PayPal, Lenovo spearhead effort to kill passwords
Summary: FIDO Alliance aligns smart devices with authentication, but will its scope be broad enough and its appeal wide enough?
An alliance including PayPal and PC-maker Lenovo Tuesday introduced a new authentication system designed to eliminate passwords and add tighter security to online accounts.
FIDO, short for Fast Identity Online, is an alliance formed last July to address strong authentication and reduce the use of passwords through a combination of hardware, software, and services.
In general, FIDO gives devices such as smart phones a much more central role in authentication and uses cryptographic methods to pass information to back-end servers, so log-in data is neither sent over the wire nor stored on the back-end where it can be stolen.
The recent plague of password thefts from services such as Twitter and LinkedIn and retailers such as Apple and Zappos has highlighted the vulnerabilities and weaknesses of traditional user names and passwords for online authentication.
Observers say FIDO needs to adequately define its scope and its value, and that it will face an uphill battle rallying the industry to its technology.
On Tuesday, the FIDO Alliance released its Reference Architecture, which spells out the fundamentals of its system.
Later this year, the alliance will unveil the FIDO protocol, which it hopes to eventually standardize through an existing standards body such as the Internet Engineering Task Force or the World Wide Web Consortium.
The protocol is designed to fuel interoperability, which the alliance hopes leads to large-scale acceptance among vendors and end-users.
The alliance's technical leadership team is working now to develop use cases and focus on interoperability testing.
In order for FIDO to prosper, companies would have to load FIDO on their servers and get end-users to do the same on their devices. Alternatively, Web and mobile developers could build the software into their applications.
The technology is designed to work with Web browsers and Web-based applications.
The FIDO protocol would leverage existing device hardware such as TPM chips, Near-Field Communications and One-Time Passwords, along with biometric devices such as fingerprint readers, microphones, and cameras, to support two-factor authentication.
Web sites use dynamic discovery to determine whether a device is FIDO-enabled and which authentication methods it supports.
"Once the client piece is in place, it will let the [Web site] know what types of authentication is available," said Ramesh Kesanupalli, vice president of the FIDO Alliance.
In addition, server-side FIDO software provisions a secret into the device that is then used to establish trust. In this way, the alliance contends, FIDO is unlike Transport Layer Security (TLS), which assumes a pre-existing trust relationship between clients and servers.
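As an added illustration (not FIDO's own protocol or code, which the alliance had not published when this article ran), the following Go program sketches the property the article describes: the back-end keeps no reusable login secret, and nothing that crosses the wire can be replayed. It assumes a public-key variant in which the device generates its own key pair at enrolment rather than receiving a server-provisioned secret; the type names Authenticator and RelyingParty, the origin strings and the user names are invented for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the client-side device (phone, TPM-backed laptop).
// The private key is generated here and never leaves; only signatures do.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// RelyingParty models the web site's back-end. It stores only public keys
// and one outstanding challenge per user, so a stolen user table contains
// nothing that can be replayed as a login.
type RelyingParty struct {
	origin  string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{
		origin:  origin,
		users:   make(map[string]ed25519.PublicKey),
		pending: make(map[string][]byte),
	}
}

// Register: the device creates a fresh key pair for this site and hands the
// relying party only the public half (hypothetical enrolment step; in practice
// it would run inside an already-authenticated session).
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.priv = priv
	rp.users[user] = pub
	return nil
}

// Challenge issues a fresh random nonce for a registered user. A new
// challenge replaces any outstanding one.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.pending[user] = nonce
	return nonce, nil
}

// signedData binds the challenge to the origin the device believes it is
// talking to, so a response collected on a lookalike site does not verify
// on the genuine one.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator between origin and challenge
	h.Write(challenge)
	return h.Sum(nil)
}

// Respond signs the challenge. origin is what the client software observed
// (address bar or app identifier), not what the remote end claims.
func (a *Authenticator) Respond(origin string, challenge []byte) []byte {
	if len(a.priv) != ed25519.PrivateKeySize {
		return nil // not enrolled; an empty response never verifies
	}
	return ed25519.Sign(a.priv, signedData(origin, challenge))
}

// Verify checks the signature with the stored public key. The challenge is
// consumed first, so the same response cannot be accepted twice.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	challenge, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.origin, challenge), sig)
}

func main() {
	rp := NewRelyingParty("https://bank.example")
	dev := &Authenticator{}
	if err := dev.Register(rp, "alice"); err != nil {
		panic(err)
	}
	ch, _ := rp.Challenge("alice")
	sig := dev.Respond("https://bank.example", ch)
	fmt.Println("genuine login:", rp.Verify("alice", sig))
	fmt.Println("replayed response:", rp.Verify("alice", sig))
	ch, _ = rp.Challenge("alice")
	sig = dev.Respond("https://bank-login.example", ch) // signed for a lookalike origin
	fmt.Println("response bound to another origin:", rp.Verify("alice", sig))
}
```

The three checks in main show what the server-side design buys: a database dump yields only public keys, a captured response is useless once its challenge is consumed, and a response signed for a different origin fails even though the key is genuine.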
The alliance plans to align its protocol with existing authentication and authorization standards, including OAuth 2.0 and OpenID Connect. The group said it will not tackle federated identity management, but will seek to complement that technology.
To succeed, the FIDO Alliance will have to sign up significantly more members beyond the six initial co-founders (PayPal, Lenovo, Agnitio, Validity, Nok Nok Labs, Infineon). And it will have to contend with authentication systems already being developed by behemoths such as Salesforce.com, Google and Facebook.
The alliance includes good pedigree in FIDO President Michael Barrett, CIO of PayPal. Barrett, then vice president of internet strategy with American Express, was instrumental in the early-days success of the Liberty Alliance, which is now part of the identity industry organization the Kantara Initiative.
"It appears to be a good effort, but my two concerns are its small ecosystem and that it may not serve a larger audience," said Ian Glazer, an analyst with Gartner. He said FIDO could potentially align with the National Strategy for Trusted Identities in Cyberspace (NSTIC), which is aimed at creating an identity layer for the Internet.
"I think the real hurdle is conceptual," said Stephen Wilson, founder of the Lockstep Group, identity consultants and researchers based in Australia. "The identity problem needs to be re-cast. I hope more details are coming but on its face, FIDO doesn't bring new insights." Wilson says mobile devices are a once-in-a-generation opportunity to cement really good hardware-based security for the next 20 years. "Chipped devices - cards, SIMs, MIMs, smartphones and the like - are the technologies that solve the human-machine interface problem, and are natural containers for as many non-replayable credentials as we like. Some of the FIDO founders play in these smart technologies, so I hope they can work to lift the bar across the board."
Talkback
So now I can't login to the server farm without a smart phone?
One of my co-workers had his phone break and needed to send it back for repairs/replacement.
There must be a better way.
Interesting article,
PayPal/PreyPal ...
So...
So, not really a universal situation
Then, the client has to pick the type of hardware authentication they're going to use with it, and again convince their customers that the cost of that additional hardware is worth the supposed security it brings.
And therein lies the rub: "supposed" security. It's like they're making this out to be the equivalent of a timelocked bank vault, when it's really going to be like a deadbolt lock. Sure, deadbolts are harder to open than standard door locks...but they're not impossible to defeat (lock picks, drills, crowbars, or even just brute force kicking it down...especially if the door frame, door hinges, or even the door itself aren't very sturdy). Someone stole your passkey dongle? Now they have access to your password. Misplace your smartphone? Now someone not only has access to your email/contacts/apps & web history, but they can use the NFC chip to rack up charges just like if they'd stolen your credit card. Need to access a particular website, but you left your TPM-equipped laptop at home? Sorry, Charlie, you can't access it now, *even though you actually are who you say you are*. As for biometrics...unless technology has progressed to the point of being able to distinguish a) someone's "real" fingerprint vs. someone who's super-glued a copy of the other person's fingerprints onto their fingertips, b) a recording of someone's voice saying a particular passphrase -- or even someone using a digital voice synthesizer to mask their own voice & make it sound like someone else's based on sound samples -- vs. the actual person's real voice (especially given the digital distortion you tend to get from telephones, especially cellphones), and c) can distinguish between a prerecorded webcam feed vs. a live webcam feed, and be able to do all 3 of these 100% of the time, it's not going to provide any more security than you can get with stringent password policies.
The button and the finger.
think of it
If PayPal has anything to do with it....
Re-casting the identity problem
Stephen Wilson brings out an important point and one the FIDO Alliance achieves: re-casting the identity problem. The FIDO open authentication standard does this elegantly by concentrating the power and information to authenticate on the client side. The FIDO algorithm is fitted as a "secure element" wherever a small execution space and key storage place can be accommodated, as in certain classes of fingerprint and other biometrics sensors, NFC chips, SIM cards. That "secure element", the FIDO algorithm, communicates all the way to the back-end server where a Relying Party, like PayPal or any website, has access as they need it to authenticate users or challenge user authentication...but only as needed. This isn't shared or revealed information, but client-side stored, protected identity verification that is available only as needed in the authentication process or challenge. By storing the user information only on the client-side, the user information is never exposed or at risk of compromise. This approach positions FIDO as a new paradigm in authentication. Mr. Wilson is correct about the need, and FIDO does "recast the identity problem." In fact, FIDO is so different, we realize it's going to take some investigation by the experts to understand the changes we're making. We've invited Mr. Wilson to talk and are doing so in a few hours.
It's a nice dream...
Out of a thousand workers, quite a large number forget their password each day. No problem, we just reset and they re-authenticate with new credentials. But lost or forgotten hard-tokens are a very different animal; I would have to give them temporary "soft-credentials" (which defeats the purpose), or else I have to issue them a new hard-token, or else I have to log them on several times that day.
Then there is the inevitable: "Did you lose the security-device, or forget it?"...."Ummmm...I'm not sure...I think I left it at McDonalds"
Don't worry....you can become your own authenticator
If someone forgets their key, what do you REALLY want to do?
With computer security, I say we should look back on real world security. We conspicuously take far less care with computer log-on than we do with car keys or house keys. Yet the resources tied up in online accounts are comparable to our real world assets. Indeed, for most of us, all our money is online. With good old physical keys we get security and convenience at the same time. And we have a form factor that has remained the same over 100+ years while being steadily improved with copy protection features.
So if we review real world security practices, what do you REALLY think should happen if someone leaves their authenticator (key) at home? Maybe they should have to go home and get it? They'll probably learn a lesson.
Think about car keys. Of course it's a total pain in the arse to lose your keys, but the very difficulty represents security. You don't want it to be too trivially easy to jemmy or to re-key a car lock. We are in dire straits with computer security precisely because it's unreal how easy it is to re-key a password.
[By the way, the fatal problem with biometrics is it's *impossible* to "re-key" a biometric lock in the event someone clones or synthesises your trait.]
That is why
by the time they implement it...
having said that, perhaps it will be an improvement... won't know until it hits the street
Gonna need a lot more than "re-casting."
Which, if previous attempts at some sort of universal authentication are any indication, is very difficult to get.
Good luck, have fun. I won't be holding my breath, though.
Plenty of new insights after all!
I gladly retract my earlier remark that there are no fresh insights here. It seems to me that FIDO is sticking to the technology problems -- and that is really fresh! I understand there are to be no new real time intermediaries between User and Relying Party. Instead, the FIDO server is a piece of software integrated at the RP back-end that allows the RP to validate client side technologies and to receive metadata about the client side environment. The FIDO protocols seem to provide something of an extra channel to tell RPs more about the client side condition; in and of itself that could do a lot to help boost security and privacy. The basic aim is to prove to the back-end that the user is presenting one of a family of approved technologies.
It's interesting actually to reflect on the psychology of how we react to new technologies. My initial skepticism was shaped by a great deal of baggage I have (we all have) in identity. I think we've been trained over the years to regard "ecosystems" and IDM diagrams in a particular way. When I see an ellipse in a diagram labelled "Validation Service", linked to a website and a user, I presume that ellipse is a real time intermediary. And from there I assume we're talking about yet another third party coming in to complicate all the nice stable existing arrangements. If you know my work, you'll know I think the problem with IDM is it usually turns technology problems into intractable business problems.
It looks like FIDO is a lot more elegant than that. Their diagrams may need some re-work to avoid some of the loaded visual language, but if the alliance does indeed avoid messing with the way business is done between service providers and their customers, then this initiative could be really good.
Cheers,
Steve Wilson, Lockstep Group, Sydney.
PayPal closed my account and kept my money..
After applying for a PayPal debit card, PayPal closed my account and told me I have to wait 6 months to get the $2300 dollars I had. I was told my account was closed due to my credit score. So, I tried to log in last month to withdraw my funds after the 6 months had passed and my account was gone as if it never existed. Poof! Now you see it, now you don't.. Looking for answers, I called PayPal on the phone and was unsuccessful in getting any useful answer. I called PayPal again on the phone to find out where my money is as it has been over 7 months now. A young girl answered and said I could subpoena them if I want. This is not an acceptable response. I want to know why I can no longer access the balance on my PayPal or get my money out. The cost to retain a lawyer is double the $2300 they are holding from me.
If anyone has had a similar experience and could assist me with some answers, please contact me at my email, johnkel223344@gmail.com