January 28, 2016

FIDO TechNotes: There is No Privacy Without Security

Today is Data Privacy Day 2016 and, as a Champion organization, we want to join in the conversation on the importance of respecting user privacy online, and the ways FIDO authentication standards do just that. To this end, we have released today the ”FIDO Privacy White Paper,” which describes how privacy has been taken into account in the design of the FIDO protocols, and how they can help meet privacy requirements from certain regulatory authorities.

To understand why FIDO authentication standards were designed with a user-privacy focus, it’s important to first understand how privacy relates to security in the context of accessing online services.

Good privacy is intrinsically dependent on good security. In fact, there is no privacy without security. It’s very difficult to keep the personal information you share with an online service private if that information isn’t being properly safeguarded. Data breaches are the most common way that user privacy is put at risk online, and 95% of web app attacks make use of stolen password credentials. And, passwords are still the most commonly-used form of online authentication.

These password credentials are what we call a “shared symmetric secret;” both the online service provider and the user must know the same secret. Because passwords are human-readable shared secrets, they have many security limitations. Phishing attacks, social engineering and keystroke logging malware are just some of the ways that attackers are able to obtain passwords and use them to access their victims’ online accounts, putting consumers’ personal and financial data at risk.

With over a billion stolen passwords in circulation, it’s clear that password credentials aren’t so secret anymore. Fortunately for users, our industry has been responding to password-based attacks for quite some time with additional security measures like risk-based authentication and/or optional two-factor authentication such as a one-time password sent to a trusted device.

That being said, online security leaders know that these long-standing additional security measures are losing ground in the cybercrime battle because they share many of the same vulnerabilities as passwords, most fundamental being that they are subject to scalable attacks targeting thousands of users at once.

To get ahead of the cybercriminals, industry leaders are collaborating in the FIDO Alliance to build a set of technologies and standards for strong authentication. FIDO standards enable device-based, easy-to-use strong authentication to make scalable attacks on user credentials a thing of the past and better protect user privacy.

To accomplish this, FIDO strong authentication standards were designed with end-user privacy in mind. The protocols do not provide information that can be used by different online services to correlate and track a user across their services, because of these features:

  • There is no third party in the protocol
  • There are no “secrets” generated or stored on the server side
  • Biometric data (if used) never leaves the device
  • There is no linkability between services and accounts
  • Users can de-register at any time
  • There is no release of information without consent

To sum up, when FIDO authentication is implemented according to the specifications following the FIDO privacy principles, online service providers have reduced risks in the case of data breaches because no credential “secrets” are stored on their servers.

In the spirit of Data Privacy Day, follow us on Twitter @FIDOalliance all day today as we tweet about privacy and protecting data using the hashtag #PrivacyAware.

MORE Buying, Building & Partnering