Saying Goodbye to Passwords

By October 15, 2015CCG Catalyst

The sound you hear is the death knell for passwords, which are extremely ineffective as authenticators and awkward to use on mobile devices with their confined keyboards. Plus users continue to create weak passwords and or reuse old ones because they are difficult to manage.

The FIDO (Fast IDentity Online) Alliance a non-profit organization formed in July 2012 is trying to push passwords out the door. FIDO seeks to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. One study revealed that the average person has passwords for 19 different accounts.

The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that replace user reliance on passwords for secure authentication. This new standard for security devices and browser plug-ins allows any website or cloud application to interface with a wide assortment of current and forthcoming FIDO-enabled devices.

Before FIDO, when people wanted to log into multiple apps, users might have had to use many kinds of authentication mechanisms, such as one-time password tokens, smartphone apps and text message confirmations.

What FIDO proposes is to use something that people already have in their possession, such as a fingerprint or phone, and digitize these assets in such a way that the information isn’t shared with any of the providers or application vendors.

This has another advantage; each individual doesn’t have to keep track of the actual authentication procedure. This is one of the issues with single sign-on (SSO). Typically, the SSO system stores this information centrally.

Membership in the FIDO Alliance has grown beyond 200 companies, including Netflix and Microsoft, and government agencies.

FIDO standards authenticate every segment and use case, but financial services urgently need a better authentication method because accountholders demand privacy, security and convenience in all transactions. That explains the addition of financial service organizations such as Wells Fargo, Goldman Sachs, JP Morgan Chase Bank of America, Discover, MasterCard, PayPal, ING Bank, USAA and Visa to FIDO.

The FIDO effect is starting. Security vendors began implementation of draft standards published by the group. This includes the ability to use the Yubico USB touch-sensitive keys to authenticate Google Docs and Dropbox accounts.

Built-up demand in mobile payments markets accelerated the first deployment of FIDO authentication when PayPal, Samsung, Synaptics, and NokNok Labs joined forces to meet the need. FIDO board members Alibaba and NokNok Labs partnered to deliver FIDO authentication for securing mobile payments for 600 million Alipay users.

One of the largest impediments to the adoption of mobile banking has been security concerns on the part of consumers. Samsung has built its latest Galaxy phones with fingerprint sensors that support FIDO protocols, as well.

In another sign of things to come, NTT DOCOMO, INC., Japan’s market leading mobile network operator became the first telecom carrier to expand FIDO authentication into its network.

Recently DOCOMO integrated the authentication standards into its FIDO-Certified devices and extended into it its carrier billing services. The six DOCOMO smartphones feature biometric authentication supported by FIDO.

FIDO doesn’t solve every authentication issue. For example, users have to use something other than the FIDO protocols to verify the identity of the person attached to a fingerprint and guarantee access is granted to the given application. There are currently other vendors working on that solution.

In spite of the stumbling blocks, it represents a good beginning towards a more uniform approach to identity management and a well-deserved good-bye to passwords.

Paul Schaus is CEO & President at CCG Catalyst. Follow CCG Catalyst on Twitter and LinkedIn.