The FIDO Alliance announced two new standards and certification initiatives in identity verification and the Internet of Things (IoT). These initiatives build upon the Alliance’s ongoing focus on driving the efficacy and market adoption of FIDO Authentication by addressing adjacent technology areas that leave security vulnerabilities on the web.
Specifically, the Alliance aims to strengthen identity verification assurance to support better account recovery, and automate secure device onboarding to remove password use from IoT.
The Alliance has formed two new working groups: the Identity Verification and Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG) to establish guidelines and certification criteria in these areas.
The FIDO Alliance will continue to focus on development and adoption of its user authentication standards and related programs and use them as a foundation for this expanded work, featuring contributions from current members and new industry participants.
“The FIDO Alliance has catalyzed a diverse set of stakeholders who have collaborated to answer the industry’s password problem through the standardization of FIDO Authentication – which has grown from concept to global web standard supported in leading browsers and platforms in just seven years,” said Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance.
“As we look at the threat vectors in the marketplace, however, it has become apparent that there’s a gap between the high assurance provided by FIDO Authentication standards and the lower assurance methods used in identity verification for account recovery and IoT authentication.
“This gap can be most effectively addressed through industry collaboration and standardization rather than siloed, proprietary approaches.”
Identity verification and binding working group overview
For accounts protected from phishing and other credential-based attacks with FIDO Authentication, the account recovery process when a FIDO device is lost or stolen becomes critical to maintaining the integrity of the user’s account.
Validating a user’s identity with high assurance is an important aspect of this process, as well as for account onboarding processes, meeting Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements.
The FIDO Alliance has identified newer remote, possession-based techniques including biometric “selfie” matching and government-issued identity document authentication as having the potential to greatly improve the quality of identity assurance for new account onboarding and account recovery.
The Alliance has also determined a market need for authoritative guidance, performance evaluation and certifications for their use.
The FIDO Alliance has created the IDWG to fill this need. The IDWG will define criteria for remote identity verification and develop a certification program and educational materials to support the adoption of that criteria.
The IDWG is led by co-chairs Rob Carter, Mastercard and Parker Crockford, Onfido Ltd. Other participating organizations include Aetna, Google, Idemia, Lenovo, Microsoft, Nok Nok Labs, NTT DOCOMO, OneSpan, Phoenix Technologies Ltd., Visa Inc., Yahoo! JAPAN, Yubico and the UK Cabinet Office.
IoT technical working group overview
Gartner forecasts that 20.4 billion connected things will be in use by 2020, opening up opportunities for increased efficiencies and innovation across industries. Yet, lack of IoT security standards and typical processes such as shipping with default password credentials and manual onboarding leave devices, and the networks they operate on, open to large-scale attack.
The IoT TWG aims to tackle this issue by providing a comprehensive authentication framework for IoT devices in keeping with the fundamental mission of the Alliance – passwordless authentication.
The working group will develop use cases, target architectures and specifications covering:
- IoT device attestation/authentication profiles to enable interoperability between service providers and IoT devices
- Automated onboarding, and binding of applications and/or users to IoT devices
- IoT device authentication and provisioning via smart routers and IoT hubs
The IoT TWG is led by co-chairs Marc Canel, ARM Holdings and Giridhar Mandyam, Qualcomm, Inc. Other participating organizations include Google, Idemia, Infineon Technologies, Intel Corporation, Lenovo, Microsoft, Nok Nok Labs, OneSpan, Phoenix Technologies Ltd., Yahoo! JAPAN and Yubico.