Ending the tyranny of passwords

Eliminating the hassle of entering multiple passwords to navigate secure sites online will spark heavier public use, possibly affecting federal networks down the road.


The developers of an emerging set of open, industry-backed standards for password-free and two-factor authentication say internal networks and public-facing websites could benefit from the capabilities, but not right away.

The FIDO (Fast IDentity Online) Alliance, an open industry consortium, began working two years ago to develop specifications for simpler, stronger authentication methods for commercial Internet ecosystems. The group has 150 members, led by heavy hitters in tech including Google, Samsung, Alibaba and PayPal. In December the alliance released the 1.0 versions of its two specifications, aimed at spurring password-free and two-factor authentication for financial and other password-protected transactions conducted over the Internet. The alliance doesn't make products using the standards, but licenses them to companies that do.

The specifications, according to the alliance, set a new security standard for devices, servers and client software, including browsers, browser plugins, and native app subsystems. Any website or cloud application can interface with a broad variety of existing and future FIDO-enabled authenticators, ranging from biometrics to hardware tokens, to be used by consumers, enterprises, service providers, governments and organizations of all types.

The specifications are in the early-adopter phase in the commercial sector, but FIDO Alliance Executive Director Brett McDowell told FCW in an interview that their ability to eliminate the hassle of entering multiple passwords online will spark heavier public use, possibly affecting federal networks down the road.

How FIDO would work

The Universal Authentication Framework (UAF) protocol stack, according to the alliance, can be loaded onto user devices that have a local authentication mechanism such as a fingerprint swipe, iris scan, voice print or PIN. That local check unlocks a cryptographic key held on the device; the biometric or PIN itself never leaves it. The device can then be registered to FIDO-ready servers or websites, eliminating the need to enter passwords multiple times.

The alliance's Universal Second Factor (U2F) protocol is aimed at creating a wider Web ecosystem of browsers, online service providers and operating systems that can add a strong second factor to user logins. The strong second factor allows the service to simplify its passwords, for example to a four-digit PIN, without compromising security.

Instead of entering a password, according to the alliance, users present the second factor during registration and authentication by pressing a button on a USB device or by tapping an NFC-enabled mobile device. The press or tap proves that a person is present; the device then signs a challenge from the site with a private key it holds for that site, and the site stores only the matching public key, so there is no shared secret for an attacker to phish or replay.
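The registration and login exchange described above, as an added example that is not code from the FIDO Alliance or from any shipping implementation: a simplified Go model of a U2F-style token and the website (relying party) it talks to. The site names, the key-handle derivation and the exact byte layout of the signed message are assumptions chosen for illustration (the real specification also wraps the key handle and attaches an attestation certificate at registration, both omitted here); what the model keeps is the security-relevant structure, a per-site P-256 key pair, a user-presence bit, a signature counter, and a server that verifies a signature over its own challenge instead of checking a password.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a U2F-style token (a constructed model, not the FIDO spec): one fresh P-256 key pair per registration, bound to the site it was registered for.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // key handle -> private key
	appOf   map[string][32]byte          // key handle -> SHA-256(appID) the key is bound to
	counter uint32                       // bumped on every signature so the site can spot a cloned token
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, appOf: map[string][32]byte{}} }

// Register mints a key pair for appID and returns an opaque key handle plus the public key.
func (a *Authenticator) Register(appID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	handle := fmt.Sprintf("%x", sha256.Sum256(priv.PublicKey.X.Bytes()))[:32] // assumed: opaque reference derived from the public key
	a.keys[handle] = priv
	a.appOf[handle] = sha256.Sum256([]byte(appID))
	return handle, &priv.PublicKey, nil
}

// signedMessage is what the token signs: SHA-256(appID) || user-presence byte || counter || SHA-256(clientData).
func signedMessage(appParam [32]byte, counter uint32, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	msg := append(append([]byte{}, appParam[:]...), 0x01) // 0x01: the user pressed the button
	msg = append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, cd[:]...)
}

// Authenticate refuses without a button press, or when the handle belongs to a different site; that second check keeps a phishing page from using a key registered to the real site.
func (a *Authenticator) Authenticate(appID, handle string, clientData []byte, buttonPressed bool) (uint32, []byte, error) {
	if !buttonPressed {
		return 0, nil, errors.New("user presence required")
	}
	priv, ok := a.keys[handle]
	if !ok || a.appOf[handle] != sha256.Sum256([]byte(appID)) {
		return 0, nil, errors.New("key handle not registered for this application")
	}
	a.counter++
	h := sha256.Sum256(signedMessage(a.appOf[handle], a.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return a.counter, sig, err
}

// RelyingParty models the website: it stores only public keys and the last counter seen per handle, never a secret.
type RelyingParty struct {
	AppID     string
	pubs      map[string]*ecdsa.PublicKey
	lastCount map[string]uint32
}

func NewRelyingParty(appID string) *RelyingParty { return &RelyingParty{AppID: appID, pubs: map[string]*ecdsa.PublicKey{}, lastCount: map[string]uint32{}} }
func (rp *RelyingParty) Enroll(handle string, pub *ecdsa.PublicKey) { rp.pubs[handle] = pub }

// NewChallenge returns a fresh random challenge; the site keeps it in the session and passes its own copy to Verify, so a response signed over anything else fails.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify rebuilds the message from the site's own appID and challenge, rejects a stale counter (replayed response or cloned token), and checks the signature.
func (rp *RelyingParty) Verify(handle string, challenge []byte, counter uint32, sig []byte) error {
	pub, ok := rp.pubs[handle]
	if !ok {
		return errors.New("unknown key handle")
	}
	if counter <= rp.lastCount[handle] {
		return errors.New("counter did not increase: replay or cloned token")
	}
	h := sha256.Sum256(signedMessage(sha256.Sum256([]byte(rp.AppID)), counter, challenge))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	rp.lastCount[handle] = counter
	return nil
}

func main() {
	token, site := NewAuthenticator(), NewRelyingParty("https://accounts.example") // hypothetical site
	handle, pub, _ := token.Register(site.AppID)
	site.Enroll(handle, pub)
	ch := NewChallenge()
	ctr, sig, _ := token.Authenticate(site.AppID, handle, ch, true)
	fmt.Println("login:", site.Verify(handle, ch, ctr, sig), "| replay of the same response:", site.Verify(handle, ch, ctr, sig))
}
```

Two things worth noticing when running it: a captured response cannot be replayed because the counter must strictly increase and the site signs nothing itself, and a request carrying a different appID (a look-alike domain) is refused by the token before any signature is produced, which is the property a password, typed into whatever page asks for it, cannot offer.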

As the standards are implemented more widely, McDowell said, federal agencies could see users accessing public-facing federal websites using technology based on the specs. There could also be future internal use by agencies' IT departments looking to streamline password protections, while bolstering security, he said.

The National Institute of Standards and Technology is watching development of the specs with interest, said Jeremy Grant, head of NIST's National Strategy for Trusted Identities in Cyberspace. Grant has said passwords are a big problem for user convenience and perseverance. On a panel at the Jan. 15 FIDO Alliance event in Washington, D.C., he called the specs a "terrific marketplace response" to the long-term security problems posed by vulnerable password protections.

A limited -- but growing -- variety of products incorporating the specifications are already in use in commercial trials. McDowell, who also spoke at the FIDO briefing, said Google's Chrome browser supports the standards, allowing users to log in to Google accounts and sites with FIDO-based security technology.

Grant said the near-term impact of the specifications on federal agencies will likely be "minimal," but noted that the effort echoes President Barack Obama's October call for multi-factor authentication capabilities for consumer and federal employee financial transactions.