FIDO Alliance Says, 'Forget Passwords!'
- — 12 February, 2013 19:40
If there's one thing that's become clear in the past several years, according to PayPal CISO Michael Barrett, it's that usernames and passwords--originally conceived in the era of centralized mainframes--have become more of a liability than a protection online.
"There have been a number of significant site breaches over the last couple of years," Barrett says. "Large quantities of user IDs and passwords have been stolen by criminals. We finally have a large corpus of reliable data about the scale of the problem with regard to how often users share their passwords across multiple sites on the Internet."
"The big thing is that we're building a protocol that all the authentication vendors can take advantage of. We're not trying to rebuild all the back-end systems. We're not trying to gore anyone's ox."
CEO of startup Nok Nok Labs
(a founding member of the FIDO Alliance)
"It would seem as if two-thirds of the Internet users use the same password everywhere they go on the Internet," he adds.
And that, of course, means users are far less secure than they may think. After all, their security is only as good as that of the least secure place on the Internet that they use. Reuse, malware and phishing leaves users and enterprises vulnerable to financial fraud and identity theft.
FIDO Alliance Aims to Replace Passwords
A number of Internet companies, system integrators and security providers have decided it's time to replace the 50-year-old password technology we rely on with more robust authentication methods. The Fast Identity Online (FIDO) Alliance is an organization with the goal of revolutionizing online authentication with an industry-supported, standards-based open protocol that not only makes users more secure but is also easy and convenient to use.
"The Internet--especially with recent rapid mobile and cloud expansion--exposes users and enterprises, more than ever before, to fraud," says Barrett, who is also the FIDO Alliance president. "It's critical to know who you're dealing with on the Internet. The FIDO Alliance is a private sector and industry-driven collaboration to combat the very real challenge of confirming every user's identity online."
"By giving users choice in the way they authenticate and taking an open-based approach to standards, we can make universal online authentication a reality," he adds. "We want every company, vendor and organization that needs to verify user identity to join us in making online authentication easier and safer for users everywhere."
The founding members of the FIDO Alliance include Agnitio, Infineon Technologies, Lenovo, Nok Nok Labs, PayPal and Validity, all of whom are developing the specification and FIDO-compliant products.
FIDO Will Interoperate With Existing Authentication Methods
This is not the first time an organization has formed to create an authentication standard. But Barrett and other FIDO Alliance members believe this time will be different, largely because of the FIDO Alliance's approach: Instead of reinventing the wheel (or authentication methods in this case), the FIDO Alliance wants to create an open protocol that is all-inclusive, embracing both existing and new authentication methods and hardware.
"The big thing is that we're building a protocol that all the authentication vendors can take advantage of," says Phillip Dunkelberger, CEO of startup Nok Nok Labs and formerly the founder and CEO of PGP Corp. Nok Nok, which launched Tuesday, is a member of the FIDO Alliance and seeks to provide a unified authentication infrastructure that leverages existing technologies like fingerprint sensors, webcams, Trusted Platform Module (TPM) chips or voice biometrics.
"We're not trying to rebuild all the back-end systems," Dunkelberger adds. "We're not trying to gore anyone's ox."
Barrett explains that the FIDO Alliance protocol will allow users a choice of authentication method while shifting control to providers who can make authentication user-transparent and limit the risk of fraud.
How FIDO's Authentication Protocol Works
Essentially, FIDO combines hardware, software and Internet services. A FIDO user will use a FIDO Authenticator or token that they've chosen or that's incorporated in their device; it could be a built-in fingerprint scanner, a USB memory drive with a password, a voice reader or something else.
When a FIDO Authenticator is connected to an online account, it establishes a relationship between the Authenticator, the relying party and the FIDO Validation Service. Once the relationship is established, the Authenticator and the validation service will only exchange one time passwords (OTP).
In addition, all browsers on a user's system would have a FIDO plug-in capable of recognizing available FIDO Authenticators connected to the user's system. The Authenticator Validation Service will bind the whole system together, serving as a clearinghouse for token information.
"At the core of the National Strategy for Trusted Identities in Cyberspace (NSTIC) is a call for the private sector to lead in developing open technology standards that will enable a more trusted and secure Identity Ecosystem," says Jeremey Grant, who is leading the implementation of NSTIC as senior executive advisor for Identity Management at the National Institute for Standards and Technology (NIST).
"The new FIDO Alliance has pledged to do just that," says Grant. "I am excited to see what the FIDO Alliance's members can do to deliver the kind of usable, cost-effective, privacy-enhancing, interoperable strong authentication innovations envisioned in the NSTIC."
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline, on Facebook, on Google + and on LinkedIn. Email Thor at firstname.lastname@example.org