FIDO specification introduced this week with broad support and lots of potential

It seems like yesterday that I was logging onto the VAX system at my alma mater, UMass, so I could work on a market research project with a statistics program. When my time slot came up, I would sit in front of a VT100 terminal, type my user name and password, and voilà: a timesharing session at the cutting edge of high tech.

Well, this memory may seem recent, but in truth it was back in the mid-1980s. I probably had a mullet and was hankering to listen to Flock of Seagulls at the time. The VAX, the mullet, and new wave music are now ancient history, but we're still using user names and passwords for authentication most of the time. In my mind this is insane, as we all know that user name/password authentication is awful. It is insecure, and it forces us to memorize all kinds of cryptic passwords as an inadequate security control.

According to ESG research, I'm not alone in my disdain for user name/password authentication. The majority of security professionals working at enterprise organizations (i.e. more than 1,000 employees) feel the same way:

- 11% of enterprise security professionals say that "user name/password authentication is no longer secure and should be eliminated as a form of authentication in all cases."
- 44% say that "user name/password authentication is no longer secure and should be eliminated as a form of authentication for business critical applications but remains an adequate option for non-business critical applications."
- 34% say that "user name/password authentication is fairly secure and remains a viable option for most business critical and non-business critical applications."
- 11% say that "user name/password authentication is secure and remains a viable option for most business critical and non-business critical applications."

So if user names and passwords belong in the 1980s along with the VAX, why aren't we using more multi-factor authentication? Common wisdom suggests it is simply too costly and complex for pervasive deployment. Until now, no one but the Feds wanted to incur the expense, technical headaches, and operational overhead of ubiquitous multi-factor authentication.

Now hold the phone: this historical argument is about to change. Aside from consumer biometrics like the Touch ID fingerprint reader on the iPhone 5s, the FIDO (Fast Identity Online) Alliance finally published its v1 specification this week. This nerdy group may actually have found the holy grail of cheap and universal multi-factor authentication.

What does the specification do? Simply stated, it provides standard protocols so that devices (smartphones, tablets, PCs, IoT sensors, etc.) can authenticate with public-key cryptography instead of a shared password, using just about any local authentication technology (a fingerprint, a PIN, a hardware token) as one of the factors. Don't have a fingerprint reader on your phone? No problem: the key pair can be generated and guarded by some other trusted component on the device, a TPM chip for example, which then serves as the root of trust.

Additionally, FIDO creates a unique key pair for each application or service (Windows logon, Facebook, PayPal, etc.) and provides an abstraction layer so that the private keys never leave the device. The service stores only the public key and verifies a signature over a fresh challenge at each login, so a breach of its credential database yields no secret an attacker can reuse, and the key registered with one service says nothing about the user at another.

Good stuff, but the proof will be in the pudding. FIDO has been tested in the lab but must remain secure in the real world; in practice that means scrutiny of the authenticators themselves, since the device's key protection and its local unlock factor (a fingerprint, a PIN) are now what stand between an attacker and the account. Furthermore, FIDO's success is contingent on its penetration into consumer and enterprise use. That said, the membership list is a veritable who's who of the technology and financial services glitterati, including BlackBerry, Google, Lenovo, MasterCard, Microsoft, PayPal and RSA Security. Others are watching FIDO with great interest. If these folks get on board and actually deliver FIDO technology to market, other vendors like Apple, Bank of America, Facebook, and IBM are sure to follow.

The FIDO specification is a bit late, and other than new membership announcements the FIDO story has been exceedingly geeky and lacked widespread visibility. Now that the spec is out, that could all change quickly. Soon, our mobile devices could deliver "trusted convenience" by consumerizing multi-factor authentication and finally putting user names and passwords in their rightful place: next to moonwalking, Chrysler K-cars, and trickle-down economics. Sounds like a potential game-changer to me.
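To make the "one key pair per service, private key never leaves the device" idea concrete, here is an added example in Go. It is not code from the FIDO Alliance or from this article; it models a FIDO-style registration and challenge-response login between an authenticator (the device) and a relying party (the service). The origin names, the user name and the exact bytes that get signed are assumptions made for illustration: the real specifications define their own message layouts, and a real authenticator keeps its keys in a secure element or TPM rather than a Go map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models a FIDO device; private keys are minted here and never leave this struct.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // relying-party origin -> private key (assumed layout)
	counter uint32                       // signature counter, bumped per assertion
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh P-256 key pair scoped to one origin and returns only
// the public half; a second origin gets an unrelated key.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// signedMessage is what both sides hash: H(origin) || counter || challenge, a simplification
// of the FIDO wire layout. Binding the origin into the signed data is what defeats phishing:
// a look-alike site cannot obtain a signature that verifies under the real site's origin.
func signedMessage(origin string, counter uint32, challenge []byte) []byte {
	oh := sha256.Sum256([]byte(origin))
	h := sha256.New()
	h.Write(oh[:])
	binary.Write(h, binary.BigEndian, counter)
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge for the origin the browser reports. If no key was
// registered for exactly that origin, the authenticator refuses.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, uint32, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, 0, errors.New("no key registered for origin " + origin)
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(origin, a.counter, challenge))
	return sig, a.counter, err
}

// RelyingParty is the server side. Per user it keeps only a public key and the
// last counter it accepted, so a breach of this table yields no reusable secret.
type RelyingParty struct {
	Origin   string
	pubs     map[string]*ecdsa.PublicKey
	counters map[string]uint32
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubs: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// NewChallenge returns 32 fresh random bytes; every login attempt gets its own.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c) // crypto/rand only fails if the OS RNG is unavailable
	return c
}

// Verify checks the assertion with the stored public key and rejects a counter
// that does not move forward (a replayed assertion or a cloned authenticator).
func (rp *RelyingParty) Verify(user string, challenge, sig []byte, counter uint32) error {
	pub, ok := rp.pubs[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(rp.Origin, counter, challenge), sig) {
		return errors.New("bad signature")
	}
	if counter <= rp.counters[user] {
		return errors.New("counter did not advance: replay or cloned authenticator")
	}
	rp.counters[user] = counter
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("https://bank.example") // assumed origin
	pub, _ := auth.Register(rp.Origin)
	rp.Enroll("alice", pub)
	ch := rp.NewChallenge()
	sig, ctr, _ := auth.Sign(rp.Origin, ch)
	_, _, phish := auth.Sign("https://bank-login.example", ch) // look-alike origin: no key, no signature
	fmt.Println("login:", rp.Verify("alice", ch, sig, ctr), "| replay:", rp.Verify("alice", ch, sig, ctr), "| phish:", phish)
}
```

Three things the run shows that the paragraph only states: the relying party's table holds public keys and counters only, so stealing it gives an attacker nothing to log in with; a captured assertion cannot be replayed, because the counter must advance; and a phishing page on a look-alike origin never gets a signature at all, because keys are scoped to the origin they were minted for.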