The newly created FIDO (Fast IDentity Online) Alliance is promoting a standardised, global protocol and the necessary interfaces to allow organisations to support authentication solutions appropriate to the level of risk involved.
The FIDO protocol will allow the interaction of technologies within a single infrastructure so security options can be tailored to the distinct needs of each user and organisation. Users will be able to choose their own authentication form factor and not be reliant on passwords.
I was sitting on the other side of the dark mahogany desk when my local insurance agent, who had been staring intently at his monitor, suddenly turned to rummage frantically through his desk drawer. Quickly glancing up at me, he apologetically explained that he had forgotten the password for a certain web site, and he could not complete my transaction until he found it. "This will only take a minute," he said, abandoning the drawer search and grabbing a small box on his desk, shaking it upside down. A small confetti shower of yellow Post-it-size notes fell out.
Picking through them one by one, he explained that he had about 30 different passwords to remember for online access to the companies and government agencies he does business with daily. Selecting one of the yellow squares, he squinted at the contents and turned back to the computer, typing again. "OK, that's it. Now, it says here that your policy was originally purchased in ..."
He manages life, auto, health, disability and home owner lines for several national insurance carriers. Not only does he interact with their systems, but he is also required to communicate digitally with the department of motor vehicles, the social security administration, and various banks and lending institutions. He hasn't even begun to think about a second factor, much less multiple factors, of authentication. He is happy just to find the right password. He also had words to describe the various password reset systems, but that is another issue.
Unfortunately this scenario is typical. It is also highly insecure and probably violates all kinds of privacy laws, both written and proposed. It is this type of situation that the FIDO Alliance plans to eliminate altogether in the coming years.
Announced last week, the FIDO (Fast IDentity Online) Alliance's goal is to create interoperability among strong authentication devices and eliminate user dependence on passwords. (Does this sound familiar?) What makes FIDO different? From their website (quoted at the top of this post):
The net-net is that users will be able to securely authenticate online using any form factor they choose: smart phone, token, smart card, fingerprint, voice, etc., as long as it is FIDO compliant.
Of course, the creation of an industry protocol/standard and its widespread adoption are two very different things. Adoption usually involves a lot of time, energy, dedication, cooperation, conflict resolution and a dash of fanaticism among proponents. Some succeed (a recent example is SAML), some ultimately fail (anyone remember DCE?). As it emerges from the gate, FIDO has PayPal, Lenovo, Nok Nok Labs, Validity, Agnitio and Infineon. Not a bad start, but some efforts have started with more and ended up on the sidelines.
To succeed, FIDO will have to add to this list quickly, and be able to demonstrate progress promptly to participants and potential adherents. We wish FIDO well. It would be a benefit to all if they achieve their goal of creating a more secure online ecosystem for users and businesses.
Posted by Sally Hudson, Research Director, Identity and Access Management BuyerPulse Programme