Fwd: Exciting news about StrongAuth and FIDO

Arshad Noor
I would normally consider this to be spam, but I want to express my thanks to the BouncyCastle team for what they do - without it, the software we build would be very difficult to create.  Thank you.

Arshad Noor
StrongAuth, Inc.

-------- Forwarded Message --------
Subject: Exciting news about StrongAuth and FIDO
Date: Thu, 13 Aug 2015 16:56:29 -0700
From: StrongAuth Inc. [hidden email]

Dear Friends,

We wanted to take a moment to give you some exciting news: this week, StrongAuth's open-source StrongKey CryptoEngine (SKCE) software was certified by the FIDO Alliance as a FIDO Certified U2F Server. What does this mean?

  • If you haven't heard of the FIDO Alliance, it is a group of more than 200 companies worldwide, working to replace the dreaded userid/password with strong-authentication using new protocols. FIDO protocols use hardware Authenticators (aka Tokens) with Elliptic Curve Cryptography (ECC) to enable digitally signing challenges sent by web-applications. Some Authenticators blend in biometrics to authenticate users locally before using the ECC keys - all require the presence of a human user to activate the Authenticator before it can be used;

  • StrongAuth has been a FIDO Alliance member since early 2014, and built an open-source implementation of the FIDO Universal 2nd Factor (U2F) protocol as a module within StrongKey CryptoEngine. After successfully completing a certification test with dozens of FIDO Authenticators, we earned the official FIDO Certified label;

  • If you have a web-application currently using userid/passwords, you know you are sitting on a potential land-mine. Not any more! You can now FIDO-enable your web-applications in less than 2 days each, by connecting them to the SKCE for FIDO processing (using our simple SOAP or REST webservices). Once connected, your employees, partners and customers are free to use any FIDO Certified U2F Authenticator (ranging from $6 to $25 on Amazon) and register cryptographic keys generated on the Authenticator with your website. These cryptographic keys strongly authenticate that individual when they visit your website;

  • Eliminating the risk of password-breaches becomes a reality because FIDO protocols only store public-keys on the server. An attacker compromising your user database will only see raw keys that are of little use without the private-key in the Authenticator;

  • Eliminating the risk of users getting phished becomes a reality too, because FIDO protocols associate a cryptographic key-pair with a website's origin. During key-registration, ECC keys are generated for, and associated with, your site's origin. An attacker masquerading as your website cannot phish your user-community since the FIDO Authenticator will refuse to respond to the attacker's challenge no matter how much it might look like your site - even if the attacker uses an actual copy of your database with authentic FIDO public-keys in them - your users cannot be phished because the link between the private-key and the website's origin is verified inside the Authenticator;

  • Users who choose not to use FIDO Authenticators can still continue authenticating to your web-applications using (sigh) userid/passwords. Your web-applications can support both methods of authentication during the transition, as you encourage your user-community to protect themselves by using FIDO authentication to access your web-applications.

If you have/get a FIDO U2F Token, you can test it with StrongKey CryptoCabinet (SKCC), our open-source, FIDO-enabled web-application to encrypt files with centralized, on-premises key-management and cloud-storage integration. Instructions for how to use the FIDO Token with SKCC are at:

FIDO Demo User Guide

The FIDO Token you have/get can also be used to secure your Gmail account - Google is one of the first public sites to support the FIDO U2F protocol - as well as Dropbox.

Download the SKCE and SKCC binaries and/or source and give it a spin. Check out the wiki on the download site for details on how to install the software and how to FIDO-enable your web-applications for strong-authentication using the SKCE. If you have any questions about any of the above, please don't hesitate to contact us.


StrongAuth, Inc.
(408) 331-2000
[hidden email]

