It all starts with a concept: passwords just are not doing their job any more. The average user has about 26 separate usernames for personal and work accounts, each requiring best password practices that, on their own, seem archaic and demanding. It’s no surprise, then, that a large number of users recently surveyed repeatedly use the same password between accounts and are eager for an alternative.
Strong authentication has long presented the key to this password problem, and thanks to the work of organizations like the FIDO Alliance, we are finally starting to see some headway in killing the password.
While the FIDO Alliance was founded in 2013 and has grown tremendously since then, its purpose has not wavered. FIDO is dedicated to reducing user reliance on passwords through the creation of strong authentication standards and specifications. It has developed final 1.0 specification drafts, published late last year, which describe two password-mitigating standards, Universal Authentication Factor (UAF) and Universal Second Factor (U2F), both of which are described in the following sections.
2015 has been a big year for the Alliance, with its expansion to include its first government members – NIST and the UK’s Office of the Cabinet – as well as its support of Bluetooth LE and NFC. The most recent round of testing for FIDO compliance has determined that there are now 62 FIDO Certified authentication products, and with many of those relying on compliant integrated tech, that number is sure to grow.
Here is a rundown of what the Alliance has been up to recently:
Across the Universe
The FIDO UAF specifications stand as the Alliance’s heavy hitter in terms of identity management. Relying solely on biometric factors and on-device authentication, products that meet the criteria of the UAF standard are completely passwordless. The process is described in an infographic on the FIDO website, and it’s almost staggeringly simple: authorization is requested from the transaction provider, the user shows a biometric, and the transaction is completed.
The standard is multimodal, and products range from voice, face and fingerprint recognition to the iris biometrics included on the Fujitsu Arrows NX F-04G.
The links below will give you an idea on the diversity of UAF solutions and how they function:
As I mentioned in the first subsection of this post, the FIDO standards are meant to reduce reliance on passwords. That means that, while UAF can outright make passwords disappear from your life, there still might be situations in which the implementation of such technology is not possible at first. Moving on from the password will be a process, and it can start with the Alliance’s other standard, U2F.
U2F-certified devices do not require biometrics to authenticate, but rather act as digital keys to your online identity. While biometrics are a factor of what you are, the U2F specifications combine the other two modes of identity: what you have and what you know. A user authenticating in this manner enters her password and then, when prompted, activates her dongle, proving that she is at the online access point, and is subsequently granted access.
The following links will help give an idea of what U2F solutions are, how they work and who is embracing the two-step standard:
The Long Death of the Password
In December of 2013, the FIDO Alliance joined Mobile ID World and our sister site FindBiometrics for an exclusive webinar event ushering in the post-password era. While the presentation took place almost two years ago, and the FIDO Alliance has grown in leaps and bounds since then, the webinar recording below still captures the spirit and intention of the global strong authentication initiative being forwarded by the consortium and its legion of high-profile members.
Webinar: The Password is Dead!
September is Strong Authentication Month at Mobile ID World.