Showing posts with label nfc. Show all posts

Friday, May 17, 2013

FIDO Alliance

I am not happy with the FIDO Alliance, and their FAQ does not eliminate my concerns.

The major concern being: "Why isn't this going straight to a standards body?"
Their answer:

The FIDO authentication protocol needs to be part of a standardized, interoperable ecosystem to be successful. Building this ecosystem requires the active commitment of everybody from hardware chipset vendors, to the manufacturers of back-end server systems. Coordination across the divergent interests of these players is a complex affair, and one that current technical standards bodies are not well suited to handle.
The FIDO Alliance will refine the protocol, and monitor the extensions required to meet market needs and to make the protocol robust and mature. Implementation will not be undertaken by the FIDO Alliance. The mature protocol will be presented to the IETF, W3C or similar body after which it will be open to all industry players to implement.
This is what standardization bodies' working groups are for: work on protocols and formats, work on security considerations, use the experience of "the community".

So FIDO is developing a protocol and will then present it to one standardization body...
Meanwhile it is a closed thing, and it costs relevant amounts of money to join the alliance.
This is neither free nor open.

During IIW there were several sessions on FIDO (1, 2). Each was full of good intentions and marketing speak but no substance. No real information. You have to join the alliance to get that. Well, ...

Somebody at Nok Nok Labs convinced somebody at Paypal to hire them and to found FIDO. Why Google joined despite Google's support for the W3C WebCrypto group I have no idea.

The W3C WebCrypto group is where this belongs. This might need rechartering of the group. But that is doable. Especially if the proposal is backed by a prototype implementation. Especially if it is backed by Paypal, Lenovo, Google, Nxp and others.

I believe that we need better authentication methods beyond username and password. I think that bring-your-own (hardware) identity might work toward that goal. I believe that mobile phones, SIM cards and NFC help to achieve this. I believe that the mobile wallet is the right user interface to choose your identity.

I believe that doing it in a closed group is not the right way.




Thursday, January 15, 2009

Playing Around with Microsoft Tags

Some see visual tags as a danger to NFC's breakthrough... Well, maybe; but only for a subset of NFC use cases.

Reason enough to try it out. So I created a tag at Microsoft. Had to log in with liveid/password. Wondering when Information Card support will be there at liveid... And here it is:

Now we need the software from gettag.mobi. Hmm. Android is not available yet for my G1. Symbian S60 is there, but my S60 phones (E60 and E61) don't have a camera. My 6131-NFC (well) has a camera. I downloaded the j2me-unlocked program and installed it on the 6131 using Nokia's PC Suite's application installer. I was able to start the tagreader application and it successfully decoded the tag on this page... but the phone has no valid internet connection settings...

Hm. Enough playing around. I might try it again when an Android G1 tagreader is available.

BTW: the tag points to the openinfocard download area. Well, to be more exact: it points to a Microsoft server that points to the openinfocard download area. So Microsoft is a man-in-the-middle. Do I want that? No.

Friday, March 07, 2008

openid with smartcard support

Today I learned about TrustBearer (thanks Berend). TrustBearer combines openid authentication with smartcard authentication. Setting this up is very easy.

1) sign up for an openid at http://openid.trustbearer.com/

2) pair your cert with the new account. You have to install a Firefox extension that does the certificate stuff.

3) logged in and ready to go

4) try it at an openid consumer

5) present your openid and smartcard

6) nice


Still what I like most in this use case is that the certificate is on the mobile phone. (We integrated these technologies during our project "CardSpace for Telcos" for Deutsche Telekom Laboratories.)

True, these phones are not widely available today, but e.g. every New Yorker who participates in the metro field trial can now use the mobile phone not only to pay his metro ticket but also to make the authentication a little bit more secure (no password involved here. Wait: no information card involved either. doh. No anti-phishing, no unlinkability, no untraceability).

Anyway, nice.