Microsoft joins tech giants and FIDO in the fight for simpler, safer authentication

Filed Under: Google, Microsoft

FIDO AllianceMicrosoft has become a member of the FIDO (Fast IDentity Online) Alliance, a non-profit group working to design better and more standardised methods of checking identity across the internet.

The operating system, software and mobile giant joins fellow tech juggernaut Google as a member of FIDO's board of directors, according to an announcement [PDF] issued this week by the Alliance.

FIDO was set up in July 2012 by a group including online payment processor PayPal, hardware maker Lenovo and a handful of specialist authentication firms.

Since then membership has swelled to include the likes of once-dominant mobile firm BlackBerry, global payment colossus MasterCard and a raft of firms working in the fields of identity, biometrics and authentication.

The mission of the Alliance is to combat the inherent weakness of the current standard authentication method, the username/password combo.

The problems with the old approach are many and severe, with humans seemingly incapable of maintaining good password hygiene, and businesses similarly wobbly when it comes to keeping their password databases secure.

FIDO's answer is a set of standards and specifications for an authentication system based on public key infrastructure (PKI), which is still under development.

The idea is that once hardware, software and online service providers agree and adopt the standard, users should be able to use a unified system to prove they are who they say they are, to any and all services they use online.

It will work by generating key pairs for each site or service you use - the private (or "secret") key stays with you, and the public key is handed over. Then each time you want to access the site, it presents you with a challenge encrypted with your public key, which can only be decrypted by the holder of the private key, ie: you.

This does away with the problem of hacked password databases at the server side, as they'll only be holding public keys - these will be of little use to hackers, as it should be more or less impossible to figure out the private key even if you have the public one (hence the names).

Having separate key pairs for each site means sites can't pretend to be other sites and peep over each others' shoulders at what you're doing.

Encryption key, image courtesy of ShutterstockOf course, you'll still need to authenticate yourself to whatever device you're storing the secret keys on, which is where all those biometric firms come in.

Fingerprints, voice patterns, hand gestures or even a good-old fashioned strong password should all be compatible with the standard, the good part being that even if you prefer to avoid eyeball scanners or implanted circuitry, you won't need to remember new passwords for everything, only the one for the mobile/PC/wristwatch you're using to surf the web.

Any local authentication information will be strictly kept to the local device, so again there's no risk of hackers making off with a database of everyone's bio data. There's also a two factor-version of the standard being developed, with the addition of a dongle or one-time-password generator for extra security.

There will doubtless be all manner of apps and accessories providing different spins on the system, but the point of having a unified standard is that they can all interact in the same way, meaning end-users can choose how they want to do things without putting extra workload on the platform and web service makers - they should all just play happily together.

It may all just be a pipe dream of course, but having the weight of Microsoft behind it, alongside the existing lineup of heavyweights, makes it all a good chunk more likely to come true.

There are still a few serious players missing from the list, notably Apple who are notorious for preferring to plough their own furrow in all things, but with amount of support the Alliance is building up, FIDO's ideas have a good chance of becoming a true standard that everyone will have to support.

That should be pretty good for everyone.


Image of encryption key courtesy of Shutterstock.

, , , , , , ,

You might like

7 Responses to Microsoft joins tech giants and FIDO in the fight for simpler, safer authentication

  1. asdfa · 288 days ago

    What a terrible acronym. Sounds like M$ et al are a desperate to respond to SQRL.

    • Hearth · 287 days ago

      Sound like it basically *is* SQRL in essence if not in name.

  2. Milford Gay · 287 days ago

    "And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name." -- Revelation 13:16-17

  3. Sam · 287 days ago

    Thank goodness someone has got round to this. At last we will be able to impose signatures on emails and other transmitted files.

    It will also provide a solution to an increasing problem - how to establish the required credentials with finance houses. I have recently been asked - yet again - for an original copy of a bank statement for an online bank account! They (the finance house and the regulators) won't accept a printout from me. How much easier it will be when I can download a signed PDF copy from my account and forward it with my signature added to the finance house! They will be able to prove it came from me and that the document came from my bank.

    Roll on!

  4. Marius · 287 days ago

    I wonder what is harder to hack. A google/etc. server or a PC?

  5. 4caster · 287 days ago

    In 1944 and 1945, FIDO stood for "Fog Intensive Dispersal Operation". It involved burning 100,000 gallons [approx 500,000 litres, Ed.] of petrol per hour to clear fog at 15 RAF airfields in England, to enable returning bombers to land. It worked when the fog was up to 100 feet deep, but it would not clear deeper fog, just generating a lot of smoke and hot air. I hope the modern FIDO does not suffer that misfortune. See http://www.rti.org/pubs/bk-0003-1109-chapter13.pdf

  6. siva · 287 days ago

    I would assume even it is much easier to compramise an end user pc(most end users doesn't have much insights abt security) where the private key is being stored then to hack organizations servers which are ideally being protected by the technologies like firewalls,ips and antivirus solutions.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.