Ending the tyranny of passwords
Eliminating the hassle of entering multiple passwords to navigate secure sites online will spark heavier public use, possibly affecting federal networks down the road.
The developers of emerging commercial, collaborative electronic password-free and two-factor authentication standards say internal networks and public-facing websites could benefit from the capabilities, but not right away.
The FIDO (Fast IDentity Online) Alliance, and open industry consortium, began working two years ago to develop specifications for simpler, stronger authentication methods for secure commercial Internet ecosystems. The group has 150 members lead by heavy-tech hitters including Google, Samsung, Alibaba and PayPal. The alliance released the 1.0 versions of the two specifications in December, aimed at spurring password-free, two-factor authentication for commercial financial and other password-protected transactions conducted over the Internet. The alliance doesn't make products using the standard, but licenses it to companies that do.
The specifications, according to the alliance, set a new security standard for devices, servers and client software, including browsers, browser plugins, and native app subsystems. Any website or cloud application can interface with a broad variety of existing and future FIDOenabled authenticators, ranging from biometrics to hardware tokens, to be used by consumers, enterprises, service providers, governments and organizations of all types.
The specifications are in the early-adopter phase in the commercial sector, but FIDO Alliance Executive Director Brett McDowell told FCW in an interview that the specifications' ability to help eliminate the hassle of entering multiple passwords online will spark heavier public use, possibly affecting federal networks down the road.
As the standards are implemented more widely, McDowell said, federal agencies could see users accessing public-facing federal websites using technology based on the specs. There could also be future internal use by agencies' IT departments looking to streamline password protections, while bolstering security, he said.
The National Institute of Standards and Technologies is watching development of the specs with interest, said Jeremy Grant, head of NIST's National Strategy for Trusted Identities in Cyberspace. Grant has said passwords are a big problem for user convenience and perseverance. On a panel at the Jan. 15 FIDO Alliance event in Washington, D.C., he called the specs a "terrific marketplace response" posed by the long term security problems posed by vulnerable password protections.
A limited -- but growing -- variety of products incorporating the specifications are already in use in commercial trials. McDowell, who also spoke at the FIDO briefing, said Google's Chrome browser supports the standards, allowing users to log in to Google accounts and sites with FIDO-based security technology.
Grant said the near-term impact of the specifications on federal agencies will likely be "minimal," but noted that the effort echoes President Barack Obama's October call for multi-factor authentication capabilities for consumer and federal employee financial transactions.