eBay Joins FIDO, Contributes Open-Source Authentication Server

The FIDO Alliance, which is working to deliver stronger forms of authentication for online access, expands such efforts with eBay’s help

The FIDO (Fast Identity Online) Alliance is gaining momentum, with eBay joining the effort and contributing a new open-source Universal Authentication Framework compliant server.

FIDO is a multistakeholder initiative whose aim is to enable stronger forms of authentication for online access. The big milestone event for FIDO occurred in December 2014 when the group announced the Universal Second Factor (U2F) and UAF 1.0 specifications.

With UAF, FIDO has built a specification that is designed to replace the need for traditional passwords by making use of other forms of authentication, including the use of biometrics—for example, a user’s fingerprint—to gain access. The U2F specification, in contrast, is all about enabling secure forms of two-factor authentication.

eBay is embracing FIDO to help solve a growing customer challenge.

Passwords

“We have some customer issues dealing with passwords, especially as our mobile app is growing at a fast rate,” Rajeev Angal, director of Trust and Identity Engineering at eBay, told eWEEK. “The mobile form factor is not an easy place to enter a password, and our customers have complained about it.”

Angal added that by embracing FIDO’s UAF, eBay could well find a way to get rid of passwords, replacing them with more natural biometrics. Rather than attempting a unique vendor approach, he said eBay found FIDO’s UAF specification to be a powerful standards-based open-source model that works.

While eBay is embracing UAF, it is not yet embracing U2F, as mobile is a primary pain point. Angal did add that eBay will likely be looking at U2F in the future as a possible option.

The eBay UAF effort is very much a work in progress and isn’t something that is generally available. The first key step, however, is making the UAF server open-source, where it is now publicly available for anyone to look at on GitHub and potentially contribute code. Angal demonstrated the eBay UAF server, including Android and iOS mobile clients, at a FIDO event in New York on March 31, where he said there was notable interest from new potential contributors. eBay will continue to test the UAF server for its own needs as well, while looking to build a community around it, he said.

eBay built the UAF server by looking at the UAF 1.0 specifications and then developing code.

“The eBay contribution is not only validation of the need for stronger authentication standards, but also it’s validation of the truly open standard that FIDO develops,” Brett McDowell, executive director at the FIDO Alliance, told eWEEK. “An outside company [eBay] was able to read the specifications, build a server and a sample app, take it through testing and getting it formally certified while not being members of the FIDO Alliance.”

Looking forward, McDowell said FIDO is working on expanding the adoption of its specifications as well as improving the specifications.

“The next step is to get FIDO into the operating system of devices, and that is the ambition of FIDO 2.0, which is the next publication from us,” McDowell said.

Originally published on eWeek.