FIDO boss sees group settling into authentication stride

Challenges ahead, but three major deployments have consortium feeling it is in right place at right time with right ideas
Written by John Fontana, Contributor

Two years out from a promise to eclipse passwords, FIDO Alliance president Michael Barrett says conceptual roadblocks to success have vanished and progress in the next 6-12 months will bring legitimate strong authentication to the enterprise, help choke off major password hacks plaguing the Internet, and see hundreds of millions of FIDO-ready devices in the possession of people worldwide.

Michael Barrett, president of the FIDO Alliance, has big plans for 2015.

They are lofty expectations fraught with challenges, but Barrett's optimism, refreshed at FIDO's annual Plenary meeting earlier this month in Seoul, South Korea, is strong despite critics and buoyed by three recent marquee FIDO deployments by Internet giants Google, PayPal and Alipay, China's leading online payment service.

Fast Identity Online (FIDO) aims to make devices and servers talk the same authentication language (as defined by open specifications), thus supporting an Internet authentication layer. Constellation Research analyst Steve Wilson has compared the consortium's goal to doing for authentication what Ethernet did for networking.

"What was barely more than a wild idea in 2012 of a few guys who thought authentication could improve through standards is now turning into reality," said Barrett.

He's also passing around credit, saying end-users are clearly voicing their displeasure and feeling like they've been taken hostage by password maintenance.

"We have all gotten so used to what the password regime looks like, so not much of the world understands what [strong authentication] needs to look like," Barrett said.

In an interview with ZDNet, Barrett focused on that picture. He discussed challenges still facing the 140-member consortium, getting FIDO specifications prepped for prime time, what ingredient is most needed in the membership mix, where FIDO fits in the larger picture of identity and access management, and why a password redo might actually work this time.

"The last time anybody tried to fix authentication through standards was X.509 and PKI," says Barrett. "PKI was a brave experiment. You had to have a Ph.D. to install it, but it had a lot of good characteristics. It was just what it didn't do very well, which was end-user authentication."

Another obstacle is the fact that FIDO is not a standards body but, as critics point out, a consortium of like-minded companies pushing specifications. It's a modern model for standards work and very unlike the traditional Internet Engineering Task Force procedures that vetted and approved most of the Web's underpinnings.

Meanwhile, Barrett believes FIDO is poised to prove its worth from a starting line in the enterprise.

"Talk to any CISO about internal authentication and what they will tell you is current strong authentication is too expensive and too painful for users," says Barrett. "FIDO's U2F protocol solves both; it is cheap and easy to use."

Support for FIDO's Universal Second Factor (U2F) is what Google added to its Chrome browser last week, giving Gmail users another level of protection against password hacks.

Barrett says criticism toward FIDO comes in the form of questions concerning the time it has taken the consortium to hone its specifications: U2F and the Universal Authentication Framework (UAF), which is at the heart of the PayPal and Alipay rollouts. Both specs are still in a draft stage.

"It has taken longer than what I had hoped for," Barrett admits. But he adds it is more important for it to be right "than rush something out that doesn't work and has security holes."

The Google, PayPal and Alipay rollouts validate for him that FIDO is on the right track.

He said the focus in 2015 will be supporting adoption work, working with end-users, user groups, and special interests focusing on specific use cases. The Alliance also will work on supporting those deploying the specs, help guide reference implementations, promote case studies, and educate regulators on the technology.

"There are buckets of work to do," he said.

There are hopes and plans to attract more mobile operators (currently there is only SK Telecom) to FIDO's growing list of relying parties. "I would also like to get more health care organizations in the U.S., and we're eyeing other industry verticals," he said.

By the end of next year, Barrett says FIDO should see hundreds of millions of devices in the market without breaking a sweat.

"If we meet that number, it is hard to see how the world does not change," he said.

As far as aiding the overall identity and access management landscape, Barrett says adding a standard strong authentication layer will be rocket fuel for federated identity, which allows entities to share identity across security boundaries.

Barrett is no stranger to these standards efforts. He led the Liberty Alliance, which groomed the Security Assertion Markup Language (SAML) into acceptance. SAML is now the standards foundation for enterprise federated identity.

And he's no stranger to the enterprise side, having been vice president of security and privacy strategy at American Express and chief information security officer at PayPal.

"I'm saying this as someone who used to be custodian of hundreds of millions of online identities. Yes, you can protect those central data stores, but it takes an almost super-human effort to do it," says Barrett. "The FIDO model takes away that single giant target so all those attacks where criminals steal 50 million identities, they go away under FIDO."

Disclaimer: My employer is a member of the FIDO Alliance
