Passwords are considered one of the weakest links in IT security: Users fail to create secure ones, forget them, fail to regularly change them or give them away in phishing scams.
On Tuesday the Fast IDentity Online Alliance (FIDO) a consortium of some of the biggest names in the industry released open specifications they say will bring passwords to an end by enabling authentication through biometrics and hardware tokens.
The alliance hopes the standard will be adopted by hardware and software vendors and cloud service providers for accessing everything from cloud computing Web sites, mobile devices, servers and client software. However, for it to be effective biometric-enabled devices — like fingerprint readers on smart phones — will have to be more widespread.
“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” alliance president Michael Barrett, said in a statement. “FIDO Alliance pioneers can forever lay claim to ushering in the ‘post password’ era, which is already revealing new dimensions in Internet services and digital commerce.”
Alliance members include handset makers BlackBerry and Samsung Electronics; Google; RSA; chipmaker Qualcomm; mobile chip designer ARM Holdings; Microsoft; Lenovo; Toronto-based authentication provider SecureKey ; Bank of America; PayPal and Visa.
Version 1.0 of the two specifications, which can be downloaded here. One is a protocol for creating biometric authentication, while the other enables the use of second factor devices users carry such as USB tokens. The alliance says the protocols are based on public key cryptography and “are strongly resistant to phishing.”
“It represents an awesome first step at a co-operative standard for doing good stuff with passwords,” James Arlen, Hamilton, Ont., based director of risk and advisory services with Leviathan Security Group, said in an interview. But there still needs to be widespread integration of biometric authentication devices. The proof of the alliance’s success, he said, will be how soon a big vendor or Web site that is not a member of the group adopts the protocols.
The passwordless protocol is called the Universal Authentication Framework (UAF) protocol. A user registers their device to an online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic or entering a PIN. Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. Multiple authentication mechanisms such as fingerprint plus PIN can be enabled.
The Universal Second Factor (U2F) protocol lets a user log in with a username and password plus demand a second factor device — a secure USB device or a device using Near Field Communications (NFC). The strong second factor allows the service to simplify its passwords without compromising security, says the alliance.
NFC and Bluetooth extensions will be added soon, the alliance says.
The alliance was created in February, 2013 to get around proprietary authentication solutions it says are either costly to manage or insufficient to scale.