Final specification for Fido password-killing protocol imminent

The specification for a password-killing authentication protocol is imminent, says a founding member of the Fido Alliance

The final technical specification for a new password-killing authentication protocol is imminent, said Phil Dunkelberger, chief of Nok Nok Labs and a founding member of the Fido Alliance.

“Expect the final implementation spec very soon, which will lead to a lot of product announcements by mid-2015,” he told Computer Weekly.

In February 2014, the Fido Alliance published the draft Online Security Transaction Protocol (OSTP), which is aimed at eliminating passwords by enabling interoperability between strong authentication devices.

Based on the draft specification, members of the alliance have developed 35 “Fido-Ready” products, including client-server products from Nok Nok Labs.

Google announced the most recent “Fido-ready” product with the release of its USB Security Key based on Fido’s universal second factor authentication (U2F) specification.

Google Chrome was the first web browser to support Fido Alliance authentication standards.

“For many people, the Google announcement made the Fido concept real overnight, but it has been years in the making with a lot of serious work being done,” said Dunkelberger.

“Anything that ever mattered in internet identity did not happen overnight, and that is why we have taken time with the OSTP spec – to get it right, because authentication is a core pillar of the internet,” he said.

Dunkelberger said the Google Security Key will help drive interest around the Fido Alliance’s authentication protocol, which he describes as “essential plumbing” for better online authentication.

“No-one was particularly excited about SSL [secure sockets layer protocol] until it was used as a way of connecting an online shopping cart to a shopping site’s back-end systems,” he said.

However, despite the publicity around Google's implementation of the draft OSTP, Dunkelberger points out that the first implementations at scale have been by PayPal and Alibaba’s AliPay, which alone has 600 million users.

IP review to finalise

The public consultation period is now closed, but Fido Alliance members have to conduct an intellectual property review before the OSTP specification can be finalised, adopted and published.

“For this reason it is impossible to say exactly when the final spec will be available, as it is impossible to know if there will be any revisions necessary and how long that will take,” said Dunkelberger.

However, he believes it will prove a catalyst for scores more Fido-compliant devices and services coming to market.

Dunkelberger also believes the Fido Alliance has every chance of succeeding where other attempts to solve the challenges of online authentication have failed.

The Fido Alliance is a consortium of IT, internet and financial services firms, working together to develop specifications that define an open, scalable, interoperable set of protocols and mechanisms.

“They all want to fix the authentication problem for the good of the internet and to enable innovation, which they believe will be rewarded by the market,” said Dunkelberger.

“This is a joint effort that is not dominated by any single organisation, and the technical working group is made up of people of many different nationalities, who all bring national issues to the table,” he said.

Apple's contribution

Although Fido Alliance members include heavyweights such as Google, PayPal, Microsoft, Dell and the Alibaba Group, Apple has yet to become a member.

“Whether or not Apple joins Fido is really unimportant because Apple has already done so much to popularise alternative authentication methods such as biometrics,” said Dunkelberger.

“This is great for Fido because the specification is all-encompassing and supports a wide range of authentication technologies including fingerprint readers, iris scanners and voice recognition.

“Apple has also done a good job of popularising the four principles of the Fido Alliance, to make authentication low-cost, frictionless and secure, while enabling users to retain the keys.”

Dunkelberger said Apple will drive demand for the kind of authentication technologies that Fido enables in the same way it did for the computer mouse and the personal digital music player.

Security predictions

Despite the “jaundiced view” that industry is not good at anything – especially developing standards – he said that, in just three years, Fido had gone from a concept to an alliance of more than 140 organisations.

“The Fido Alliance has done well in just a few years in terms of the top objectives, and the next step is publishing the final implementation specification,” said Dunkelberger.

He is confident this will grow membership and support at an even faster rate and enable a raft of new secure ways for internet users to authenticate themselves online.

“This will have a marked impact in reducing phishing, man-in-the-middle attacks, fraud and calls to helpdesks for password resets,” said Dunkelberger.

Secure authentication online is a key problem to solve. It is vital for the continued growth of the online industry. Fido Alliance members have a keen interest in finding a solution, and they believe they have found it.


1 comment


Many people shout that the password is dead or should be killed dead. The password could be killed only when there is an alternative to the password. Something belonging to the password (PIN, passphrase, etc) and something dependent on the password (ID federations, 2/multi-factor, etc) cannot be the alternative to the password. Neither can be something that has to be used together with the password (biometrics, auto-login, etc). What can be killed is the text password, not the password.

At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
