Identity thieves are getting quite sophisticated when it comes to stealing your username and password. We might be wary of an unsolicited email containing a link but what if it came from a friend's email account? This happened to my wife recently - her friend's PC had been taken over and was sending believable emails to all her contacts (the PC was later encrypted by the hackers and held to ransom for bitcoins). If you clicked the link up would pop a window purporting to be from Google asking you to login with your username and password... . Then there is the issue of having to remember too many long and complex passwords for the different web services we all use. I think most of us would agree that passwords aren't safe and they are painful to use.
Fortunately the combination of a new authentication protocol called FIDO (Fast ID Online) and biometrics is changing the landscape rapidly. The FIDO Alliance is a group of approximately 200 companies working together to create a new protocol that provides simpler, stronger authentication. It can work with many different types of authenticator such as fingerprint sensor, iris scanner or trusted PIN entry. The device (not the remote sever) creates a public/private key pair for each combination of user/device/relying party during registration and provides the public key to the relying party. The sensitive parts of the algorithm e.g. crypto, matching, key stores need to be protected from scalable attacks. Fortunately ARM based applications processors usually implement a TrustZone based Trusted Execution Environment consisting of isolation hardware, authenticated trusted boot and a small Trusted OS. The TEE is being standardised by GlobalPlatform who are working on a security certification scheme so that it will soon be possible for platforms to be tested by 3rd party labs. The attached white paper looks at how the TrustZone based TEE is being used with FIDO based systems to protect assets and accelerate the revolution to a world without passwords.
The link address can be accessed now, thanks.