Tag: FIDO Alliance

Article

FIDO Alliance could be having us move off passwords when we use online services

FIDO Alliance says it has finally killed the password • The Register

From the horse’s mouth

FIDO Alliance

Charting an Accelerated Path Forward for Passwordless Authentication Adoption – FIDO Alliance

My Comments

The FIDO Alliance and WebAuthN groups are moving towards a password-free authentication approach for online services. This is based around a device-local private authentication key associated with your username for that online service that is only released when you enter your device PIN / screen-unlock code or scan your fingerprint or face where your device supports it. A corresponding public key is stored in the user’s account record on the online service’s servers and used to “test” the private key to complete the user-verification process.

The smartphone will end up as a key authentication device especially if you sign in with your fingerprint or face

But there is a problem associated with the reality that most of us own multiple computing devices. This can typically manifest in us owning a smartphone, a mobile-platform tablet like an iPad and/or a regular desktop or laptop computer. There is also the fact that most of us will end up owning “connected-TV” equipment be it a smart TV, set-top device or games console that is a gateway to online video services. Or we may even end up using various smart-home platforms including Amazon Echo or Google Home.

The problem also includes lifecycle issues associated with today’s devices such as acquiring a new device or replacing a broken, lost or stolen device. Or it could include where one is using another device on a temporary basis like using a friend’s computer or a computer at a hotel business centre.

Then there is the issue of phishing even with multifactor authentication because there is no way of identifying whether a user is signing in to the real online service or not.

Solutions

Bluetooth as a means for authentication

Or you could authenticate online services from a laptop’s fingerprint reader or your smartphone

One factor being examined is the use of your smartphone as a roaming authentication device. Part of what will be looked at is using Bluetooth LE as a machine-to-machine link between the device you are signing in from and your phone to conditionally release online-service authentication keys.

This avoids you entering a one-time-password in to a phishing site for example because you are not transcribing information in to a site. The Bluetooth functionality is also about device proximity – your smartphone is close to the device you want to sign in from.

I also see the Bluetooth link appealing to client devices that have limited user interfaces like connected-TV devices, printers and the Internet Of Things. It avoids the need to log in to your online service to transcribe a “binding code” to use it with connected-TV devices or, at worst, “hunt and peck” a username and password to associate it an online service.

It will also support bare-bones provisioning to new devices irrespective of the platform such as when you, as an iOS or Android mobile-platform user, want to set up you Windows laptop to work with your online services.

As well, it could come in to its own with temporary-use scenarios like shared computers or equipment installed in places like hotels. It could even include adding one’s online video service account to smart TVs or set-top devices installed in hotels, holiday home or common rooms for temporary use.  I could even see this earn its keep as an alternative to cards for authentication at kiosk-type setups like ATMs.

Multi-device authentication

The multi-device approach would be on the likes of Apple, Google and Microsoft coming to the party. This is because it would be based on device operating systems and associated cloud-driven account services like Apple ID (MacOS, iOS, tvOS), Google Account (Android, ChromeOS) and Microsoft Account (Windows, XBox).

In some cases, it may extend to device vendors or other entities who run their own cloud-driven account services and want them as the login of choice for your online world. Even account services typically managed by businesses or education establishments could become “primary” account services typically for large fleets of organisation-owned devices.

Even smart displays like the Amazon Echo Show 10 could be in on the action

This approach would have the operating system create and use the authentication key and store these with your account on the cloud-driven account service. It would come in to its own if you are adding a device that works with the same platform as what you were using, for example onboarding an iPad to the same Apple ID as your iPhone.

The system can distinguish between an extant device and a newer device through another device-bound authentication key that underscores that you are authorised to use the service with that physical device. Here, it can be about deeming that particular new device as trusted and under your control or some corporate setups may use it as a way to constrain use of the service to devices they have control over.

Online services would have to support a number of authentication keys for the same username with these associated with different computing platforms an end-user is likely to use. As well, another requirement that would be expected is to have one authentication key able to work across a vendor’s different operating systems such as a mobile OS and a desktop OS. This is due to vendors architecting their mobile operating systems for battery efficiency while the desktop operating systems are maintained for performance.

Situations

Moving between devices or platforms

.. as could the likes of connected-TV and set-top-box setups like the Apple TV

If you are moving your online life between devices of the same platform, the multi-device authentication would  have all the platform-level authentication keys moved across similar to what happens with a password vault app.

The Bluetooth authentication approach will come in to play if you have devices of a different platform. But you have to have one of the devices still alive and in your possession for this to work properly.

What really may happen is that you may use Bluetooth authentication to “enrol” other computing devices and have them seen as trusted devices once one or more of your devices support the necessary standards. Then, whichever one of them that is “alive” like, per se, your regular computer or your mobile-platform tablet would be used to authenticate your replacement smartphone to your secure online circle even if this was to replace a lost, stolen or damaged phone.

If you intend to completely move off a platform, you can simply delete from your online services all the credentials associated with that particular platform. This may be through account management options offered by the online service where you revise what platforms you are logged in from.

Multiple-platform setups

Most of us are likely to operate a multiple-platform setup for our online lives. This will typically range from an iPhone and a Windows or Macintosh computer through an Android phone, an iPad and a Windows computer.

Online services will be likely to keep with your username, multiple sets of access credentials for each computing platform you are using. There will still be the ability to keep a platform-specific authentication key for your devices that operate a particular platform along with another for a different platform.

Gaps yet to be filled

One gap that needs to be filled is software-to-software authentication like what is expected for email or document-contribution setups or even the Internet of Everything. Such setups typically rely on stored credentials to authenticate the user with their account on that service along with client software like email clients having continual access to that service.

This may have to be about adapting protocols like IMAP4 or XML-RPC to device-generated authentication credentials and supporting multiple sets of these credentials for one user account. This would be important where multiple client devices are being used for the same online service such as a smartphone and a laptop for an email service.

Conclusion

Even the common reality of users operating multiple devices or using a highly-portable device like a smartphone as an authentication device will not escape the goal of a password-free online-service future. Here it would primarily be about authenticating with a device-local PIN or your fingerprint

You soon may not need to remember those passwords to log in to the likes of Facebook

The traditional password that you use to authenticate with an online service is in the throes of losing this role.

This is coming about due to a lot of security risks associated with server-based passwords. One of these is for us to use the same password across many online services, leading towards credential reuse and “stuffing” attacks involving “known” username/password or email/password pairs. As well, the password is also subject to brute-force attacks including dictionary attacks where multiple passwords are tried against the same account. It also includes phishing and social-engineering attacks where end-users are tricked in to supplying their passwords to miscreants, something I had to rectify when an email account belonging to a friend of mine fell victim to phishing. This is facilitated by users creating passwords based on personal facts that work as aide-memoires. Passwords can also be stolen through the use of keyloggers or compromised network setups.

Managing multiple passwords can become a very user-unfriendly experience with people ending up using password-vault software or recording their passwords on a paper ore electronic document. As well, some applications can make password entry very difficult. Examples of these include connected-TV or games-console applications where you pick each character out using your remote control’s or game controller’s D-pad to enter the password.

You will be able to set your computer up to log you in to your online services with a PIN, fingerprint or other method

The new direction is to implement passwordless authentication where a client device or another device performs the authentication role itself and sends an encrypted token to the server. This token is then used to grant access to the account or facilitate the transaction.

It may be similar to multifactor authentication where you do something like enable a mobile authenticator app after you key in your online service’s password. But it also is very similar to how a single-sign-on or social-sign-on arrangement works with the emphasis on an authenticated-session token rather than your username and password as credentials.

The PIN will be authenticated locally nd used to enable the creation of a session token for your online service

There will be two key approaches which are centred around the exchange of an asymmetric key pair between the client and server devices.

The first of these will be the primary client device like your laptop computer or a smartphone that you are using the online service on. Or it can be a secondary client device like your smartphone that is holding the private key. You authenticate with that device using a device-local PIN or password or a biometric factor like your fingerprint or face.

The same holds true for your Android or other smartphone

The second will involve the use of a hardware token like a FIDO2-compliant USB or Bluetooth access key or an NFC-compliant smart card. Here, you activate this key to pass on the credentials including the private key to the client computer for your online session.

It is being facilitated through the use of FIDO2, WebAuthN and CTAP standards that allow compliant Web browsers and online services to implement advanced authentication methods. At the moment, Windows 10 is facilitating this kind of login through the use of the Windows Hello user-authentication functionality, but Android is in the process of implementing it in the mobile context.

There is effectively the use of a form of multifactor authentication to enable the cryptographic key pair between the client and server devices. This is based around the device you are using and the fact you are there to log in.

The fingerprint reader on this HP Elitebook and similar laptops will become more important here

If the authentication is to take place on the primary client device like a laptop or smartphone, the device’s secure element like a TPM module in a laptop or the SIM card in a smartphone would be involved in creating the private key. The user would enter the device-local PIN or use the fingerprint reader to enable this key which creates the necessary session token peculiar to that device.

On the other hand, if it is to take place on a secondary device like a smartphone, the authentication and session-token generation occurs on that device. This is typically with the user notified to continue the authentication on the secondary device, which continues the workflow on its user interface. Typically this will use a Bluetooth link with the primary device or a synchronous Internet link with the online service.

The online service has no knowledge of these device-local authentication factors, which makes them less likely to be compromised. For most users, this could be the same PIN or biometric factor used to unlock the device when they switch it on and they could use the same PIN across multiple devices like their smartphone or laptop. But the physical device in combination with the PIN, fingerprint or facial recognition of that user would be both the factors required to enable that device’s keypair and create the session token to validate the session.

A hardware token can be in the form of a USB or Bluetooth security key or a NFC smart card. But this device manages the authentication routines and has private keys kept in its secure storage.

There will be the emphasis around multiple trusted devices for each service account as well as the same trusted device supporting multiple services. Some devices like hardware tokens will have the ability to be “roaming” devices in order to do things like enabling a new device to have access to your online services or allow ad-hoc use of your services on shared equipment such as the public-use computers installed at your local library. They will also work as a complementary path of verification if your client device such as a desktop PC doesn’t have all the authentication functionality.

Similarly, when you create a new account with an online service, you will be given the option to “bind” your account with your computer or smartphone. Those of us who run online services that implement legacy-based sign-in but are enabled for passwordless operation will have the option in the account-management dashboard to bind the account with whatever we use to authenticate it with and have it as a “preferred” authentication path.

Some of the passwordless authentication setups will allow use with older operating systems and browsers not supporting the new authentication standards by using time-limited or one-use passwords created by the authentication setup.

Questions that will arise regarding the new passwordless Web direction is how email and similar client-server setups that implement native clients will authenticate their sessions. Here, they may have to evolve towards having the various protocols that they work with move towards key-pair-driven session tokens associated with the particular service accounts and client devices.

There will also be the issue of implementing this technology in to dedicated-purpose devices, whether as a server or client device. Here, it is about securing access to the management dashboards that these devices offer, which has become a strong security issue thanks to attacks on routers and similar devices.

IT WILL TAKE TIME TO EVOLVE TO PASSWORDLESS

Articles

Bluetooth and NFC will allow keyfobs, cards and mobile devices to work as authentication devices for each other

FIDO Alliance adds authentication support for NFC and BLE | NFC World

From the horse’s mouth

FIDO Alliance

Press Release

My Comments

Soon it will be feasible for Bluetooth and NFC “touch-and-go” authentication to play a part in open-frame multiple-factor authentication thanks to FIDO Alliance. This is primarily to court those of us who are using mobile devices and want the same level of security as valued with regular computers.

The main goal of the FIDO Alliance was to get the USB transport interface working properly but then to have it work across other transports like Bluetooth and NFC? This is due to most mobile devices including an increasing number of laptops and “2-in-1” computers, coming with Bluetooth including Low-Energy (Bluetooth Smart Ready) and NFC functionality along with Android and Windows exploiting NFC functionality fully at the operating system level.

Example applications made feasible with Bluetooth and NFC in the second-factor authentication sphere include:

• use of a “touch-and-go” card or a Bluetooth keyfob as your second factor for authenticating to a service from your regular computer or your mobile device – the device doesn’t need a standard USB socket
• a smartphone that uses a software “second-factor” authentication program like Authy could transmit the second-factor code to your regular computer or tablet by Bluetooth or NFC “touch-and-go”.

As well, the fact that smartphones have a hardware (SIM-based) or software secure element means that they can become as much a strong partner in your data-security arsenal. The concept is also being extended to the idea of devices like smart locks and cars having the Bluetooth and / or NFC abilities along with an onboard secure element of some form.

Similarly the U2F and UAF specifications could earn their keep as a transport for other dedicated-purpose devices like smart locks which typically are implementing Bluetooth Low Energy and/or NFC technology as part of their presence in the Internet Of Everything. This can open up paths of innovation for integrating such devices in a personal-security web of trust.

Article

Microsoft to support Fido biometrics | NFC World

From the horse’s mouth

Microsoft

Windows For Your Business blog post

FIDO (Fast IDentity Online) Alliance

Press Release

My Comments

Microsoft is to enable Windows 10, which is the next version of Windows, to work with the FIDO (Fast Identity Online) Alliance standards for its authentication and authorisation needs.

But what is this about? FIDO is about providing a level playing field where authentication and authorisation technologies like biometrics, electronic keys and the like can work with applications and sites that support these technologies.

The goal with FIDO is to remove the need for drivers, client-side software and certificate-authority setups for 2-factor authentication or password-free authentication. As well, one hardware or software key can be used across compatible services and applications without user parameters being shared between them.

There are two standards that have been defined by FIDO Alliance. One is UAF which supports password-free login using biometrics like fingerprints; USB dongles; MiFare NFC cards; Bluetooth-linked smartphones and the like as the key to your account. The other is U2F which allows these kinds of keys to serve as a “second factor” for a two-factor authentication setup.

But what could this mean? With a UAF setup, I could set things up so I could log in to Facebook using my fingerprint if the computer is equipped with a fingerprint reader but not have to worry about using a password vault that plays nicely with that fingerprint reader. With a U2F setup, I could make sure that I have a tight two-factor login setup for my Website’s management account or my bank account but use a preferred method like a USB key or a smartcard reader that reads my EMV-compliant bank card.

The current implementation tends to ride on client-side software like browser plugins to provide the bridge between a FIDO-enabled site and a FIDO U2F-compliant key and this can impair the user experience you have during the login. It is because of you having to make sure that the client-side software is running properly and you use a particular browser with it before you can interact with the secure site. There is also the risk that the software may be written poorly thus being more demanding on processor and memory resources as well as providing an inconsistent user interface.

Microsoft will bake these authentication standards in to Windows 10 for the login experience and authentication with application-based and Web-based services. This will cut down on the client-side software weight needed to enhance your Internet security and allows those who develop the authentication methods to focus on innovating with them, just as Microsoft has done with other functionality that it has baked in to the various Windows versions. It will apply to Azure-based cloud-hosted Active Directory services and on-premises Active Directory services for business users; along with the Microsoft Account which is used for home and small business users with Windows 8 login and Outlook.com (Hotmail).

The question yet to raise with FIDO UAF and U2F functionality is whether this will be provided for application-based “client-to-server” authentication for situations like word-processors being used to upload blog posts or native clients for online services like Dropbox and Evernote. Similarly, would this technology allow a device to serve as a temporary or conditional authentication factor such as a smart lock that has just been used with your electronic key; or allow a card like a SIM card already installed in our smartphone or a MiFARE-compliant transit pass to serve as an electronic key for our Webmail.

Personally, I find that Windows implementing FIDO Alliance standards will allow us to make more use of various authentication technologies on our home or business computers.