Future Ecosystems for Secure Authentication and Identification

Username/Password is still the prevailing authentication mechanism for internet based services – but it is not secure! We show how new authentication and identification mechanisms focused on usability and security can change this and which role the FIDO A



rt 1 | A brief outline of the FIDO approach

Malte Kahrs
MTRIX GmbH, Stadtkoppel 23a, 21337 Lüneburg
[email protected]

1 Today’s Authentication Infrastructure: Security vs. Usability

In today’s authentication infrastructure, with dozens of different passwords to remember, most users choose weak passwords or reuse the same e-mail address and password combination on multiple websites. This makes online fraud easier: credentials stolen from one site let attackers log into the other websites their victims use. In the end, online service providers face constantly increasing costs caused by online fraud, so strong online authentication has become an increasingly important requirement. Unfortunately, most solutions for strong security are complex, expensive and harder to use, especially on mobile devices. Because of this poor usability, most users and employees avoid strong authentication methods whenever they can. Enterprises, on the other hand, face huge costs for strong authentication mechanisms and are then tied to one vendor. Ideally, a future ecosystem for secure authentication and identification therefore has to meet all of these requirements from consumers, online service providers and enterprises at the same time: strong authentication methods, privacy, usability, and interoperability among different authentication devices. In the light of these issues the FIDO (Fast IDentity Online) Alliance was formed in July 2012.

© Springer Fachmedien Wiesbaden 2015 H. Reimer, N. Pohlmann, W. Schneider (Eds.), ISSE 2015, DOI 10.1007/978-3-658-10934-9_2


2 FIDO – Simpler and stronger Authentication

The FIDO Alliance is a non-profit organization nominally formed in July 2012 with the goal of revolutionizing online authentication with an industry-supported, standards-based open protocol that not only gives users more security but is also easy and convenient to use. This new standard for security devices and browser plugins permits any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices. The core ideas driving the FIDO Alliance’s efforts are:

• Making strong authentication secure and easy to use
• Protecting consumers’ privacy (for more information please see „The FIDO Alliance: Privacy Principles Whitepaper“¹)
• Reducing the costs resulting from exposure to breaches for online service providers
• Lowering infrastructure costs and complexity for enterprises

Within the final 1.0 specifications, published in December 2014, there are two FIDO protocols that reflect different use cases: UAF (a passwordless user experience) and U2F (a second-factor user experience). While they were developed in parallel and are separate within the final 1.0 specifications, the two protocols can be expected to harmonize in the future. (For more information on FIDO Authentication and the 1.0 specifications please see „The FIDO Alliance: December 2014 Whi
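To make the second-factor (U2F-style) idea concrete, here is an added illustration of the challenge-response at the heart of the FIDO approach. This is example code written for this page, not code from the paper, from MTRIX or from the FIDO specifications, and it simplifies: the authenticator is an in-memory struct keyed by origin string (a real device returns an opaque key handle), the hash layout of the signed data is an assumption, and the origins are constructed sample values. What it does show faithfully is why the scheme resists the credential reuse described in section 1: the server stores only a public key, each login signs a fresh challenge bound to the server's origin, and a signature counter lets the server notice replays or a cloned device.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models a U2F-style device: one P-256 key pair per relying-party
// origin (assumption: keyed by origin string for the example) and a monotonic
// signature counter. Private keys never leave the device.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register creates a fresh key pair bound to origin and returns only the
// public key for the server to store; there is no shared secret to steal.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Assertion is the device's answer to a login challenge.
type Assertion struct {
	Counter   uint32
	Signature []byte // ASN.1 DER encoded ECDSA signature
}

// signedData binds the signature to origin, counter and challenge (layout is an
// assumption of this example) so it cannot be replayed or redirected elsewhere.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(ctr[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge for the origin the browser reports. A look-alike
// phishing origin has no registered key, so the device refuses to sign.
func (a *Authenticator) Sign(origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential registered for origin " + origin)
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(origin, a.counter, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{Counter: a.counter, Signature: sig}, nil
}

// RelyingParty is the server side: it keeps the public key and the last
// counter value seen for this credential, nothing secret.
type RelyingParty struct {
	Origin      string
	PublicKey   *ecdsa.PublicKey
	LastCounter uint32
}

// NewChallenge returns a fresh random nonce; every login must use a new one.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	return ch, nil
}

// Verify checks the signature over the server's own origin and challenge, and
// rejects a counter that did not advance (a replay or a cloned authenticator).
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	if as.Counter <= rp.LastCounter {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(rp.PublicKey, signedData(rp.Origin, as.Counter, challenge), as.Signature) {
		return errors.New("invalid signature")
	}
	rp.LastCounter = as.Counter
	return nil
}

func main() {
	const origin = "https://bank.example" // constructed sample origin
	dev := NewAuthenticator()
	pub, _ := dev.Register(origin)
	rp := &RelyingParty{Origin: origin, PublicKey: pub}

	ch, _ := rp.NewChallenge()
	as, _ := dev.Sign(origin, ch)
	fmt.Println("genuine login:", rp.Verify(ch, as))      // <nil>
	fmt.Println("replayed assertion:", rp.Verify(ch, as)) // counter error
	_, err := dev.Sign("https://bank-example.net", ch)    // constructed look-alike origin
	fmt.Println("look-alike origin:", err)
}
```

Run with `go run` to see the three outcomes. The design choice worth noting for a defender is that the server-side record (public key plus counter) is useless to an attacker who steals it, which is precisely the property a leaked password database lacks.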