The FIDO Alliance has released a public draft of new security standards that could someday make user passwords obsolete, Forbes reports. The FIDO Alliance, a security-minded industry consortium that includes Google, Netflix and PayPal, is drawing the support of major tech companies looking for login alternatives that offer greater security while easing the authentication burden on consumers, who must create and manage passwords and credentials for the numerous sites they visit.
A report by Forrester Research puts the cost of password breaches at $200 billion in annual losses. FIDO’s specifications offer a two-pronged approach to secure logins, as well as improved consumer experiences. The proposed U2F (Universal Second Factor) protocol would enable users to log in using a simple PIN to identify themselves; at that point, a hardware device you carry with you (USB dongle, NFC-enabled smartphone or tablet, etc.) would be used to identify you through encrypted communication via the Web browser, the article says.
The second protocol – UAF (Universal Authentication Framework) – allows the use of biometric data (thumbprint, vocal phrase or iris scan) to verify a user’s identity.
Both protocols incorporate public key cryptography – you would register your local device with each site you intend to use it with, and you would also have the ability to terminate that registration at any time if the device is stolen or lost. The UAF standard restricts storage of any biometric data to the local device. Neither standard provides information that a site you registered with could use to track your visits to, or registration with, any other sites, Forbes reports.
FIDO has also begun a compliance testing program.
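To make the public-key registration and login flow described above concrete, here is an added example in Go (it is not code from the article or from the FIDO Alliance, and it does not follow the draft specifications' actual message formats). It is a simplified model with hypothetical names: an `Authenticator` stands in for the hardware device the user carries, and a `RelyingParty` stands in for one web site. The device mints a separate key pair for every site it registers with, signs each login challenge with that site's key, and can drop a registration when the user revokes it. Because each site only ever sees its own public key, two sites cannot correlate the same device, which is the unlinkability property the article mentions. The site identifiers and user name are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the hardware token the user carries (hypothetical,
// simplified model). It holds one private key per site ("app ID") and the
// private keys never leave it.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32 // increments on every signature; lets a site spot clones
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register creates a fresh site-specific key pair and returns only the public half.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// Unregister discards the key for a site: the "terminate registration" step.
func (a *Authenticator) Unregister(appID string) { delete(a.keys, appID) }

// Sign answers a login challenge for appID. The signed digest binds the site
// identity, the server's fresh challenge and the counter, so a signature is
// useless at any other site and cannot be replayed.
func (a *Authenticator) Sign(appID string, challenge []byte) ([]byte, uint32, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return nil, 0, errors.New("no registration for this site")
	}
	a.counter++
	digest := loginDigest(appID, challenge, a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return sig, a.counter, err
}

// loginDigest is the message both sides agree to sign/verify.
func loginDigest(appID string, challenge []byte, counter uint32) [32]byte {
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write(challenge)
	h.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// RelyingParty models one web site: it keeps each user's public key and the
// last counter value seen, and learns nothing usable at another site.
type RelyingParty struct {
	appID string
	users map[string]*ecdsa.PublicKey
	last  map[string]uint32
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{appID: appID, users: map[string]*ecdsa.PublicKey{}, last: map[string]uint32{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// Challenge issues 32 random bytes; a fresh value per login defeats replay.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the login only if the signature is valid for this site's
// app ID and the counter moved forward since the last accepted login.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte, counter uint32) bool {
	pub, ok := rp.users[user]
	if !ok || counter <= rp.last[user] {
		return false
	}
	digest := loginDigest(rp.appID, challenge, counter)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return false
	}
	rp.last[user] = counter
	return true
}

func main() {
	auth := NewAuthenticator()
	bank := NewRelyingParty("https://bank.example") // constructed sample sites
	shop := NewRelyingParty("https://shop.example")
	pubBank, _ := auth.Register(bank.appID)
	pubShop, _ := auth.Register(shop.appID)
	fmt.Println("same public key at both sites?", pubBank.Equal(pubShop))
	bank.Enroll("alice", pubBank)
	c, _ := bank.Challenge()
	sig, ctr, _ := auth.Sign(bank.appID, c)
	fmt.Println("login accepted:", bank.Verify("alice", c, sig, ctr))
	fmt.Println("replay accepted:", bank.Verify("alice", c, sig, ctr))
	auth.Unregister(bank.appID)
	_, _, err := auth.Sign(bank.appID, c)
	fmt.Println("sign after revocation:", err)
}
```

The two checks in `Verify` are the ones a site operator should care about: the digest includes the site's own app ID, so a signature captured at one site is rejected everywhere else, and the counter must strictly increase, so a replayed response or a cloned device that falls behind is refused.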
You can read an overview of specifications or download the complete draft on the FIDO website.