FIDO Alliance Password-less Authentication Spec.

2 minute read

[Edited 2015-02-02]
Last month, the FIDO Alliance released specifications that attempt to remove passwords from authentication. A few years ago, Google was already "declaring war on passwords", even publishing an interesting article in IEEE Security and Privacy: Authentication at Scale. While some improvements have been made, like Google Authentication for 2-factor authentication, it does not appear to be widely implemented.

The FIDO Alliance, however, is looking to change that with their Universal Authentication Framework (UAF) and Universal Second Factor (U2F) standards.

UAF and U2F process graphic from the FIDO Alliance

Apparently a device with the UAF stack accepts either biometric input or a pin code to authenticate to UAF. UAF itself apparently keeps the user's private key for associated websites. This key is used to send a login response when challenged.
A site or browser prepared to accept FIDO authentication can/will offer a user the option if a FIDO device is present. The first time a device is identified, a user will be offered the option to register their FIDO authenticator and use it. Subsequently, the registered device is automatically detected at the site and the user is presented with options for authentication, until/unless the user opts in or out. Please note that FIDO authentication is entirely device-centric. The authentication exchange occurs only between the FIDO device and the authenticating FIDO server, and the exchange is only in crypto.1
U2F is not much different. It appears to be a USB or similar device much like PAM USB. Because the authentication is device-centric, backup pass codes to unlock the device are not interesting to an attacker (unless they can get local access).
Though a U2F device may store a password (really, it can be a 4-digit PIN) as a fallback for a user to unlock their own device locally (to effect changes, for example), this application can use a very simple, fixed password or code. In this way, the U2F PIN is not at all like OTP. The PIN available to a U2F user never needs to change, because it never does anything but allow a user to unlock the device locally. The PIN is only relevant to the FIDO device, so there is never the need to share to a server or a network, such as OTP must do. It has no value to a hacker, because it is meaningless to the server.1
While this system may help with support for better authentication, of course there will have to be a 'fall back' method. Right now this comes in the form of backup one-time-passwords, which criminals have proven are easily stolen. Overall, this system appears to still be vulnerable to downgrade attacks (not every system will support this standard), and ultimately user error, but it does make things more difficult for mass attacks while still (potentially) being relatively easy for the end user.

Rightly, the FIDO Alliance answers the question "What makes FIDO different?" The answer being that they are providing on online crypto / authentication framework. Luckily, the FIDO Alliance has some big names that should be able to support large-scale standards like this for a long time. If not, basic passwords are better than security systems that can't be updated.

1 Clarification provided by Suzanne Matick

Leave a Comment