Passwords that are insecure, re-used and stolen are still a big problem and a top issue the technology industry has to address, according to a panel of industry representatives.
“We need to move away from passwords, and this is something the whole industry can rally around to drive things forward,” said Google Germany public policy manager Sandro Gianella.
But in the face of several failed attempts by individual companies to eliminate passwords, a growing number of large companies are joining the Fast Identity Online (Fido) Alliance, the panel told the ISSE 2015 security conference in Berlin.
The cross-industry consortium counts among its members heavyweights in the technology, e-commerce, mobile and financial sectors, including Google, Microsoft, Intel, Samsung, Lenovo, Alibaba Group, PayPal, NTT Docomo, American Express, Bank of America, Visa and MasterCard.
In June 2015, the alliance introduced a government membership programme, with the UK and US governments being among the first to join.
The Fido Alliance seeks to eliminate the world’s dependency on password-based security through open and interoperable authentication standards, and has launched a certification programme that ensures the interoperability of Fido-compliant products and services.
“There are several big implementations already and early adopters include PayPal, Samsung, Google, Dropbox and GitHub,” said Malte Kahrs, chief executive of MTRIX in Germany.
“One of the primary drivers for PayPal was to free itself from supplier lock-in because using an open standard means it is possible to move to other compliant suppliers without changing anything,” he added.
Gianella said that because the Fido specification is publicly available, it can be implemented by any organisation, including non-members of the alliance such as Dropbox.
“Fido proves a good, scalable way of solving the password problem and has moved forward quickly, but we need other industry players to join us and meet the growing demand by consumers of goods and services for greater security,” he said.
The long-term vision is to enable a single, secure means of logging in to all online services, said Microsoft Germany head of information security Michael Kranawetter.
“Users are looking for an easier way to access all their services that is usable in multiple environments, and Fido provides that while improving security at the same time, but we need the whole industry to align with Fido,” he said.
The greater the number of Fido partners, said Kranawetter, the greater the likelihood of driving acceptance as more users benefit from greater convenience.
Fido a move in the right direction
Fido is a move in the right direction, said Bernd Kowalski from Germany's federal office of information security.
“We need a strong identity token that is not part of a closed system, but based on publicly available open standards like Fido that circumvents the problem of technical integration,” he said.
For this reason, Kowalski said Germany is planning to implement Fido for a project aimed at promoting e-ticketing for public transport.
Security has tended to focus on technology, but Fido focuses on usability first. “In reality, there is nothing new in Fido. This could have been done 10 years ago, but finally we have the chance to enable a universal token,” said Kowalski.
“Finding new and interesting areas to deploy Fido will help drive global acceptance of the Fido platform.”
Tord Fransson, Yubico's vice-president of sales in Europe, said it is important to note that although a single Fido-compliant token can be used for multiple Fido-compliant applications, each enrolment is unique.
“This means security is guaranteed and a single token can be used safely for both business and personal applications, and could usher in a new era of bring your own authenticator,” he said.
“There are a lot of benefits to using the Fido standards, and I am sure we will continue to see increasing numbers of implementations. I believe Fido is here to stay, but the biggest challenge is those suppliers who chose to do nothing to solve the problem of passwords.”
In closing, panel moderator Kahrs said Fido represents an unprecedented industry movement, and he encouraged all technology and online service providers to have a look and get informed about how Fido could improve usability, increase security and potentially provide a market differentiator.