Authenticate Day 2 Highlights Identity, IoT and the Passwordless Future
By: FIDO ALLIANCE STAFF
After a busy and eventful first day of sessions of the Authenticate conference, the second day continued the trend with a full lineup of insightful speakers and sessions.
Multiple speakers including those from CVS, NTT Docomo and Intuit outlined their respective efforts using FIDO standards as a base to improve authentication and move toward a passwordless future.
Looking beyond user authentication, the co-chairs of the FIDO Alliance Identity Verification and Binding Working Group (IDWG) outlined how the Alliance is expanding its efforts to help enable identity verification as well. FIDO2 WebAuthn was the topic of discussion during a Lunch and Learn session, providing technical details on how FIDO works from the developer perspective. Looking to the future, members of the FIDO Alliance IoT working group detailed how the future of IoT device onboarding and authentication might work with FIDO.
A key theme throughout the day’s sessions was about the value that organizations, individuals as well as industries as a whole, can gain from FIDO Alliance efforts.
In a morning session, Dr. Rae Rivera, certification director for the FIDO Alliance outlined the benefits of FIDO certification and the path to get there, in a way that enables interoperability and market differentiation.
“We have found that organizations have seen around a 30% saving in their purchase operation when buying products that have been developed against industry standards,” Rivera said.
The FIDO Fit for Identity Verification
Authentication is at the core of what the FIDO Alliance and its specifications are all about. There is however another class of issues that are related to authentication where FIDO might soon be playing a key role. That area is in identity proofing which comes into play for account creation and account recovery activities. Within the FIDO Alliance, this work is led by the Identity Verification and Binding Working Group (IDWG)
“The work we are doing in the IDWG is identity-proofing as opposed to authentication,” commented Rob Carter Director, Product Development for Identity Solutions, Mastercard and co-chair of the IDWG . “There is a gap with account recovery and IDWG is trying to help close that gap.”
Carter explained that part of the IDWG’s efforts are to define acceptance criteria for identity document verification and then building test programs to support the adoption of those criteria. Additionally, the IDWG will be working on defining acceptance criteria for facial similarity match, an approach more commonly known as “selfie match.” With both the selfie and document match, a user has to provide the information or live picture to prove that they are who they say they are to confirm identity.
IDWG co-chair Hsin Hau Hanna explained that a key part of the ID proofing process is also verifying the integrity of the process that validates a given identity.
“The ultimate goal of having these ID proofing mechanisms in place is really to go back to enabling the FIDO authentication mechanism,” Hanna said. “So there’s a very important step in between those two which is how to make sure that we bind the ID proofing ourselves to the FIDO authenticator.”
FIDO for IoT
Another key area where FIDO Authentication will play a key role in the future is with the Internet of Things (IoT).
Intel’s Richard Kerslake who co-chairs the IoT working group explained during a session that one of the key goals of the group is to develop a standardized solution that automates the whole challenge of onboarding devices. Kerslake noted that it typically takes 20 minutes or more to onboard a new device.
“We want companies to be able to drop ship their device to the point of installation, have a semi skilled technician present to connect it to the network, and then then have all of the provisioning handled in a secure and automated fashion,” Kerslake said.
A key part of the effort to enable secure authentication with IoT devices is with the Secure Device Onboard (SDO) project which was started by Intel and is now part of the Linux Foundation’s LF Edge organization. Giridhar (Giri) Mandyam Chief Security Architect – IoT and Automotive, Qualcomm and co-chair of the IoT working group explained that the SDO project is effectively an open source implementation of the FIDO IoT standards. While much has been done, he emphasized that it’s still a work in progress that won’t be finalized until early 2021.
“Solving the challenge of secure device onboarding in the IoT world we believe is critical to the safe growth of IoT,” Mandyam said. “The FIDO Alliance, and its members, are really making great progress here.”
Moving Toward a Passwordless Future with FIDO
Among the end user organizations that spoke on the second day of Authenticate was CVS Health. Amy Ulrich, security advisor at CVS Health commented during a session that her company is on a path to help make its consumer authentication experience not only secure, but easier to use. CVS Health is also on a path toward enabling passwordless experiences for consumers wherever possible.
Cisa Kurian, senior security advisor at CVS Health said that her company is building out an authentication platform to provide passwordless authentication capabilities in its web, mobile, IoT and voice applications.
“Our goal is to increase friction for a potential threat actor, while enabling ease of use for the legitimate user,” Kurian said.
NTT Docomo is also on a journey to create a passwordless experience for its users in Japan. Koichi Moriyama, Senior Director of Security Service and Platform at NTT DOCOMO detailed his organization’s FIDO adoption path beginning with the deployment of UAF 1.0 standards in 2015 and more recently moving to support FIDO2 standards.
“NTT Docomo is on a journey to create a world without passwords,” Moriyama said.
Intuit is also on the passwordless journey to help the customers of its various platforms including Turbotax, Quickbooks and Mint. Marcio Mello, Head of Product for Identity and Profile Platform & Solutions at Intuit, emphasized that consumers just want to get their own jobs done and don’t want to be wasting time with authentication. Reducing the friction associated with authentication, while still maintaining the highest levels of security is critical for Intuit.
Mello explained how Intuit has embraced FIDO standards to help reduce authentication friction for users. The end result has been a measurable improvement to Intuit’s operations.
“Identity and authentication, instead of being a source of pain and drop is actually a source of reduction of costs and increase of customer satisfaction,” Mello said. “So we are now part of the success of the company.”
Authenticate Day 3 is Jam Packed
Coming up for day 3 of Authenticate is another packed slate of informative sessions. The opening session will see speakers from MassMutual and HYPR providing insight into how passwordless is taking the center stage for the next generation of authentication… We’ll also see more companies detail how they are leveraging FIDO Authentication to protect their customers and employees including PNC Financial Services and Target, among others. The day will close out with a great panel session on the topic of standards and the future of payments – we can’t wait to see you there!