Can we expect a future free from passwords and PINs?

FIDO unveils details of a future free from passwords and PINs

Image from FIDO websiteGlobal authentication working group the FIDO Alliance has released the final draft of version 1.0 of its authentication specifications, which it hopes will reduce or even end our reliance on passwords for online authentication.

FIDO, short for Fast IDentity Online, says its new set of rules for designing interoperable authentication systems should “make authentication simpler and stronger for all”.

The group’s president Michael Barrett goes even further, describing the 1.0 release as: achievement that will define the point at which the old world order of passwords and PINs started to wither and die.

FIDO was officially formed in 2012 and publicly launched in February 2013, making the speed of progress in agreeing on an initial set of standards fairly impressive given the diverse range of people involved.

FIDO members cover a broad spectrum, from financial firms such as PayPal, Visa, MasterCard and Bank of America, to tech players including Google, Microsoft, ARM, Lenovo and Samsung.

Also on board are online traders and service providers like Alibaba (who had a bit of an authentication issue of its own this week) and Netflix, along with rafts of firms specialising in authentication. Even UK high street key-cutters and dry-cleaners Timpson is in on the action.

The specifications published on 8 December cover two main areas, referred to as “Universal Authentication Framework” (UAF) and “Universal 2nd Factor” (U2F).

The first of these, UAF, covers options designed to completely replace passwords, mainly relying on biometrics reading aspects of our bodies and hardware dongles we carry around with us.

The second, U2F, is more of a complement to the existing standards of password use, covering ways to integrate second-factor double-checking for more secure logins.

Between them the two sets of specs provide detailed instructions for anyone designing or implementing authentication processes, so that any site or service can interact with any supported device or method to authenticate its users.

The main problem with biometrics and other jazzy modern forms of identifying ourselves has always been the need for additional hardware – the dongles, bangles, eyeball- or face-scanners, sniffers, patches or fingerprint readers they use to confirm we are indeed ourselves.

With no approach acceptable to all people in all circumstances, no one product could ever hope to build up enough of a market share to tip the balance and make the password a thing of the past.

So instead of a monopoly, FIDO proposes a system where we can use whatever tools work best for us, as long as the sites we use are clued up and on board with their universal schema.

To quote FIDO’s Barrett again:

FIDO Alliance pioneers can forever lay claim to ushering in the 'post password' era, which is already revealing new dimensions in internet services and digital commerce.

They’re claiming that some serious progress along this road will be made in 2015.

Until it moves from dry standards to a living ecosystem, we will of course still need to maintain proper standards of password hygiene – but maybe not for too much longer.