Security group plans for a future without passwords

orange fingerprint
Credit: Thinkstock

Having to remember multiple passwords may soon be a thing of the past.

Setting the stage for a password-free future, an industry consortium has issued a set of instructions that specify a number of alternate ways that computers and devices can confirm a user's identity. The FIDO (Fast IDentity Online) Alliance, which issued the specifications Tuesday, is backed by a number of large companies in the IT and banking industries, including Microsoft, Google, PayPal, Bank of America, and MasterCard.

After two years of work, FIDO has issued the first fully completed drafts of two specifications -- the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F). If widely deployed, these specifications could form the basis for securing online communications without using passwords, which are cumbersome and can pose security threats.

The two specifications describe procedures that systems can use to verify a person's identity. For instance, biometric sensors such as fingerprint readers could identify a user's identity. A portable hardware token, which can be carried about, could also be used to authenticate individuals.

Today, most users log on to secured online services using passwords, yet this approach remains problematic. More than 76 percent of online breaches exploit weak or stolen log-in credentials, according to a survey from Verizon. While other forms of authentication such as biometrics have long been available, there has been little industry consensus on how these security mechanisms should be implemented, leading to a fragmented and complex environment for online authentication management.

Members of the FIDO Alliance are now able to use these specifications to build security systems. Companies such as Google, PayPal, Samsung and Alibaba have already incorporated early drafts of the specifications into their products and services.

Now that it has finished the core specifications, the FIDO Alliance is working on a set of extensions that will incorporate additional forms of access security, such as establishing identities using Near Field Communications and Bluetooth wireless communications.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.