughable.

Companies providing integration of email systems have disappeared, made obsolete by standards such as SMTP, POP3 and IMAP that scaled email to its current state as a global backbone of electronic communication.

Standards are how the Internet scales to service a global community; numbering systems (IP), naming systems (DNS), protocols, and coding to highlight a few. Bodies such as the IETF and NIST are some of the most well-known standards organizations.

These global-scale benefits provided by standardization are what the FIDO Alliance hopes to achieve with the release last week of its 1.0 strong authentication specifications. While not yet standards, the hope is to create an Internet layer of authentication that reduces the reliance on passwords and aligns with the traditional stack of identity and access management tools, themselves going through a standardization transformation.

Standards will allow the largest collection of vendors, enterprises and consumers to adopt and integrate strong authenticators into their computer systems, which are under attack at an unprecedented scale.

For 2015, Gartner says “all roads to the digital future will lead through security.” But it won’t be a magic bullet or a monolithic defense that defines the norm. Security will be defined in the marriage of technologies. “Security-aware application design, dynamic and static application security testing, and runtime application self-protection combined with active context-aware and adaptive access controls are all needed in today’s dangerous digital world,” according to Gartner.

And when security is assembled, it shouldn’t need specialized middleware to hold it all together like email of the 1990s. That task will be accomplished with standard APIs and standard protocols that add scale and subtract as much complexity as possible.

One of FIDO’s stated goals since its inception two years ago has been to turn over to a standards body its work on both the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) specifications. Standardization of FIDO specifications, either de facto or by traditional means, is where FIDO will mark its work as finished.

Proof of initial success isn’t just in the 1.0 specifications, but in products and services available today from a number of FIDO members including Yubico with U2F support in FIDO U2F Security Key and NEO YubiKey. These keys are further simplified by not requiring drivers or client software, and providing a user identity independent of a third-party service.

Last week was an important milestone for FIDO, the next steps should be important for consumers and enterprises, and the final steps should deliver the connecting tissue needed to support strong authentication as a key tenet of future Internet security.

Today, we are one step closer to that reality.

Comments are closed.