macrumors bot
Original poster
Apple has joined the Fast Identity Online (FIDO) Alliance, an open industry association whose mission is to develop and promote stronger authentication standards and help reduce the world's over-reliance on passwords.


Apple joins existing members Amazon, Facebook, Microsoft, Samsung and others in a common goal to secure online connections and support the adoption of the U2F authentication standard, which the alliance hosts.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or near-field communication (NFC) devices based on similar security technology found in smart cards. U2F security keys can be used as an additional method of two-step verification in online services that support the U2F protocol, such as Google, Dropbox, and Facebook.

Chrome, Firefox, Edge, and Opera browsers natively support U2F. With iOS 13.3, Apple's Safari also supports FIDO2-compliant physical security keys like the Lightning-equipped YubiKey.

With Safari support, the YubiKey 5Ci is a useful tool that can be more convenient than software-based two-factor authentication because there's no need to enter a security code -- you simply plug it in to an iPhone or Mac (there's also a USB-C connector) to authenticate. Support for FIDO2-compliant USB security keys using WebAuthn was previously added to Safari 13 in macOS.

FIDO was founded in 2013 by a group including Lenovo and PayPal to address the lack of interoperability among strong authentication. MacGeneration was first to spot Apple's logo added to the list of board members.

Article Link: Apple Joins the FIDO Alliance to Help Develop and Promote Authentication Standards
 
As long as the outcome is something that (1) I need to have only once and can use safely with any device I might use, (2) that is convenient for me to take anywhere where a computer/phone could be that I use, and (3) that I and only I can disable from anywhere.
 
I will wait for a more advanced and secured standard that has many built-in loopholes to replace our password and security questions.
 
Been pressing my bank to do this for years (as have many other customers - there is a Q/A thread on this topic many pages long at their site). Maybe this will help convince them. Why force reliance on passwords when FIDO is an option? The bank is so progressive and great, yet fails so badly here.
 
> How about a basic connector standard? We're sick of USB-A, USB-C, Lightning port and dongle roulette.
No “we” aren’t.
> Been pressing my bank to do this for years (as have many other customers - there is a Q/A thread on this topic many pages long at their site). Maybe this will help convince them. Why force reliance on passwords when FIDO is an option? The bank is so progressive and great, yet fails so badly here.
FIDO is a second factor, not a replacement for the first factor (password).
 
> FIDO is a second factor, not a replacement for the first factor (password).
Actually, FIDO2 is single factor as well.

It supports the following methods:
  • Single Factor - Username + FIDO2 Credential
  • Second Factor - Username + Password + FIDO2 Credential
  • Passwordless Single Factor - FIDO2 Resident Key Credential
  • Passwordless MFA - FIDO2 Resident Key Credential + PIN
 
> Actually, FIDO2 is single factor as well.
>
> It supports the following methods:
>   • Single Factor - Username + FIDO2 Credential
>   • Second Factor - Username + Password + FIDO2 Credential
>   • Passwordless Single Factor - FIDO2 Resident Key Credential
>   • Passwordless MFA - FIDO2 Resident Key Credential + PIN
Thanks for the info.
 
> As long as the outcome is something that (1) I need to have only once and can use safely with any device I might use, (2) that is convenient for me to take anywhere where a computer/phone could be that I use, and (3) that I and only I can disable from anywhere.
I have U2F on a number of accounts using one of the options. I have two keys that cost me a total of £30 (approx $42). One stays at home as a backup in case I need it. The other lives on my keyring. It connects through NFC, Bluetooth or USB (Micro USB on the fob that you can connect any cable to). I only need to use it on a machine once unless I choose to log out from a service. If I do, I simply have to log into the service again (including the p/w for that service) then when asked connect the key in whatever way I want & press the button on top. Works a treat...

 
> I have U2F on a number of accounts using one of the options. I have two keys that cost me a total of £30 (approx $42). One stays at home as a backup in case I need it. The other lives on my keyring. It connects through NFC, Bluetooth or USB (Micro USB on the fob that you can connect any cable to). I only need to use it on a machine once unless I choose to log out from a service. If I do, I simply have to log into the service again (including the p/w for that service) then when asked connect the key in whatever way I want & press the button on top. Works a treat...

To me this is a horror. I finally got to the point where I no longer have to carry any keys!
 
> too many passwords - the bane of modern computing
password... modern computing? That's an oxymoron.

Passwords should have gone extinct 10 years ago. You can make a $5000 purchase with your bank card by putting in the card + PIN. Yet for online banking you need to log in with a username + password, then enter an SMS code as 2FA and another SMS code for the actual transaction. That's ridiculous.

Smart cards have existed for the past 20 years if not longer...
 
> Passwords should have gone extinct 10 years ago. You can make a $5000 purchase with your bank card by putting in the card + PIN. Yet for online banking you need to log in with a username + password, then enter an SMS code as 2FA and another SMS code for the actual transaction. That's ridiculous.

Even with smartcards, bankcard terminals are highly secure, locked down hardware with internal tamper resistance that only run certified software. Every few years, bankcard terminals have to be thrown out and replaced due to new standards (PCI).

If you don't want to apply the same level of lockdown to your PC, you'll need to do additional steps.
 
> No “we” aren’t.
>
> FIDO is a second factor, not a replacement for the first factor (password).

U2F is a second factor only, but is the older version. FIDO2 (CTAP2 + WebAuthn) allows for being a full passwordless authentication replacement.
 
> Actually, FIDO2 is single factor as well.
>
> It supports the following methods:
>   • Single Factor - Username + FIDO2 Credential
>   • Second Factor - Username + Password + FIDO2 Credential
>   • Passwordless Single Factor - FIDO2 Resident Key Credential
>   • Passwordless MFA - FIDO2 Resident Key Credential + PIN

To elaborate - you 'register' a 'FIDO authenticator' like a key fob at account creation time or while managing your account, which generates a cryptographic key pair. The public key gets associated with your account, while the private key never leaves hardware.

You can then use that key in the future to log in to that account. FIDO2 can save additional information such as an account identifier at registration time, allowing you to log in without providing any additional information. No typing in a username or password; just a tap/click to choose to authenticate, and then the action on the authenticator (button press?) to continue.

Older U2F models (and the equivalent flows for FIDO2 keys) require the site to present user-specific information in order to use the key after registration, because they don't necessarily have internal storage, or want to preserve limited hardware storage for private keys. For these cases, you have to identify the user first in order to get that user-specific information from the site - which is why these keys are only used for secondary authentication.

FIDO2 allows you to use biometrics or a PIN code to do user verification on the hardware device, to do multi-factor authentication entirely by the hardware. You generally want to do multi-factor with FIDO (either on the hardware or in concert with a separate username/password), since otherwise you are only proving possession of the hardware.
 
> Even with smartcards, bankcard terminals are highly secure, locked down hardware with internal tamper resistance that only run certified software. Every few years, bankcard terminals have to be thrown out and replaced due to new standards (PCI).
>
> If you don't want to apply the same level of lockdown to your PC, you'll need to do additional steps.
That is absolutely correct. https://directrm.com/da-pin-pad-smart-card/ would solve the problem. That way the PIN is not entered on the device's keyboard. That should be secure enough for what the average person does. For even higher security the data to be signed would need to be displayed on the secure device (in that case the card itself).
But that's just an example that we could have had a solution for that problem long ago...with barely any additional effort.
 
> That should be secure enough for what the average person does. For even higher security the data to be signed would need to be displayed on the secure device (in that case the card itself).

Not really. Those PIN solutions solve the issue of password compromise. PIN cards like those, and even the EMV standard do not solve the problem of MITM attacks which have become prevalent. A simple phishing attack can defeat PIN cards and OATH tokens. FIDO U2F and FIDO2 solve this, but require hooking into the browser to obtain domain information.

The second problem that FIDO solves is one of privacy. The protocol is specifically designed so that the same token can be used by multiple users in combination with multiple sites without the ability to correlate use. In contrast, PIN cards and smart cards had the issue of "wallet explosion" in which security concerns meant that every account needed a different card by a different vendor.
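To make the registration/assertion flow from the earlier reply and the origin binding and per-site keys described in this one concrete, here is an added Go example (not code from this thread, nor from any FIDO library) that models a resident-key authenticator holding one P-256 key per relying-party ID, signs over the RP ID hash plus origin-bound client data, and has the relying party check origin, challenge, RP ID hash and signature. Host names and challenges are constructed; authenticatorData is reduced to the RP ID hash, and attestation and user-verification flags are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator: RP ID -> private key; a constructed model of FIDO2 resident credentials, not a real CTAP2 device.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a fresh P-256 key scoped to rpID; only the public half ever leaves the authenticator.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = priv
	return &priv.PublicKey
}

// clientData is what the browser binds into the signature: the page origin and the RP's challenge.
func clientData(origin, challenge string) []byte {
	return []byte(fmt.Sprintf(`{"origin":%q,"challenge":%q}`, origin, challenge))
}

// signedMessage mirrors WebAuthn: SHA-256(rpID) as authenticatorData, followed by SHA-256(clientData).
func signedMessage(rpID string, cd []byte) (authData, digest []byte) {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return rpHash[:], d[:]
}

// Assert (browser + authenticator): the browser derives rpID from the page origin, so a look-alike host finds no key.
func (a Authenticator) Assert(rpID, origin, challenge string) (cd, authData, sig []byte, ok bool) {
	priv, found := a[rpID]
	if !found {
		return nil, nil, nil, false
	}
	cd = clientData(origin, challenge)
	authData, digest := signedMessage(rpID, cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	return cd, authData, sig, err == nil
}

// Verify (relying party): a wrong origin or challenge (a relayed login) or RP ID hash fails before the signature check.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cd, authData, sig []byte) bool {
	if string(cd) != string(clientData(origin, challenge)) {
		return false
	}
	wantAuth, digest := signedMessage(rpID, cd)
	return string(authData) == string(wantAuth) && ecdsa.VerifyASN1(pub, digest, sig)
}
```

Two registrations yield unrelated public keys, which is the "no correlation across sites" property; an assertion made on a different origin or with a stale challenge fails at the relying party even though the signature itself is valid.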
 