Ending the tyranny of passwords

Shutterstock image: password security.

The developers of emerging commercial, collaborative electronic password-free and two-factor authentication standards say internal networks and public-facing websites could benefit from the capabilities, but not right away.

The FIDO (Fast IDentity Online) Alliance, and open industry consortium, began working two years ago to develop specifications for simpler, stronger authentication methods for secure commercial Internet ecosystems. The group has 150 members lead by heavy-tech hitters including Google, Samsung, Alibaba and PayPal. The alliance released the 1.0 versions of the two specifications in December, aimed at spurring password-free, two-factor authentication for commercial financial and other password-protected transactions conducted over the Internet. The alliance doesn't make products using the standard, but licenses it to companies that do.

The specifications, according to the alliance, set a new security standard for devices, servers and client software, including browsers, browser plugins, and native app subsystems. Any website or cloud application can interface with a broad variety of existing and future FIDO­enabled authenticators, ranging from biometrics to hardware tokens, to be used by consumers, enterprises, service providers, governments and organizations of all types.

The specifications are in the early-adopter phase in the commercial sector, but FIDO Alliance Executive Director Brett McDowell told FCW in an interview that the specifications' ability to help eliminate the hassle of entering multiple passwords online will spark heavier public use, possibly affecting federal networks down the road.

How FIDO would work

The Universal Authentication Framework (UAF) protocol stack, according to the alliance, can be loaded onto user devices that use a local authentication mechanism such as swiping a finger, iris ID, voice print, or PIN. The device can be registered to FIDO-ready servers or websites, eliminating the need to enter passwords multiple times.

The alliance's universal second factor protocol is aimed at creating a wider Web ecosystem of browsers, online service providers, operating systems that can authenticate users equipped with a strong second factor to user logins. The strong second factor allows the service to simplify its passwords, such as a four-digit PIN, without compromising security.

Instead of entering a password, according to the alliance, during registration and authentication, users presents the second factor by pressing a button on a USB device or tapping over near field communications on their mobile devices.

As the standards are implemented more widely, McDowell said, federal agencies could see users accessing public-facing federal websites using technology based on the specs. There could also be future internal use by agencies' IT departments looking to streamline password protections, while bolstering security, he said.

The National Institute of Standards and Technologies is watching development of the specs with interest, said Jeremy Grant, head of NIST's National Strategy for Trusted Identities in Cyberspace. Grant has said passwords are a big problem for user convenience and perseverance. On a panel at the Jan. 15 FIDO Alliance event in Washington, D.C., he called the specs a "terrific marketplace response" posed by the long term security problems posed by vulnerable password protections.

A limited -- but growing -- variety of products incorporating the specifications are already in use in commercial trials. McDowell, who also spoke at the FIDO briefing, said Google's Chrome browser supports the standards, allowing users to log in to Google accounts and sites with FIDO-based security technology.

Grant said the near-term impact of the specifications on federal agencies will likely be "minimal," but noted that the effort echoes President Barack Obama's October call for multi-factor authentication capabilities for consumer and federal employee financial transactions.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Government Innovation Awards
    Government Innovation Awards -

    Congratulations to the 2021 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

  • Acquisition
    Shutterstock ID 169474442 By Maxx-Studio

    The growing importance of GWACs

    One of the government's most popular methods for buying emerging technologies and critical IT services faces significant challenges in an ever-changing marketplace

Stay Connected