Fintech Security

Fido needs more vision for digital identities

Fido needs more vision for digital identities. Image: Freepik
Written by Chris Skinner

Fido is a good thing, says Chris Skinner, but appears to be addressing online identity issues with standards of the past rather than the future.

The real way to crack onboarding and criminal activity is to create strong and secure digital identities. We are moving in that direction, but it’s a long, slow process. For ages now, I’ve written about getting rid of passwords and improving authentication using mobile technologies.

Again, it just goes to show what a perennial subject identity is. In fact, it’s so meaty a subject that Dave Birch writes a blog about it, and even a whole book. In the book, Dave suggests that the security offered by tokenization via mobile, combined with everyone building online identities via social networks, will get rid of cash. I agree with him, though not necessarily on the last bit. Cashless is another huge debate. However, it’s evident that the investment we’re all making in our online social identities is paying off. For example, Sophos recently tracked down the gang who created the Koobface malware via their social networking activity.

Anyway, the reason I’m writing about it again is after my discussion about client onboarding and the massive overhead this creates, particularly the KYC process, for banks. There have been lots of attempts to crack this – the KYC Exchange, Swift’s shared KYC program, Counterparty Link and PEP databases – but nothing has succeeded so far. Now, a new alliance has been put together and, as no one knows you’re a dog on the internet, it’s called Fido: Fast Identity Online Alliance.

Fido (woof!) is suggesting that you should have multi-factor authentication standards using something you know (PIN, password), something you have (card, phone, token) and something you are (biometric). I came across Fido thanks to this week’s Economist, which provides a neat summary of what it’s all about. Looking through its website reveals some interesting ideas. For example, the mission of the Fido Alliance is to change the nature of online authentication by:

  • Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords to authenticate users.
  • Operating industry programs to help ensure successful worldwide adoption of the specifications.
  • Submitting mature technical specification(s) to recognized standards development organization(s) for formal standardization.

The origins of the Fido Alliance go back over eight years, and were prompted by PayPal’s frustrations with multi-factor authentication. The issue is that additional security keys increase security but also irritate the user. How do you get around that? By creating a new standard, the characteristics of which would include:

  • a general purpose authentication standard, not just confined to fingerprint biometrics, or even just biometrics
  • a considerable commercial element in play; that an ecosystem would have to be bootstrapped in order for this idea to become successful, requiring tight coordination between supply and demand
  • a new organization to write this new technical standard, applying best practices from other such organizations.

All well and good, and they’ve got Google, Bank of America, Samsung, PayPal, MasterCard, Microsoft, Lenovo, Visa and more in the mix to develop this new standard. It all sounds so wonderful, but then I read what the new standard is all about and sat there afterwards feeling a little disappointed. This new alliance has developed two standards y’see. One is a password-less standard and the other is a multi-factor authentication.

The Fido experience

Passwordless UX (UAF)

  • User carries client device with UAF stack installed
  • User presents a local biometric or PIN
  • Website can choose whether to retain password.

The password-less Fido experience is supported by the Universal Authentication Framework (UAF) protocol. In this experience, the user registers their device to the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, and so on. The UAF protocol enables the service to select which mechanisms are presented to the user. Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. UAF also allows experiences that combine multiple authentication mechanisms such as fingerprint plus PIN.

Second Factor UX (U2F)

  • User carries U2F device with built-in support in web browsers
  • User presents U2F device
  • Website can simplify password (eg four-digit pin).

The second factor Fido experience is supported by the Universal Second Factor (U2F) protocol. This experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login. The user logs in with a username and password as before. The service can also prompt the user to present a second factor device at any time it chooses. The strong second factor allows the service to simplify its passwords (eg four-digit PIN) without compromising security.

During registration and authentication, the user presents the second factor by simply pressing a button on a USB device or tapping over NFC. The user can use their Fido U2F device across all online services that support the protocol leveraging built-in support in web browsers.

Fido doesn’t mention blockchain

On the one hand, I applaud this alliance for actually trying to do something. What they’ve achieved so far seems laudable and is based on what can be achieved using current state technologies. On the other hand, my disappointment is that it doesn’t lay out a vision for a future state. In fact, the challenge with the two standards outlined is that, in both cases, the new standard involves the user doing something. They either have to plug in a dongle, enter a PIN, stick their finger onto a device or something like that. My disappointment is that I really want a digital identity that involves me doing nothing.

I’ve already blogged about this recently – Why the blockchain will radically alter our future – Fido doesn’t mention the blockchain, and I honestly don’t believe that in 10 years’ time, we will be actively authenticating our identities; it will be automatic and sensed.

The Fido Alliance is a good thing for now, but it appears to be addressing the online identity issues with standards of the past rather than the future. Where’s the new standard for an online identity that has some vision?

This article is reproduced with kind permission. Some minor changes have been made to reflect BankNXT style considerations. You can read the original article here.

About the author

Chris Skinner

Chris Skinner is an independent commentator on the financial markets through the Finanser, and chair of the European networking forum the Financial Services Club, which he founded in 2004. He is an author of numerous books covering everything from European regulations in banking through to the credit crisis, to the future of banking.

Leave a Comment