Fido wants the IoT to be password free
July 2, 2019
Open standard authentication group the Fido Alliance has announced two standards and certification initiatives to remove password authentication from the IoT.
The identity verification and IoT initiatives build on the alliance’s focus on driving the efficacy and market adoption of Fido authentication by addressing adjacent technologies that leave security vulnerabilities on the web.
Specifically, the alliance aims to strengthen identity verification assurance to support better account recovery, and automate secure device onboarding to remove password use from the IoT.
The alliance has formed two working groups: the Identity Verification & Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG) to establish guidelines and certification criteria in these areas. The alliance will continue to focus on development and adoption of its user authentication standards and related programmes and use them as a foundation for this expanded work, featuring contributions from current members and new industry participants.
“The Fido Alliance has catalysed a diverse set of stakeholders who have collaborated to answer the industry’s password problem through the standardisation of Fido authentication, which has grown from concept to global web standard supported in leading browsers and platforms in just seven years,” said Andrew Shikiar, executive director and chief marketing officer of the Fido Alliance. “As we look at the threat vectors in the marketplace, however, it has become apparent that there’s a gap between the high assurance provided by Fido authentication standards and the lower assurance methods used in identity verification for account recovery and IoT authentication. This gap can be most effectively addressed through industry collaboration and standardisation rather than siloed, proprietary approaches.”
For accounts protected from phishing and other credential-based attacks with Fido authentication, the account recovery process when a Fido device is lost or stolen becomes critical to maintaining the integrity of the user’s account. Validating a user’s identity with high assurance is an important aspect of this process, as well as for account onboarding processes, meeting know your customer (KYC) and anti-money laundering (AML) requirements.
The alliance has identified newer remote, possession-based techniques including biometric selfie matching and government-issued identity document authentication as having the potential to improve the quality of identity assurance for account onboarding and account recovery. The alliance has also determined a market need for authoritative guidance, performance evaluation and certifications for their use.
The alliance has created the IDWG to fill this need. The IDWG will define criteria for remote identity verification and develop a certification programme and educational materials to support the adoption of those criteria.
The IDWG is led by co-chairs Rob Carter from Mastercard and Parker Crockford from Onfido. Other participating organisations include Aetna, Google, Idemia, Lenovo, Microsoft, Nok Nok Labs, NTT Docomo, OneSpan, Phoenix Technologies, Visa, Yahoo! Japan, Yubico and the UK Cabinet Office.
The IoT TWG aims to tackle the problem of a lack of IoT security standards and typical processes such as shipping with default password credentials and manual onboarding, which leave devices, and the networks they operate on, open to large-scale attacks. It will do this by providing a comprehensive authentication framework for IoT devices in keeping with the fundamental mission of the alliance – passwordless authentication.
The working group will develop use cases, target architectures and specifications covering:
- IoT device attestation and authentication profiles to enable interoperability between service providers and IoT devices;
- Automated onboarding, and binding of applications and/or users to IoT devices; and
- IoT device authentication and provisioning via smart routers and IoT hubs.
The Fido (Fast IDentity Online) Alliance was formed in 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple user names and passwords. The alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords.