FIDO Alliance Says, 'Forget Passwords!'

If there's one thing that's become clear in the past several years, according to PayPal CISO Michael Barrett, it's that usernames and passwords--originally conceived in the era of centralized mainframes--have become more of a liability than a protection online.

"There have been a number of significant site breaches over the last couple of years," Barrett says. "Large quantities of user IDs and passwords have been stolen by criminals. We finally have a large corpus of reliable data about the scale of the problem with regard to how often users share their passwords across multiple sites on the Internet."


"It would seem as if two-thirds of the Internet users use the same password everywhere they go on the Internet," he adds.

[Related: Will Tech Industry Ever Fix Passwords?]

And that, of course, means users are far less secure than they may think. After all, their security is only as good as that of the least secure site they use on the Internet. Password reuse, malware and phishing leave users and enterprises vulnerable to financial fraud and identity theft.

FIDO Alliance Aims to Replace Passwords

A number of Internet companies, system integrators and security providers have decided it's time to replace the 50-year-old password technology we rely on with more robust authentication methods. The Fast Identity Online (FIDO) Alliance is an organization with the goal of revolutionizing online authentication with an industry-supported, standards-based open protocol that not only makes users more secure but is also easy and convenient to use.

[Related: 6M LinkedIn Passwords Leaked: How to Change Your Password]

"The Internet--especially with recent rapid mobile and cloud expansion--exposes users and enterprises, more than ever before, to fraud," says Barrett, who is also the FIDO Alliance president. "It's critical to know who you're dealing with on the Internet. The FIDO Alliance is a private sector and industry-driven collaboration to combat the very real challenge of confirming every user's identity online."

"By giving users choice in the way they authenticate and taking an open-based approach to standards, we can make universal online authentication a reality," he adds. "We want every company, vendor and organization that needs to verify user identity to join us in making online authentication easier and safer for users everywhere."

The founding members of the FIDO Alliance include Agnitio, Infineon Technologies, Lenovo, Nok Nok Labs, PayPal and Validity, all of whom are developing the specification and FIDO-compliant products.

FIDO Will Interoperate With Existing Authentication Methods

This is not the first time an organization has formed to create an authentication standard. But Barrett and other FIDO Alliance members believe this time will be different, largely because of the FIDO Alliance's approach: Instead of reinventing the wheel (or authentication methods in this case), the FIDO Alliance wants to create an open protocol that is all-inclusive, embracing both existing and new authentication methods and hardware.


"The big thing is that we're building a protocol that all the authentication vendors can take advantage of," says Phillip Dunkelberger, CEO of startup Nok Nok Labs and formerly the founder and CEO of PGP Corp. Nok Nok, which launched Tuesday, is a member of the FIDO Alliance and seeks to provide a unified authentication infrastructure that leverages existing technologies like fingerprint sensors, webcams, Trusted Platform Module (TPM) chips or voice biometrics.

"We're not trying to rebuild all the back-end systems," Dunkelberger adds. "We're not trying to gore anyone's ox."

Barrett explains that the FIDO Alliance protocol will allow users a choice of authentication method while shifting control to providers who can make authentication user-transparent and limit the risk of fraud.

How FIDO's Authentication Protocol Works

Essentially, FIDO combines hardware, software and Internet services. A FIDO user will use a FIDO Authenticator or token that they've chosen or that's incorporated in their device; it could be a built-in fingerprint scanner, a USB memory drive with a password, a voice reader or something else.

When a FIDO Authenticator is connected to an online account, it establishes a relationship between the Authenticator, the relying party and the FIDO Validation Service. Once the relationship is established, the Authenticator and the validation service exchange only one-time passwords (OTPs), so no reusable credential ever crosses the wire.

In addition, all browsers on a user's system would have a FIDO plug-in capable of recognizing available FIDO Authenticators connected to the user's system. The Authenticator Validation Service will bind the whole system together, serving as a clearinghouse for token information.
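The flow the article sketches, as an added, illustrative model rather than FIDO Alliance code or the FIDO specification: an authenticator enrolls a fresh per-site secret with a validation service, and each later login is a one-time value computed over a server challenge. The class names, the choice of a symmetric secret and an HMAC-based OTP, and the site names are this example's own assumptions; the article does not specify the key type or message format.

```python
"""Illustrative model of the registration/authentication flow described above.
Added example; not FIDO Alliance code and not the FIDO specification.
Assumptions: one symmetric secret per relying party held by a validation
service, and an HMAC over a fresh challenge as the one-time password."""
import hashlib
import hmac
import secrets


class Authenticator:
    """The user's token (e.g. a fingerprint sensor built into the device)."""

    def __init__(self):
        self._keys = {}  # relying-party id -> per-site secret

    def register(self, rp_id: str) -> bytes:
        # A fresh secret per relying party: a breach at one site leaks
        # nothing usable at another, unlike a reused password.
        key = secrets.token_bytes(32)
        self._keys[rp_id] = key
        return key

    def respond(self, rp_id: str, challenge: bytes) -> str:
        # Only a one-time value bound to this challenge crosses the wire;
        # the secret itself never leaves the authenticator.
        return hmac.new(self._keys[rp_id], challenge, hashlib.sha256).hexdigest()


class ValidationService:
    """Clearinghouse that holds enrolled token secrets and issues challenges."""

    def __init__(self):
        self._keys = {}     # (rp_id, token_id) -> secret
        self._pending = {}  # outstanding challenge -> (rp_id, token_id)

    def enroll(self, rp_id: str, token_id: str, key: bytes) -> None:
        self._keys[(rp_id, token_id)] = key

    def challenge(self, rp_id: str, token_id: str) -> bytes:
        if (rp_id, token_id) not in self._keys:
            raise KeyError("token not enrolled for this relying party")
        c = secrets.token_bytes(16)
        self._pending[c] = (rp_id, token_id)
        return c

    def verify(self, rp_id: str, token_id: str, challenge: bytes, otp: str) -> bool:
        # A challenge is consumed on first use, so a captured OTP cannot be replayed.
        if self._pending.pop(challenge, None) != (rp_id, token_id):
            return False
        expected = hmac.new(self._keys[(rp_id, token_id)], challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, otp)


class RelyingParty:
    """A website that never sees a password, only the service's yes/no."""

    def __init__(self, rp_id: str, service: ValidationService):
        self.rp_id, self.service = rp_id, service

    def register(self, token_id: str, auth: Authenticator) -> None:
        self.service.enroll(self.rp_id, token_id, auth.register(self.rp_id))

    def login(self, token_id: str, auth: Authenticator) -> bool:
        c = self.service.challenge(self.rp_id, token_id)
        return self.service.verify(self.rp_id, token_id, c, auth.respond(self.rp_id, c))


def demo() -> dict:
    """Register one token at two constructed sites and exercise three attacks."""
    service = ValidationService()
    shop, bank = RelyingParty("shop.example", service), RelyingParty("bank.example", service)
    auth = Authenticator()
    shop.register("tok-1", auth)
    bank.register("tok-1", auth)

    login_ok = shop.login("tok-1", auth)

    # Replay: present a captured challenge/OTP pair a second time.
    c = service.challenge("shop.example", "tok-1")
    otp = auth.respond("shop.example", c)
    fresh = service.verify("shop.example", "tok-1", c, otp)
    replay = service.verify("shop.example", "tok-1", c, otp)

    # Cross-site: an OTP computed with the shop's secret is useless at the bank.
    c2 = service.challenge("bank.example", "tok-1")
    cross_site = service.verify("bank.example", "tok-1", c2, auth.respond("shop.example", c2))

    return {"login": login_ok, "fresh": fresh, "replay": replay, "cross_site": cross_site}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the article is after: a genuine login and a first use of a captured OTP succeed, while replaying that OTP or carrying the shop's credential to the bank both fail, which is exactly what a reused password cannot offer.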

"At the core of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is a call for the private sector to lead in developing open technology standards that will enable a more trusted and secure Identity Ecosystem," says Jeremy Grant, who is leading the implementation of NSTIC as senior executive advisor for Identity Management at the National Institute of Standards and Technology (NIST).

"The new FIDO Alliance has pledged to do just that," says Grant. "I am excited to see what the FIDO Alliance's members can do to deliver the kind of usable, cost-effective, privacy-enhancing, interoperable strong authentication innovations envisioned in the NSTIC."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers. Follow Thor on Twitter @ThorOlavsrud.
