Figuring out FIDO (i.e. the Fast IDentity Online alliance and standard)

Great potential but too much hype and confusion are getting in the way

No one hates passwords more than I do and it seems like I’m asked to register for a new site each day.  For those of us in the know, this situation of “password sprawl” is even more frustrating because we really should have solved this problem years ago.  After all, Whit Diffie, Marty Hellman, and the RSA guys first came up with PKI back in the 1970s so you’d think that passwords would be dead and strong authentication would be ubiquitous by now!

Thankfully, there may be hope on the horizon in the form of the FIDO alliance.  The group, composed of a who’s who of industry big shots like ARM, Bank of America, Discover Card, Google, Lenovo, MasterCard, Microsoft, PayPal, RSA, Samsung, and VISA, is “developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance of passwords to authenticate users.”  In other words, FIDO wants to introduce “trusted convenience” by making strong authentication easy to deploy and easy to use on the front-end (i.e. for users) and the back-end (i.e. for IT).

Yup, FIDO has great promise, but like many innovative initiatives, FIDO is greatly misunderstood in the marketplace.  What’s more, the FIDO alliance has morphed into its own little hype machine, spending more time crowing about new members and pre-announcing marketing programs than educating developers, customer organizations, and technology vendors.

Given the potential to eliminate passwords, FIDO needs clarification as soon as possible, so here’s my attempt at clearing up some of the misconceptions and industry hype:

  1. The FIDO alliance is an industry standards body.  I know this is obvious to us industry folks, but people are still confused.  Right now, the FIDO alliance is working on a specification (FIDO 1.0) which should come out in late 2014 or early 2015.  In this regard, FIDO should behave more like the IEEE, IETF, or OASIS.
  2. FIDO is an industry standard.  Obvious again, but I’m repeating this to make a clear point.  FIDO is an industry specification and NOT open source – the FIDO alliance will not produce any code.  When the 1.0 specification is published, developers can then use the specification to develop their own code, which may need to be tested and certified before it can actually use the FIDO branding.  This means that it’s way too early to go crazy with FIDO labels and marketing programs.
  3. FIDO is neither “now” nor “ready.”  The FIDO alliance website might as well be called, “marketing team gone wild” as it is rather heavy-handed on hype.  The website proclaims, “FIDO is now,” but this isn’t really true since the specification is still being finalized.  Furthermore, the website trumpets “FIDO-ready” technology but this is just another meaningless marketing term being pushed by some authentication vendors.  Certainly large organizations should follow FIDO developments and even push forward on their own testing and POCs at the appropriate time, but the FIDO alliance should be acting like a standards body rather than a VC-backed technology startup yahoo.  When the 1.0 specification goes public, FIDO will be “now” and “ready,” but not until then. 
  4. FIDO does not equal biometrics.  In truth, the FIDO specification is authentication technology agnostic.  Yes, biometrics (especially those built into or added on to mobile devices) will likely become a dominant authentication technology but lots of companies will still use tokens, passwords, digital certificates, etc. 
  5. For now, FIDO is a single specification.  Rumor has it that FIDO is actually different things to different member organizations.  I understand where this line of thinking comes from since firms like Google, Lenovo, Microsoft, and PayPal have vastly different use cases for FIDO and may have side projects for authentication in some cases.  Nevertheless, the alliance is unified in its support for the 1.0 specification.  It’s likely that future specifications will include options for different use cases, but you have to start somewhere.

FIDO is a great idea and is already backed by highly skilled organizations that have the resources and talent to make it a reality.  In addition, Internet users are rooting for FIDO to eliminate passwords, enhance usability, and improve privacy/security.  Given these factors, the FIDO alliance has to eschew industry hyperbole, manage its members, and focus on two things:  1) getting the specification to market as soon as possible, and 2) communicating clearly and concisely so the whole world is ready when FIDO hits.

Copyright © 2014 IDG Communications, Inc.