Giving FIDO A Longer Leash To Eliminate Web Passwords

New alliance gaining momentum in push to develop open architecture for authentication interoperability

Dark Reading logo in a gray background | Dark Reading

A new alliance of industry device makers, online relying parties, authentication vendors, and security experts is gaining steam as all interested parties seek a universal and open architecture approach to improve the way we authenticate online. Officially launched at RSA just a few months ago, the FIDO (Fast IDentity Online) Alliance has more than doubled its membership, gained new strategic board members in the form of Crucial Technologies and Google, and moved closer to its goal of achieving the Web security holy grail: eliminating dependence on usernames and passwords.

Though the specification isn't directly aimed at enterprise identity and access management (IAM), proponents of the alliance believe that its efforts could ripple over to make some of the core building blocks of IAM cheaper and easier to implement.

As it stands at the moment, Web authentication is one of the thorniest security problems the technology industry faces. Data from the past few years of data breaches should make that evident, says Michael Barrett, current president of FIDO and the CISO for PayPal, which is one of the founding members of the alliance.

"Most consumers pick poor passwords and then use those passwords across multiple sites on the Internet, thereby lowering the security of all of those customers accounts to the least secure place that they have ever visited," he says. "At the same time, criminals are able to rapidly defeat many of the classic defenses against password theft because of the development of GPU-based rainbow crackers."

[Can you see the error of your IAM ways? See 7 Costly IAM Mistakes.]

It's a miserable combination, says Emilio Martinez, a founding member of the alliance and CEO of Agnitio, a biometrics firm and first associate member of the alliance. He explains that a lack of security and user friendliness gives us "the worst of both worlds."

And while companies like PayPal may have the wherewithal to develop advanced risk-based authentication solutions for its customers, those larger relying parties are the exception rather than the rule, Barrett says.

FIDO aims to tackle the problem by creating an open architecture specification designed to act as the glue between on-device technology, strong-authentication devices and software, and the relying parties' server infrastructure. The intention is to create a platform for FIDO-enabled devices to smooth the way for interoperability between all existing and future products that make up the authentication ecosystem.

"We say use what you've got, use what's on the device, use what you've already deployed -- you can just deploy more of it faster, better, and easier using this," says Phil Dunkelberger, another board member and the CEO of Nok Nok Labs, a founding member of the alliance that recently launched specifically to develop software built on the impending specification. "You get an ecosystem benefit from which the relying parties benefit, end users benefit, device manufacturers benefit, and integrators benefit. Everybody wins because we're not out there goring anybody's ox. We don't pick winners on any of those things in the stack."

This open architecture approach is what drew Lenovo to the alliance, says Clain Anderson, director of software for Lenovo, another founding member. A longtime supporter of a similar push through the Trusted Computing Group (TCG) for the development of trusted computing modules to provide client-side device assurance, Lenovo backed FIDO because it solved a problem TCG couldn't.

"TCG accomplishes a lot of great things in terms of making sure the platform works well and you can trust the boot process," Anderson says. "But it never really got around the problem of how can you be sure of the authentication process? We like open standards, and this is the same kind of approach. There are a wide range of companies contributing, and so the chance of something weird or proprietary happening becomes pretty small."

It's likely the reason why the alliance has experienced such rapid growth in its ranks during the past few months and continued to convince heavy-hitters to join its board. The most recent coup was the addition of Google last week, which reported it joined to help build on internal efforts it has made to build out "strong, universal second-factor tokens," according to Sam Srinivas, product management director for information security at Google.

Such additions are critical for FIDO's success, Barrett says, because the FIDO specification still needs input and work from volunteers with a strong foundation in authentication technology.

"It’s vitally important that the specification is simple to implement, secure and simple, and that implementations are provably interoperable," he says. "This doesn’t come without a lot of work, and the additional members of the alliance are helping move the work forward quickly and at high quality."

Barrett says that beyond membership growth, FIDO has aggressive goals in 2013 to roll out a workable early version of the specification and to hopefully help manufacturers release millions of FIDO-enabled devices by the end of the year. As the alliance starts to achieve its long-term goals beyond that, enterprises could potentially see ripple-over benefits for corporate IAM.

"The FIDO Alliance is not directly aimed at the IAM space. However, enterprise authentication will significantly improve once the FIDO specifications become widely implemented, as the same problems exist in the enterprise space as do in the consumer space," he says. "The net impact is therefore likely to be that IAM-driven costs, such as account recovery, will be significantly reduced in a FIDO-enabled world."

Dunkelberger says he sees the residual IAM benefits for enterprises working much in the same way that Ethernet helped local area networking.

"Very similar to Ethernet, it's common plumbing, and it does it in a standard way, regardless of authentication technology, regardless of single sign-on, or any of those things," he says. "All we do is make it easier for you to hook up and be used by back-end systems. That's a big benefit because that is truly one of the biggest costs of turning on multifactor authentication."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message

About the Author

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights