Why FIDO Will Be Man's Best Friend
There's an emerging user authentication method for the web called FIDO. FIDO stands for Fast IDentity Online, and it promises to change the way consumers authenticate to their digital devices and to the services behind them. When I say digital devices, I mean all of them. The point of FIDO is that it can use whatever user-verification hardware a device already has: microphones (via speaker recognition), cameras (via face recognition), fingerprint sensors, and my personal favorite, behavioral biometrics. That last item shows that machine learning already has practical security applications. One detail applies to all of these methods: the biometric match happens on the device, which then proves the result to the server with a cryptographic key; the biometric itself never leaves the device.
I think FIDO is an authentication method to watch for other reasons as well. For starters, it focuses on ease of use, security, and standardization. The primary objective is to enable online services and websites, whether on the open Internet or within enterprises, to leverage native security features of end-user computing devices for strong user authentication. Plus, let's not forget the effort to reduce the problems associated with creating and remembering many online credentials: the device generates a separate key pair for each site, so there is no shared secret to remember, and a breach at one site yields nothing usable at another. I know of no one who doesn't think having to retain multiple passwords is a royal pain!
Here's what the contributors to FIDO propose. First, separate the user verification method (how the device checks that it's really you) from the authentication protocol (how the device proves that to the server). That's a big step, but it makes a great deal of sense. Second, define an attestation method so the authenticator can prove its type to the relying party. In plain terms: each authenticator model carries an attestation key, and at registration the authenticator uses it to sign the new credential's public key. The relying party checks that signature against the model's known attestation key, so it learns which kind of authenticator (software, TEE-backed, dedicated hardware) generated the credential instead of taking the device's word for it.
Given this information, the relying party is able to infer the related assurance level. The assurance level can be fed into internal risk management systems, and when it is too low for the transaction at hand the relying party can add implicit authentication methods (for example device or location signals) or require a step-up. That means you or your organization can essentially tune the system to be as strict as the context requires.
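To make the attestation and assurance-level ideas concrete, here is an added example in Go. It is my own illustration, not code from this page or from the FIDO Alliance specifications, and a simplified model of the registration flow rather than a spec-conformant implementation. A relying party verifies a registration by checking the attestation signature against the known key for the claimed authenticator model, maps the model to an assurance level, and decides whether a step-up is required. The model names, assurance levels, challenge and locally generated attestation keys are all constructed for the example; a real deployment obtains attestation keys from vendor certificate chains (FIDO metadata) and draws a random challenge per registration.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// AssuranceLevel is the relying party's own rating of an authenticator type. It is derived from
// verified attestation, never from a plaintext claim sent by the user device.
type AssuranceLevel int

const (
	AssuranceUnknown  AssuranceLevel = iota
	AssuranceSoftware                // software authenticator on the user device
	AssuranceTEE                     // keys held inside a Trusted Execution Environment
	AssuranceHardware                // dedicated hardware token (smart card, USB crypto device)
)

// AuthenticatorModel is the relying party's trust entry for one authenticator type. In production
// AttestPub comes from the vendor's attestation certificate chain; here it is generated locally.
type AuthenticatorModel struct {
	Name      string
	AttestPub *ecdsa.PublicKey
	Level     AssuranceLevel
}

// Registration is the authenticator's reply to a registration challenge: a fresh credential public
// key plus an attestation signature binding that key, the model name and the challenge.
type Registration struct {
	ModelName     string
	CredentialPub *ecdsa.PublicKey
	Challenge     []byte
	AttestSig     []byte
}

// NewModel generates the attestation key pair for a hypothetical authenticator model: the private
// half stays on the device, the public half goes into the relying party's trust entry.
func NewModel(name string, level AssuranceLevel) (*ecdsa.PrivateKey, AuthenticatorModel, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, AuthenticatorModel{}, err
	}
	return priv, AuthenticatorModel{name, &priv.PublicKey, level}, nil
}

// registrationDigest is the message both sides sign/verify: model name, challenge, credential key.
func registrationDigest(model string, challenge []byte, pub *ecdsa.PublicKey) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{[]byte(model), challenge, pub.X.Bytes(), pub.Y.Bytes()}, nil))
	return sum[:]
}

// Register is the authenticator side: mint a per-relying-party credential key pair and sign its
// public half with the model's attestation key. The credential private key never leaves the device.
func Register(model string, attestPriv *ecdsa.PrivateKey, challenge []byte) (*Registration, error) {
	credPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, attestPriv, registrationDigest(model, challenge, &credPriv.PublicKey))
	if err != nil {
		return nil, err
	}
	return &Registration{model, &credPriv.PublicKey, challenge, sig}, nil
}

// RelyingParty is the set of authenticator models the server trusts, keyed by model name.
type RelyingParty map[string]AuthenticatorModel

// VerifyRegistration checks the challenge (replay), the claimed model (known type) and the
// attestation signature (the claim is genuine), then returns the inferred assurance level.
func (rp RelyingParty) VerifyRegistration(reg *Registration, expected []byte) (AssuranceLevel, error) {
	if !bytes.Equal(reg.Challenge, expected) {
		return AssuranceUnknown, fmt.Errorf("challenge mismatch: possible replay")
	}
	model, ok := rp[reg.ModelName]
	if !ok {
		return AssuranceUnknown, fmt.Errorf("unknown authenticator model %q", reg.ModelName)
	}
	if !ecdsa.VerifyASN1(model.AttestPub, registrationDigest(reg.ModelName, reg.Challenge, reg.CredentialPub), reg.AttestSig) {
		return AssuranceUnknown, fmt.Errorf("attestation signature invalid: model claim not proven")
	}
	return model.Level, nil
}

// StepUpRequired is the risk-engine hook: high-value actions demand at least TEE-backed keys.
func StepUpRequired(level AssuranceLevel, highValue bool) bool {
	return highValue && level < AssuranceTEE
}

func main() {
	hwPriv, hwModel, _ := NewModel("example-hw-token", AssuranceHardware)
	swPriv, _, _ := NewModel("example-sw-auth", AssuranceSoftware)
	rp := RelyingParty{hwModel.Name: hwModel}
	challenge := []byte("constructed-challenge-0001") // a real RP draws this at random per registration
	reg, _ := Register(hwModel.Name, hwPriv, challenge)
	level, err := rp.VerifyRegistration(reg, challenge)
	fmt.Println("genuine:", level, err, "step-up:", StepUpRequired(level, true))
	forged, _ := Register(hwModel.Name, swPriv, challenge) // software key claiming the hardware model
	_, err = rp.VerifyRegistration(forged, challenge)
	fmt.Println("forged model claim:", err)
}
```

The genuine registration verifies and lands at the hardware assurance level, so no step-up is needed even for a high-value action; the forged one, where a software authenticator merely claims the hardware model name, is rejected because the signature does not verify under that model's attestation key. That is the whole point of attestation: the model name in the message is never trusted on its own, only the key that signed it.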
For instance, the FIDO authenticator could be implemented as a software component running on the FIDO user device. It might also be implemented as a dedicated hardware token, such as a smart card or a USB crypto device. It might even be implemented as software that leverages the device's built-in cryptographic hardware, or as software running inside a Trusted Execution Environment (TEE). Each of these deserves a different assurance level, and attestation is what lets the relying party tell them apart.
The neat features don't stop there. Conceivably, any user verification method can be plugged in. Such methods can be optimized for particular use cases and for the devices they are running on. In some situations, the user verification method should be non-intrusive, so continuous authentication (for example behavioral biometrics) could be an option. In other situations, a more precise user verification method might be desirable (especially in corporate settings), so fingerprints or dedicated hardware tokens such as smart cards might be more suitable.
There's no doubting that FIDO could be man's best friend, at least in the cyber-world. We get the convenience of separating user verification methods from the authentication protocol. We as consumers can change the verification method on the device without any impact on the authentication server. So as long as the assurance level is acceptable in the given context, FIDO can provide great flexibility to users and enterprises.