Password-free online authentication a step closer

The draft technical specifications for a new authentication protocol, which could eliminate the use of passwords in the future, have been released.

The Online Security Transaction Protocol (OSTP) was developed by the Fast IDentity Online (Fido) Alliance, an open industry consortium delivering standards for simpler, stronger authentication.

According to Forrester Research, the online services industry is seeing more than $200bn in annual losses from password breaches, while the Verizon 2013 Network Investigations Data Breach Report states that 76% of network intrusions exploit weak or stolen credentials.

The Fido Alliance protocol is aimed at helping companies eliminate passwords in favour of a much stronger multi-factor identity checks using a variety of alternatives.

These include biometrics, Trusted Platform Modules (TPMs), USB security tokens, embedded secure elements (eSEs) and smart cards.

The open specifications are designed to be extensible and accommodate future innovation, as well as protect existing investments in authentication technologies.

Fido specifications allow device-specific authentication capabilities to be used by online services within an interoperable infrastructure, giving service providers and users a choice of authentication methods.

PayPal CISO Michael Barrett bullish on password alternative standard
IT industry group releases password-killing standard
Forgot your password? FIDO Alliance works on authentication alternatives
PayPal CISO hopes FIDO Alliance can help replace weak passwords
The improved user authentication enabled by Fido specifications can also be federated using existing industry standards such as OpenID and SAML.

In the year since its launch, the Fido Alliance has grown from six founding members to almost 100, including Google, Mastercard, Microsoft, Nok Nok Labs, PayPal, RSA, Lenovo and Dell.

“With the public release of the review draft specifications, we especially welcome and anticipate new types of members coming from various enterprises,” said Michael Barrett, president of the Fido Alliance and CISO at PayPal.

“Furthermore, we encourage relying parties to begin testing their unique Fido authentication needs with the commercial solutions already available from many Fido member companies,” he said.

“There is a real interest in an industry in which it has always been difficult to get anyone to agree on anything,” said Phil Dunkelberger, CEO of Nok Nok Labs and a founding member of the Fido Alliance.

The publication of the draft technical specification for public comment demonstrates real progress, with version 1.0 expected to be finalised by the second half of 2014, he told Computer Weekly.

Dunkelberger believes that publication of the draft specification will help build momentum in adoption of the protocol, and that enterprises will soon begin using Fido-enabled means of authentication.

There is a real interest in an industry in which it has always been difficult to get anyone to agree on anything
“Many enterprise laptops are equipped with fingerprint readers, and I expect to see companies starting to turn these on and use them within the next three months,” he said.

This approach solves a big problem by enabling authentication at scale in user-friendly ways that use whatever is available on devices such as cameras, TPMs and fingerprint readers, said Dunkelberger.

“It is more secure and easier to use, which means it could be a game changer, with initial adoption this year, but with the real trajectory becoming apparent in 2015,” he said.

Dunkelberger expects Fido-enabled authentication to have steep adoption curve similar to that of Wi-Fi. “Nothing else enables risk-based decisions on the fly,” he said.

Now that the draft specification has been published, he predicts that within 18 months there will be between 200 and 400 million devices available with the Fido software client.

Fido Alliance members are already developing Fido Ready products and services based on early draft specifications. These include AGNITiO, Go-Trust, Nok Nok Labs, NXP Semiconductors, and Yubico.

In October 2013, The Fido Alliance began a certification program with Fido Ready branding for implementations passing conformance and interoperability testing to early draft specifications.

Fido members are featuring Fido Ready products at this month’s Mobile World Congress 2014 (MWC 2014), RSA Security Conference and FIDO Public Forum Event in Palo Alto California.


Leave a Reply