Ending the tyranny of passwords
- By Mark Rockwell
- Jan 16, 2015
The developers of emerging commercial, collaborative electronic password-free and two-factor authentication standards say internal networks and public-facing websites could benefit from the capabilities, but not right away.
The FIDO (Fast IDentity Online) Alliance, and open industry consortium, began working two years ago to develop specifications for simpler, stronger authentication methods for secure commercial Internet ecosystems. The group has 150 members lead by heavy-tech hitters including Google, Samsung, Alibaba and PayPal. The alliance released the 1.0 versions of the two specifications in December, aimed at spurring password-free, two-factor authentication for commercial financial and other password-protected transactions conducted over the Internet. The alliance doesn't make products using the standard, but licenses it to companies that do.
The specifications, according to the alliance, set a new security standard for devices, servers and client software, including browsers, browser plugins, and native app subsystems. Any website or cloud application can interface with a broad variety of existing and future FIDOenabled authenticators, ranging from biometrics to hardware tokens, to be used by consumers, enterprises, service providers, governments and organizations of all types.
The specifications are in the early-adopter phase in the commercial sector, but FIDO Alliance Executive Director Brett McDowell told FCW in an interview that the specifications' ability to help eliminate the hassle of entering multiple passwords online will spark heavier public use, possibly affecting federal networks down the road.
As the standards are implemented more widely, McDowell said, federal agencies could see users accessing public-facing federal websites using technology based on the specs. There could also be future internal use by agencies' IT departments looking to streamline password protections, while bolstering security, he said.
The National Institute of Standards and Technologies is watching development of the specs with interest, said Jeremy Grant, head of NIST's National Strategy for Trusted Identities in Cyberspace. Grant has said passwords are a big problem for user convenience and perseverance. On a panel at the Jan. 15 FIDO Alliance event in Washington, D.C., he called the specs a "terrific marketplace response" posed by the long term security problems posed by vulnerable password protections.
A limited -- but growing -- variety of products incorporating the specifications are already in use in commercial trials. McDowell, who also spoke at the FIDO briefing, said Google's Chrome browser supports the standards, allowing users to log in to Google accounts and sites with FIDO-based security technology.
Grant said the near-term impact of the specifications on federal agencies will likely be "minimal," but noted that the effort echoes President Barack Obama's October call for multi-factor authentication capabilities for consumer and federal employee financial transactions.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.