Apple is among the last tech bigwigs to join FIDO, whose members now include Amazon, Facebook, Google, Intel, Microsoft, RSA, Samsung, Qualcomm and VMware. The group also boasts more than a dozen financial service firms such as American Express, ING, Mastercard, PayPal, Visa and Wells Fargo.
“Apple is not usually up front in joining new organizations and often waits to see if they gain enough traction before joining in. This is fairly atypical for them,” said Jack Gold, president and principal analyst at J. Gold Associates. “Apple is often trying to present [its] own proposed industry standards for wide adoption, but is generally not an early adopter of true multi-vendor industry standards.
“FIDO now has enough momentum that I assume Apple is feeling the pressure to join in,” he said. “Especially in a cloud-based world, FIDO is a key initiative to authentication that companies really can’t ignore.”
Formed in 2012, FIDO’s purpose is to push two-factor authentication for services and apps because passcodes are innately insecure. Research backs the group’s claim, as 81% of all security breaches from hackers can be traced to stolen or poor passwords, according to Verizon’s Data Breach Investigations Report.
“If you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned,” Verizon said in its report.
Along with W3C, FIDO wrote and is using the emerging Web Authentication API (better known as WebAuthn). The WebAuthn specification is already supported – to different degrees – by major browsers such as Google’s Chrome, Mozilla’s Firefox and Microsoft’s Edge. Those browsers also support cloud credential creation using a U2F Token, which can use Bluetooth, NFC or USB to provide two-factor authentication to online services and apps.
In 2018, Apple announced it was adding “experimental” support for the WebAuthn protocol on Safari. In December, Apple added native support for FIDO-compliant security keys, such as those from Yubico and Feitian, which use the WebAuthn standard over near-field communication (NFC), USB, or Lightning in iOS 13.3.
“FIDO is like Bluetooth for authentication – meaning that we have a number of devices with features and functions that can be used to provide authentication,” said Mahdi.
For example, Mahdi said, mobile devices or laptops may use fingerprint readers or facial recognition technology to enable log-in. Either technology could be leveraged for authentication, but without a common language, it was difficult to do and required proprietary drivers and software.
“As such, it was much more complex to reliably enable strong authentication,” Mahdi said. “FIDO, like Bluetooth, allows application developers and security leaders that want to enable strong authentication (say, in a mobile app or a website) to cover a wide range of authentication methods that are available in devices with minimal code [and without having to worry about many proprietary drivers].”
Overall, FIDO’s specification means digital services from banks, ecommerce sites and others can recognize users through their devices, rather than with usernames and passwords. For example, users could register for an online service, create a username, register their devices, and select a preferred authentication method (i.e. finger, or face, and/or PIN). No password would be needed, Mahdi said.
How FIDO’s spec works
FIDO’s specification works by enabling anyone using it to gain access to an app or online service with a private and public key pair.
When a user registers with an online service, such as PayPal, the authenticator device (a server) creates a unique private/public key pair. The private key is stored on the user’s device, while the public key becomes associated with that device through the online service or app.
Authentication is performed by the client server sending an electronic challenge to the user’s device. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a secure action such as a biometric reader (i.e., a fingerprint scan or facial recognition), entering a PIN, speaking into a microphone, or inserting a second-factor device.
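The registration and challenge-response flow described above, as an added Node.js example that is not part of the original article or FIDO's own code. It models the authenticator as the user's device holding the private key; the class names, the origin and the signed-message layout are assumptions, and the real WebAuthn message format is not reproduced.

```javascript
// Added example: simplified FIDO-style registration and login (not the WebAuthn wire format).
const crypto = require('crypto');

class Authenticator {                        // the user's device; class name is hypothetical
  constructor() { this.keys = new Map(); }   // service origin -> private key, never exported
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey);       // unique key pair per service
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(origin, challenge, userUnlocked) {
    if (!userUnlocked) throw new Error('local unlock (biometric or PIN) required');
    const key = this.keys.get(origin);
    if (!key) throw new Error('no credential registered for ' + origin);
    return crypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

class RelyingParty {                         // the online service; stores public keys only
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);       // remember the outstanding challenge
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);               // single use, so a captured signature cannot be replayed
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return crypto.verify('sha256', signed, pem, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const service = new RelyingParty('https://service.example');  // constructed origin
  service.enroll('alice', device.register(service.origin));
  const signature = device.sign(service.origin, service.newChallenge('alice'), true);
  const login = service.verify('alice', signature);
  const replay = service.verify('alice', signature);            // challenge already consumed
  let lockedRefused = false;
  try { device.sign(service.origin, service.newChallenge('alice'), false); }
  catch { lockedRefused = true; }
  return { login, replay, lockedRefused };
}
```

The service never holds anything that can be used to log in elsewhere: a leaked public-key table lets nobody sign a challenge.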
U2F is an open-authentication standard that enables internet users to securely access with one security key instantly and with no drivers or client software needed, according to FIDO member and authentication vendor Yubico. FIDO2 is the latest generation of the U2F protocol.
Last April, Google joined the Alliance as part of its creation of new online identity management tools. Google added two-factor authentication through FIDO’s specification for Android 7 and above devices.
Jamf, a provider of multi-factor enterprise authentication management software for the Mac platform, joined FIDO last month.
“As we were supporting a lot of these multi-factor devices and different identity providers, it got to be complicated pretty quickly,” said Joel Rennich, director of Jamf Connect, an Apple Mac authentication and identity management product. “And we still had the problem that we needed to go back to having a password. On the Mac, there’s no built-in way of supporting your user credentials without typing in a password. However, Apple does have a pretty robust smart card installation.”
Rennich said Jamf is embracing the FIDO authentication protocol because it’s “incredibly” secure and allows a lot of flexibility because of wide-ranging industry support. In particular, because of FIDO’s use of highly secure elliptic-curve cryptography – the same used by Apple Secure Enclave – Jamf can now leverage the technology to create enterprise-class access to the iPhone, for example.
“So, we can use that hardware already in the device to work with the FIDO protocols with minimal amount of effort. …That made the development really quick,” Rennich said.
While it’s not yet shipping, Jamf also created a virtual smart card that allows users to sign into Mac devices from the cloud using elliptic-curve cryptography pairing keys in the same way FIDO’s specification does.
“We’re not here to speak for Apple…, but certainly you can see they’re doing a lot more work in this environment. I do think it’s a solid base. It’s a great standard,” Rennich said. “We do hope Apple does more with it. But in the meantime, we expect to be able to bring log-in at the log-in window with a FIDO authenticator to the Mac.”
What is AR (augmented reality) Cloud?
The AR Cloud is a live, real-time 4D guide of the world, overlaid onto this present geolocated reality.
It enables data, ideas and experiences to be augmented, shared, and attached to specific physical locations, so that they occur and persist across applications and devices.
Think about always-on telecommunications companies, cable companies, retail and e-commerce businesses and more offering this augmented reality service bundled with a wireless plan package (or as a separate, standalone subscription), from WiFi on-the-fly services to in-app, easy clickable-button purchases, and more. This is a substantial new stream of revenue.
Retail and e-commerce businesses will spring up alongside it, or inside of it. The overlay of an easy ‘Buy This Item Now’ button on top of your physical store would open up many avenues.
Reddit Launches some loot tokens for reputation and rewards on ethereum.
Two new types of loot tokens have been created. Each is a token on the Ethereum blockchain that is earnable within a community rather than purchased. They signaled their plan to pivot the company’s monetization strategy more towards crypto. Interesting tidbit. This overall initiative is referred to as “Community Points” and builds on the early experiments from /r/Ethtrader donuts.
What are the two loot tokens called?
Reddit launched “Moons” ($MOONS) for /r/Cryptocurrency and “Bricks” ($BRICKS) for /r/FortNiteBR.
I wonder how they plan on getting away with “bricks” considering LEGO uses bricks and such and doesn’t really like when people use their lingo for business revenue.
The tokens are available on specific subreddits on the new Reddit theme and in the app.
Users will be able to access the tokens in their Reddit “vault”, an in-app ERC20 wallet available on both iOS and Android.
Basically a crypto wallet in a sense.
Reddit will distribute these tokens initially based on Reddit Karma to represent compensation for the value that users have contributed to the community over time.
Reddit itself will keep a portion of the tokens in each subreddit, and award a small portion to the community moderators for managing the subreddit.
On the launch day there will be an initial distribution of 50M tokens covering previous activity in the subreddit, and then the remaining tokens will be distributed month over month diminishing with each monthly distribution until it hits its cap of 250M tokens for each individual subreddit.
Reddit has indicated that the community will also have some ability to govern the model of distribution within each independent subreddit.
What can you do with Reddit Loot?
The Community Points Program issues a type of loot token on the Ethereum blockchain. So you can earn loot in the community as well as redeem it within the same community.
One major usage is using these tokens to tip other users. You can also buy badges and awards, take part in weighted polls, or buy a special membership to each particular subreddit (that gives you a colored user name, specialty loyalty badges, and the ability to embed gif replies in your comments.)
Economics of the loot tokens
The economic model has three key points:
1) Number of tokens issued diminishes over time, and can only be earned from human effort.
2) All future human effort earns fewer tokens than all prior human effort. There is a hard cap of 250M tokens in a subreddit. There will never be more than 250M $MOON tokens.
3) Every time $MOON tokens are used to buy badges, memberships or for any other action on Reddit, they are burned (destroyed!).
The price of an asset increases as supply lowers and demand increases.
So the more active a community is and the more value it creates for its users, the fewer tokens will exist over time.
Tokens will have a lower supply but a greater demand.
Any other usages?
Moons and Bricks are both ERC20 tokens on the Ethereum blockchain, so you can do whatever you want with them.
In the Reddit app your wallet is a full Ethereum wallet that has a private key and recovery phrase. You are able to use that wallet anywhere you would normally use an Ethereum wallet by exporting it.
This means that once you claim your tokens you own them and no one else has access to them. Not even Reddit.
While these tokens started their journey with Reddit, they ultimately represent value created within a specific interest group, and could start to proliferate across other mediums.
If you want to list your tokens on exchanges to sell, you can do that too.
While Reddit is very likely to continue exploring new features to redeem these tokens for, the tokens are fully decentralized and can be used by anyone in any way.
Interesting stuff and use case.
- Zcash Foundation plans to bring its privacy features to the Cosmos ecosystem.
- The project will utilize “pegzones” to add an anonymity layer to cross-chain transactions.
- This will allow shielding assets, transfers and staking across blockchains.
- It will be possible to move Zcash from one blockchain to the other.