FIDO – Forget passwords…Enter biometrics??
13 February 2013 14:42 GMT

Biometrics could play a central role in the future of online authentication

The beginning of the end of passwords and PINs is the bold claim being made by the FIDO Alliance (Fast IDentity Online), as it announced an important new open industry standard for online authentication.

The Alliance has some weight behind its efforts, which could see a surge in the use of identity technologies, such as biometrics, to secure logon and access to online accounts and services. In its ranks are founding member organizations, such as Agnitio, Infineon Technologies, Lenovo, Nok Nok Labs, PayPal, and Validity.

“PayPal authenticates 7.5 million transactions every day and we take our customers’ security very seriously,” said Bill Leddy, Principal Security Strategist, PayPal. “We recognize that user authentication must go beyond passwords. With FIDO, PayPal’s customers will have more choice and stronger methods of authentication including biometrics, USB security tokens and one-time passwords. By collaborating with the industry to create open authentication standards such as FIDO, we can make authentication simpler and stronger for Internet users everywhere.”

This view is also reflected by Mark Cohen, Vice President and General Manager, Ecosystem and Monetization, Lenovo. According to Cohen: “Recognizing that our customers wanted more than just passwords for authentication, we began shipping ThinkPad PCs with integrated fingerprint readers nearly a decade ago. We are excited about the new FIDO standard because it enhances both security and convenience, enabling biometric and other forms of authentication to take place directly between the user and the service that he or she is trying to use.”

According to the Alliance, current password authentication is weak due to reuse, malware and phishing, and leaves enterprises and end-users vulnerable to financial and identity theft. FIDO’s standards-based approach automatically detects when a FIDO-enabled device is present, and offers users the option to replace passwords with authentication methods that are more secure and easier to use.

The FIDO Alliance is encouraging and inviting participation from all companies and organizations that want simpler, stronger authentication. The FIDO standard will support a full range of technologies, including biometrics, such as fingerprint sensors, voice and facial recognition, as well as existing authentication solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, Near Field Communication (NFC), One Time Passwords (OTP) and many other existing and future technology options.

The open protocol is designed to be extensible and to accommodate future innovation, as well as protect existing investments.

At its heart, the FIDO protocol allows the interaction of technologies within a single infrastructure, enabling security options to be tailored to the distinct needs of each user and organization. As more organizations join the FIDO Alliance, more use cases and technologies will become part of the solution.

“The Internet – especially with recent rapid mobile and cloud expansion – exposes users and enterprises, more than ever before, to fraud. It’s critical to know who you’re dealing with on the Internet. The FIDO Alliance is a private sector and industry-driven collaboration to combat the very real challenge of confirming every user’s identity online,” said Michael Barrett, FIDO Alliance president and PayPal Chief Information Security Officer.

“By giving users choice in the way they authenticate and taking an open-based approach to standards, we can make universal online authentication a reality. We want every company, vendor, and organization that needs to verify user identity to join us in making online authentication easier and safer for users everywhere.”

According to Sally Hudson, Research Director, Security Products and Services, at IDC, a market research company: “IDC forecasts the strong authentication market to realize more than $2.2 billion in revenues alone by 2016. This demand is driven by social networking, internet, cloud and mobile, all of which will require higher and higher levels of authentication by governments, corporations and consumers. We believe that standards-based, automated solutions such as those advocated by FIDO will contribute greatly toward making this a reality.”

“At the core of National Strategy for Trusted Identities in Cyberspace (NSTIC) is a call for the private sector to lead in developing open technology standards that will enable a more trusted and secure Identity Ecosystem. The new FIDO Alliance has pledged to do just that,” said Jeremy Grant, who is leading the implementation of NSTIC as Senior Executive Advisor for Identity Management at the National Institute of Standards and Technology (NIST).

Why Now?

Though many authentication systems and point solutions currently exist, the FIDO Alliance claims that they have been proprietary, difficult and costly to manage, and/or insufficient to scale. The FIDO Alliance says its objective is to be all-inclusive, embracing both existing and new authentication methods and hardware with the FIDO open protocol.

FIDO-compliant smartphones, tablets, PCs and laptops will be able to replace password dependency and exposure of sensitive user information by automatically and transparently providing user credentials when they’re required.

According to Cisco Systems, 50 billion internet-connected devices are predicted to be in the marketplace by 2020. The FIDO protocol aims to inherently support consumerization trends, by allowing end users any choice of authentication method.

Today, users are often required to remember a selection of security questions, enter a unique ID with a main password, and potentially use a software or hardware token as well. Most users have a handful of slightly varied passwords they use to access multiple sites and accounts. This cross-use of passwords poses serious risks: if one account is compromised, the user’s credentials are exposed to potential fraud across the range of that user’s accounts. Providers are invariably implicated when data is breached and personal information is exposed at a site or within an application.

Repeated attempts to outline better security practices and change user behaviors haven’t succeeded. The FIDO Alliance says it is committed to overcoming prevailing limitations by developing an authentication ecosystem with a standardized, global protocol and necessary interfaces. With users free to select any FIDO-compliant token type, even devices previously considered proprietary can be adapted for use, and new vendors with new protocol-compliant devices easily become part of the marketplace. The FIDO Alliance and its standards create an open, non-proprietary and flexible authentication protocol framework that lowers deployment costs and improves returns on investment by using devices and systems already in the marketplace to authenticate users.

FIDO Alliance and biometrics

Biometrics – finger, hand/palm, face, voice, iris – represent something everyone has with them at all times. The FIDO Alliance brings renewed attention to the range of biometric options that identify who a user is.

By enabling dynamic discovery of FIDO-compliant biometric devices, the FIDO Alliance offers remarkable advantages to biometric users and to manufacturers of biometric devices and systems, as well as to device manufacturers who want to incorporate biometric recognition technology into their systems and devices to enable FIDO compliance.

Sebastien Taveau, FIDO Alliance Board Member and CTO for Validity Sensors, commented: “As device and digital consumption continues to grow exponentially, so does the challenge of maintaining privacy and ease of use. PC manufacturers have already recognized the power of leveraging a fingerprint for authentication, and with the upcoming release of fingerprint sensors in mobile devices, now is the time for the FIDO Alliance to bring together the hardware, software and applications that create a seamless user experience with a much needed new approach to security.”

According to Emilio Martinez, CEO of Agnitio: “Agnitio is committed and passionate about fighting for Internet citizens worldwide against identity fraud and criminal activity. The FIDO Alliance facilitates our global opportunity to equip users with the convenience of using their voice to automatically authenticate instead of having to remember and enter passwords, especially when they’re on the go.”