Dec 06 2013

FIDO Alliance Strives to Set Up Biometric Security Standards

Technology to replace passwords and PINs received a lot of attention when Apple released the iPhone 5s, with its Touch ID fingerprint sensor, earlier this fall.

Biometrics have been deemed by some to be the ultimate alternative to passwords and PINs. The technology received a high-profile boost when Apple introduced the iPhone 5s back in September, and the timing couldn’t have been better. Earlier this year, the FIDO Alliance was created with the sole purpose of aiding in the development of a common set of standards to simplify, secure and encourage the adoption of biometric technology.

Apple’s latest top-of-the-line iPhone features a fingerprint scanner, called Touch ID, which is ingeniously integrated into the smartphone’s home button. Word of mouth as well as reviews indicate that Touch ID, which is directly linked to iOS 7 for unlocking and purchasing purposes, is the user-friendliest application of biometrics thus far. However, since there’s currently no API, employers and third parties, for example, cannot yet take advantage of the sensor’s functionality.

In order for biometric security to gain widespread adoption, however, all stakeholders (e.g., hardware, software and security vendors; financial institutions; retailers) must agree on a common set of standards for the implementation and support of the technology.

Enter the FIDO Alliance.

An Authentication Guard Dog

Founded last February and led by such companies as MasterCard, CrucialTec, Google, Lenovo, Nok Nok Labs, NXP Semiconductors, PayPal and Yubico, FIDO Alliance membership has swelled to more than 50 from an initial half dozen.

“The rapid growth of the FIDO Alliance and the quality of our membership reflect a thriving awareness of the demands for better authentication,” said Michael Barrett, FIDO Alliance president, in a statement. “We welcome our new members, and we continue to invite all who recognize the value of enabling the broad range of strong authentication methods and devices to join the Alliance and explore this emerging technology.”

In addition to biometrics such as fingerprint and iris scanners, FIDO Alliance specifications will support additional authentication technologies, including voice and facial recognition. Existing security solutions and communications standards, such as trusted platform modules, USB security tokens, embedded secure elements, smart cards and near field communication, will also be compatible with the biometric standard, according to the organization. Furthermore, the specifications are being designed to be extensible and futureproof and to protect existing investments.

FIDO Alliance’s plan is to provide what it calls Relying Parties with a variety of choices to realize better authentication methods that overcome today’s prevailing reliance on passwords. The specifications will also emphasize a device-centric model, where authentication over the wire happens using public-key cryptography.

One of the chief goals of the biometric standard is to enable a person to use the same biometric sensor to unlock any account or access a website, for example, while keeping an end user’s biometric data private. It works by registering a user’s device on a server via a public key. Authentication happens when the device, which could be biometric or gesture-based (even), meets a challenge from the server with the private key it holds. For privacy purposes, the key issued by a user’s device to each account on each server is unique in order to avoid linkability between accounts.

Security and Convenience, Balanced

Fingerprinting is no longer the sole domain of law enforcement agencies, explained Cross Match Technologies senior vice president for standards and architecture Greg Cannon, in an interview with USA Today. Cross Match specializes in certified fingerprint capture technology and software.

“The adoption of the fingerprint swipe to log on to your laptop or Apple's latest iPhone 5s biometric security feature will continue to demonstrate the advantages of biometrics in our lives,” said Cannon. “The right combination of security and convenience supports overcoming the public perception that fingerprinting is only done for criminal applications.”

Furthermore, the idea of having a single identification method that users can never forget has become attractive to consumers and security experts alike, especially in light of how much fraud there has been of late. And the adoption of a common biometric standard, as pushed by the likes of the FIDO Alliance, would go a long way toward enabling the widespread use of biometric and gesture-based security solutions.

Also featured in the USA Today article was Shahar Blekin, chief technology officer at FST21, another biometric systems vendor. “The FIDO Alliance can help push the market forward into accepting the technology as a standard,” he said. “Eventually, biometrics and the industry as a whole will be standardized. Whether it's by groups like the FIDO Alliance or by governments, or even as a de-facto standard implemented by the technology providers, it's a necessary next step.”