Internet Security is a growing priority for Americans with a January Pew Research Center Poll indicating that 64% of U.S. adults had experienced at least one form of data intrusion. In March, Congress opened the floodgates for ISPs rights to sell user data, a move met with widespread public hostility, followed by further contempt from established politicians. Following this trend, companies like Facebook, Google, and other internet giants have begun pledging user privacy as a top priority.
“Well, you know, nobody has got to use the internet,”
— Rep. Jim Sensenbrenner (Wis-R)
Enter Internet Security Alliance FIDO
FIDO with 250+ members including: American Express, Bank of America, Google, Microsoft, PayPal, and many other giants of tech, pioneered two standards that will likely come to dominate the online privacy debate, Universal Second Factor (U2F) and Universal Authentication Framework (UAF).
Universal Second Factor (U2F)
U2F gives you piece of mind by taking part of your security outside of your device. The protocol is built into a number of web browsers, most notably Google Chrome through Google Passwords. Users need only carry their U2F key with them.
Since U2F keys carry part of your identity on the password, services need not require long passwords with complicated specifications. You just insert the key and tap the button on its face, or in the case of NFC-enabled devices, just tap it against the contact.
Universal Authentication Framework (UAF)
While U2F is designed to make services using passwords more secure, UAF is designed to replace them altogether. UAF enables users to sign in using their fingerprint, retina, facial, or voice scans in order to validate their identity. These methods all use hardware currently in place on laptops, tablets, and phones, so imagining the transition to these means of security a simple task.
Under the hood
Both methods rely on a popular method of encryption called Public Key Cryptography (PGP), so signing up with either method is actually just registering a public address. The device (in the case of U2F) or biometric scan (in the case of UAF), sends your private key validating your ownership of the public key.
What differentiates this process from PGP is that you do not maintain your private key yourself. The FIDO protocol manages the private keys, your authentication choice whether U2F or UAF, releases your private key from their secure protocol, completing the sign-in process without the worry of managing your key or possibly exposing it to lurking hackers.
Why are FIDO’s Authentication tools superior?
U2F and UAF were not created without purpose. They are intentionally designed to improve upon authentication methods already in place. As many as 80 percent of mobile phones now sold are capable of supporting these standards.
Existing login authentication methods fall into three types:
- One-Time Passwords via text or apps
- TLS Certificates
One-time passwords sent through texts or in apps are at risk of being intercepted by third parties. Once your phone number is compromised, attackers only need your password to gain access to your accounts.
Smartcards require access to a computer with specialized hardware built-in or that users supply their own card reader accessory.
TLS certificates offer reasonable protection but effectively using them requires considerable knowledge of individual users. Once a host of these certificates is hacked, your information is completely vulnerable.
FIDO’s standards for internet security are likely to stick with us for some time, solving major issues in account authentication while remaining easy to use. In one Google Engineer’s words:
“Security Keys were designed from the ground up to be practical: simple to implement and deploy, straightforward to use, privacy preserving, and secure against strong attackers”
Show Comments (0)