FIDO Alliance develops strong authentication approach to replace passwords
A group of Internet companies, systems integrators and security firms has teamed up to offer a strong online authentication standard designed to replace passwords, which provide weak authentication because users reuse them and because they must be protected against malware and phishing attacks. IDC forecasts the strong authentication market to reach more than $2.2 billion in revenues by 2016.
Agnitio, Infineon Technologies, Lenovo, Nok Nok Labs, PayPal and Validity Sensors formed a coalition called the Fast Identity Online (FIDO) Alliance to develop a standards-based open approach that automatically detects when a FIDO-enabled device is present and offers users the option to replace passwords with more secure authentication techniques such as biometrics.
"For the enterprise, this has fantastic potential… to solve a lot of the security issues... This doesn't depend on one type of technology. This could be fingerprint, voice recognition, DSP token, whatever you have," Clain Anderson, director of software at Lenovo, told FierceEnterpriseCommunications.
The open FIDO protocol enables the interaction of technologies within a single infrastructure. Enterprises and users can tailor their solutions to their individual security needs. As more organizations join the FIDO Alliance, more use cases and technologies will become part of the solution, the Alliance explained.
"If you look at password issues in detail, people have been talking about high support costs and ease of theft. Password-based security is starting to cost businesses a lot of money," said Michael Barrett, FIDO Alliance president and PayPal chief information security officer.
"Within enterprises, people with my job title jump up and down and demand that their organizations deploy strong authentication, but it is expensive… When you are talking about rolling out strong authentication, that can cost enterprises $100 plus per user," Barrett told FierceEnterpriseCommunications.
In addition, there are help desk costs associated with employees who lose their passwords and need to reset them. "Those costs are nontrivial," Barrett noted. "A solution that reduces that problem is a big deal."
Barrett explained: "A full, open-standards-based solution is an extremely effective way of building a security ecosystem… There is no open authentication standard available today. Without the interoperability layer, we have islands of authentication that don't talk to each other."
Regarding the BYOD security implications, Sebastien Taveau, FIDO Alliance board member and chief technology officer with Validity Sensors, said what FIDO "can create is a 'bring your own token' trend. As an employee, I can provide something that is sufficient for a corporate network, but at the same time I am not sharing everything that is private on my device… The FIDO Alliance can provide the next step to the BYOD trend of today."
- see the FIDO Alliance release