FIDO announces FIDO2
The FIDO (Fast IDentity Online) Alliance is now pushing further its objective of bringing about an ecosystem for standards-based, interoperable authentication. The alliance started a few years ago with two specifications: UAF (Universal Authentication Framework), a passwordless model in which the user unlocks an authenticator on the device with a biometric or a PIN, and U2F (Universal Second Factor), in which a physical device such as a USB security key is added as a second factor on top of a password. Both are built on public-key cryptography: the authenticator generates a key pair per service, the service stores only the public key, and each login is a challenge-response in which the authenticator signs a challenge issued by the server. The FIDO specifications provide models for the registration and login (authentication) operations.
FIDO’s strength lies in its impressive list of supporters. FIDO Board-level members include Alibaba, Amazon, American Express, ARM, Bank of America, Gemalto, Google, Infineon, Intel, Lenovo, Line, MasterCard, Microsoft, NTT Docomo, NXP, Idemia, PayPal, Qualcomm, RSA, Samsung, Vasco and Visa, among many others.
The standardization process goes along with the setup of a certification framework (conformance tools, test labs, etc.), leading to an extensive list of certified products including authenticators, clients and servers.
Now, in order to bring even better security, the alliance is introducing FIDO2, which aims to improve user friendliness and security at the same time. FIDO2 is built to resist phishing attacks (a credential is bound to the web origin it was registered for, so a look-alike site cannot use it), to be secure against server break-ins (the server stores only public keys, which are of no use to an attacker who steals the database), to let one authenticator be used with different machines, to provide a cryptographic proof of possession of the key at every login, and to allow relying parties to differentiate based on the client platform and the strength of authentication, using attestation.
The FIDO2 protocol is to include the following functions:
FIDO Web API - defines a web API that allows web pages to create and use strong public-key credentials through browser JavaScript.
FIDO Client To Authenticator Protocol (CTAP) - defines an application-layer protocol for communication between a personal device with cryptographic capabilities (the authenticator) and a host computer (the client), over transports such as USB, NFC and Bluetooth; typically, CTAP will standardize the use of a security key or a handset as an authenticator.
FIDO Key Attestation - defines generic data structures that cover the semantics of FIDO attestation, i.e. how an authenticator proves to the relying party which model it is and under which conditions a key was created.
The web part of FIDO2 consists of the Web Authentication (WebAuthn) specification from the W3C.
A full environment is planned for FIDO2, including FIDO2 servers as well as the complete test and certification framework.