IT industry group releases password-killing standard

A consortium of IT companies, including PayPal and Lenovo, publishes new set of standards that could rid users of usernames and passwords

A consortium of IT companies, including PayPal and Lenovo, has published a set of new technology standards that could rid users of usernames and passwords.

The FIDO Alliance (Fast IDentity Online) hopes to revolutionise online authentication with an industry supported standards-based open protocol that will address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords.

The protocol is aimed at making online accounts more secure by eliminating password theft and re-use, and giving PCs and mobile devices a bigger role in authentication.

A company using the FIDO standards could get proof of a person’s device by checking the Trusted Platform Module (TPM) security chip or using the device’s microphone, fingerprint scanner and camera for biometric checks.

This approach makes it impossible to compromise accounts by stealing passwords, which has been a problem for thousands of users of services like Twitter and LinkedIn.

“FIDO is significant because it helps to move us into a world where credentials are much more bound to the device and it’s much harder for the criminal to abscond with them,” said Michael Barrett, chief information security officer (CISO) at PayPal and a cofounder of the FIDO Alliance.

Companies that opt to use the new approach will have the option of requiring a password and a secondary authentication method tied to a device, or dispensing with the password altogether.

For a company to adopt the FIDO approach it must put the necessary software on its servers and persuade customers to install new software on the devices they use to access their accounts.

The technology on the user’s end could be included in a mobile app or offered as a browser plug-in.

The FIDO method is more secure than current methods because no password or identifying information is sent out; instead, it is processed by software on the end user’s device, which calculates cryptographic strings to be sent to a login server.
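The exchange described above is a challenge-response login with a key that stays on the device. The Go program below is an added example written for this page, not code from the FIDO Alliance, PayPal or Nok Nok Labs. It models the exchange with an Ed25519 key pair from Go's standard library and uses a constructed relying-party id (`example.test`) and user name (`alice`): at registration only the public key goes to the server, and at login the device signs a one-time server challenge bound to the relying party, so no reusable secret is ever transmitted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the user's phone or PC. The private key is generated here
// and never leaves this struct; that is the property the article describes.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// Register returns the only thing the login server ever learns: the public key.
func (d *Device) Register() ed25519.PublicKey { return d.pub }

// SignChallenge signs the server's challenge together with the relying-party id,
// so a signature produced for one site is useless at another.
func (d *Device) SignChallenge(rpID string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedPayload(rpID, challenge))
}

// signedPayload is the byte string both sides agree to sign and verify.
func signedPayload(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Server models the login server: registered public keys plus outstanding
// challenges, each of which is consumed on first use to block replay.
type Server struct {
	rpID       string
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(rpID string) *Server {
	return &Server{
		rpID:       rpID,
		users:      map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

func (s *Server) RegisterUser(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// IssueChallenge hands the device 32 fresh random bytes to sign.
func (s *Server) IssueChallenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key. The challenge is
// deleted before verification so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	c, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, user)
	if !ed25519.Verify(pub, signedPayload(s.rpID, c), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Login runs the full exchange: challenge out, signature back, verify.
func Login(s *Server, user string, d *Device) error {
	c, err := s.IssueChallenge(user)
	if err != nil {
		return err
	}
	return s.Verify(user, d.SignChallenge(s.rpID, c))
}

func main() {
	device, err := NewDevice()
	if err != nil {
		panic(err)
	}
	server := NewServer("example.test") // constructed relying-party id
	server.RegisterUser("alice", device.Register())
	fmt.Println("registered device:", Login(server, "alice", device))
	stranger, _ := NewDevice()
	fmt.Println("unregistered device:", Login(server, "alice", stranger))
}
```

A server breach in this model yields only public keys, which cannot be used to log in anywhere, and a signature captured in transit is tied to one challenge and one relying party. The real protocol also carries attestation about the authenticator and a user-verification step (the fingerprint or TPM check mentioned earlier); both are left out here.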

“The challenge with authentication has always been the cognitive load that it places on users,” Phil Dunkelberger, chief executive of Nok Nok Labs told Computer Weekly.

His new Palo Alto-based startup, which has $15 million in funding, has developed software that enables companies to secure their accounts using the FIDO standards.

Nok Nok Labs is backed by Dunkelberger’s experience as founder and former CEO of encryption firm PGP and an advisory board made up of executives from Vodafone, the Ponemon Institute, and the Cloud Security Alliance.

As networks and systems have become more complicated, he said, passwords have become longer and more complex, and are often supplemented by cards, tokens and one-time passcodes.

Named after the classic “knock, knock” jokes, Nok Nok Labs’ mission is to enable systems to know “who is there” in a way that is easy to implement and easy to use, said Dunkelberger.

Nok Nok Labs founder and FIDO co-founder Ramesh Kesanupalli worked with PayPal CISO Michael Barrett, who saw the potential to revolutionise authentication and the potential benefit for online computing.


Taher Elgamal, the "father of SSL", joined the efforts of Kesanupalli and Barrett, who all recognised the limits of today's authentication technology.

Dunkelberger said Nok Nok Labs was not created to build just a point product but to deliver innovative solutions that are: more secure and easier to use; scalable to meet enterprise needs; able to unify existing technologies; and cost-efficient by building on and enabling legacy technologies.

"By creating an authentication infrastructure that leverages existing technologies, such as fingerprint scanning and webcams, Nok Nok Labs is giving businesses the opportunity to authenticate anyone, anywhere and on any device," said Barrett.

"Given the billions of connected internet devices and future growth of online commerce, PayPal sees a critical need to implement strong, yet flexible, authentication solutions,” he said.

Although it seeks to solve many long-running login problems, if FIDO is to succeed, industry pundits say it will have to attract other large web companies such as Facebook and Google – which is exploring its own alternatives to passwords.
