Taking biometrics mainstream with FIDO (the Apple Pay alternative)

FIDO (Fast Identity Online) is essentially Apple Pay for non-Apple devices. It is backed by an impressive list of companies including Google, Microsoft and Amazon and already has 360 certified products. Using FIDO devices such as mobile phones, laptops or browsers, users can be authenticated securely without any personal security data being transmitted (for instance, all biometrics are kept on the device). This week the FIDO Alliance has been in Sydney for meetings and I was at the opening day (Monday the 25th Sept).

According to Google, 76% of account vulnerabilities were due to weak or stolen passwords. The FIDO vision is to provide a secure, privacy-sensitive method that will largely eliminate the need to remember passwords. It will be flexible enough to accommodate new biometric modalities, have no central biometric store, be secure against most attacks and be available across all devices. The FIDO website, in my opinion, is a little less clear, but describes the mission like this:

The specifications and certifications from the FIDO Alliance enable an interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites. This ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords. (https://fidoalliance.org/about/what-is-fido/)
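The mechanism behind the "no biometric leaves the device" and "phishing, man-in-the-middle and replay" claims above is a public-key challenge-response, and it is easier to see why those properties hold from a small working model. The following Go program is an added example written for this post; it is not FIDO Alliance code and not a conforming implementation. It borrows WebAuthn's idea of signing over a hash of the relying-party ID together with a hash of the client data (challenge plus the origin the browser observed), uses P-256 ECDSA from the Go standard library, and models the local biometric match as a boolean; the names `Authenticator`, `RelyingParty`, `Register`, `Sign`, `Verify` and the sample values `example.com`, `https://example.com` and `https://evil.example` are all assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models a FIDO device. The private key (and, on a real device,
// the biometric template that unlocks it) never leaves this struct.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying-party identifier the credential was created for
}

// RelyingParty (the website or app) stores only a public key plus the
// challenges it has issued and not yet seen answered. No biometric, no password.
type RelyingParty struct {
	id      string // e.g. "example.com" (constructed sample value)
	origin  string // e.g. "https://example.com"
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id: id, origin: origin, pending: map[string]bool{}}
}

// Register mints a fresh P-256 key pair on the authenticator and hands the
// relying party only the public half.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = &priv.PublicKey
	return &Authenticator{priv: priv, rpID: rp.id}, nil
}

// NewChallenge issues a random, single-use nonce; consuming it exactly once in
// Verify is what defeats replay of a captured assertion.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	rp.pending[c] = true
	return c, nil
}

// Assertion is everything that travels from device to relying party:
// a signature over the challenge, the observed origin and the rpID.
type Assertion struct {
	Challenge string
	Origin    string // origin the client (browser) actually observed
	RPIDHash  [32]byte
	Sig       []byte
}

// signedMessage mirrors WebAuthn's shape: SHA-256(rpIdHash || SHA-256(clientData)),
// where clientData carries the challenge and the observed origin.
func signedMessage(rpIDHash [32]byte, challenge, origin string) []byte {
	clientDataHash := sha256.Sum256([]byte(challenge + "|" + origin))
	msg := sha256.Sum256(append(rpIDHash[:], clientDataHash[:]...))
	return msg[:]
}

// Sign is the device-side step. userVerified stands in for the on-device
// biometric match; if it fails, nothing is signed and nothing is sent.
func (a *Authenticator) Sign(challenge, observedOrigin string, userVerified bool) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; no assertion produced")
	}
	rpIDHash := sha256.Sum256([]byte(a.rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpIDHash, challenge, observedOrigin))
	if err != nil {
		return nil, err
	}
	return &Assertion{Challenge: challenge, Origin: observedOrigin, RPIDHash: rpIDHash, Sig: sig}, nil
}

// Verify is the server-side step: consume the challenge (anti-replay), check
// origin and rpID (anti-phishing / anti-relay), then check the signature.
func (rp *RelyingParty) Verify(asr *Assertion) error {
	if !rp.pending[asr.Challenge] {
		return errors.New("unknown or already-used challenge (replay)")
	}
	delete(rp.pending, asr.Challenge)
	if asr.Origin != rp.origin {
		return errors.New("origin mismatch: assertion was produced for another site")
	}
	if asr.RPIDHash != sha256.Sum256([]byte(rp.id)) {
		return errors.New("rpID mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(asr.RPIDHash, asr.Challenge, asr.Origin), asr.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com")
	auth, _ := Register(rp)
	c, _ := rp.NewChallenge()
	asr, _ := auth.Sign(c, "https://example.com", true)
	fmt.Println("genuine login:", rp.Verify(asr))  // <nil>
	fmt.Println("replayed login:", rp.Verify(asr)) // error: already-used challenge
}
```

Two details carry the security argument. The origin is inside the signed data, so a relay site that forwards the real challenge still produces an assertion stamped with its own origin, and the relying party rejects it; rewriting the origin field afterwards breaks the signature instead. And because the relying party holds only a public key and single-use challenges, a breach of its database yields nothing that can be replayed or used to impersonate the user.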

There is a confusing array of (often insecure) options available when companies want to authenticate users. FIDO therefore addresses a huge global problem by providing both a solid technical core and market momentum, which makes it worth taking very seriously. One of the most impressive videos shown was from DOCOMO, the Japanese telecommunications giant, which gave an excellent flavour of the upsides of this protocol in terms of convenience across different handsets and biometric types.

The major issues that I believe will confront adoption are:

  • Certification and Evaluation: There is an active process in place around certification of FIDO-compliant devices, with the higher levels requiring accredited lab certification. This certification, however, covers the security protocols, not biometric accuracy and vulnerabilities. Issues to do with Presentation Attack Detection (PAD) and accuracy are to be handled in an upcoming release. The lead on this activity is Stephanie Schuckers from Clarkson University, and she is a safe pair of hands to build protocols around this complex area. I will be most interested, however, to see how this develops, as it is obviously a particular focus of mine.
  • Re-enrollment: One of the major tenets of the new standard is that any biometrics are locked into the device, so if you upgrade your handset, lose your handset or move to another device, your enrollments do not move with you (they can’t, as they are securely held inside the device). Nevertheless, there are ways of providing a more seamless transition, including some forms of automated re-enrollment. According to discussions, Google is working on just such a protocol. I believe this will be an essential component to drive adoption.
  • Audit and Logging: The FIDO standard contains a metadata service; however, the amount of data specified through this service is currently quite basic. I would like to see this expanded to include additional information, for instance around the acquisition quality score.
  • Apple: The elephant in the room is whether Apple will ultimately make its Apple Pay standard compatible. It’s worth pointing out that iOS apps can use FIDO on Apple devices; it’s just that there is no native support, and Apple Pay uses a different ecosystem.

The relevance for government agencies is increasingly around both internal security for staff and external authentication for the public. This has at least four driving factors: expectations (if it’s good enough for Google, why can’t we use it here?); the increasing sophistication (and frequency) of attackers breaking systems; the bring-your-own-device movement (smartphone penetration is extremely high); and consistency/federation (why do I need different login techniques at different departments?).

It should be clear that passwords are not a viable medium-term solution to security (at least not as they are used now), and attackers are increasingly sophisticated at breaking other two-factor techniques such as SMS one-time passwords (Google gave a nice demo at the conference of how easy it is to take over an account that relies on SMS as a second factor). Currently, the only large-scale, standards-based answer backed by almost all the major players (except Apple) is FIDO. There will still be many teething issues to address, but if you are involved in authentication and security you need to know how this technology will affect your operations in the future.