James Thew - Fotolia

Passwords still a top issue the tech industry has to deal with, says panel

In the face of several failed attempts by individual companies to eliminate passwords, a growing number of large companies are joining the Fido Alliance, ISSE 2015 conference in Berlin told

Passwords that are insecure, re-used and stolen are still a big problem and a top issue the technology industry has to address, according to a panel of industry representatives.

“We need to move away from passwords, and this is something the whole industry can rally around to drive things forward,” said Google Germany public policy manager Sandro Gianella.

But in the face of several failed attempts by individual companies to eliminate passwords, a growing number of large companies are joining the the Fast Identity Online (Fido) Alliance, the panel told the ISSE 2015 security conference in Berlin.

The cross-industry consortium counts among its members heavyweights in the technology, e-commerce, mobile and financial sectors, including Google, Microsoft, Intel, Samsung, Lenovo, Alibaba Group, PayPal, NTT Docomo, American Express, Bank of America, Visa and MasterCard.

In June 2015, the alliance introduced a government membership programme, with the UK and US governments being among the first to join.

The Fido Alliance seeks to eliminate the world’s dependency on password-based security through open and interoperable authentication standards, and has launched a certification programme that ensures the interoperability of Fido-compliant products and services.

“There are several big implementations already and early adopters include PayPal, Samsung, Google, DropBox and Github,” said Malte Kahrs, chief executive of MTRIX in Germany.

“One of the primary drivers for PayPal was to free itself from supplier lock-in because using an open standard means it is possible to move to other compliant suppliers without changing anything,” he added.

Ginanella said that because the Fido specification is publically available, it can be implemented by any organisation, including non-members of the alliance such as DropBox.

“Fido proves a good, scalable way of solving the password problem and has moved forward quickly, but we need other industry players to join us and meet the growing demand by consumers of goods and services for greater security,” he said.

Read more about Fido

The long-term vision is to enable a single, secure means of logging in to all online services, said Microsoft Germany head of information security Michael Kranawetter.

“Users are looking for an easier way to access all their services that is usable in multiple environments, and Fido provides that while improving security at the same time, but we need the whole industry to align with Fido,” he said.

The greater the number of Fido partners, said Kranawetter, the greater the likelihood of driving acceptance as more users benefit from greater convenience.

Fido a move in the right direction

Fido is a move in the right direction, said Bernd Kowalski from Germany's federal office of information security.

“We need a strong identity token that is not part of a closed system, but based on publically available open standards like Fido that circumvents the problem of technical integration,” he said.

For this reason, Kowalski said Germany is planning to implement Fido for a project aimed at promoting e-ticketing for public transport.

Security has tended to focus on technology, but Fido focuses on usability first. “In reality, there is nothing new in Fido. This could have been done 10 years ago, but finally we have the chance to enable a universal token,” said Kowalski.

“Finding new and interesting areas to deploy Fido will help drive global acceptance of the Fido platform.”

Tord Fransson, Yubico's vice-president of sales in Europe, said it is important to note that although a single Fido-compliant token can be used for multiple Fido-compliant applications, each enrolment is unique.

“This means security is guaranteed and a single token can be used safely for both business and personal applications, and could usher in a new era of bring your own authenticator,” he said.

“There are a lot of benefits to using the Fido standards, and I am sure we will continue to see increasing numbers of implementations. I believe Fido is here to stay, but the biggest challenge is those suppliers who chose to do nothing to solve the problem of passwords.”

In closing, panel moderator Kahrs said Fido represents an unprecedented industry movement, and he encouraged all technology and online service providers to have a look and get informed about how Fido could improve usability, increase security and potentially provide a market differentiator.

Read more on Privacy and data protection

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

However nicely designed and implemented, physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Incidentally, biometrics are dependent on passwords in the cyber space. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. Passwords will stay with us for long.

It is too obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords (= what we know and nobody else knows).
"In the face of several failed attempts by individual companies to eliminate passwords" it's time to try again, not quit. When did good tech try to solve problems by walking away from them...? Passwords are inherently insecure; we need a new solution. We DESERVE a new solution, not a retreat.