Everyone agrees it’s time to kill the password to better the overall identity ecosystem, but the question of “with what” makes things a bit trickier. FIDO Authentication standards are touted by the public and private sectors as the best tools to get us there. 

This presentation will help you to understand the importance of the authentication piece of the identity puzzle, find out about the latest trends and standards for simpler and stronger authentication, and learn what we all need to do to reduce the world’s reliance on passwords on a global scale.

Speaker: Andrew Shikiar, Executive Director and CMO, FIDO Alliance

The post Video: Stronger Authentication; Stronger Identities: The State of the Industry’s Path to Passwordless appeared first on FIDO Alliance.

Enterprises and governments around the globe are turning to modern online authentication solutions featuring FIDO specifications based on public key cryptography. Governments and industries have embraced FIDO as the preferred way to deliver high-assurance MFA to consumers. Notably, the Cybersecurity & Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security (DHS), refers to FIDO security keys as the gold standard of MFA¹. 

Several governments globally have deployed and/or supported FIDO authentication for citizens to securely conduct government transactions, including making tax payments and applying for and accessing government benefits. Governments leveraging FIDO authentication solutions have realized reduced operational costs and increased consumer satisfaction.

This white paper provides guidance for policymakers and department/agency heads seeking to learn about FIDO authentication to support or deploy FIDO for e-government services.

The post White Paper: FIDO for e-Government Services appeared first on FIDO Alliance.

The post FIDO Masterclass appeared first on FIDO Alliance.

The post The State of Strong Authentication appeared first on FIDO Alliance.

The post Authenticate 2021: Welcome Address appeared first on FIDO Alliance.

The post Video: PSD2 Requirements and Regulatory Technical Standards appeared first on FIDO Alliance.

The financial services focused event included speakers from eBay, Financial Data Exchange, Gemini, Google, Javelin Strategy and Research, Mastercard, JP Morgan Chase, StrongKey, Trusona and Visa, with topics spanning from the future of authentication to best practices on how to optimize the authentication experience for users.

The post Video: Authenticate Financial Services Summit appeared first on FIDO Alliance.

This Authenticate Summit will bring together leading financial services executives, regulatory experts, merchants, solutions providers and industry analysts to discuss the state of authentication in Europe in light of regulations like PSD2 SCA, eIDAS and GDPR, open banking and the COVID-19 pandemic.

The post Video: Authenticate Virtual Summit: Focus on Europe appeared first on FIDO Alliance.

“The FIDO Device Onboard standard released today builds on the Alliance’s ongoing efforts to help close the security gaps that currently exist on the web, by expanding this work into IoT applications,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Businesses recognize the huge potential of the IoT and the enormous benefits it can bring to manufacturing, retail, healthcare, transportation, logistics and more. The paradigm needs to shift immediately so we can move IoT technologies ahead with safer, stronger and more secure means of authentication for these important uses in industrial and commercial environments.”

Find the presentation here. 

The post Webinar: Introducing FIDO’s IoT Specification: FIDO Device Onboard appeared first on FIDO Alliance.

“The FIDO Device Onboard standard released today builds on the Alliance’s ongoing efforts to help close the security gaps that currently exist on the web, by expanding this work into IoT applications,” said Andrew Shikiar, executive director and CMO of the FIDO Alliance. “Businesses recognize the huge potential of the IoT and the enormous benefits it can bring to manufacturing, retail, healthcare, transportation, logistics and more. The paradigm needs to shift immediately so we can move IoT technologies ahead with safer, stronger and more secure means of authentication for these important uses in industrial and commercial environments.”

Find the video here. 

The post Webinar: Introducing FIDO’s IoT Specification: FIDO Device Onboard appeared first on FIDO Alliance.

Today, this onboarding process is usually done manually by a technician – a process that is slow, expensive, and insecure. Industry sources have said that it is not uncommon for the cost of installation and setup to exceed the cost of the device itself. Although multiple companies have worked to automate the onboarding process, there wasn’t a widely accepted industry standard. Also, many proprietary solutions that do exist require that the end customer be known at the time of the device manufacture so that the device can be pre-configured. This creates friction and cost in the supply chain. 

The FIDO Alliance stepped up in the summer of 2019 to address this industry challenge. With its broad membership of leading cloud service providers, semiconductor companies and security companies, the Alliance is well positioned to bring together those that create and supply the technologies in the IoT ecosystem. The FIDO Alliance formed its IoT Technical Working Group (IoT TWG) with these stakeholders to define a new standard for automated, secure IoT onboarding. Less than 2 years after the working group formed, the FIDO Alliance is now releasing to the industry the FIDO Device Onboarding (FDO) specification.

Read the paper for a full introduction to FDO.

The post FIDO Device Onboard: A Specification for Automated, Secure IoT Provisioning Technology appeared first on FIDO Alliance.

The post Webinar: Catch Up with FIDO Plus Open AMA Session appeared first on FIDO Alliance.

The post Webinar: Catch Up with FIDO Plus Open AMA Session appeared first on FIDO Alliance.

The post FIDO Alliance: The FIDO Story appeared first on FIDO Alliance.

The post FIDO Alliance: The Liability and Risk for Businesses Story appeared first on FIDO Alliance.

The post FIDO Alliance: The New FIDO UX Story appeared first on FIDO Alliance.

The post FIDO Alliance: The FIDO Tech Story appeared first on FIDO Alliance.

The post Webinar: FIDO Alliance Account Recovery Needs appeared first on FIDO Alliance.

The post Webinar – Introduction to FIDO’s Identity Verification & Binding Initiative appeared first on FIDO Alliance.

The post Introduction to FIDO’s Identity Verification & Binding Initiative appeared first on FIDO Alliance.

The post Webinar: Introduction to FIDO Authentication (Portuguese language) appeared first on FIDO Alliance.

The post Introduction to FIDO Authentication (Portuguese) appeared first on FIDO Alliance.

The post The State of FIDO appeared first on FIDO Alliance.

MOUNTAIN VIEW, Calif., September 26, 2018 — FIDO2 browser support and first certified products are now available to reduce password use on the web, the FIDO Alliance announced today. Now, any website can leverage FIDO2 strong authentication protocols from the W3C and FIDO Alliance to replace passwords with cryptographically secure logins using convenient alternatives like on-device biometrics and FIDO Security Keys.

Google Chrome, Microsoft Edge and Mozilla Firefox browsers now support FIDO2, a big advancement since the standards were introduced last April. Between this support and newly certified products supporting a wide variety of use cases, service providers have all of the tools needed to roll out FIDO Authentication for their websites and applications. FIDO Authentication has been proven to protect against the phishing and security risks associated with passwords, provide better user experiences over remembering and typing passwords, and lower authentication support costs.

“With FIDO2, the tech industry has, for the first time, established a technology standard for strong, phishing-resistant authentication on the web that promises better security and a better user experience. These announcements today of certified products and leading web browser support deliver on that promise by bringing these new capabilities to market,” said Brett McDowell, executive director of the FIDO Alliance. “Any web application — consumer or enterprise, mobile or desktop — can now be enabled to take advantage of these innovations at internet scale with the full confidence that comes from an independent certification program designed and governed by their peers.”

Organizations that have achieved FIDO2 certification for security key and biometric authenticators, clients and servers include: CROSSCERT: KECA (Korea Electronic Certification Authority); Dream Security Co., Ltd. Korea; ETRI; eWBM Co., Ltd.; IBM; Infineon Technologies; INITECH Co., Ltd.; Nok Nok Labs (Universal Server); OneSpan; Raonsecure; Samsung SDS; Singular Key; Whykeykey Inc.; Yahoo Japan Corporation; Yubico. Products are certified for FIDO2 by the FIDO Alliance to ensure compliance with the specifications, as well as interoperability among FIDO products. Today’s announcement also includes the first certified FIDO Universal Server, which a service provider can use to ensure compatibility with authenticators based on all FIDO specifications (FIDO UAF, FIDO U2F and FIDO2).

FIDO2 Details

FIDO2 is comprised of the W3C’s Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from FIDO Alliance. Collectively, these standards enable users to leverage common devices to more easily authenticate to online services through mobile and desktop browsers. FIDO2 supports a variety of authentication use cases and experiences, including passwordless, second-factor and multifactor for the highest levels of assurance. Password-only logins can now be replaced with easy user gestures using embedded biometrics (facial recognition, iris scan, fingerprint swipe) and/or portable security keys.

These simple user experiences are backed by strong cryptographic security that is transparent to the user and protects against phishing, man-in-the-middle and attacks using stolen credentials. FIDO2 web browsers and online services are also fully backward compatible with all previously certified FIDO U2F Security Keys.

Visit the FIDO Alliance website to get more information on FIDO2, including resources for developers and product vendors interested in taking part in the FIDO Certified program.

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Supporting quotes from certified companies:

CROSSCERT: KECA (Korea Electronic Certification Authority), David Ahn, Director

“Our FIDO Certification service is credited for its strong security and convenience in the market, and the cumulative number of domestic users exceeded 280 million as of September. We will lead the biometric authentication market with the FIDO2 Simplified Cloud Authentication, the next-generation authentication technology.”

eWBM Co., Ltd., Stephen Oh, Ph.D., CEO

“The eWBM Golden Gate (model eFA500), the FIDO2-certified fingerprint authenticator, opens the door to the world of biometric authentication web access. It is a compact and portable security device that provides a superior user experience, thanks to its no-ID and no-password authentication functions.”

IBM Security, Shane Weeden, Senior Technical Staff Member

“IBM’s strong and alternative-to-password authentication strategy will benefit significantly from the WebAuthn and FIDO2 standards. These specifications bring convenient, frictionless strong authentication services to the mainstream web with consumer privacy as a primary consideration.”

Infineon Technologies, Joerg Borchert, VP of Chip Card and Security

“We are very happy to provide the industry’s first FIDO2 certified Reference Design based on the SLE78 single-chip solution. Infineon’s reference design serves as development kit for fast and low risk FIDO2 USB and USB/NFC token designs prepared to reach highest security levels. Certification according to the specifications of the FIDO2 standard increases interoperability of the token and reduces production and support costs on the manufacturer side.”

Nok Nok Labs, Phillip Dunkelberger, CEO and President

“Every day there is news of a new phishing or other scalable attack, caused by the use of weak and stolen passwords. Our breadth of experience as the most broadly deployed FIDO-based platform puts us in a unique position to deliver phishing-resistant, privacy-conscious authentication in a passwordless user experience. We look forward to bringing these solutions and benefits to our customers and partners as we deliver on our vision of fixing the security and ease of use flaws on the internet.”

OneSpan, Scott Clements, CEO

“OneSpan has joined tech leaders such as Google and Microsoft in embracing the FIDO2 standard, most recently with the certification of our Digipass 785 authenticator. Rapid adoption of the FIDO2 standard spells good news for the unification of the authentication industry and for the security of consumers online.”

Raonsecure, Lee Soon-hyung, CEO

“Considering South Korea’s PC-oriented business environment, it is expected that there are demands for FIDO2 for business systems such as groupware, ERP, CRM and others.”

Samsung SDS, Sean Im, Senior Vice President of solution business division

“By acquiring FIDO2 certification, Samsung SDS now offers secure and convenient Nexsign solution to PC users as well as mobile users. In business perspective, a stepping stone has been prepared to target the domestic and overseas B2B authentication markets.”

Singular Key, Hitesh Kalra, Founder

“Today’s announcement is a significant milestone towards a safer internet by eliminating the use of passwords and shared secrets. FIDO provides agility for evolving user authentication flows and digital journeys. Singular Key is committed to make it easy to deploy high assurance authentication at scale with its cloud-based FIDO Authentication Service.”

Yahoo Japan Corporation, Shinya Sugawara, Vice President, ID Solution Division

“Yahoo! JAPAN launches a FIDO2-certified authentication service that has been officially accredited by FIDO Alliance at the first FIDO2 conformance test. This innovative service ensures simpler and more secure authentication, lessening the reliance on traditional passwords for users. Yahoo! JAPAN contributes to enhancing users’ passwordless experiences aligned with FIDO’s effort towards simpler, stronger authentication on the Web.”

Yubico, Stina Ehrensvard, CEO and Founder

“Our mission has always been to drive open standards and ecosystem adoption by creating technical specifications, open source components, and the gold standard for authenticators. With the YubiKey 5 Series FIDO2 Certification and growing momentum towards a passwordless world, we’re proud to see our vision of one single security key to any number of services becoming a reality.”

The post Tech Industry Leaders Ship FIDO2 Certified Solutions to Reduce Password Use on the Web appeared first on FIDO Alliance.

When PSD2 is deployed in Europe, users will be able to take advantage of services offered by Third Party Providers (TPPs) to trigger payments or to view account information. These users will typically start interacting on the TPP’s user interface. However, at the point when a TPP will request from an Account Servicing Payment Service Provider (ASPSP) access to a user’s account(s), the PSD2 Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) require that the user be strongly authenticated by the ASPSP and demonstrate that he/she has provided consent for the operation that the TPP is requesting to execute.

The Strong Customer Authentication requirement introduces challenges in the customer experience as there are no longer just two parties involved, the user and its bank, but three: The end user journey starts and ends on the TPP’s user interface.

TPPs will interface with the ASPSPs via open APIs. A number of standardization bodies have released drafts of such Open APIs, for example, the Open Banking Implementation Entity (OBIE) in the UK, STET in France and the Berlin Group for various European countries.

These specifications describe how Strong Customer Authentication should be implemented and several models have been defined, if not (yet) fully specified: the redirection, decoupled and embedded models. At the time of this paper’s release, a potential delegated model is also being discussed. These models vary in the way the user interacts with the TPP and the ASPSP and have a deep impact on both the user experience and the security of the user’s financial accounts.

This paper examines the advantages and drawbacks of the different SCA compliant authentication models and outlines how FIDO compliant solutions deliver the best user experience in any of these models, in a way that meets the needs of TPPs and ASPSPs.

The post White Paper: FIDO & PSD2 – Providing for a Satisfactory Customer Journey appeared first on FIDO Alliance.

The post Krebs on Security: Google: Security Keys Neutralized Employee Phishing appeared first on FIDO Alliance.

The post White Paper: FIDO Authentication and the General Data Protection Regulation appeared first on FIDO Alliance.

MOUNTAIN VIEW, Calif., and https://www.w3.org/ — April 10, 2018 – The FIDO Alliance and the World Wide Web Consortium (W3C) have achieved a major standards milestone in the global effort to bring simpler yet stronger web authentication to users around the world. The W3C has advanced Web Authentication (WebAuthn), a collaborative effort based on Web API specifications submitted by FIDO to the W3C, to the Candidate Recommendation (CR) stage. The CR is the product of the Web Authentication Working Group, which is comprised of representatives from over 30 member organizations. CR is a precursor to final approval of a web standard, and the W3C has invited online services and web app developers to implement WebAuthn.

WebAuthn defines a standard web API that can be incorporated into browsers and related web platform infrastructure which gives users new methods to securely authenticate on the web, in the browser and across sites and devices. WebAuthn has been developed in coordination with FIDO Alliance and is a core component of the FIDO2 Project along with FIDO’s Client to Authenticator Protocol (CTAP) specification. CTAP enables an external authenticator, such as a security key or a mobile phone, to communicate strong authentication credentials locally over USB, Bluetooth or NFC to the user’s internet access device (PC or mobile phone). The FIDO2 specifications collectively enable users to authenticate easily to online services with desktop or mobile devices with phishing-resistant security.

“With the new FIDO2 specifications and leading web browser support announced today, we are taking a big step forward towards making FIDO Authentication ubiquitous across all platforms and devices,” said Brett McDowell, executive director of the FIDO Alliance. “After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications.”

Google, Microsoft, and Mozilla have committed to supporting the WebAuthn standard in their flagship browsers and have started implementation for Windows, Mac, Linux, Chrome OS and Android platforms. Both the WebAuthn and CTAP specifications are available today, enabling developers and vendors to get a jumpstart on building support for the next generation of FIDO Authentication into their products and services.

“Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” stated W3C CEO Jeff Jaffe. “WebAuthn will change the way that people access the web.”

The completion of the FIDO2 standardization efforts, promotion of WebAuthn along the W3C standards track, and the commitment of leading browser vendors to implementation opens a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.

Enterprises and online service providers looking to protect themselves and their customers from the risks associated with passwords — including phishing, man-in-the-middle attacks and the abuse of  stolen credentials — can soon deploy standards-based strong authentication that works through the browser or via an external authenticator. Deploying FIDO Authentication enables online services to provide choice to users from an interoperable ecosystem of devices people use every day like mobile phones and security keys.

The standardization of the new FIDO2 specifications in browsers and operating systems will further expand the reach of FIDO Authentication, which is referenced by regulators and standards-setting bodies worldwide and is already available on hundreds of millions of devices and offered to more than 3.5 billion user accounts worldwide through services from companies such as Google, Facebook, NTT DOCOMO, Bank of America and many more. The new specifications complement existing passwordless FIDO UAF and second-factor FIDO U2F use cases, and expand the availability of FIDO Authentication. FIDO2 web browsers and online services are fully backwards compatible with all previously certified FIDO Security Keys.

FIDO will soon launch interoperability testing and will issue certifications for servers, clients and authenticators adhering to FIDO2 specifications. The conformance test tools are available on FIDO’s website. Additionally, FIDO will introduce a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, CTAP).

WebAuthn and FIDO2 Project Benefits
W3C’s WebAuthn API, a standard web API that can be incorporated into browsers and related web platform infrastructure, enables strong, unique, public key-based credentials for each site, eliminating the risk that a password stolen from one site can be used on another. A web application running in a browser loaded on a device with a FIDO Authenticator can easily call to a public API to enable simpler, stronger FIDO Authentication of users with cryptographic operations in place of, or in addition to password exchange, delivering many advantages to service providers and users alike:

• Simpler authentication: users simply log in with a single gesture using:
  • Internal or built-in authenticators (such as fingerprint or facial biometrics) in PCs, laptops and/or mobile devices
  • Convenient external authenticators, such as security keys and mobile devices, for device-to-device authentication using CTAP, a protocol for external authenticators developed by the FIDO Alliance that complements WebAuthn
• Stronger authentication: FIDO Authentication is much stronger than relying only on passwords and related forms of authentication, and has these advantages:
  • User credentials and biometric templates never leave the user’s device and are never stored on servers
  • Accounts are protected from phishing, man-in-the-middle and replay attacks that use stolen passwords
• Developers can get started on creating apps and services that leverage FIDO Authentication on FIDO’s new developer resources page.

Quotes from Supporting Browser Vendors

Sam Srinivas, Product Management Director, Google Cloud Security
“Google Chrome is dedicated to building a better web, and allowing developers to interact with secure keystores in a structured way helps us continue this mission. As a founding member of the U2F and FIDO2 working groups within FIDO, we’re excited for the launch of these standards and look forward to our continued collaboration.”

Dave Bossio, Group Program Manager, Operating System Security, Microsoft
“Providing a password alternative that works across devices, apps, browsers, and websites delivers on our commitment to a future without passwords. We are excited to announce that we will add support for WebAuthn API, currently in the approval process stage, and W3C, in Microsoft Edge thanks to our work with the FIDO Alliance.”

Selena Deckelmann, Senior Director of Engineering, Firefox Runtime, Mozilla
“With Web Authentication, we’re giving people using Firefox the opportunity to add another layer of security to their browsing experience. Giving people greater control over how they manage their security online and making the internet safer is central to Mozilla’s mission to keep the web open and accessible to all.”

More quotes from FIDO members supporting today’s announcement can be found on the FIDO2 Project webpage.

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

About the W3C
The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C develops well known specifications such as HTML5, CSS, and the Open Web Platform as well as work on security and privacy, all created in the open and provided for free and under the unique W3C Patent Policy.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 Member organizations and dozens of industry sectors. W3C is jointly hosted by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China.

FIDO Alliance PR Contacts
Mike Smith or Adrian Loth
Montner Tech PR
203-226-9290
fidopr@montner.com

W3C PR Contact
Amy van der Hiel
W3C Media Relations Coordinator
w3t-pr@w3.org
+1.617.253.5628 (US, Eastern Time)

The post FIDO Alliance and W3C Achieve Major Standards Milestone in Global Effort Towards Simpler, Stronger Authentication on the Web appeared first on FIDO Alliance.

The FIDO Alliance congratulates our members and partners in the W3C Web Authentication Working Group for today’s much anticipated announcement that Web Authentication (WebAuthn) has reached the Candidate Recommendation (CR) milestone, meaning W3C now believes it has been widely reviewed, satisfies the Working Group’s technical requirements and is ready for commercial implementation. WebAuthn is part of the FIDO2 Project to ensure widespread interoperability within the authentication ecosystem among devices, clients, and servers.  This new specification from W3C defines how web browsers enable websites to offer simpler, stronger FIDO authentication to users with devices implementing FIDO2 Client to Authenticator Protocol (CTAP).

You can read more details on this exciting development on the W3C blog.

The post W3C Hits Milestone with Web Authentication specification appeared first on FIDO Alliance.

MOUNTAIN VIEW, CA, MARCH 20, 2018 — The FIDO Alliance, the 250+ member association developing specifications and certification programs for simpler, stronger authentication, announced today the expansion of its certification program to include multi-level security evaluations for authenticators such as physical security keys and biometrics in mobile devices and PCs. The Alliance also announced the first products certified under the new Authenticator Certification Levels program.

The new authenticator certifications will further increase consumer, enterprise and service providers’ confidence that user credentials housed in standards-based FIDO Authentication devices are protected from targeted attacks against a user’s FIDO device. The new program incorporates traditional FIDO functional certification, which measures compliance and ensures interoperability among products and services that support FIDO specifications.

“Our new multi-level evaluation program addresses an increasingly critical market requirement for a more transparent view into the security of FIDO Certified authenticators,” said Brett McDowell, executive director of the FIDO Alliance. “This new certification program, used in combination with the FIDO Metadata service, enables enterprises and online services to make better informed risk management decisions when registering credentials from FIDO-enabled devices, resulting in more accurate and reliable “scores” on the back-end while delivering better user experiences on the front end due to lower instances of intrusive “step up authentication” challenges.”

Available levels and security requirements

The FIDO Alliance is now offering testing and certification for two security levels for all published specifications: FIDO Certified Level 1 (L1) Authenticator and FIDO Certified Level 2 (L2) Authenticator. Additional levels covering a full range of security requirements will be introduced at a later date.

All FIDO Certified L1 Authenticators must pass interoperability testing for compliance with the FIDO specifications. They also must pass a design review against FIDO Certification Requirements to ensure the authenticator uses the best security practice for the operating system it is running on.

The FIDO L2 Security Certification Requirements mandate that authenticators implement a restricted operating environment such as a Trusted Execution Environment (TEE) or Secure Element (SE) to protect biometric data and authentication credentials against operating system compromises that arise from app downloads, malicious website content or similar threats. FIDO Certified L2 Authenticators also must pass a comprehensive design review by a FIDO-accredited third-party security certification laboratory. As with L1 Certification, the authenticator must pass interoperability testing.

Benefits to consumers, web service providers and technology providers

FIDO specifications for strong authentication incorporate public key cryptography and simple user experiences to help the world reduce its reliance on passwords. The use of public key cryptography, where the private key is stored on and never leaves the device, ensures that FIDO credentials are not susceptible to scalable attacks such as phishing — the most common form of attack against password credentials. This makes all FIDO Certified implementations inherently more secure than password-based systems.

FIDO Authenticator Certification levels take strong security even further by ensuring that authenticators keep cryptographic key “secrets” (and in some cases, biometric information) safe and confirm privacy principles are met.

Web service providers that accept FIDO credentials for strong authentication benefit from an expanded program that allows them to easily assess, set requirements for, and increase their level of assurance in the FIDO authenticators used by consumers. Technology providers with FIDO authenticators on the market report with confidence that their implementations meet service providers’ requirements and elevate their products in the marketplace. Today, service providers including Aetna, Facebook, Google, eBay and Bank of America are enjoying the benefits of FIDO Authentication.

Newly-certified companies, accredited labs and additional resources

Organizations announced today that have achieved L1 and L2 certifications include:

FIDO Certified L1 Authenticator: AuthenTrend Technology Inc.; CANVASBIO; i-Sprint Innovations Pte Ltd; PixelPin LTD; SHARP CORPORATION; Shenzhen National Engineering Laboratory of Digital Television Co., Ltd.
FIDO Certified L2 Authenticator: Feitian Technologies Co., Ltd.

Labs accredited to perform L2 certifications are: Applus+ Laboratories; Beijing Unionpay Card Technology Co.,Ltd; Brightsight B.V.; DPLS Lab; Telecommunications Technology Association (TTA); and UL Verification Services Inc. The FIDO Alliance is currently accepting applications for additional labs seeking accreditation. To view the process, visit https://fidoalliance.org/certification/accredited-security-laboratories/.

To learn more about the FIDO Authenticator Certification levels, costs, and to submit a product for certification, visit https://fidoalliance.org/certification/authenticator-certification-levels/.

For more information about the FIDO Alliance, FIDO specifications and FIDO Certified products, visit https://fidoalliance.org.

About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO authentication is stronger, private, and easier to use when authenticating to online services.

Contact:

press@fidoalliance.org

The post FIDO Alliance Extends Certification Program to Further Strengthen Trust in Standards-based Authentication Devices appeared first on FIDO Alliance.

The FIDO ecosystem – the world’s largest for interoperable, standards-based authentication – keeps growing with new deployments (Facebook! eBay!) and new FIDO® Certified products hitting the market. We’re happy to announce more growth on the certification front, with FIDO Certified products now up to 335.

FIDO Certified products and solutions are diverse and flexible, providing some truly innovative user experiences – and this latest round of products is no different. Organizations with new FIDO Certified products announced today include: AhnLab; Dayside; FacePhi Biometria, SA; HYPR CORP; Mobile-ID Technologies and Services Joint Stock Company; Shenzhen Excelsecu Data Technology Co., Ltd.; and SMART TECHNOLOGIES INVESTMENT AND DEVELOPMENT Co.,Ltd (STID).

In our last certification update, we talked about the global consensus around the value of FIDO certification. Now, we want to give a few suggestions on how both deploying organizations and technology providers can make the most of FIDO certification.

For deploying organizations, perhaps the biggest benefits of deploying FIDO Certified products and solutions are out-of-the-box interoperability and access to the broad FIDO ecosystem of authenticators and other devices. You also should strongly consider including FIDO certification as a requirement in your RFP. This is the most straightforward way to ask for stronger, simpler authentication, and be assured that products conform to the FIDO specifications and truly interoperate with each other.

For technology providers, here are a few tips to make the most out of FIDO certification:

• Use the FIDO Certified logo in your marketing materials. FIDO certification is a key differentiator from other authentication solutions. Overwhelmingly, we hear from deploying organizations that they are looking for that logo when reviewing spec sheets, brochures and websites, and visiting trade shows.
• Join the  FIDO Alliance. While certification is open to any organization whether they are a member or non-member, membership does have its privileges. These include certification discounts and early access to new specifications. Perhaps most important, it gives organizations the ability to connect with deploying organizations – some of the biggest in the world – at FIDO Alliance plenary meetings, networking events, and other activities.  
• Join the FIDO Certified Showcase. Just launched earlier this year, the showcase provides deploying organizations with a one-stop shop to learn more about the companies and products that can bring FIDO Authentication to their users. It also provides technology vendors with a powerful marketing platform. Visit https://fidoalliance.org/showcase-submission/ to learn more about how you can be featured in the FIDO Certified Showcase.

Getting started with FIDO certification is as easy as signing up to receive the test tools. And watch this space – announcements about new certification programs are coming very shortly.

The post FIDO Certified Products Reach 335: How to Make the Most out of Certification appeared first on FIDO Alliance.

The post ComputerWeekly: Facebook ups security with FIDO two-factor authentication appeared first on FIDO Alliance.

The post USA Today: Yahoo breach shows fast-food mentality of digital data is a problem appeared first on FIDO Alliance.

At the conference, the FIDO Alliance joined with nine of its member companies (Egis Technology, Ledger, mSIGNIA, Samsung SDS America, Sensory, Inc, StrongAuth, Inc., SurePass ID, Synaptics and OneSpan) to raise awareness of these issues and to showcase the evolution towards stronger, simpler authentication backed by FIDO protocols.

Let’s have a look at the key takeaways from the show:

Passwords still rule payments, but change is on the way.
It was resoundingly clear from the conversations we and our members had on the show floor that passwords are still king for authentication related to payments online.  However, more and more merchants are coming to terms with the risks associated with letting customers get by with weak credentials — that can’t protect the  customer’s data and increase the exposure to risks and liabilities.  Likewise, companies are becoming more attuned to the tie between weak enterprise credentials and the risk of data breach. (According to the recently released Verizon Data Breach Investigation Report, a staggering 63% of breaches were caused by weak credentials).

Stronger authentication is desired, but education is required.
Of the hundreds of attendees who stopped by the FIDO Pavilion, it was interesting to find that many understood the need to  move towards stronger authentication, but they didn’t know how to start down that path.  A common misconception was that authentication solutions can’t have  have both greater security and usability.  It was fascinating to see the ‘a-ha’ moment that people had when experiencing the ease-of-use of facial, voice and biometric authentication — and also the understanding that there’s a vibrant, interoperable ecosystem of FIDO® Certified servers and authenticators.

Mobile payments are an ideal application for FIDO solutions.
Mobile payments are no longer the wave of the future — they are here and they are rapidly growing in number, both for remote (online) mobile payments as well as for in-store proximity payments.  The rapid growth in devices with biometric capabilities is leading to a corresponding spike in biometric authentication for transactions. Some of the most forward-thinking attendees who stopped by the FIDO Pavilion were those developing and running mobile payment solutions, such as ongoing work by FIDO Founding member PayPal as was detailed further at the conference. Many companies are already leveraging FIDO for passwordless authentication using built-in fingerprint sensors and other biometric capabilities.   

TRANSACT education track attendees saw that FIDO is real, and is global.
In the pre-conference education track session hosted by FIDO Executive Director Brett McDowell’s, attendees learned not only about the ins and outs of FIDO’s approach to strong authentication, but also got a bird’s-eye view of real-world FIDO mobile payment solutions from BC Card and Ledger.  (BC Card will also be presenting their case study at the upcoming FIDO Seminar in Berlin on May 9, 2016). You can view all slides from the education track session here.

ETA is a great supporter of FIDO.
ETA is an official Liaison Partner of FIDO and a dedicated supporter of our mission. We are grateful for their ongoing commitment, hospitality and enthusiasm. Check out an archive of their Facebook Live broadcast tour of the solutions that were on display in the FIDO Security Tech Zone.

The post FIDO Alliance Bringing Stronger Authentication to Payments appeared first on FIDO Alliance.

The proliferation of mobile devices leaves U.S. government agencies with a tough balancing act between security, usability and effectively performing their missions. How can they accommodate an increasingly mobile workforce that wants to use all of their devices to access online services, while adhering to a plethora of security policies and directives?

To answer the call, the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) have provided agencies with exceptional options, such as derived PIV credentials (guidelines for which are outlined in NIST SP 800-157). Derived PIV credentials allow the issuance of PKI credentials, based on having a PIV smart card (and being identity-proofed prior to obtaining a PIV) on users’ mobile devices, giving them secure and flexible options to access critical apps and information.

However, deployment of these secure mobile authentication options has not matched demand. We still aren’t seeing wide deployment of mobile credentials that meet NIST guidelines and the risk profiles of agencies. In addition, the U.S. government has not consistently adopted the biometric capabilities built into most mobile device platforms as the private sector has.

There’s good news for government – FIDO authentication standards, and the devices with FIDO capability built-in, provide additional options to help agencies go mobile while staying secure and adhering to important standards and guidelines.

Going Mobile with FIDO: Usable, Secure and Private
The FIDO Alliance is improving online authentication by developing open, interoperable industry specifications that leverage device-based user verification for better usability and proven public key cryptography for stronger security. With FIDO, agencies don’t have to sacrifice usability and efficiency to obtain strong authentication for mobile access to online services.

For better usability, FIDO standards support a range of interoperable authentication factors and modalities, including biometrics built into many mobile devices today for strong authentication. For example, with FIDO, the user need only touch something (fingerprint sensor) or look at something (iris or facial recognition) on their mobile device to securely access apps and data. While these examples use biometrics, there are other non-biometric modalities supported that are still interoperable – such as a security token using Near Field Communication (NFC) – should a portion of the workforce not choose a biometric option.

There is already a rich set of products ready for FIDO deployment – more than 150 products have been tested and FIDO Certified from over 60 different companies, including leading mobile device manufacturers such as Samsung, Lenovo, Sony and LG. This is thanks to the FIDO certification program, which ensures different FIDO implementations interoperate with each other on a technical level and that the technical specifications are adhered to.

To match the usability with the required strong authentication needed in government, FIDO standards utilize industry standard, tested and vetted cryptographic algorithms and security mechanisms in significant use by the public and private sectors. With FIDO, you can achieve the security benefits of public key cryptography without the traditional and costly certificate authority (CA) model. In other words, it’s public key without the “infrastructure.” Additionally, if a biometric authenticator is your choice, rest assured, FIDO mandates that the biometric NEVER leaves the device, increasing privacy and security by effectively limiting the chance of a massive breach of credentials.

How FIDO Registration Works

Registration:
As detailed in the image above, registration is completed as follows:

• User is prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
• User unlocks the FIDO authenticator using a fingerprint reader, a button on a second–factor device, securely–entered PIN or other method.
• User’s device creates a new public/private key pair unique for the local device, online service and user’s account.
• Public key is sent to the online service and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.

How FIDO Fits In: Government Use Cases
FIDO is an excellent option for any use case in which government agencies need to provide simple, fast and secure multi-factor, mobile-based authentication to digital services. Some opportunities in federal and local governments for access to government applications include:

• Derived PIV credentials
• Public safety and first responder credentials
• Emergency communications personnel credentials
• International partner credentials
• Business partner credentials
• Citizen or beneficiary access to government services
• Credentials for contractors and employees that aren’t eligible for a PIV but need secure access to online services
• Physical access control applications, i.e. using FIDO along with NFC on a mobile device

FIDO can provide the necessary usability, security, privacy and utility for all of these use cases, while helping government agencies meet security policies and directives including:

• OMB M-04-04. FIDO specifications can be implemented on platforms that support all of the levels of assurance defined in OMB M-04-04. FIDO provides one unified specification; government agencies can support FIDO-based authenticators across a range of levels of assurance (LOA) while deploying a single server-side infrastructure that supports any client-side device.
• NIST SP 800-63-2 Electronic Authentication Guidelines. With FIDO, agencies can comply with a host of token types defined in 800-63-2. In addition, FIDO authenticators that use biometrics meet the requirements of the NIST 800-63-2 Electronic Authentication Guidelines because FIDO credentials are used locally only to unlock a strong cryptographic key, and the biometric sample and template never leave the device.
• NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials. FIDO authentication standards meet most of the technical requirements of NIST 800-157, and the workflow specified in 800-157 does not need to be modified to support a FIDO-compliant derived PIV credential. The only difference between a FIDO-compliant solution and the specifications within SP 800-157 is the usage of PKI.

Looking deeper at FIDO for derived PIV credentials, most of the challenges associated with such a deployment will be associated with business process, not technology. Specifically, agencies will need to define workflow that allows a user to associate a FIDO authenticator, specifically the public/private key pair, to their enterprise digital identity – just like they would for a PKI certificate. Due to the way that FIDO creates public/private key pairs in support of privacy, the agency would need to invoke the key generation process as part of an overarching identity and access management framework to ensure the public key is used for all FIDO-compliant applications, e.g. mobile applications.

In this example, the issuing entity would serve as the identity provider and the public key would need to be registered with the digital identity record of the user. From that point on, the user can use the FIDO derived PIV credential. With this type of approach, a FIDO derived PIV credential can operate in parallel and with no disruption to existing PIV- and PKI-based solutions.

FIDO for Citizens, Too
FIDO’s combination of usability, security and privacy also makes it a good option for citizen access to government online services. For citizen-facing services, EO 13681 requires agencies that make personal data available online to utilize two-factor authentication. With FIDO, agencies can meet this requirement by allowing citizens to “bring their own authenticator,” thus allowing them to use their FIDO-compliant mobile device or desktop browser to simply and strongly authenticate themselves to government services such as filing taxes, managing social security benefits, applying for student loans or submitting health insurance claims. This is not only a win for the citizen – they use what they like and already have to securely authenticate to government services. This is a win for the government too, as they don’t need to issue specialized credentials just to offer secure, privacy-enhancing multi-factor authentication for the services they provide.

Conclusion
For agencies looking to optimize security, usability, privacy, and effectively perform their missions, deploying mobile authentication for access to online services can be achieved without reinventing the wheel. FIDO’s open, interoperable industry specifications can help them obtain the best of all worlds – device-based user authentication for better usability and proven public key cryptography for stronger security and privacy.

The post How FIDO Can Help The US Government Go Mobile appeared first on FIDO Alliance.

Hak5 on FIDO U2F and Google’s 2-step verification

The post Hak5 on FIDO U2F and Google’s 2-step verification appeared first on FIDO Alliance.

(Editor’s note. A consortium of 150 companies called the FIDO Alliance is pushing for adoption of a new technical specification that could be the basis for biometric sensors, and other devices, to begin to widely replace passwords for accessing online accounts and services. FIDO stands for Fast IDentity Online. The alliance is led by PayPal, Samsung, Lenovo, Google and MasterCard. In this guest essay, Ramesh Kesanupalli, founder of Nok Nok Labs, outlines the significance of Alibaba recently embracing FIDO.)

Recent events have made the security shortcomings of passwords painfully clear. Not only are passwords easily stolen, phished and guessed, they can also be hard to remember and difficult to type on mobile devices. And because people often use the same password for multiple accounts, a single attack can compromise several sites or applications.

For roughly the past two years, the FIDO Alliance has been making progress on a solution for the long haul. FIDO refers to a new technical specification for strong authentication that is more secure, private and easier-to-use than passwords. FIDO standards leverage the unique characteristics stored on a security chip, biometric sensor or hardware device to authenticate the identity of an individual.

FIDO could pave the way for wider use of a variety of biometric systems to affirm one’s identity. Last February, FIDO consortium members PayPal, Samsung, Synaptics, and Nok Nok Labs introduced an innovative service that shows the promise of this new approach. Synaptics incorporated its FIDO Ready biometric fingerprint sensors in Samsung’s latest line of mobile devices. And PayPal stepped forward to became the first company to implement secure payments using FIDO authentication with Nok Nok Labs servers. This service is available to PayPal users on a range of Samsung devices, starting with the Galaxy S5.

Last week marked another major advance in FIDO adoption. China’s Alibaba Group joined the FIDO Alliance, following the previous announcement that Alipay; an Alibaba group company, had launched a pioneering FIDO authentication service.

Alipay is one of the world’s largest online markets, and will leverage Nok Nok Labs’ FIDO Ready solution to deploy secure payments, based on FIDO authentication, to 600 million users.

Alibaba recognizes the opportunity to usher in the next evolution of Internet commerce, moving beyond the insecurity of passwords that threaten to impede the adoption of online and mobile platforms.

This is a major milestone. It signifies Asia’s awakening to the value of standards-based strong authentication, and it is a validation of the critical need for FIDO authentication.

The realms requiring user authentication are rapidly expanding – from Internet to mobile and POS, (Point of Sale) and on to smart buildings and the Internet of Things. FIDO authentication is ready for the interoperable future of authentication that must accommodate a veritable world of user choice and context-aware security.

Companies prepared with FIDO authentication are poised to take advantage of future authentication mechanisms, new devices and opportunities without undertaking the pain of deploying new authentication infrastructure.

Already, two of the world’s foremost payments providers – PayPal and Alipay – are demonstrating how to take advantage of vast FIDO capabilities already available in the marketplace.

There are hundreds of millions of FIDO Ready user devices and products in the marketplace, including face, voice, or fingerprint biometrics and hardware tokens, all ready to be leveraged to eliminate the pain and insecurity of traditional passwords.

It will be fascinating to see who becomes the next to move beyond passwords to implement FIDO authentication.

NOTE: The FIDO Alliance will be in Asia for the first time, hosting seminars for prospective members in Seoul, Korea and Tokyo, Japan on October 6th and 10th respectively.

More on emerging best practices

3 steps for figuring out if your business is secure

Encryption rules ease retailers’ burden

Tracking privileged accounts can thwart hackers

Impenetrable encryption locks down Internet of Things

The post China’s online giant Alibaba endorses FIDO authentication appeared first on FIDO Alliance.