Ending the tyranny of passwords

Shutterstock image: password security.

The developers of emerging commercial, collaborative electronic password-free and two-factor authentication standards say internal networks and public-facing websites could benefit from the capabilities, but not right away.

The FIDO (Fast IDentity Online) Alliance, and open industry consortium, began working two years ago to develop specifications for simpler, stronger authentication methods for secure commercial Internet ecosystems. The group has 150 members lead by heavy-tech hitters including Google, Samsung, Alibaba and PayPal. The alliance released the 1.0 versions of the two specifications in December, aimed at spurring password-free, two-factor authentication for commercial financial and other password-protected transactions conducted over the Internet. The alliance doesn't make products using the standard, but licenses it to companies that do.

The specifications, according to the alliance, set a new security standard for devices, servers and client software, including browsers, browser plugins, and native app subsystems. Any website or cloud application can interface with a broad variety of existing and future FIDO­enabled authenticators, ranging from biometrics to hardware tokens, to be used by consumers, enterprises, service providers, governments and organizations of all types.

The specifications are in the early-adopter phase in the commercial sector, but FIDO Alliance Executive Director Brett McDowell told FCW in an interview that the specifications' ability to help eliminate the hassle of entering multiple passwords online will spark heavier public use, possibly affecting federal networks down the road.

How FIDO would work

The Universal Authentication Framework (UAF) protocol stack, according to the alliance, can be loaded onto user devices that use a local authentication mechanism such as swiping a finger, iris ID, voice print, or PIN. The device can be registered to FIDO-ready servers or websites, eliminating the need to enter passwords multiple times.

The alliance's universal second factor protocol is aimed at creating a wider Web ecosystem of browsers, online service providers, operating systems that can authenticate users equipped with a strong second factor to user logins. The strong second factor allows the service to simplify its passwords, such as a four-digit PIN, without compromising security.

Instead of entering a password, according to the alliance, during registration and authentication, users presents the second factor by pressing a button on a USB device or tapping over near field communications on their mobile devices.

As the standards are implemented more widely, McDowell said, federal agencies could see users accessing public-facing federal websites using technology based on the specs. There could also be future internal use by agencies' IT departments looking to streamline password protections, while bolstering security, he said.

The National Institute of Standards and Technologies is watching development of the specs with interest, said Jeremy Grant, head of NIST's National Strategy for Trusted Identities in Cyberspace. Grant has said passwords are a big problem for user convenience and perseverance. On a panel at the Jan. 15 FIDO Alliance event in Washington, D.C., he called the specs a "terrific marketplace response" posed by the long term security problems posed by vulnerable password protections.

A limited -- but growing -- variety of products incorporating the specifications are already in use in commercial trials. McDowell, who also spoke at the FIDO briefing, said Google's Chrome browser supports the standards, allowing users to log in to Google accounts and sites with FIDO-based security technology.

Grant said the near-term impact of the specifications on federal agencies will likely be "minimal," but noted that the effort echoes President Barack Obama's October call for multi-factor authentication capabilities for consumer and federal employee financial transactions.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.