Got a smartphone? FIDO and Bluetooth SIG want to use it for online authentication

Why carry a dedicated USB key to prove your online identity when your Bluetooth-enabled smartphone can do it for you?
Written by Kevin Tofel, Contributor on

You might have seen USB keys that act as U2F, or Universal Two-Factor, tools to authenticate your online identity. They're handy little devices that add a second layer of protection to your web-based desktop or laptop activities. They're also easy to lose.


Why bother carrying a small authentication dongle when you can use something else that you likely already have with you? That's the question the Fast IDentity Online (FIDO) Alliance and Bluetooth SIG ask and answer with a simple solution: Why not just use your phone?

The two groups announced Wednesday that the FIDO Alliance has entered into a memorandum of understanding to enable handsets to act as a U2F authentication device over Bluetooth.

The concept makes sense because phones typically already have some level of security and identity built into them. Typically, your phone is your phone and represents a digital version of your personal information:

"Mobile devices carry a full range of personal information and are being outfitted with simpler, stronger local device authentication. Currently, options to secure or "lock" mobile devices are a PIN, a gesture, or biometric authentication. The FIDO Alliance and Bluetooth SIG MOU looks to use the local device for online authentication, adding full FIDO U2F security to any over-the-air connection."

Since the two groups are only announcing their effort to work together, your smartphone can't yet authenticate your identity in Gmail, Facebook or other web consumer and enterprise web services.

For now, FIDO and the Bluetooth SIG are collaborating on standards to implement Universal Two-Factor authentication over Bluetooth.

There has been precedent towards this approach, however. For several months, I've used my Android handset to unlock my Chromebook, for example. The Apple Watch can be wireless unlocked from a paired iPhone as well. Both implementations use Bluetooth.

But these methods are for physical device unlocking -- not for online usage -- and that's really what the two groups are working towards: Using a smartphone to verify and authenticate your identity while online.

Good, I say: Remembering various passwords of varying lengths for every website or service needs to become a thing of the past.

Editorial standards