The FIDO Alliance Wants to Kill Your Passwords, Here’s Why

“Username and password please.” You’re asked for it every day and you probably have several combinations. Work email, home email, Facebook, Twitter, Amazon, your CRM system—so many things to remember—you may even have dozens. For decades, the password has been the de facto standard of online authentication, but recently, many security professionals have been calling for change.

Passwords, it turns out, aren’t very secure at all. In fact, even the most complex of passwords may be as useless as using “password” as your password, according to some recent reports. On top of that, passwords can be sold and exchanged, which makes them a massive liability for large organizations. Some research has shown that employees could sell their passwords for as little as $150. If that employee is a privileged user, then he or she could compromise an organization’s entire IT infrastructure with a single password. With all that in mind, it’s no wonder so many security professionals are calling for a new set of standards.

One of the most vocal groups calling for “killing the password” has been the Fast Identity Online (FIDO) Alliance, a non-profit organization formed by a group of security professionals in 2012. Its aims are to address the lack of interoperability and compatibility among strong authentication devices, and to change the nature of online authentication by developing specifications and standards for open, scalable, and interoperable mechanisms that reduce reliance on passwords. FIDO Alliance board members include executives from Microsoft, Google, Lenovo, and Bank of America.

Put simply, FIDO is a group of people working to make authentication simpler, safer, and more reliable. In doing that, FIDO hopes to make passwords a thing of the past, according to FIDO Alliance member Kayvan Alikhani, senior director of technology at RSA and previously CEO at PassBan (acquired by RSA).

In an interview with bankinfosecurity.com, Alikhani says that FIDO is working toward “eliminating users’ dependency on passwords and suggesting an alternative to authenticate user identity.”

According to Alikhani, encouraging the use of a strong, standardized multi-factor authentication mechanism is critical to fighting increasing security threats and preserving end-user privacy. This issue is even more acute with the massive proliferation of mobile transactions as pay-by-phone products such as Venmo, Apple Pay and Google Wallet become more prevalent.

“With the rate of acceleration in mobile transactions on the rise, FIDO observes that only a fraction of devices are equipped with the right type of sensors that protect the credentials of the user. To do this, we need more mature authentication frameworks,” Alikhani says.

The interview was conducted at the recent RSA Conference for Asia Pacific & Japan, held in Marina Bay Sands, Singapore last week, where Alikhani gave a speech titled “Does FIDO Really Usher the Death of Passwords?” You can get presentation slides for that speech and other RSA conference events here.

Beyond the topics touched on above, Alikhani gives his thoughts on building strong authentication tools, developing risk mitigation strategies, using biometrics, and the importance of training and support for identity management initiatives. You can listen to a recording of the full interview here.

 

Jeff Edwards

Editor, Cybersecurity at Solutions Review
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.