In 2017, your usernames and passwords are as much a part of your identity as your driver’s license and birth certificate.
You’re asked for them every day and you’ve probably got several combinations, maybe even dozens. For decades, the password has been the de facto standard for digital authentication, but recently, many security professionals have been calling for change.
Passwords, it turns out, aren’t very secure at all.
In fact, even the most complex of passwords may be as useless as using “password” as your password, according to some recent reports. On top of that, passwords can be sold and exchanged, which makes them a massive liability for large organizations. Research has shown that employees could sell their passwords for as little as $150. If that employee is a privileged user, then he or she could compromise an organization’s entire IT infrastructure with a single password.
With all that in mind, it’s no wonder so many security professionals are calling for a new set of standards.
One of the most vocal groups calling for “killing the password” has been the Fast Identity Online (FIDO) Alliance, a non-profit organization formed by a group of security professionals in 2012 to address the lack of interoperability and compatibility among strong authentication devices. Its goal is to change the nature of online authentication by developing specifications and standards for open, scalable, and interoperable mechanisms that reduce reliance on passwords. FIDO Alliance board members include executives from Microsoft, Google, Lenovo, and Bank of America.
Put simply, FIDO is a group of people working to make authentication simpler, safer, and more reliable. In doing that, FIDO hopes to make passwords a thing of the past—and they’re making pretty decent headway.
Among those lining up to help FIDO kill the password are tech giants Google and Microsoft, as well as well-known identity management vendors such as RSA and Micro Focus.
As of last month, more than 150 products are now FIDO Certified, a 50 percent jump from last quarter. Here are a few of the most interesting and high-profile plays for FIDO Certified alternative authentication.
Google’s Project Abacus
Project Abacus is Google/Alphabet’s complicated plan to kill the password by replacing it with biometric authentication. Sounds pretty standard, right? Not quite.
Abacus makes authentication decisions based on an algorithmic “trust score,” built on the continuous monitoring of user patterns such as location, voice and speech, and more.
On the one hand, Abacus would be one of the most secure forms of multifactor biometric authentication possible; on the other, it’s a bit creepy.
Windows Hello
Windows Hello is Microsoft’s biometric authentication play, or, as Redmond calls it: “a more personal way to sign in to your Windows 10 devices with just a look or a touch.”
With Windows Hello, users on Microsoft devices can forgo the password and teach their devices to recognize them based on their face, fingerprint, or even their iris. To those in the know, that could sound like standard fare for biometric authentication at this point, but one cool differentiator for Windows Hello is its use of asymmetric or public-key cryptography as another factor in authentication.
Samsung and PayPal
This one is as OG as it gets… concerning FIDO-certified biometric authentication anyway…
Way back in 2014, founding FIDO board member PayPal, and their partner Samsung, announced a collaboration that enabled Samsung Galaxy S5 users to log in and shop with the swipe of a finger in online, mobile and in-store payments wherever PayPal is accepted, thus marking the first deployment of FIDO authentication in the wild. These days nearly every new phone has a fingerprint reader, so it’s safe to say this was a game changer.
Check out the full list of all 150 FIDO Certified products here.