Coffee talk with Phillip Dunkelberger: FIDO edition

The CEO of start-up Nok Nok Labs on why the FIDO Alliance is a potential game-changer.

A few days ago I met up with Phillip Dunkelberger, CEO of start-up Nok Nok Labs and a founding member of the FIDO Alliance.

Over a few cups of coffee at my neighborhood Starbucks, the infosec veteran went into detail about the Fast Identity Online (FIDO) Alliance, an organization out to revolutionize online authentication with an industry-supported, standards-based open protocol that makes life easier and more secure for the user.

More specifically, the group -- backed by PayPal, Lenovo, Infineon and Nok Nok Labs -- has built what it calls the Online Security Transaction Protocol (OSTP), designed to help companies cast aside simple user passwords and logins in favor of a much stronger multi-factor identity check online before allowing certain types of Web access to happen.

"It's about solving the problem of weak authentication," Dunkelberger told me. His product is at heart a browser plug-in and back-end software development kit for a server that supports FIDO's OSTP. "We're building a protocol all authentication vendors can take advantage of."

Here's a deeper description from the press release I pulled off FIDO's website:

The FIDO standard will support a full range of technologies, including biometrics such as fingerprint scanners, voice and facial recognition, as well as existing authentication solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, Near Field Communication (NFC), One Time Passwords (OTP) and many other existing and future technology options. The open protocol is designed to be extensible and to accommodate future innovation, as well as protect existing investments.

The FIDO protocol allows the interaction of technologies within a single infrastructure, enabling security options to be tailored to the distinct needs of each user and organization. As more organizations join the FIDO Alliance, more use cases and technologies will become part of the solution. Today, users are often required to remember a selection of security questions, enter a unique ID with a main password, and potentially use a software or hardware token, as well. Most users have a handful of slightly varied passwords they use to access multiple sites and accounts. This cross-use of passwords poses serious risks if one account is compromised and user credentials are exposed to potential fraud across the range of a user’s accounts.

Providers are invariably implicated when data is breached and personal information is exposed at a site or within an application. Repeated attempts to outline better security practices and change user behaviors haven’t succeeded. The FIDO Alliance is committed to overcoming prevailing limitations by developing an authentication ecosystem with a standardized, global protocol and necessary interfaces. With users free to select any FIDO-compliant token type, even devices previously considered proprietary can be adapted for use, and new vendors with new protocol-compliant devices easily become part of the marketplace.

Expect to hear a lot more about this at the upcoming RSA Conference. As someone who's inundated with passwords, I sure hope it leads to a better way.

Copyright © 2013 IDG Communications, Inc.
