On the seminar held recently in Tokyo, FIDO (Fast IDentity Online) Alliance announced that tens of millions of FIDO-based devices are now in use to protect end-user and enterprise accounts with strong, cryptographic-based authentication at major relying parties such as Google, PayPal, NTT DOCOMO, INC., Bank of America, Dropbox, and GitHub.
The modern FIDO authentication system is backed by nearly 250 Alliance member organizations from around the world including the US, the UK and German government agencies, and more than a dozen trade association partners. The system is coming to replace outdated passwords.
Unlike password databases, FIDO stores users' PIIs-like biometrics data exclusively on the users' device. That is one of the advantages of FIDO's solution as it addresses the security concerns about personal data being stored externally (in the cloud, for example). FIDO has two specifications: the Universal Authentication Framework (UAF) for passwordless user experience and the Universal Second Factor (U2F) for adding a second factor to authentication. UAF allows users to register the device by selecting a local authentication mechanism such as biometrics, PIN, etc. The UAF protocol allows the service to select which mechanisms are presented to the user. With U2F, the user presents the second factor during registration by pressing a button on a USB device or tapping over NFC. FIDO U2F device can be used across all online services that support the protocol.
As the company announced, to carry this momentum into 2016, the FIDO Alliance submitted a set of three technical specifications to the World Wide Web Consortium (W3C) (the international standards organization for the World Wide Web). These technical specifications are required to define a standard Web-based API designed to increase FIDO’s existing desktop, Chrome, Android and iOS reach to support other platforms. This FIDO-built Web API is intended to ensure standards-based strong authentication across all Web browsers and related Web platform infrastructure. The FIDO Alliance’s W3C submission is the first time the Alliance has chosen to submit their specifications to an external SDO (Standard Development Organization).
Dustin Ingalls, President of FIDO Alliance, shared the company's mission and his vision of the future of authentication on the official website: “The mission of the FIDO Alliance has always been stronger, simpler authentication: stronger to help protect data, and simpler to address the problems users face trying to create and remember multiple usernames and passwords. In order to achieve this mission, FIDO authentication needs to be available everywhere… On all the devices you use and with all of the apps & services you use. With FIDO support in the browser and in the platform, it will be easier than ever for apps and services to take full advantage of FIDO authentication helping to free the world from passwords.”
The submission to W3C is part of FIDO Alliance's goal to produce technical specifications that define an open, scalable, interoperable set of mechanisms that will potentially replace passwords as a way to authenticate users. The goal fits into the overall strategy of worldwide adoption of the FIDO specifications.
Commenting on the strategy, Brett McDowell, Executive Director of the FIDO Alliance, said, “The FIDO Alliance’s strategy has always hinged on the idea that every device you purchase will come with FIDO standards support built-in, just as we see today with standards like Bluetooth or Wi-Fi. The FIDO 2.0 work is very well aligned to that strategy, and we encourage OEMs to begin planning their device support for these capabilities.”
One of the FIDO Alliance board members and companies that deployed FIDO's solution is NTT DOCOMO, Inc. Koichi Moriyama, Senior Director of Product Innovation at NTT DOCOMO, Inc. shared his experience working with FIDO, “It’s been a pleasure to work with, and within, the FIDO Alliance to create a world that is no longer dependent on passwords. FIDO standards have been working extremely well for DOCOMO-branded devices and services since our commercial launch in May. We are very excited about the prospect of providing more FIDO-enabled devices and services to our customers through the extended reach of FIDO 2.0 and W3C. We will definitely continue to work with FIDO Alliance to realize the vision of delivering a superior end-user experience by eliminating passwords with FIDO authentication-enhanced security features.”