FIDO Alliance asks NIST for more effective phishing-resistant digital ID authentication measures
The industry consortium FIDO Alliance has published comments on digital identity authentication submitted to the National Institute of Standards and Technology (NIST) in response to its proposed digital ID guidelines.
In the blog post, the Alliance calls for clearer differentiation of phishing-resistant authentication tools, such as the biometric or physical token-based solutions built to its specifications, in response to NIST’s request for comments on the next version of its Digital Identity Guidelines, SP 800-63-4.
NIST issued a call in June for feedback on its proposed new guidelines for digital identity, hoping to receive input on biometric liveness and behavioral biometrics for user authentication.
The recommendations are divided into three points, exploring specific phishing-resistant tools and encouraging a stronger partnership between NIST and the FIDO Alliance.
The first recommendation for SP 800-63-4 is related to the differentiation between tools that are phishing resistant and those that are not.
“Today, a variety of authenticators based on shared secrets – including Look-Up Secrets, Out-of-Band Devices (i.e., Push), and OTP apps and tokens – are given the same weight in AAL2 as authenticators based on asymmetric public-key cryptography, such as FIDO,” reads the blog post. AAL stands for Authenticator Assurance Level.
However, according to the Alliance, given how attackers have caught up with the first group of technologies, it no longer makes sense to combine these two types of authenticators under a single designation.
“Doing so misleads implementers into thinking these two categories of authenticators are equivalent in strength or resiliency.”
To address this issue, the Alliance has provided several ideas for how it can adjust the AALs to provide more differentiation between the two categories.
The second and third points of FIDO’s recommendations suggest that NIST engage with the FIDO Alliance more consistently to explore alternative ways of enabling FIDO authenticators to meet AAL3 requirements.
The blog post also encourages NIST to provide more direct references to FIDO, since, according to the Alliance, the SP 800-63B description of Requirements by Authenticator Type is inconsistent in how it points to the standards that support each type.
An expanding partnership: Crayonic joins the FIDO Alliance
The FIDO Alliance has so far published three sets of specifications for stronger authentication: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF), and FIDO2.
The standards are used by an increasing number of biometrics and authentication companies; earlier this month, for example, LoginID partnered with Ipsidy to integrate FIDO2 authentication to fight digital fraud.
More recently, Crayonic Partners, provider of behavioral biometrics solutions, has joined the Alliance.
The partnership will see Crayonic becoming an Associate Member of FIDO, thus enhancing the Alliance’s capabilities in the field of zero-trust security and decentralized identities.
The FIDO Alliance has also published a Japanese-language interview with Kazuhide Kurosawa, general manager of software developer Runsystem, which has implemented FIDO-certified biometric authentication for its internet cafe and coworking space customers.
FIDO Alliance will hold a webinar titled ‘Leverage digital identity and passwordless access to extend your business’ this Wednesday, September 16 at 10:00 CEST. The webinar will feature representatives of AdNovum and other experts discussing how to put well-engineered identity and access management in place.