High-tech giants want to kill the password thanks to biometrics


The new FIDO security standard combines biometrics and asymmetric encryption to simplify access to online services without degrading the level of security. To the delight of users.


Tools are becoming increasingly complex and sophisticated, but one thing changes only very slowly: identification and authentication. In the majority of cases, we still use the good old login and password, even though this is no longer really suited to today's uses.
Who actually manages to remember 20 completely abstract passwords in order to log in to their various online services?



To get past this anachronism, many high-tech giants, including Google, PayPal, Visa, Mastercard, Samsung and Microsoft, got together to imagine a new way to authenticate. A first result was released yesterday, under the very canine name "FIDO 1.0" (Fast IDentity Online). This new standard wants to take advantage of the biometric capabilities of our devices either to make the password step disappear (FIDO UAF) or to supplement it with a second authentication factor (FIDO U2F).

Fingerprint, voice biometrics, facial recognition...

How does FIDO UAF work? The user of a FIDO-compatible online service chooses a local authentication technology, depending on the hardware they have available. This may be a fingerprint reader, a camera for facial recognition, a microphone for voice recognition, a USB security key, etc.

During the first use, the FIDO application installed on the device (called the "authenticator") captures the characteristic data from the selected technology, for example a fingerprint template, to generate a private key and a public key. The private key and the fingerprint are stored securely on the device; the public key is transmitted to the servers of the online service.



From then on, when the user wants to log in, the device reads their fingerprint, which has the effect of sending the online service an authentication message signed with the private key. This signature is validated using the public key, and presto, open sesame. In the case of the FIDO U2F standard, it is pretty much the same, except that the user must additionally enter his password. This procedure is rather reserved for particularly sensitive actions: a login from an unknown location, a financial transaction, etc.
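The registration and login steps described above can be sketched as follows. This is an added example, not code from the FIDO specifications or from the article; it is a simplified model whose class names, method names and host name are assumptions, and the random challenge with single-use handling is an assumed detail showing how a service keeps a captured signed message from being replayed.

```javascript
// Simplified model, not the FIDO UAF wire format; all names are hypothetical.
const crypto = require('node:crypto');
// Authenticator: runs on the user's device. localUserCheck stands in for the
// fingerprint/face/voice match; its input is never sent to the service.
class Authenticator {
  constructor(localUserCheck) { this.localUserCheck = localUserCheck; this.privateKey = null; }
  register() {
    if (!this.localUserCheck()) throw new Error('local user verification failed');
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKey = privateKey; // stays on the device
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is sent
  }
  sign(challenge, appId) {
    if (!this.localUserCheck()) throw new Error('local user verification failed');
    return crypto.sign('sha256', Buffer.concat([Buffer.from(appId), challenge]), this.privateKey);
  }
}

// Online service: keeps one public key per user, no password and no biometric.
class Service {
  constructor(appId) { this.appId = appId; this.keys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.keys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  login(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.keys.get(user);
    this.pending.delete(user); // single use: a replayed response finds no challenge
    if (!challenge || !pem) return false;
    const signed = Buffer.concat([Buffer.from(this.appId), challenge]);
    return crypto.verify('sha256', signed, crypto.createPublicKey(pem), signature);
  }
}

// Constructed run: enroll, log in, then try to reuse the same signed response.
function demo() {
  const service = new Service('https://service.example');
  const device = new Authenticator(() => true); // simulated matching fingerprint
  service.enroll('alice', device.register());
  const sig = device.sign(service.newChallenge('alice'), service.appId);
  const first = service.login('alice', sig);
  const replay = service.login('alice', sig); // challenge already consumed
  service.newChallenge('alice');
  const stale = service.login('alice', sig); // signed the old challenge
  return { first, replay, stale };
}
```

Only the PEM public key and the signatures cross from `Authenticator` to `Service`; the local check result and the private key never do.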

An open technology

The beauty of FIDO is that the standard is very open and can work with any service and any device. On a smartphone, the FIDO authenticator can be integrated directly into the mobile app of the service in question. On a desktop computer, it may take the form of a browser extension. Furthermore, it should be noted that biometric data never leaves the device; the only exchanges with the online service go through the asymmetric encryption algorithm.

Google was the first to integrate FIDO into its service. It is now possible to use a USB dongle as a second authentication factor. The company Nok Nok Labs, for its part, offers websites a platform called S3 Authentication Suite that makes it possible to implement FIDO UAF-type authentication, notably through the fingerprint reader of the Samsung Galaxy S5 or the iPhone.

This is also quite amusing, because Apple is not part of the FIDO Alliance. And for good reason: the firm hopes to spread its own authentication technology, based on Touch ID.
