PayPal, Lenovo spearhead effort to kill passwords

FIDO Alliance aligns smart devices and authentication, but will its scope be broad enough and its appeal wide enough?
Written by John Fontana, Contributor

An alliance including PayPal and PC-maker Lenovo Tuesday introduced a new authentication system designed to eliminate passwords and add tighter security to online accounts. 

FIDO, short for Fast Identity Online, is an alliance formed last July to address strong authentication and reduce the use of passwords through a combination of hardware, software, and services.

In general, FIDO gives devices such as smartphones a much more central role in authentication and uses cryptographic methods to pass information to back-end servers, so that log-in data is neither sent over the wire nor stored on the back-end where it can be stolen.

The recent plague of password thefts from services such as Twitter and LinkedIn and retailers such as Apple and Zappos has highlighted the vulnerabilities and weaknesses of traditional user names and passwords for online authentication.

Observers say FIDO needs to adequately define its scope and its value, and that it will face an uphill battle rallying the industry to its technology.

On Tuesday, the FIDO Alliance released its Reference Architecture, which spells out the fundamentals of its system.

Later this year, the alliance will unveil the FIDO protocol, which it hopes to eventually standardize through an existing standards body such as the Internet Engineering Task Force or the World Wide Web Consortium.

The protocol is designed to fuel interoperability, which the alliance hopes leads to large-scale acceptance among vendors and end-users.

The alliance's technical leadership team is working now to develop use cases and focus on interoperability testing.

In order for FIDO to prosper, companies would have to load FIDO on their servers and get end-users to do the same on their devices. Alternatively, Web and mobile developers could build the software into their applications.

The technology is designed to work with Web browsers and Web-based applications.

The FIDO protocol would leverage existing device hardware such as TPM chips, Near-Field Communications and One-Time Passwords, along with biometric devices such as fingerprint readers, microphones, and cameras, to support two-factor authentication.

Web sites use dynamic discovery to determine whether a device is FIDO-enabled and what authentication methods it supports.

"Once the client piece is in place, it will let the [Web site] know what types of authentication are available," said Ramesh Kesanupalli, vice president of the FIDO Alliance.

In addition, server-side FIDO software provisions a secret into the device, which is then used to establish trust. In this way, the alliance contends, FIDO is unlike Transport Layer Security (TLS), which assumes a pre-existing trust relationship between clients and servers.

The alliance plans to align its protocol with existing authentication and authorization standards, including OAuth 2.0 and OpenID Connect. The group said it will not tackle federated identity management, but will seek to complement that technology.

To succeed, the FIDO alliance will have to sign up significantly more members beyond the six initial co-founders (PayPal, Lenovo, Agnitio, Validity, Nok Nok Labs, Infineon). And it will have to contend with authentication systems already being developed by behemoths such as Salesforce.com, Google and Facebook.

The alliance includes good pedigree in FIDO President Michael Barrett, CISO of PayPal. Barrett, then vice president of internet strategy with American Express, was instrumental in the early success of the Liberty Alliance, which is now part of the identity industry organization the Kantara Initiative.

"It appears to be a good effort, but my two concerns are its small ecosystem and that it may not serve a larger audience," said Ian Glazer, an analyst with Gartner. He said FIDO could potentially align with the National Strategy for Trusted Identities in Cyberspace (NSTIC), which is aimed at creating an identity layer for the Internet.

"I think the real hurdle is conceptual," said Stephen Wilson, founder of the Lockstep Group, identity consultants and researchers based in Australia. "The identity problem needs to be re-cast. I hope more details are coming, but on its face FIDO doesn't bring new insights." Wilson says mobile devices are a once-in-a-generation opportunity to cement really good hardware-based security for the next 20 years. "Chipped devices - cards, SIMs, MIMs, smartphones and the like - are the technologies that solve the human-machine interface problem, and are natural containers for as many non-replayable credentials as we like. Some of the FIDO founders play in these smart technologies, so I hope they can work to lift the bar across the board."