Strengthening Passwords with the FIDO Alliance
The average consumer has 35 passwords, but how secure are they?
How many passwords do you have? The average consumer has 35. The problem with that many is remembering them, reusing them across sites, or losing them. That’s where the FIDO (Fast IDentity Online) Alliance comes in.
The Alliance was formed in July 2012 to address the lack of interoperability among strong authentication devices as well as the problems that users face with creating and remembering multiple usernames and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security. Google, NXP and CrucialTec have joined the FIDO Alliance Board of Directors, adding to founding board members Lenovo, Nok Nok Labs, PayPal and Validity. I recently spoke with PayPal CISO and FIDO Alliance president Michael Barrett about this new Alliance and its benefits for security executives.
Why was the Alliance formed?
This particular problem of passwords is one that has been more relevant to the logical security side of the house than the physical security side of the house, but there is convergence. It is now an enterprise problem. Passwords have been around since the 1960s, and back in the day, they worked well. They weren’t brilliant, but they worked well. A decade ago, the average consumer had four to six user IDs and passwords. Now, people have upwards of 35 passwords, and they can’t manage it any longer. So what many people are doing is using the same password. But that reduces their security. And hackers are able to penetrate passwords.
What are the benefits for an authentication organization to join the Alliance?
The 100 or so companies who have already joined understand the need for universal strong authentication because the current situation makes it harder for them from a sales perspective. But more importantly, those who join and become FIDO-enabled are able to offer end users a pure solution versus selling them something on the strengths of their sales pitch. That’s also a benefit to CSOs, because they are getting the facts, not the pitch.
With all of the warnings about not reusing passwords, why do people still do it?
Consumers and employees do what’s easiest. They assume that they are adequately secure. As human beings, our tendency is to use the easiest method possible. There are many authentication solutions on the market to solve this problem – more than 100 companies that are innovating in this space. The problem is that if you are a CSO or CISO and you want to use one of those companies, to try out their system, for example, every time it is a different integration model, so you incur costs each time. The Alliance is providing user choice. We are defining the standards by which authentication companies can operate, so everyone uses the same authentication style. That means many benefits for end users.
What are those benefits?
There will be a world where you can do a level of exploration without incurring costs, mistakes and wasting time. A CSO, using FIDO standards, sets a policy that says “we will accept only these types of authentications,” and then they are done. It’s a one-time decision. The implementation is done once. Among the benefits is that employees are not constantly calling the IT desk for password support. That’s one significant money saver.
How is the Alliance doing so far?
We expect the first FIDO-enabled devices to hit the market in the second half of 2013. The FIDO Alliance is welcoming new members every week. We want FIDO to embrace every use case, and we’re encouraging all who use authentication online, in mobile or in physical applications, to join us and effect some remarkable changes. We are very close to the world changing, but we are not quite there yet. The train is just leaving the station.
Read more Security Talk online at SecurityMagazine.com/columns/SecurityTalk