The British government recently became the first nation-state customer for a new two-factor identity authentication standard, and now the group behind the standard is pushing it in the U.S., too.
The FIDO Alliance, short for Fast Identity Online, has been working on the new standards since 2012. The idea is to get past the password — a method for securing identity online that is universally ridiculed as a “shared secret” by security experts.
“Shared secret is when the individual knows the information and tells it to the device they are entering, what many know as the username and password setup,” said Brett McDowell, executive director of the FIDO Alliance, keynoting a webinar Wednesday.
Passwords can easily be stolen or cracked, especially if they use dictionary words. And reusing passwords across multiple accounts — some more secure than others — as most everyone does, makes them doubly vulnerable.
The FIDO Alliance has developed technical specifications for an open source, scalable and interoperable set of programs or other tools that can replace the reliance on passwords to authenticate users. The group currently has two sets of standards it’s promoting: U2F — a token that can be used alongside a password; and UAF — a biometric standard that can be used to replace the password altogether.
Wednesday’s webinar focused on how these standards help users through employing biometrics, public key cryptography and other authentication technology.
The FIDO Alliance has been working with governments in multiple countries, including the United States, Germany and the United Kingdom. Last month, the UK became the first national government to adopt FIDO standards — and the U2F-aligned YubiKey token — for online ID authentication for citizen services through its Gov.uk Verify service.
Governments in the U.S. have been slow to adopt FIDO standards, although that may be changing soon, speakers in the webinar said.
Emergency responders were mentioned as candidates to get improved FIDO-standard devices with varied biometric safeguards. However, the different needs of firefighters, for example, as opposed to police or EMS teams, have been a barrier.
Additionally, it was mentioned that more FIDO-related safeguards, similar to the personal identity verification, or PIV, keycards held by many government personnel, are being developed. However, there are challenges to implementing this software among deployed and contracted staff.
“One problem is contractors and employees not eligible for PIV cards, or it is not accepted, in the current mission space,” said Paul Grassi, senior standards and technology adviser for NIST.
One obstacle is cost: other sources have cited two-step authentication as too expensive. Over the course of the webinar, FIDO Alliance officials explained that it was actually more expensive to integrate an old authentication system than to adopt the FIDO 2.0 system.
The FIDO Alliance has also worked with the World Wide Web Consortium as well as many online retailers to help ensure secure transfer of information and payment. This has played a role in getting devices to come FIDO-certified, which would allow mobile government personnel to retain all usability without sacrificing security. This setup is ideal for just about every agency within the government, and it looks as if the switch to a FIDO-heavy system may begin soon in the government.