FIDO Alliance creates user-experience guidelines for online security

The Faster Identity Online Alliance has established its first user-experience guidelines and delivered new standards designed to more quickly move authentication processes past traditional username-and-password combinations.

FIDO Alliance authentication is now in operation on more than 4 billion devices worldwide and all major browsers and operating systems. It enables simple sign-in experiences, such as the use of biometrics, as an alternative to static passwords.

“Eliminating the reliance on passwords is now a major objective for everyone offering online services — both to provide a more seamless yet secure access to consumer services, as well as to address the growing threat from sophisticated attacks targeting distributed workforces and systems,” Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance, said in a press release Wednesday.

A key enhancement, called enterprise attestation, gives a company's IT team improved management of the FIDO authenticators used by employees. It enables better binding of an authenticator to an account and assists with usage tracking and other management functions, including credential and PIN management and the biometric enrollment required in the enterprise.

In addition, cross-origin iFrame support allows web-based e-commerce transactions to be completed with pop-up windows on a browser. This new standard eliminates earlier fears that using a pop-up window would make potential man-in-the-middle and man-in-the-browser attacks more prevalent.

iFrame support provides a secure, encrypted process for the transactions without revealing data pulled from multiple domains such as the originating vendor, the user's bank account or a credit card issuer. It would also help keep the authentication workflow moving, without a lot of back-and-forth network traffic and latency delays, when users are connecting via bandwidth-limited processes such as Bluetooth or poor Wi-Fi signals.

Other updates include a stronger process for biometric enrollment and management, including the setting of minimum PIN lengths. The standard allows FIDO to stay current as more mobile devices include facial and fingerprint recognition.

FIDO is also adding support for Apple's method of doing attestation on its devices using web authentication protocols.

A process called discoverable credentials has also been added, enabling passwordless workflows to re-authenticate a user. The authentication dialog automatically finds and applies an existing credential and asks for user confirmation.

FIDO's user-experience guidelines will complement the new standards through an effort to get more consumers to understand FIDO and to register for its protections.
