How FIDO on Samsung Galaxy could best Apple Pay
By Byron Acohido, ThirdCertainty, Oct. 23, 2014
A day after Apple successfully hyped the ability for iPhone 6 users to biometrically authenticate the purchase of a Big Mac, using Apple Pay and Touch ID, Google rolled out Secure Key, a new type of USB key based on the FIDO standard. Secure Key can make your Gmail account nearly impossible to hack.
The two announcements are related. Both point the way to mainstream use of biometric sensors and other mechanisms for affirming you are who you say you are in digital communications and transactions.
ThirdCertainty asked Brett McDowell, Executive Director of the FIDO Alliance, to handicap the competition to dominate the next generation of authentication technologies.
3C: In plain language, what is FIDO?
McDowell: FIDO stands for Fast IDentity Online. It’s a new set of industry standards, much like WiFi, Bluetooth and NFC. Any device manufacturer, software developer or online service provider can build support for FIDO standards into their existing products and services to make online authentication simpler and more secure.
The fact that this is all being standardized means the FIDO ecosystem can grow and scale. Any new implementation of the standards that pops up on the Internet will be able to immediately interoperate with any other implementation.
FIDO standards allow online service providers the option to set their own policies about what kind of authenticators they are willing to trust. That includes PIN codes, voice or face recognition software, fingerprint readers, iris scanners, etc.
3C: What is the key distinction between how Apple is moving to popularize biometrically authenticated consumer purchases vs. the course the FIDO alliance is on?
McDowell: Apple Pay is a payment application, and just like every other application, it requires authentication. The Touch ID sensor, which is used as the authenticator for other applications, including but not limited to Apple Pay, is quite relevant to a discussion about FIDO standards.
To level set, the FIDO Alliance is an open industry consortium of nearly 150 companies, many peers or partners of Apple. Apple’s Touch ID sensor, like the sensors produced by some FIDO Alliance members, can be used as a FIDO authenticator.
Where Apple’s current systems differ is that they are not yet taking steps to make FIDO-enabling iOS 8 devices easy or convenient for their users.
3C: So who is?
McDowell: Samsung has embedded FIDO-enablement right into the menu structures of their Samsung Galaxy® products. But even on the Galaxy devices, FIDO-enablement still requires the user to download the FIDO client, which is true today on iOS 8 as well. Samsung has simply made it easier for their customers to find this capability and make use of it, initially for PayPal payments and now also for Alipay in China.
3C: Apple Pay using Touch ID is easy to understand. PayPal using FIDO on Samsung Galaxy, not so much.
McDowell: FIDO’s mission is to revolutionize online authentication, not online payments. It is only coincidence that payments are the first applications to use FIDO authenticators and Touch ID authenticators. It is simply a historic artifact of online payment from mobile devices that the application has the greatest need for simpler, stronger authentication. Apple is attempting to enable these user experiences for only their own devices and their own application, and now other applications running on their own platform. That differs from the FIDO Alliance in that we are attempting to enable these user experiences universally—for all devices, all applications, and the web itself.
3C: Should ApplePay become a dominant form of biometric authentication, how would that impact FIDO adoption?
McDowell: Touch ID and fingerprint sensors like the Synaptics sensors in Samsung Galaxy devices are arguably already a dominant form of biometric authentication, but they are not the only form factor by any means. These sensors offer a nice user experience, with similar device-centric security. Touch ID simply lacks support for FIDO standards out-of-the-box, but like Samsung devices, it can be FIDO-enabled through third-party developers.
But it is worth pointing out that the FIDO Alliance is full of innovative companies building all sorts of form factor authenticators like voice, face, eye, and wearables. Who knows what form factor users will ultimately prefer. That’s why it is so strategic to invest in a FIDO-compliant infrastructure so your services can work with whatever form factors work best for your users, under various circumstances.
3C: What might global commerce look like five years from now should FIDO win this horse race?
McDowell: There is nothing Apple is doing that is inconsistent with an end-state where all devices, including their own, can interoperate with online services and websites over FIDO standards. They simply are not the first to deploy support for the standard, but that should not be construed as being their long-term strategy in this space. Only Apple can speak to that.