The Google-supported FIDO Alliance this week achieved a key milestone in its mission to end the use of passwords by releasing version 1.0 of its namesake open standard.
“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” said Michael Barrett, president of the alliance.
“FIDO Alliance pioneers can forever lay claim to ushering in the ‘post password’ era,” he noted, “which is already revealing new dimensions in Internet services and digital commerce.”
FIDO, which stands for “Fast IDentity Online,” consists of two specifications: the Universal Authentication Framework (UAF), which covers passwordless login with an authenticator the user already has, such as a fingerprint reader on a phone, and Universal 2nd Factor (U2F), which adds a hardware token as a second factor alongside a password. Together, they aim to let any website or cloud application offer password alternatives by interfacing, through a common protocol, with a broad variety of FIDO-enabled authenticators, including biometrics and hardware tokens.
Extensions adding near-field communication (NFC) and Bluetooth transports to the range of FIDO capabilities are planned next.
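What “interfacing with an authenticator” means in U2F, shown as an added example in Go using only the standard library (this is not code from the FIDO Alliance, the specification, or this article): the token holds a per-site P-256 key bound to the site’s appId and signs the server’s challenge together with the origin the browser saw and a usage counter; the server re-derives every hashed input itself and rejects a foreign origin, a stale challenge or a counter that did not advance. The origin https://example.com, the look-alike https://examp1e.com, the single-user site and the omission of attestation, key handles and the full facet-list logic are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Token models one U2F registration: a P-256 key bound to SHA-256(appId) plus
// a signature counter (real tokens hold many such keys, found by key handle).
type Token struct {
	priv    *ecdsa.PrivateKey
	appHash [32]byte
	counter uint32
}

// Sign is the authentication request: refuse any app parameter but the one the
// key was registered under, then sign appParam || 0x01 || counter || challengeParam.
func (t *Token) Sign(appParam, challengeParam [32]byte) (uint32, []byte, error) {
	if appParam != t.appHash {
		return 0, nil, errors.New("token: key not registered for this appId")
	}
	t.counter++
	msg := signedData(appParam, t.counter, challengeParam)
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, msg[:])
	return t.counter, sig, err
}

func signedData(appParam [32]byte, counter uint32, challengeParam [32]byte) [32]byte {
	var b bytes.Buffer
	b.Write(appParam[:])
	b.WriteByte(0x01) // user-presence flag
	b.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	b.Write(challengeParam[:])
	return sha256.Sum256(b.Bytes())
}

// ClientData is built by the browser and hashed into the signature.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Site is the relying party with one registered user; AppID is its https origin.
type Site struct {
	AppID   string
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

// Verify recomputes both hashed parameters from the site's own appId and the
// returned clientData, so a signature for another origin, a stale challenge, or
// a counter that did not advance (replay, cloned token) is rejected.
func (s *Site) Verify(challenge []byte, cd ClientData, counter uint32, sig []byte) error {
	if cd.Origin != s.AppID {
		return errors.New("server: origin mismatch, possible phishing relay")
	}
	if !bytes.Equal(cd.Challenge, challenge) {
		return errors.New("server: challenge mismatch")
	}
	if counter <= s.Counter {
		return errors.New("server: counter did not advance")
	}
	cdJSON, _ := json.Marshal(cd) // a real server hashes the raw bytes it received
	msg := signedData(sha256.Sum256([]byte(s.AppID)), counter, sha256.Sum256(cdJSON))
	if !ecdsa.VerifyASN1(s.PubKey, msg[:], sig) {
		return errors.New("server: bad signature")
	}
	s.Counter = counter
	return nil
}

// Setup is registration for the constructed origin https://example.com.
func Setup() (*Site, *Token) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the OS CSPRNG does
	s := &Site{AppID: "https://example.com", PubKey: &priv.PublicKey}
	return s, &Token{priv: priv, appHash: sha256.Sum256([]byte(s.AppID))}
}

// Login plays the browser for a page loaded at pageOrigin. Absent an explicit
// appId the browser uses the page's own origin (a page naming a foreign appId
// fails the facet check), so a phishing page cannot borrow the real site's key.
func Login(s *Site, t *Token, pageOrigin string) error {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	cd := ClientData{challenge, pageOrigin}
	cdJSON, _ := json.Marshal(cd)
	counter, sig, err := t.Sign(sha256.Sum256([]byte(pageOrigin)), sha256.Sum256(cdJSON))
	if err != nil {
		return err
	}
	return s.Verify(challenge, cd, counter, sig)
}

func main() {
	s, t := Setup()
	fmt.Println("genuine login:", Login(s, t, "https://example.com"))
	fmt.Println("phishing page relaying the challenge:", Login(s, t, "https://examp1e.com"))
}
```

The first login succeeds and the site records counter 1; the look-alike origin is stopped at the token, because the key was minted for SHA-256("https://example.com") and nothing else, and the server's origin and counter checks remain as a second line of defence for anything that reaches it.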
“The world needs a simpler and more secure login method for online services, and FIDO’s open specifications help achieve this,” said Andy Steingruebl, PayPal’s director of product and ecosystem security.
“PayPal has already deployed FIDO-based login with its mobile app when running on FIDO-ready devices such as the Samsung Galaxy S5,” he added.
Formed in 2012, the FIDO Alliance seeks both to address the lack of interoperability among strong authentication technologies and to help users overwhelmed by having to create and remember multiple usernames and passwords.
“The end of passwords cannot come soon enough,” Netlogx COO Nicholas Taylor told the E-Commerce Times.
“Passwords, both in terms of the number needed and the complexity required, have jumped the shark. The result is that people reuse the same password or write them down,” he said.
“The illusion of security through the use of passwords is awful,” Taylor added. “I’m very glad to see the FIDO efforts, and I am cheering them on. Killing the use of passwords may be the single biggest improvement in security in the last 15 years.”
Weak or stolen login credentials were a factor in more than 76 percent of the breaches analyzed in Verizon’s 2014 Data Breach Investigations Report, the FIDO Alliance noted.
Alibaba, PayPal, Google
Both of FIDO’s specifications are unencumbered by FIDO member patents.
Members remain free to implement and market solutions around FIDO-enabled strong authentication, and nonmembers can deploy those solutions as well. Implementations currently available include products from Nok Nok Labs, Synaptics, Alibaba, Samsung and Google, as well as PayPal.
Also represented on the FIDO Alliance board of directors are ARM Holdings, Bank of America, BlackBerry, Discover Financial Services, Lenovo, MasterCard, Microsoft, Qualcomm and Visa.
Open and Patent-Free
“It’s impressive to see a group such as this come together and invest the resources needed to take on one of the largest problems in security,” said McCall Paxton, a security consultant with Netlogx.
“It’s even more impressive that it is open and patent-free,” he told the E-Commerce Times.
“I can think of no better way to make it more secure and widely available than this. No doubt security concerns will be found, but with this being open and patent-free, they just increased their ability to detect and mitigate it a hundredfold,” Paxton observed.
FIDO “could become a de facto standard, allowing the migration away from numerous — and sometimes bulky — different [authentication] products currently used to secure environments,” he suggested.
FIDO’s Universal 2nd Factor specification, in particular, is “a solid improvement over existing second factor hardware tokens, and it’s just as secure as smart cards,” said Brian Kelly, principal product marketing manager at Duo Security, which was involved in the spec’s development.
“I’m encouraged to see adoption of it,” he told the E-Commerce Times. “I’m glad to see any improvements to multifactor authentication that allow for a wider adoption.”