Global authentication working group the FIDO Alliance has released the final draft of version 1.0 of its authentication specifications, which it hopes will reduce or even end our reliance on passwords for online authentication.
FIDO, short for Fast IDentity Online, says its new set of rules for designing interoperable authentication systems should “make authentication simpler and stronger for all”.
The group’s president Michael Barrett goes even further, describing the 1.0 release as:
...an achievement that will define the point at which the old world order of passwords and PINs started to wither and die.
FIDO was officially formed in 2012 and publicly launched in February 2013, making the speed of progress in agreeing on an initial set of standards fairly impressive given the diverse range of people involved.
FIDO members cover a broad spectrum, from financial firms such as PayPal, Visa, MasterCard and Bank of America, to tech players including Google, Microsoft, ARM, Lenovo and Samsung.
Also on board are online traders and service providers like Alibaba (who had a bit of an authentication issue of its own this week) and Netflix, along with rafts of firms specialising in authentication. Even UK high street key-cutters and dry-cleaners Timpson is in on the action.
The specifications published on 8 December cover two main areas, referred to as “Universal Authentication Framework” (UAF) and “Universal 2nd Factor” (U2F).
The first of these, UAF, covers options designed to completely replace passwords, mainly relying on biometrics that read aspects of our bodies, and on hardware dongles we carry around with us.
The second, U2F, is more of a complement to the existing standards of password use, covering ways to integrate second-factor double-checking for more secure logins.
Between them the two sets of specs provide detailed instructions for anyone designing or implementing authentication processes, so that any site or service can interact with any supported device or method to authenticate its users.
The main problem with biometrics and other jazzy modern forms of identifying ourselves has always been the need for additional hardware – the dongles, bangles, eyeball- or face-scanners, sniffers, patches or fingerprint readers they use to confirm we are indeed ourselves.
With no approach acceptable to all people in all circumstances, no one product could ever hope to build up enough of a market share to tip the balance and make the password a thing of the past.
So instead of a monopoly, FIDO proposes a system where we can use whatever tools work best for us, as long as the sites we use are clued up and on board with their universal schema.
To quote FIDO’s Barrett again:
FIDO Alliance pioneers can forever lay claim to ushering in the 'post password' era, which is already revealing new dimensions in internet services and digital commerce.
They’re claiming that some serious progress along this road will be made in 2015.
Until it moves from dry standards to a living ecosystem, we will of course still need to maintain proper standards of password hygiene – but maybe not for too much longer.
The use of finger print patterns has already been discredited for such use! Plus there are serious issues about personal security, which is why so few laptops that have a fingerprint recognition capability are actually sold because of that feature. People worry about their personal information and further ‘sharing’ of such is not a good idea.
In any case, a fingerprint can be ‘spoofed’, ask any forensic scientist working in the field! In court, a further level of corroboration of identity is needed, not just a fingerprint.
I find those finger print readers on your computer never seem to work right anyway. I would not want to rely on one to get access to stuff – most of the time they won’t read your finger print no matter how many times you scan it!
You WANT your biometric info in the cloud? I’ll pass.
The governments will love this (if not already behind). Forget about passwords, use biometrics to identify yourself. NSA and alike must be already celebrating…
I don’t get how is this a good idea…
I’m glad they’re trying to make more than one method work for a few reasons.
First, as the article mentions and other commenters clearly reinforce, not every method will work for every person. Biometrics (especially iris scanning) are more secure than passwords, but may raise privacy concerns, or be physically impossible for a person to produce.
Second, you may leave a dongle at home or lose it entirely, and it’d be nice to be able to get in another way if you needed to. Or you might meet with an accident and lose your biometric identifier.
“…is more of a compliment to the existing standards…”. Should be “complement”.
Good spot. Thanks!
The question raised is “should we expect”. Would a better question be “should we demand”?
In the grand effort to thwart dishonesty we are giving away more than we realise. If only we could just take all the dishonest thieves ( cos people who steal your stuff are thieves, individuals, corporate or government) out and shoot them, no more thieves and my milk money will always be safe under the empty milk bottle on the front porch. Security is not the problem society is the problem.
You still have milk deliveries where you live?
What do you do if someone finds a way to spoof your biometric details?
Presumably you cannot acquire new ones (like you can get a new credit card with a different number).
There is a danger that the courts may view something authenticated with “your” biometric details as infallible and absolute proof that it was “you”.