The Yahoo breach shows just how dangerous the old model of a centralised username and password database is: once an attacker is inside the network, millions of individuals' credentials are essentially served up on a silver platter.

Like a group of tethered climbers on a mountain slipping down one by one, if one database is hacked others are exposed.

Apple Pay
Solutions such as Apple Pay use biometric authentication.

It is this problem, and others, that the security standard Fast IDentity Online (FIDO) is hoping to address: not simply by getting rid of passwords or adding another layer of security on top, but by redesigning the entire architecture of security.

According to Phil Dunkelberger, CEO of Nok Nok Labs (one of the founding members of the FIDO Alliance) there are two main advantages of the FIDO standard: ease of use and security.

FIDO takes advantage of features on a smart device such as a fingerprint scanner, camera or microphone to allow the user to register their biometric or PIN to the device.

When authentication is required, the user is verified locally by a client on the device, and the device then signs a challenge from the server with a private key that never leaves the device; the server checks the signature against the public key registered for that user. Neither the biometric nor the private key is ever transmitted.

This is both easier for the user, who doesn't have to generate and memorise a password for every application they use, and more secure, since passwords can be phished, replayed or cracked from a leaked database, whereas a signature over a fresh challenge is useless to an attacker who captures it.
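As an added illustration of the exchange described above (example code written for this page, not Nok Nok Labs' or the FIDO Alliance's implementation): the device enrols a biometric sample locally, generates an Ed25519 key pair, registers only the public key with the server, and at login verifies the user locally before signing a fresh server challenge that is bound to the relying party's identifier. The type names, the `example.com` relying party, the `rpID|challenge` signed format and the constructed fingerprint samples are assumptions of this example; a real FIDO authenticator uses attested keys and a richer signed structure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the on-device side. The private key never leaves it, and
// the biometric check is simulated by hashing the presented sample and comparing
// it with the enrolled template hash. Hypothetical type, not a vendor's API.
type Authenticator struct {
	priv         ed25519.PrivateKey
	templateHash [32]byte // only a hash of the enrolled fingerprint/PIN is kept
}

// RelyingParty models the server: it stores public keys only, never secrets.
type RelyingParty struct {
	id      string
	pubKeys map[string]ed25519.PublicKey // username -> registered public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubKeys: map[string]ed25519.PublicKey{}}
}

// Enroll creates a per-device key pair and binds it to the local biometric/PIN.
func Enroll(sample []byte) (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, templateHash: sha256.Sum256(sample)}, nil
}

// Register sends only the public key to the server.
func (rp *RelyingParty) Register(user string, a *Authenticator) {
	rp.pubKeys[user] = a.priv.Public().(ed25519.PublicKey)
}

// Challenge is what the server sends at authentication time: a fresh nonce.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// signedData binds the challenge to the relying party ID so an assertion
// produced for one site cannot be replayed to another.
func signedData(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Assert verifies the user locally, then signs the challenge. The biometric
// sample and the private key are never returned or transmitted.
func (a *Authenticator) Assert(rpID string, challenge, sample []byte) ([]byte, error) {
	if sha256.Sum256(sample) != a.templateHash {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(a.priv, signedData(rpID, challenge)), nil
}

// Verify checks the signature against the public key registered for the user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.id, challenge), sig)
}

func main() {
	rp := NewRelyingParty("example.com")
	dev, _ := Enroll([]byte("fingerprint-template-alice")) // constructed sample
	rp.Register("alice", dev)

	ch, _ := rp.Challenge()
	sig, err := dev.Assert(rp.id, ch, []byte("fingerprint-template-alice"))
	fmt.Println("assertion ok:", err == nil && rp.Verify("alice", ch, sig))

	// Wrong finger: the device refuses to sign at all.
	_, err = dev.Assert(rp.id, ch, []byte("someone-else"))
	fmt.Println("wrong user rejected:", err != nil)

	// Replaying the assertion to another site fails because rpID is in the signed data.
	other := NewRelyingParty("evil.example")
	other.pubKeys["alice"] = rp.pubKeys["alice"]
	fmt.Println("cross-site replay rejected:", !other.Verify("alice", ch, sig))
}
```

Because only public keys sit server-side, a breach of the server's table yields nothing that can be replayed, which is the contrast with the Yahoo password database the article opens with; the cross-site check at the end shows why the relying party identifier has to be part of what the device signs.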

The use of a single standard for multiple authentication factors has a range of benefits.

For example, Nok Nok Labs has just launched the latest version of its authentication platform using the FIDO standard, which includes a new risk scoring feature. This uses risk signals such as geolocation, travel speed and device health to create a score for how likely the user is to be who they say they are.

Thanks to FIDO, the platform can use that score to scale up the authentication required. If the user's geolocation seems out of the ordinary, additional factors can be requested.
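As an added example of the kind of risk scoring described above (constructed for this page, not Nok Nok Labs' S3 scoring logic or thresholds): compute the distance and the implied travel speed between a user's previous and current login locations, fold in a device-health flag, and map the resulting score to the factors the server will demand. The 0-100 scale, the thresholds, the factor names and the three constructed login records are all assumptions of this example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// LoginAttempt is a hypothetical risk-signal record; the field names are this
// example's own, not a vendor's schema.
type LoginAttempt struct {
	User     string
	Lat, Lon float64
	At       time.Time
	Healthy  bool // device attestation / patch state passed
}

// Decision is the score plus the factors the server will require.
type Decision struct {
	Score    int
	Required []string
}

const earthRadiusKm = 6371.0

// haversineKm returns the great-circle distance between two coordinates.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// travelSpeedKmh is the speed the user would have needed to move between the
// two attempts; a non-positive interval counts as infinitely fast.
func travelSpeedKmh(prev, cur LoginAttempt) float64 {
	hours := cur.At.Sub(prev.At).Hours()
	if hours <= 0 {
		return math.Inf(1)
	}
	return haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon) / hours
}

// Score combines the signals into a 0-100 risk score. Weights and thresholds
// are illustrative assumptions.
func Score(prev *LoginAttempt, cur LoginAttempt) int {
	score := 0
	if prev != nil {
		if haversineKm(prev.Lat, prev.Lon, cur.Lat, cur.Lon) > 500 { // far from last location
			score += 30
		}
		if travelSpeedKmh(*prev, cur) > 1000 { // faster than an airliner: impossible travel
			score += 40
		}
	}
	if !cur.Healthy {
		score += 30
	}
	if score > 100 {
		score = 100
	}
	return score
}

// Decide maps the score to the authentication the server will require: a FIDO
// assertion alone at low risk, a confirmation from a second registered device
// at medium risk, and a helpdesk review on top at high risk.
func Decide(prev *LoginAttempt, cur LoginAttempt) Decision {
	s := Score(prev, cur)
	required := []string{"fido-assertion"}
	if s >= 30 {
		required = append(required, "second-device-confirmation")
	}
	if s >= 70 {
		required = append(required, "helpdesk-review")
	}
	return Decision{Score: s, Required: required}
}

func main() {
	// Constructed login records for one user.
	t0 := time.Date(2016, 10, 1, 9, 0, 0, 0, time.UTC)
	london := LoginAttempt{User: "alice", Lat: 51.5074, Lon: -0.1278, At: t0, Healthy: true}
	nyc := LoginAttempt{User: "alice", Lat: 40.7128, Lon: -74.0060, At: t0.Add(time.Hour), Healthy: true}
	paris := LoginAttempt{User: "alice", Lat: 48.8566, Lon: 2.3522, At: t0.Add(3 * time.Hour), Healthy: false}

	fmt.Printf("first login, healthy device:      %+v\n", Decide(nil, london))
	fmt.Printf("London to New York in one hour:   %+v\n", Decide(&london, nyc))
	fmt.Printf("London to Paris, unhealthy device: %+v\n", Decide(&london, paris))
}
```

The "impossible travel" rule is the one that catches a stolen credential used from another continent; combining it with the device-health signal is what lets a platform demand a second device or a human review only when the score warrants it, rather than for every login.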

Other features of the platform, called the Nok Nok S3 Authentication Suite – Premium Edition, include simplified integration support for access management solutions.

FIDO
Phil Dunkelberger, CEO of Nok Nok Labs.

Dunkelberger says that FIDO could be used to provide authentication for Internet of Things devices and systems: for example, if the user is authenticated on the smartphone they could use the smartphone to control the heating or lighting in a house.

In one implementation, Nok Nok Labs used FIDO to turn employee smartphones into access tokens for their building.

These more advanced security features will be needed as the number of devices we interact with, and hence the number of authentications needed, increases. Ultimately, Dunkelberger sees FIDO as being about more than using more secure ways of authenticating people: it is about redesigning security overall.

He explains that today portability of authentication is done through usernames and passwords, which he says is a “good idea for user experience, bad for security.”

“The problem with Yahoo isn’t that they lost 500 million passwords; it’s what can they do with the passwords?” says Dunkelberger.

As he says, and as in the climbing example above, people will often reuse the same password across multiple accounts.

But storing biometric information in centralised repositories creates much the same issue, which is why it matters that verification happens on the device and that only a signed challenge, never the biometric itself or the private key, is transmitted to the server.

FIDO
The FIDO protocol.

“You don’t want to create the same problem [as with passwords],” says Dunkelberger. “Let’s not defeat the new security model by putting all of the keys in a centralised location without proper safeguards.”

In many ways, having your fingerprint leaked is worse than having a password leaked, since you can't simply create a new one.

By keeping verification on the device, this problem can be avoided. However, does this create a danger that we are becoming dependent on our devices for access to our resources?

According to Dunkelberger, it is for this reason that he focuses on the need for the whole security architecture to be redesigned, with technology companies making it easier for users to back up their data and the information on their devices.

As Dunkelberger notes, rarely do the likes of Google and Microsoft collaborate on a standard, so FIDO must be getting something right. With the backing of major industry, we can expect more and more of our security interactions to take place using the protocol.