PayPal, Lenovo spearhead effort to kill passwords

Summary: FIDO Alliance aligns smart devices and authentication, but will its scope be broad enough and its appeal wide enough?

An alliance including PayPal and PC-maker Lenovo Tuesday introduced a new authentication system designed to eliminate passwords and add tighter security to online accounts. 

FIDO, short for Fast Identity Online, is an alliance formed last July to address strong authentication and reduce the use of passwords through a combination of hardware, software, and services.

In general, FIDO gives devices such as smartphones a much more central role in authentication and uses cryptographic methods to pass information to back-end servers, so log-in data is neither sent over the wire nor stored on the back-end where it can be stolen.

The recent plague of password thefts from services such as Twitter and LinkedIn and retailers such as Apple and Zappos has highlighted the vulnerabilities and weaknesses of traditional user names and passwords for online authentication.

Observers say FIDO needs to adequately define its scope and its value, and that it will face an uphill battle rallying the industry to its technology.

On Tuesday, the FIDO Alliance released its Reference Architecture, which spells out the fundamentals of its system.

Later this year, the alliance will unveil the FIDO protocol, which it hopes to eventually standardize through an existing standards body such as the Internet Engineering Task Force or the World Wide Web Consortium.

The protocol is designed to fuel interoperability, which the alliance hopes leads to large-scale acceptance among vendors and end-users.

The alliance's technical leadership team is working now to develop use cases and focus on interoperability testing.

In order for FIDO to prosper, companies would have to load FIDO on their servers and get end-users to do the same on their devices. Alternatively, Web and mobile developers could build the software into their applications.

The technology is designed to work with Web browsers and Web-based applications.

The FIDO protocol would leverage existing device hardware such as TPM chips, Near Field Communication and One-Time Passwords, along with biometric devices such as fingerprint readers, microphones, and cameras, to support two-factor authentication.

Web sites use dynamic discovery to determine whether a device is FIDO-enabled and which authentication methods it supports.

"Once the client piece is in place, it will let the [Web site] know what types of authentication are available," said Ramesh Kesanupalli, vice president of the FIDO Alliance.

In addition, server-side FIDO software provisions a secret into the device that is then used to establish trust. In this way, the alliance contends, FIDO is unlike Transport Layer Security (TLS), which assumes a pre-existing trust relationship between clients and servers.

The alliance plans to align its protocol with existing authentication and authorization standards, including OAuth 2.0 and OpenID Connect. The group said it will not tackle federated identity management, but will seek to complement that technology.

To succeed, the FIDO Alliance will have to sign up significantly more members beyond the six initial co-founders (PayPal, Lenovo, Agnitio, Validity, Nok Nok Labs, Infineon). And it will have to contend with authentication systems already being developed by behemoths such as Salesforce.com, Google and Facebook.

The alliance has a good pedigree in FIDO President Michael Barrett, CIO of PayPal. Barrett, then vice president of internet strategy at American Express, was instrumental in the early success of the Liberty Alliance, which is now part of the identity industry organization the Kantara Initiative.

"It appears to be a good effort, but my two concerns are its small ecosystem and that it may not serve a larger audience," said Ian Glazer, an analyst with Gartner. He said FIDO could potentially align with the National Strategy for Trusted Identities in Cyberspace (NSTIC), which is aimed at creating an identity layer for the Internet.

"I think the real hurdle is conceptual," said Stephen Wilson, founder of the Lockstep Group, identity consultants and researchers based in Australia. "The identity problem needs to be re-cast. I hope more details are coming but on its face, FIDO doesn't bring new insights." Wilson says mobile devices are a once-in-a-generation opportunity to cement really good hardware-based security for the next 20 years. "Chipped devices - cards, SIMs, MIMs, smartphones and the like - are the technologies that solve the human-machine interface problem, and are natural containers for as many non-replayable credentials as we like. Some of the FIDO founders play in these smart technologies, so I hope they can work to lift the bar across the board."

Topics: Security, Networking, Smartphones

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y...
