FIDO progress on passwords

Since the early iterations of user names and passwords, the road to creating a simple but secure online experience has been a long and winding one. With the advent of mobile devices has come considerable additional pressure on the industry to come up with ways to provide a seamless user experience while delivering flawless security. Biometrics (mainly in the form of fingerprint and iris scanning) have long been considered a preferred authentication method, but efforts to date have tended to be proprietary and hence siloed.

This barrier to the adoption of consistent approaches to security is the impetus behind the formation of the FIDO (Fast Identity Online) Alliance. Launched in 2012 to address the lack of interoperability in authentication methods, the Alliance now boasts more than 200 members, including Google, Microsoft, Intel, Qualcomm, Samsung, PayPal, Lenovo, MasterCard and Visa.

FIDO’s stated mission is “to develop technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.” The hope is that a new standard for securing devices and browser plugins will enable any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user uses to negotiate the online world.

Mike Lynch, chief strategy officer, InAuth
Mike Lynch, chief strategy officer, InAuth

Mike Lynch, chief strategy officer for InAuth, a mobile security company and member of the FIDO Alliance, said that if FIDO is successful in getting all companies to agree to a common biometric authentication standard for mobile and desktop devices, it will herald a huge change in the authentication world. “In time we may get beyond passwords and user IDs to using just fingerprint or iris scanner, which is easier and more secure for users. It would be nice if instead of Bank A working in a silo or Bank B – or vendor A or B for that matter – [they used the same methods.] Authentication would be easier and more secure if we could make sure everyone is doing it the right way.”

FIDO has completed work on two v1.0 protocols, which were published in December 2014: the password-less protocol called Universal Authentication Framework (UAF); and the second factor protocol called Universal 2nd Factor (U2F). In 2015, FIDO’s focus turned to addressing authentication need in technologies that have been brought to market. Future work will be focused on ensuring that major software platforms have FIDO built ­in to ensure that users have an intuitive, simple experience right out of the box.

As with any drive for universal standards, the mission may be sound, but the execution presents significant challenges. Despite its best efforts, Lynch contended that FIDO can only drive the promise of consistent authentication so far. The rest is up to the vendors, financial institutions and other organizations who will have to respond to consumer demand. “Customers are clearly frustrated with vulnerabilities – and that’s a good thing. Once they try out biometric authentication, they will expect other providers to offer the same capabilities. In order to compete, device manufactures and others will have to follow suit.”

As hard as FIDO tries, universal authentication won’t happen overnight, Lynch said. “Eliminating passwords may take years. But I do believe when the options are presented to customers, adoption can be quite fast. We introduced two authentication solutions for Samsung and iPhone with fingerprint reading capabilities and adoption was around 50 percent. And once customers use it, they never want to go back to using a password.”

Vendors for their part are not averse to putting in the effort needed to certify their products today, he said. “As vendors come out with devices with built-in fingerprint readers or biometric scanners, that will help drive adoption as will software-based solutions. Microsoft, for example, has already introduced a FIDO solution in [the Anniversary edition of] Windows 10.”

FIDO is currently in the stages of finalizing its v2.0 specification, which has been delayed until February of 2017 according to the latest updates – a factor that could influence uptake. “Right now people are left with the dilemma of whether to use 1.0 or wait for 2.0, if and when it comes into being,” Lynch said.

Bob O’Donnell, president and chief analyst, TECHnalysis Research
Bob O’Donnell, president and chief analyst, TECHnalysis Research

Bob O’Donnell, president and chief analyst with TECHnalysis Research, in an article entitled The digital identity dilemma, has espoused a bright future for virtual ID “cards” that will dramatically change how quickly and easily we use web services, transact business online and protect ourselves from fraud or identity theft. In it he provides a compelling case for the role FIDO will play in bringing about the age of the “portable digital identity.”

While it may take years to abolish the password, O’Donnell believes the FIDO Alliance represents an important step. “The beauty of what the FIDO Alliance is that it is trying to provide something that can be translatable to real people in an understandable way,” he said in a recent interview. “If you dig into security and authentication, it has always been messy and proprietary and often only a portion of a solution. The idea of pulling together a whole bunch of different elements into a more complete solution – that’s what will drive the portable digital identity.”

He admitted that there are multiple layers of issues that need to be solved to make it work across multiple devices and operating systems. “Issue number one is that it has to cross platforms. Second, it need to focus on multi-factor authentication – either both biometric or a combination of biometric and password. The final piece will be the ability to extend it beyond a single device or platform to other devices and even onto the web.”

Where data is stored (locally or in the cloud) is another significant factor, he added. “People increasingly want the ability to do fingerprint [scanning] and have that data cached, encrypted and stored on the device. In that way, a digital copy of the fingerprint does not get transferred to the web, but is instead converted into a one-time-use key that has no value if stolen.”

In O’Donnell’s view, the biggest news coming out of the Alliance is the submission of the FIDO 2.0 Web APIs to the W3C Internet standards body. This move is part of an effort to allow digital identity and authentication credentials to be passed from device to device, and even device to website. “You will be able to authenticate yourself on a FIDO-enabled device using a biometric mechanism, and those credentials can be passed via Bluetooth or other transfer method to your PC so you can do online banking or other transactions without ever having to enter a password,” he explained.

“All in all, it’s a more robust and safer way do things than passing along that identity to other devices and services. Moving it to the web and making it transferable is a huge step that is already starting to happen. That’s where things will get very exciting.”

1 COMMENT

LEAVE A REPLY