FIDO2 specification has been adopted by many of the world's leading companies. For example, Microsoft, Google and Facebook have used the FIDO keys as their authentication mechanisms when deploying IoT and cloud services. In addition, ITU (International Telecommunication Union) recently approved to recognize FIDO2 as a part of international standards. With these ongoing trends, it is expected to accelerate the advent of the new era of online authentication.
According to a market research report, the overall biometrics market will reach US$30 billion by 2021, and the main drivers are from the consumer electronics and FinTech applications. These facts have brought new issues to the Taiwanese industry and government departments, since they are currently lagging behind in the global trend. In order to promote the new authentication technology, FIDO Alliance introduced the latest solutions and use cases around the world at the 2018 FIDO Taipei Seminar held recently.
Replacing risky passwords with biometric authentication
"With the rampant data breaches, phishing attacks, and other cybersecurity incidents, the traditional way to authenticate with password has created many problems. The industry is in urgent need of a more secure alternative solution," Brett McDowell, Executive Director of FIDO Alliance, said. FIDO Alliance uses the technologies such as security modules and biometrics to eliminate the need for passwords, and the FIDO certification programs are now supported by many leading companies from the consumer electronics, finance, and security industries. Currently, its board members in China and Taiwan include Lenovo, Feitian, Egis Technology, and Alibaba.
There are many FIDO UAF and U2F certified products in the market. Also, earlier this year, FIDO Alliance cooperated with W3C to combine the FIDO Client-to-Authenticator Protocol (CTAP) with W3C's Web Authentication (WebAuthn) specification in the FIDO2 standard. This has paved the way for using biometrics such as fingerprints, irises or face recognition to log into various browsers on the desktops and mobile devices, including Chrome, Edge and Firefox. In addition, FIDO's security protocol is now backed by several widely adopted hardware security modules TPM (Trusted Platform Module), SE, TEE, as well as Android and Windows 10 operating systems.
Brett McDowell also disclosed at the event that ITU has made an announcement on November 28 that it has recognized FIDO UAF and FIDO2 CTAP2/U2F as its official standard, which will definitely boost the broad deployments of FIDO2 applications. He emphasized that FIDO is committed to providing open and interoperable standards for various websites and mobile services, and its ecosystem is continuing to thrive. It is hoped that Taiwan industry can keep abreast of the latest trend and take actions. FIDO Alliance will be more than happy to provide the necessary supports.
FIDO Standard deployed in banking services, telecommunications and consumer electronics around the world
Regarding the deployments of FIDO standard around the world, it is seen that the widespread applications in Korea are contributed by the strong government support, and the applications in Japan are driven by the enterprises, while in the United States and India, banking services are the main focus, with some FIDO2 use cases being implemented for better security.
Ming Chen, Lead Research of EWS, said that EWS, which is a joint venture of several US banks, aims to provide identity, authentication, and payment solutions for banks and financial service organizations. Currently, FIDO has been used to replace login password or as second login factor for transaction authentication. As FIDO2 is ready, it will be expanded to online banking on PCs. In addition, the company is now considering to connect the FIDO-enabled mobile phone with ATM through NFC or BLE for the logging operation, in a bid to expand the FIDO use cases.
Anthony Nadalin, Partner Architect of Microsoft, explained that the use cases enabled by FIDO standard include: 2nd factor authentication, which requires both password and biometrics as the second-factor authentication, re-authentication, which requires either password or biometrics, and 1st authentication, which only uses biometrics. By reducing the reliance on passwords, a better user experience can be achieved. FIDO2 standard is already implemented on Windows 10 and Edge browsers. In addition, Microsoft accounts including Xbox, Skype, Outlook and other services can also support FIDO2. It is expected that passwordless login will become more popular in the future.
Dongpyo Hong, Vice Chairman of FIDO Korea WG, said that there are 31 companies joining the FIDO Alliance in Korea. Thanks to the active promotion by the government and mobile operators, Korea is the largest country who has lots of FIDO-certified products, followed by the United States, China and Japan. Since 2013, it has been deployed in finance, communications, education, business, and government departments. There are many use cases, including mobile payment for Samsung mobile phones, local credit card company BC card, e-commerce SK Planet, and telecom operator KT. Next, an integrated authentication platform based on FIDO combined with various security technologies will be developed in Korea. Moreover, eyeing on the future trend of decentralization, the applications for blockchain-based DID (decentralized identification code) and FIDO-based authentication will also be developed.
According to Koichi Moriyama, Chairman of FIDO Japan WG and Senior Director of Product Innovation at NTT DOCOMO, Yahoo Japan has taken the lead in deploying FIDO2 standard in October this year, while NTT DOCOMO was the first mobile operator in Japan to support FIDO UAF standard in 2015. NTT DOCOMO provides users with the ability to log into their accounts with biometric technologies such as iris or fingerprint recognition and further expands to its Dmarket services. Next, it will implement the FIDO UAF applications on Android 8.0 or later devices without any OS customizations.
Soranun Jiwasurat, Deputy CEO of ETDA , introduced the Digital ID program promoted by the Thai government and the new Digital Economy Law. ETDA is responsible for setting Digital ID standards and defining different IAL (identity assurance level) and AAL (authentication assurance level). Currently, ETDA is developing a mobile app prototype based on FIDO UAF with the highest AAL level (AAL3), which will work with "ETDA Connect", an OpenID Connect Platform, to complete the picture of digital identity authentication platform in Thailand.
Vijay Kumar, CTO of India-based eMudhra, said that the FIDO Alliance has teamed up with Indian PKI Forum to drive strong authentication and security standards. eMudhra is the largest e-signature solution provider in India. Its emAS identity system has been widely used by Internet banking platforms and government platforms, supporting UAF and U2F standards, and FIDO2 solutions are ready for the future.
How should Taiwan promote FIDO applications: Developing convenient e-services
The panel discussion of 2018 FIDO Taipei Seminar was hosted by IC Liu, CEO of Next Bank Preparation Office and the panel guests included Wei-Bin Lee, Director, Department of Information Technology, Taipei City Government, Sheng-Lin Chou, Secretary General of TAICS, Brett McDowell, Executive Director of FIDO Alliance, Soranun Jiwasurat, Representative of APKIC, and Jason Hsu, Legislator, exploring how Taiwan should use the experience of other countries to accelerate the implementation of the new passwordless authentication applications.
First, Brett McDowell pointed out that the FIDO standard has proven to have significant benefits in reducing online fraud and increasing service transaction volumes. Currently, in addition to the leading players in various industries, several countries, including the United States, the United Kingdom, Israel, and Germany, have also joined the FIDO Alliance's government program, showing that FIDO standard has gained strong traction in both the public and private sectors. For Taiwan, with its strength in the ICT industry, Taiwanese manufacturers will be able to establish unique advantages by combining IoT and FIDO key management. As for the public sector, FIDO can be used as an alternative to e-signature/PKI. By gradually supporting biometric authentication technology, Taiwan government should be able to build its own use cases.
IC Liu also echoed that biometrics is crucial for e-commerce and financial services. If Next Bank obtains the online banking license in the future, it will adopt FIDO standard and make use of the successful experiences in other countries, in bid to make Taiwan catch up with the latest trend.
According to Wei-Bin Lee, every local government has legacy information systems and solutions to provide different services, making it difficult to integrate and introduce new technologies. This is the main bottleneck for the implementation of new standards. Therefore, the comprehensive specifications and proposals are required, and the deployment must be done step by step without affecting the use of existing Citizen Digital Certificate and e-signature systems.
Sheng-Lin Chou said that the government should play a leading role in promoting the implementation of this new concept. In addition to improving the experience and security of the current Citizen Digital Certificate for the public, it is believed that FIDO standard can also be a good solution for credit card, mobile payment and other applications. Therefore, the important issue will be how to unite local players and to establish the consensus.
Finally, Brett McDowell suggested that FIDO is one of many authentication standards. Local government should first consider it as one of the options, allowing the public to enjoy more convenient e-services first, and then move toward passwordless approach. There are already many successful use cases around the world, so Taiwan should be more actively involved in the discussions to understand the deployments in other countries and to formulate appropriate policies. In terms of participating in international organizations, Egis, a board member of FIDO Alliance, has fully demonstrated its leadership in setting standards. It is hoped that more Taiwanese companies join together to form the critical mass, so as to expand the applications of FIDO standard in Taiwan.
Brett McDowell, Executive Director of FIDO Alliance
Todd Lin, COO of Egis
Ming Chen, Lead Researcher of EWS
Anthony Nadalin, Partner Architect of Microsoft
Dongpyo Hong, Vice Chairman of FIDO Korea WG & Chief Alliance officer in RaonSecure
Koichi Moriyama, Chairman of FIDO Japan WG & Senior Director of Product Innovation at NTT DOCOMO
Soranun Jiwasurat, Deputy CEO of ETDA
Vijay Kumar, CTO of eMudhra
2018 FIDO Taipei Seminar
DIGITIMES' editorial team was not involved in the creation or production of this content. Companies looking to contribute commercial news or press releases are welcome to contact us.
