Are usernames and passwords soon to be a thing of the past? If advancements in cryptography proceed at their recent pace, they might be. The Mountain View, California-based FIDO Alliance, an industry group pushing for an alternative to username and password logins, this week published final specifications of a universal standard for accessing sites and online services more securely.
Drawing on current and former executives from tech giants such as Google, PayPal and eBay, FIDO (short for Fast IDentity Online) would like to see a world of products that let users log in with public key cryptography protocols that are far more difficult to hack than a username and password.
FIDO published final 1.0 drafts of its two specifications: Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F). FIDO 1.0 mandates interoperability between the hardware that verifies the user's identity, such as a phone or a USB device, and the back-end software run by the site the user is logging into. It would work much as USB and Wi-Fi certification allows devices from numerous vendors to work seamlessly together.
"The fact that the FIDO Alliance was able to develop complete specifications so quickly and with such broad support is evidence that they are tackling a pervasive industry pain point," said Steve Wilson, vice president and principal consultant at Constellation Research.
"What's most impressive is the FIDO Alliance's focus on the authentication plumbing. The protocols enable trusted client devices to trade just the right data about their users. FIDO specifications aren't tangled up in messy identity policy decisions. It should drive a lot of the classic complexity out of the identity management space."
A Verizon Data Breach Investigations Report recently found that weak or stolen login credentials were a factor in more than 76 percent of the breaches analyzed. Related reports say that the volume and severity of data breaches are continuing to rise, with centralized data sets of personal and sensitive information being the most targeted and the most vulnerable to scaled attacks.
FIDO said that by responding to the risk and loss perpetuated by prevailing password systems, its specifications define an open, scalable, interoperable set of strong authentication mechanisms that reduce tech users' decades-long reliance on single-factor username and password logins.
The specifications outline a new standard for devices, servers and client software, including browsers, browser plug-ins, and native app subsystems. Any Web site or cloud application can interface with several existing and future FIDO-enabled authenticators such as biometrics and hardware tokens. Those can then be used by consumers, enterprises, service providers and other organizations.
The core 1.0 specifications are final. FIDO said it is almost done with extensions that will incorporate near-field communication and Bluetooth into the range of FIDO capabilities. The organization said that evolving the specifications based on new requirements and deployment experience will help keep FIDO standards aligned with demands in the consumer device, online service and enterprise markets.
Posted: 2014-12-10 @ 12:02pm PT
As long as Google, PayPal and eBay do not use the data to track users, it could be a good idea.