FIDO Alliance asks NIST for more effective phishing-resistant digital ID authentication measures

Calling for stronger classifications of tools

The industry consortium FIDO Alliance has published comments on digital identity authentication submitted to the National Institute of Standards and Technology (NIST) in response to its proposed digital ID guidelines.

In the blog post, the Alliance calls for stronger differentiation related to phishing-resistant authentication tools, such as the biometrics or physical token-based solutions in line with its specifications, in response to NIST’s comment request on the next version of its Digital Identity Guidelines SP 800-63-4.

NIST issued a call in June for feedback on its proposed new guidelines for digital identity, hoping to receive input on biometric liveness and behavioral biometrics for user authentication.

The recommendations are divided into three points, exploring specific phishing-resistant tools and encouraging a stronger partnership between NIST and the FIDO Alliance.

Three points

The first recommendation for SP 800-63-4 is related to the differentiation between tools that are phishing resistant and those that are not.

“Today, a variety of authenticators based on shared secrets – including Look-Up Secrets, Out-of-Band Devices (i.e., Push), and OTP apps and tokens – are given the same weight in AAL2 as authenticators based on asymmetric public-key cryptography, such as FIDO,” reads the blog post. AAL stands for Authenticator Assurance Level.

However, according to the Alliance, given how attackers have caught up with the first group of technologies, it no longer makes sense to combine these two types of authenticators under a single designation.

“Doing so misleads implementers into thinking these two categories of authenticators are equivalent in strength or resiliency.”

To address this issue, the Alliance has provided several ideas for how NIST can adjust the AALs to provide more differentiation between the two categories.

The second and third points of FIDO’s recommendations suggest that NIST engage with the FIDO Alliance more consistently to explore other alternatives that would enable FIDO authenticators to meet AAL3 requirements.

The blog post also encourages NIST to provide more direct references to FIDO because, according to the Alliance, the SP 800-63B description of Requirements by Authenticator Type is inconsistent in how it points to standards that support each type.

An expanding partnership: Crayonic joins the FIDO Alliance

The FIDO Alliance has so far published three sets of specifications for stronger authentication measures: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF), and FIDO2.

The standards are used by an increasing number of biometrics and authentication companies. Earlier this month, for example, LoginID partnered with Ipsidy to integrate FIDO2 authentication to fight digital fraud.

More recently, Crayonic Partners, provider of behavioral biometrics solutions, has joined the Alliance.

The partnership will see Crayonic becoming an Associate Member of FIDO, thus enhancing the Alliance’s capabilities in the field of zero-trust security and decentralized identities.

The FIDO Alliance has also published a Japanese-language interview with Kazuhide Kurosawa, general manager of software developer Runsystem, which has implemented FIDO-certified biometric authentication for its internet cafe and coworking space customers.

FIDO Alliance will hold a webinar titled ‘Leverage digital identity and passwordless access to extend your business’ this Wednesday, September 16 at 10:00 CEST. The webinar will feature representatives of AdNovum and other experts discussing how to put well-engineered identity and access management in place.
