Getty Images

Fido Alliance announces new standards

Fido Alliance announces new identity verification and IoT initiatives to expand the reach and impact of Fido authentication, which seeks to eliminate the world’s dependence on password-based security

The Fido (Fast IDentity Online) Alliance, a consortium of technology industry partners working to establish standards for strong authentication, has announced two new standards and certification initiatives in identity verification and the internet of things (IoT).

The initiatives build on the alliance’s ongoing focus on driving the efficacy and market adoption of Fido authentication by addressing adjacent technology areas that introduce online security vulnerabilities.

The latest initiatives aim to strengthen identity verification assurance to support better account recovery, and automate secure device onboarding to remove password use from the IoT.

To support these initiatives, the alliance has formed two new working groups – the Identity Verification and Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG) to establish guidelines and certification criteria in these areas.

The alliance plans to continue to focus on development and adoption of its user authentication standards and use them as a foundation for the expanded work, featuring contributions from current members and new industry participants.

Andrew Shikiar, executive director and chief marketing officer of the Fido Alliance said: “The Fido Alliance has catalysed a diverse set of stakeholders who have collaborated to answer the industry’s password problem through the standardisation of Fido Authentication – which has grown from concept to global web standard supported in leading browsers and platforms in just seven years.

“As we look at the threat vectors in the marketplace, however, it has become apparent that there is a gap between the high assurance provided by Fido Authentication standards and the lower assurance methods used in identity verification for account recovery and IoT authentication. This gap can be most effectively addressed through industry collaboration and standardisation rather than siloed, proprietary approaches.”

Identity Verification and Binding Working Group (IDWG)

For accounts protected from phishing and other credential-based attacks with Fido Authentication, the account recovery process when a Fido device is lost or stolen becomes critical to maintaining the integrity of the user’s account. Validating a user’s identity with high assurance is an important aspect of this process, said the alliance, as well as for account onboarding processes, meeting know your customer (KYC) and anti-money laundering (AML) requirements. 

The Fido Alliance has identified newer remote, possession-based techniques including biometric “selfie” matching and government-issued identity document authentication as having the potential to greatly improve the quality of identity assurance for new account onboarding and account recovery. The alliance said it has also determined a market need for authoritative guidance, performance evaluation and certifications for their use.

The alliance has created the IDWG to fill this need. The working group will define criteria for remote identity verification and develop a certification program and educational materials to support the adoption of those criteria, the alliance said.

The IDWG is led by co-chairs Rob Carter of Mastercard and Parker Crockford of Onfido. Other participating organisations include Aetna, Idemia, Lenovo, Microsoft, Nok Nok Labs, NTT DOCOMO, OneSpan, Phoenix Technologies, Visa, and Yubico.

IoT Technical Working Group (IoT TWG)

Analyst firm Gartner has predicted that 15 billion connected things will be in use by 2021, opening up opportunities for increased efficiencies and innovation across industries. Yet the lack of IoT security standards and typical processes, such as shipping with default password credentials and manual onboarding, leaves devices, and the networks they operate on, open to large-scale attack

The IoT TWG aims to tackle this issue by providing a comprehensive authentication framework for IoT devices in keeping with the fundamental mission of the alliance, which is passwordless authentication.

The working group will develop use cases, target architectures and specifications covering:

  • IoT device attestation/authentication profiles to enable interoperability between service providers and IoT devices.
  • Automated onboarding, and binding of applications and/or users to IoT devices.
  • IoT device authentication and provisioning via smart routers and IoT hubs.

The IoT TWG is led by co-chairs Marc Canel of Arm Holdings and Giridhar Mandyam of Qualcomm. Other participating organisations include Idemia, Intel Corporation, Lenovo, Microsoft, Nok Nok Labs, OneSpan, Phoenix Technologies and Yubico.

Read more about the Fido Alliance

Read more on Privacy and data protection