The faster the increase in the number of digital processes, the greater the demand for security. This development means that the issue of straightforward, yet secure authentication is becoming increasingly important. Studies show that more than two thirds of all users worldwide use just one password to protect their digital identities, surf the net or buy online. This is often detrimental to security. The FIDO Alliance (Fast IDentity Online) has set itself the task of revolutionizing online authentication and establishing uniform global standards for it. The Munich-based technology group Giesecke & Devrient (G&D), a specialist in secure communication and identity management, has now joined the FIDO Alliance.
The more processes take place on the Internet and the more personal content is saved on mobile devices, the greater the need among personal and business users for straightforward yet secure authentication.
This is the objective of the FIDO Alliance. The international industrial consortium aims to simplify online authentication and make it more convenient for users while maintaining the highest standards of security. The collective development of open, scalable, and interoperable mechanisms is expected to reduce dependence on passwords and allow secure authentication for online services. Websites or cloud applications can use the unified standard to connect easily to a range of FIDO-compatible devices.
This simplifies a large number of processes, such as those in m-commerce or mobile payments. For example, consumers only have to register with PayPal once. A key pair is then generated on the device, ideally on a smart card. The private key remains on the device, while the public key is sent to the service provider. Using a "challenge–response" process, authentication can then take place simply and securely without the need for a username or password. This approach rules out two major attack scenarios used by cybercriminals, namely phishing and server-side attacks. A separate key pair is generated for each additional service provider that the user registers with.
It is important to note that authentication always takes place from the end device to the service provider, never through a central FIDO server used by multiple providers. The best way of handling the private keys securely on the device is with a smart card.
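The registration and challenge–response flow described above, as an added example that is not part of the original release and not FIDO Alliance code: a simplified Node.js model, not the FIDO wire format. The class names `Authenticator` and `ServiceProvider`, the `.example` origins, and the choice to sign the origin together with the challenge are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Device side (hypothetical model): one key pair per service provider.
class Authenticator {
  #keys = new Map(); // origin -> private key; never leaves this object
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#keys.set(origin, privateKey);
    return publicKey; // only the public half is sent to the provider
  }
  // Signs the challenge bound to the origin the device is actually talking to.
  sign(origin, challenge) {
    const key = this.#keys.get(origin);
    if (!key) return null; // no credential exists for a look-alike origin
    return crypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Provider side (hypothetical model): stores public keys, issues single-use challenges.
class ServiceProvider {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  verify(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user); // a challenge is accepted once, so replays fail
    const pub = this.users.get(user);
    if (!c || !pub || !signature) return false;
    return crypto.verify('sha256', Buffer.concat([Buffer.from(this.origin), c]), pub, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const shop = new ServiceProvider('https://shop.example'); // constructed origins
  const bank = new ServiceProvider('https://bank.example');
  shop.enroll('alice', device.register(shop.origin));
  bank.enroll('alice', device.register(bank.origin));
  const sig = device.sign(shop.origin, shop.newChallenge('alice'));
  const ok = shop.verify('alice', sig);      // fresh challenge, correct key
  const replay = shop.verify('alice', sig);  // same signature presented again
  bank.newChallenge('alice');
  const crossSite = bank.verify('alice', sig); // shop credential is useless at the bank
  const phish = device.sign('https://sh0p.example', shop.newChallenge('alice'));
  return { ok, replay, crossSite, phishSigned: phish !== null, storedType: shop.users.get('alice').type };
}
```

The provider's user table holds only public keys, so a copy of it gives an attacker nothing to sign with, and the device has no key to use for an origin it never registered with.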
Axel Deininger, Head of the Enterprise Security/OEM division at Giesecke & Devrient, comments: "G&D is the expert in authentication services and management, a leader in the field of secure elements, supplies smart cards and SIMs, and takes on its customers' full life cycle management in the security sector. We bring our expertise as a recognized authentication expert to FIDO's work. We will make use of our smart card know-how to benefit the consortium and drive forward the use of open standards in our customers' interests in environments where security is critical. This will also further solidify our position as a global player in the authentication market."