The draft technical specifications for a new authentication protocol, which could eliminate the use of passwords in the future, have been released.
According to Forrester Research, the online services industry is seeing more than $200bn in annual losses from password breaches, while the Verizon 2013 Network Investigations Data Breach Report states that 76% of network intrusions exploit weak or stolen credentials.
The Fido Alliance protocol is aimed at helping companies eliminate passwords in favour of a much stronger multifactor identity checks using a variety of alternatives.
These include biometrics, Trusted Platform Modules (TPMs), USB security tokens, embedded secure elements (eSEs) and smart cards.
The open specifications are designed to be extensible and accommodate future innovation, as well as protect existing investments in authentication technologies.
Fido specifications allow device-specific authentication capabilities to be used by online services within an interoperable infrastructure, giving service providers and users a choice of authentication methods.
More on Fido Alliance
The improved user authentication enabled by Fido specifications can also be federated using existing industry standards such as OpenID and SAML.
In the year since its launch, the Fido Alliance has grown from six founding members to almost 100, including Google, Mastercard, Microsoft, Nok Nok Labs, PayPal, RSA, Lenovo and Dell.
“With the public release of the review draft specifications, we especially welcome and anticipate new types of members coming from various enterprises,” said Michael Barrett, president of the Fido Alliance and CISO at PayPal.
“Furthermore, we encourage relying parties to begin testing their unique Fido authentication needs with the commercial solutions already available from many Fido member companies,” he said.
“There is a real interest in an industry in which it has always been difficult to get anyone to agree on anything,” said Phil Dunkelberger, CEO of Nok Nok Labs and a founding member of the Fido Alliance.
The publication of the draft technical specification for public comment demonstrates real progress, with version 1.0 expected to be finalised by the second half of 2014, he told Computer Weekly.
Dunkelberger believes that publication of the draft specification will help build momentum in adoption of the protocol, and that enterprises will soon begin using Fido-enabled means of authentication.
There is a real interest in an industry in which it has always been difficult to get anyone to agree on anything
“Many enterprise laptops are equipped with fingerprint readers, and I expect to see companies starting to turn these on and use them within the next three months,” he said.
This approach solves a big problem by enabling authentication at scale in user-friendly ways that use whatever is available on devices such as cameras, TPMs and fingerprint readers, said Dunkelberger.
“It is more secure and easier to use, which means it could be a game changer, with initial adoption this year, but with the real trajectory becoming apparent in 2015,” he said.
Dunkelberger expects Fido-enabled authentication to have steep adoption curve similar to that of Wi-Fi. “Nothing else enables risk-based decisions on the fly,” he said.
Now that the draft specification has been published, he predicts that within 18 months there will be between 200 and 400 million devices available with the Fido software client.
In October 2013, The Fido Alliance began a certification program with Fido Ready branding for implementations passing conformance and interoperability testing to early draft specifications.