PayPal, Lenovo spearhead effort to kill passwords

Summary: FIDO Alliance aligns smart devices and authentication, but will its scope be broad enough and its appeal wide enough?


An alliance including PayPal and PC-maker Lenovo Tuesday introduced a new authentication system designed to eliminate passwords and add tighter security to online accounts. 

FIDO, short for Fast Identity Online, is an alliance formed last July to address strong authentication and reduce the use of passwords through a combination of hardware, software, and services.

In general, FIDO gives devices such as smart phones a much more central role in authentication and uses cryptographic methods to pass information to back-end servers so that log-in data is neither sent over the wire nor stored on the back-end, where it could be stolen.

The recent plague of password thefts from services such as Twitter and LinkedIn and retailers such as Apple and Zappos has highlighted the vulnerabilities and weaknesses of traditional user names and passwords for online authentication.

Observers say FIDO needs to adequately define its scope and its value, and that it will face an uphill battle rallying the industry to its technology.

On Tuesday, the FIDO Alliance released its Reference Architecture, which spells out the fundamentals of its system.

Later this year, the alliance will unveil the FIDO protocol, which it hopes to eventually standardize through an existing standards-body such as the Internet Engineering Task Force or the World Wide Web Consortium.

The protocol is designed to fuel interoperability, which the alliance hopes leads to large-scale acceptance among vendors and end-users.

The alliance's technical leadership team is working now to develop use cases and focus on interoperability testing.

In order for FIDO to prosper, companies would have to load FIDO on their servers and get end-users to do the same on their devices. Alternatively, Web and mobile developers could build the software into their applications.

The technology is designed to work with Web browsers and Web-based applications.

The FIDO protocol would leverage existing device hardware such as TPM chips, Near-Field Communications and One-Time Passwords, along with biometric devices such as fingerprint readers, microphones, and cameras, to support two-factor authentication.

Web sites use dynamic discovery to determine whether a device is FIDO-enabled and what authentication methods it supports.

"Once the client piece is in place, it will let the [Web site] know what types of authentication are available," said Ramesh Kesanupalli, vice president of the FIDO Alliance.

In addition, server-side FIDO software provisions a secret into the device that is then used to establish trust. In this way, the alliance contends FIDO is unlike Transport Layer Security (TLS), which assumes a pre-trust relationship with clients and servers.
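The two paragraphs above describe the property the alliance is after: the server keeps nothing a thief could reuse as a credential, and the device proves possession of a key by answering a fresh challenge. The Go program below is an added illustration of that challenge-response pattern; it is not the FIDO protocol (which the article says is not yet published) and not code from the alliance. Its assumptions are labelled in the comments: the device generates a key pair locally and the server stores only the public key (the article instead describes the server provisioning a secret into the device, so the key-origin choice here is mine); the names `Authenticator`, `RelyingParty`, `bank.example` and `phish.example` are hypothetical. It also shows two checks a practitioner would want regardless of the exact protocol: a consumed challenge cannot be replayed, and a response signed for a different site is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the client-side key holder (a secure element,
// TPM or similar). The private key is generated here and never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// NewAuthenticator creates a fresh P-256 key pair on the device.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only thing handed to the server at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge. The relying party's identifier is mixed into the
// signed digest so a challenge issued by one site cannot be answered for another.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty stands in for the web site's back-end. It stores public keys
// and outstanding one-time challenges only: no passwords, no shared secrets.
type RelyingParty struct {
	ID         string
	users      map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register records a user's public key. Stealing this table yields nothing reusable.
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// BeginLogin issues a fresh 32-byte random challenge for the user.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// FinishLogin verifies the signature over (rp.ID, challenge) and consumes the
// challenge first, so the same signed response can never be accepted twice.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) error {
	c, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.challenges, user)
	digest := sha256.Sum256(append([]byte(rp.ID+"|"), c...))
	if !ecdsa.VerifyASN1(rp.users[user], digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Scenario runs registration, a legitimate login, a replay of the same response,
// and a response signed for a different site, and reports which checks held.
func Scenario() (loginOK, replayRejected, wrongOriginRejected bool, err error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return
	}
	rp := NewRelyingParty("bank.example") // hypothetical relying party
	rp.Register("alice", auth.PublicKey())

	c, err := rp.BeginLogin("alice")
	if err != nil {
		return
	}
	sig, err := auth.Sign(rp.ID, c)
	if err != nil {
		return
	}
	loginOK = rp.FinishLogin("alice", sig) == nil
	replayRejected = rp.FinishLogin("alice", sig) != nil // challenge already consumed

	if c, err = rp.BeginLogin("alice"); err != nil {
		return
	}
	if sig, err = auth.Sign("phish.example", c); err != nil { // signed for the wrong site
		return
	}
	wrongOriginRejected = rp.FinishLogin("alice", sig) != nil
	return
}

func main() {
	ok, replay, origin, err := Scenario()
	fmt.Println("login:", ok, "replay rejected:", replay, "wrong origin rejected:", origin, "err:", err)
}
```

Run with `go run .`; the expected line is `login: true replay rejected: true wrong origin rejected: true err: <nil>`. The point of the design is the asymmetry the article describes: a breach of the relying party's user table exposes only public keys, while the private key stays on the device, and every login answers a nonce that is discarded once used.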

The alliance plans to align its protocol with existing authentication and authorization standards, including OAuth 2.0 and OpenID Connect. The group said it will not tackle federated identity management, but will seek to complement that technology.

To succeed, the FIDO alliance will have to sign up significantly more members beyond the six initial co-founders (PayPal, Lenovo, Agnitio, Validity, Nok Nok Labs, Infineon). And it will have to contend with authentication systems already being developed by behemoths such as Google and Facebook.

The alliance includes good pedigree in FIDO President Michael Barrett, CIO of PayPal. Barrett, then vice president of internet strategy with American Express, was instrumental in the early-days success of the Liberty Alliance, which is now part of the identity industry organization the Kantara Initiative.

"It appears to be a good effort, but my two concerns are its small ecosystem and that it may not serve a larger audience," said Ian Glazer, an analyst with Gartner. He said FIDO could potentially align with the National Strategy for Trusted Identities in Cyberspace (NSTIC), which is aimed at creating an identity layer for the Internet.

"I think the real hurdle is conceptual," said Stephen Wilson, founder of the Lockstep Group, identity consultants and researchers based in Australia. "The identity problem needs to be re-cast. I hope more details are coming but on its face, FIDO doesn't bring new insights." Wilson says mobile devices are a once-in-a-generation opportunity to cement really good hardware-based security for the next 20 years. "Chipped devices - cards, SIMs, MIMs, smartphones and the like - are the technologies that solve the human-machine interface problem, and are natural containers for as many non-replayable credentials as we like. Some of the FIDO founders play in these smart technologies, so I hope they can work to lift the bar across the board. "

Topics: Security, Networking, Smartphones


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.



  • So now I can't login to the server farm without a smart phone?

    Right now, I have a pseudo-random-number-generator dongle to keep things secure, and sometimes I forget to bring it with me, and then need to drive back home to get it.

    One of my co-workers had his phone break and needed to send it back for repairs/replacement.

    There must be a better way.
  • Interesting article,

    I'm not sure how easy this will be to implement though. As "mheartwood" mentions, forgetting, losing, or having a device break or stolen might result in significant hassle. Researchers already showed that facial recognition scans can be bypassed... it will be interesting to see what method(s) eventually do come out that are reliable and more secure than the present password systems currently in use.
  • PayPal/PreyPal ...

    The ugly reality for consumers, particularly smaller payees, dealing with the clunky, unscrupulous PayPal ...
    Philip Cohen
  • So...

    All I have to do is take your smart phone instead of having to beat the passwords out of you? Cool, should save a lot of time.
  • So, not really a universal situation

    First, you have to get the client to not only install this software on their servers, but the client then has to convince their customers to install it on their systems.

    Then, the client has to pick the type of hardware authentication they're going to use with it, and again convince their customers that the cost of that additional hardware is worth the supposed security it brings.

    And therein lies the rub: "supposed" security. It's like they're making this out to be the equivalent of a timelocked bank vault, when it's really going to be like a deadbolt lock. Sure, deadbolts are harder to open than standard door locks...but they're not impossible to defeat (lock picks, drills, crowbars, or even just brute force kicking it down...especially if the door frame, door hinges, or even the door itself aren't very sturdy). Someone stole your passkey dongle? Now they have access to your password. Misplace your smartphone? Now someone not only has access to your email/contacts/apps & web history, but they can use the NFC chip to rack up charges just like if they'd stolen your credit card. Need to access a particular website, but you left your TPM-equipped laptop at home? Sorry, Charlie, you can't access it now, *even though you actually are who you say you are*. As for biometrics...unless technology has progressed to the point of being able to distinguish a) someone's "real" fingerprint vs. someone who's super-glued a copy of the other person's fingerprints onto their fingertips, b) a recording of someone's voice saying a particular passphrase -- or even someone using a digital voice synthesizer to mask their own voice & make it sound like someone else's based on sound samples -- vs. the actual person's real voice (especially given the digital distortion you tend to get from telephones, especially cellphones), and c) can distinguish between a prerecorded webcam feed vs. a live webcam feed, and be able to do all 3 of these 100% of the time, it's not going to provide any more security than you can get with stringent password policies.
  • The button and the finger.

    Any button, any finger. The button doesn't know what or who has just pressed it. The far end is ignorant and happy that it got a correct response. So, what make me, me?
  • think of it

    as long as you are asleep with your cell phone next to you - on plane, in a waiting room - someone can take your phone, position it in front of your face - and bingo - they are in.
  • If PayPal has anything to do with it....

    I don't want any part of it, PayPal has very bad customer service and is not a good company in my opinion.
  • Re-casting the identity problem

    Full disclosure: I represent the FIDO Alliance.

    Stephen Wilson brings out an important point and one the FIDO Alliance achieves: re-casting the identity problem. The FIDO open authentication standard does this elegantly by concentrating the power and information to authenticate on the client side. The FIDO algorithm is fitted as a “secure element” wherever a small execution space and key storage place can be accommodated, as in certain classes of fingerprint and other biometrics sensors, NFC Chips, SIM cards. That “secure element” –the FIDO algorithm--communicates all the way to the back-end server where a Relying Party, like PayPal or any website, has access as they need it to authenticate users or challenge user authentication…but only as needed. This isn’t shared or revealed information, but client-side stored, protected identity verification that is available only as needed in the authentication process or challenge. By storing the user information only on the client-side, the user information is never exposed or at risk of compromise. This approach positions FIDO as a new paradigm in authentication. Mr. Wilson is correct about the need, and FIDO does “recast the identity problem.” In fact, FIDO is so different, we realize it’s going to take some investigation by the experts to understand the changes we’re making. We’ve invited Mr. Wilson to talk and are doing so in a few hours.
    The FIDO Alliance
  • It's a nice dream...

    I run an enterprise. It's nice to think of 1,000 people all remembering to bring in their security-devices...but the idea - at least for the enterprise - isn't grounded in reality.

    Out of a thousand workers, quite a large number forget their password each day. No problem, we just reset and they re-authenticate with new credentials. But lost or forgotten hard-tokens are a very different animal; I would have to give them temporary "soft-credentials" (which defeats the purpose), or else I have to issue them a new hard-token, or else I have to log them on several times that day.

    Then there is the inevitable: "Did you lose the security-device, or forget it?"...."Ummmm...I'm not sure...I think I left it at McDonalds"
    • Don't can become your own authenticator

      It may be in many enterprises, that if employees want to walk through the front door, they would have to remember to bring a token, but on online and mobile authentication using computer or phone, FIDO Authenticators are likely to be built-in, per Lenovo, at least. Employees should be able to just look at their webcams or speak or lay their finger on a reader...easy, no remembering, no forgetting.
    • If someone forgets their key, what do you REALLY want to do?

      I think we're at a relatively early stage of the evolution of human factors engineering for infosec. We harbor uncertainties and preconceived notions about information security and we're still shaking them out. It's a bit like what happened with ATMs. Before we actually had much experience of them, many were skeptical. They asked 'what if I leave that plastic card behind?' or 'what if I forget the PIN?'. They catastrophised scenarios that turned out to be (a) rare once we were habituated to new ways of working, and (b) not fatal anyway. We're at a similar stage with authentication.

      With computer security, I say we should look back on real world security. We conspicuously take far less care with computer log-on than we do with car keys or house keys. Yet the resources tied up in online accounts are comparable to our real world assets. Indeed, for most of us, all our money is online. With good old physical keys we get security and convenience at the same time. And we have a form factor that has remained the same over 100+ years while being steadily improved with copy protection features.

      So if we review real world security practices, what do you REALLY think should happen if someone leaves their authenticator (key) at home? Maybe they should have to go home and get it? They'll probably learn a lesson.

      Think about car keys. Of course it's a total pain in the arse to lose your keys, but the very difficulty represents security. You don't want it to be too trivially easy to jemmy or to re-key a car lock. We are in dire straits with computer security precisely because it's unreal how easy it is to re-key a password.

      [By the way, the fatal problem with biometrics is it's *impossible* to "re-key" a biometric lock in the event someone clones or synthesises your trait.]
  • That is why

    we are going to be using a chip enabled ID card, you have to have it to get on site, and soon to login to your computer, we all have card readers connected, pull the card and your system is locked. My only problem is how is an 8 digit number that secure? Sure it would take a while for someone sitting at the computer trying combinations. It is just like trying to figure out a laptop cable lock combination and it is only 4 digits! Usually people use a combination that has meaning to them, and that can be found out by a serious thief/hacker.
  • by the time they implement it...

    the hackers will have already found a workaround

    having said that, perhaps it will be an improvement... won't know until it hits the street
  • Gonna need a lot more than "re-casting."

    Gonna need a lot more than "re-casting." Gonna need lots of buy-in.

    Which, if previous attempts at some sort of universal authentication is any indication, is very difficult to get.

    Good luck, have fun. I won't be holding my breath, though.
  • Plenty of new insights after all!

    Ok, so I just got off a teleconference with FIDO Alliance. They graciously gave me a lot of time and access to their brains trust. Evidently they are doing something quite different, creating a technological chain of accountability that will allow users to swap pretty freely between approved authentication devices.

    I gladly retract my earlier remark that there are no fresh insights here. It seems to me that FIDO is sticking to the technology problems -- and that is really fresh! I understand there are to be no new real time intermediaries between User and Relying Party. Instead, the FIDO server is a piece of software integrated at the RP back-end that allows the RP to validate client side technologies and to receive metadata about the client side environment. The FIDO protocols seem to provide something of an extra channel to tell RPs more about the client side condition; in and of itself that could do a lot to help boost security and privacy. The basic aim is to prove to the back-end that the user is presenting one of a family of approved technologies.

    It's interesting actually to reflect on the psychology of how we react to new technologies. My initial skepticism was shaped by a great deal of baggage I have (we all have) in identity. I think we've been trained over the years to regard "ecosystems" and IDM diagrams in a particular way. When I see an ellipse in a diagram labelled "Validation Service", linked to a website and a user, I presume that ellipse is a real time intermediary. And from there I assume we're talking about yet another third party coming in to complicate all the nice stable existing arrangements. If you know my work, you'll know I think the problem with IDM is it usually turns technology problems into intractable business problems.

    It looks like FIDO is a lot more elegant than that. Their diagrams may need some re-work to avoid some of the loaded visual language, but if the alliance does indeed avoid messing with the way business is done between service providers and their customers, then this initiative could be really good.


    Steve Wilson, Lockstep Group, Sydney.
  • PayPal closed my account and kept my money..

    I would never, ever use a service PayPal is a part of based on personal experience. Let's all pray FIDO never materializes.
    After applying for a PayPal debit card, PayPal closed my account and told me I have to wait 6 months to get the $2300 dollars I had. I was told my account was closed due to my credit score. So, I tried to log in last month to withdraw my funds after the 6 months had passed and my account was gone as if it never existed. Poof! Now you see it, now you don't.. Looking for answers, I called PayPal on the phone and was unsuccessful in getting any useful answer. I called PayPal again on the phone to find out where my money is as it has been over 7 months now. A young girl answered and said I could subpoena them if I want. This is not an acceptable response. I want to know why I can no longer access the balance on my PayPal or get my money out. The cost to retain a lawyer is double the $2300 they are holding from me.
    If anyone has had a similar experience and could assist me with some answers, please contact me at my email,