Recently Apple, which has long prided itself on its devices’ security, announced that it has joined the FIDO Alliance as a board member. While conversations around this move have largely focused on the consumer – enhanced security without passwords – businesses should also be aware of the benefits.
By joining the alliance and incorporating FIDO-based authentication, Apple has made it easier for businesses across the globe to roll out cost-effective identity management systems, using corporate managed or their employees’ own devices.
Using browser-independent Web Authentication (WebAuthn), a World Wide Web Consortium (W3C) global standard supported by all leading browsers and platforms, companies have an API that makes it simple to integrate strong authentication into apps, browsers and web-based platforms. This means that a FIDO credential issued by an organisation can be used by its employees to authenticate their identity and access web-based corporate systems and resources.
For those pushing for seamless, secure user authentication that finally kills the password, it’s an exciting time as the momentum towards strong multi-factor authentication continues to build.
The FIDO Alliance was formed in 2012 with the goal of providing secure, convenient multi-factor authentication for everyone. It began by adopting a protocol (U2F) that used second-factor hardware, typically a USB token, to augment username/password website logon. This was then complemented by a second model, UAF, intended to let mobile devices authenticate without needing passwords at all.
Recognising that most remote transactions are based on essentially one-to-one trust, and that modern devices have ample capacity for storing cryptographic keys, the protocols were designed to provide a high level of privacy by using a distinct key pair for each relying party. The keys are placed under the control of the end user, with each relying party responsible for maintaining the binding between a user’s public key and their service account.
Of the two ‘FIDO 1.0’ protocols, UAF is by far the more functional, offering secondary features such as transaction signing. It became evident, however, that a unified approach was needed, which led to the development of FIDO 2.0 and the resulting W3C WebAuthn standard. This standard expanded the capabilities to embrace RSA signature keys, extended cryptographic module support and the use of ‘roaming’ authenticators such as smart cards or SIMs.
This is all great news for anyone who cares about security but doesn’t like the inconvenience of most existing alternatives.
However, FIDO-based authentication isn’t without its challenges. Chief among these is the burden that managing the keys and devices places on each of us.
The FIDO protocols define the raw registration and authentication exchanges, but do not extend into vital areas such as lifecycle management, which makes a lost or replaced phone a hurdle to overcome.
That situation becomes even more critical when FIDO credentials are used in a corporate environment alongside numerous other means of authentication. A unified credential management system is therefore essential to the integrity and security of the organisation.
Choosing the right solution here can also give users and customers a near-frictionless experience.
However, whereas traditional means of authentication can easily be managed centrally, with ‘push’ models to provide updates and published credential status lists to support third-party trust, FIDO does not naturally lend itself to this.
The validation of a FIDO credential (checking its signature against the registered public key) is well defined, but asserting the status of that credential, such as whether it is still active, suspended or revoked, is entirely dependent on the authentication service and the corresponding identity and credential management system.
A solution growing in popularity
One solution to this dilemma is to include an authentication server that supports FIDO and other managed authenticator form factors for deployment within your enterprise. This can also be extended to receive delegated authentication requests from existing services such as ADFS.
This means that you can have all of the benefits of sophisticated lifecycle management for credentials (including renewals, recovery, replacements and multiple devices), coupled with roles and permissions to include in your OAuth tokens, all coordinated via a secure administration console.
For organisations looking to roll out policy-controlled self-service identity management operations, these types of system make it easy for your users to administer their own devices without placing high levels of demand on your help desk and service administrators.
Strong authentication, easy access
The range of consumer devices supporting FIDO-based security is increasing, such that the majority of employees can be expected to own such a device – typically a personal or company-issued smartphone. Organisations looking to better manage who can authenticate to their premises or network therefore have another cost-effective option open to them.
This makes rolling out strong multi-factor authentication easier and cheaper than many alternative solutions, which can otherwise involve purchasing large quantities of specialist hardware that is easily forgotten or misplaced. The employee-facing app on that device is supported by a centralised console on the back-end to manage the credentials bound to employees – from creation, to changing access requirements as roles change, to decommissioning when employees leave the organisation or lose their device.
While in previous years this kind of technology was expensive and difficult to deploy in all but the biggest organisations with the largest budgets, recent innovation has made it much more affordable.
It has never been more important for IT leaders in organisations of all shapes and sizes to protect the data they hold, but with so many multi-factor authentication vendors in the market, it has become difficult for CISOs to know the advantages and disadvantages of each technology and what will work best for them. We will always champion the strongest methods of multi-factor authentication – thankfully, new innovation and falling technology costs are making these even more employee-friendly.
So, whether you want to have strong authentication without running a Certificate Authority, or you want to manage trusted access for your supply chain alongside a full range of signing and encryption applications, it’s time to take a look at FIDO.
Dr Chris Edwards, Chief Technical Officer, Intercede