FIDO Protocol To Support Two-Factor Authentication Over Bluetooth Smart


The Fast IDentity Online (FIDO) Alliance, which includes members such as Google and Microsoft, and the Bluetooth Special Interest Group (SIG) have entered into a "memorandum of understanding" (MOU) to use Bluetooth Smart (LE) as an alternative to USB dongles for two-factor authentication.

“The FIDO Alliance is focused on developing unencumbered specifications to offer secure, private authentication that removes our reliance on passwords, which are cumbersome, inefficient, and vulnerable to many forms of scalable attack,” said Brett McDowell, executive director, FIDO Alliance. “Standards produced by Bluetooth SIG are uniquely suited to extend the current reach of FIDO U2F security from the desktop to the increasingly ubiquitous mobile device.”

When the FIDO Alliance created its U2F (Universal 2nd Factor) authentication protocol and version 1.0 of its specification, it only supported USB keys because that used to be the best-known physical medium for two-factor authentication mechanisms. After the specification was finished, the group started working on extending it with support for wireless technologies such as Bluetooth Smart and NFC.

This change will enable smartphones, as well as key fobs and other devices, to be used for two-factor authentication on PCs. It will also enable said devices to provide two-factor authentication for smartphones, which was previously impossible because you couldn't insert a typical USB key into a smartphone in order to authenticate with it.

With a second factor such as a Bluetooth Smart-enabled smartwatch, you could log in to websites on either your smartphone or your PC more securely: even if hackers steal your passwords, they won't be able to log in to your accounts without that second factor.

Unlike two-factor USB keys, which not too many people own, Bluetooth Smart is already quite ubiquitous on smartphones and other devices. The integration with the FIDO U2F protocol should allow many more people to use two-factor authentication enabled by some extra hardware rather than an SMS sent to your phone number over poorly encrypted GSM channels (which can be spoofed and intercepted by hackers).

“There are more than eight billion Bluetooth enabled devices in use today around the globe and more than 10 billion are projected to ship in the next three years. This near-universal presence and the strong security built into Bluetooth Smart make the technology a natural choice for this innovative approach to multi-factor authentication,” said Errett Kroeter, senior director of marketing at the Bluetooth SIG. “We envision partnering with FIDO Alliance through this MOU will help provide the industry with a simple, yet powerful alternative for multi-factor authentication that is available to practically everyone,” he added.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.