Security group plans for a future without passwords
- 10 December, 2014 04:47
Having to remember multiple passwords may soon be a thing of the past.
Setting the stage for a password-free future, an industry consortium has issued a set of instructions that specify a number of alternate ways that computers and devices can confirm a user's identity. The FIDO (Fast IDentity Online) Alliance, which issued the specifications on Tuesday, is backed by a number of large companies in the IT and banking industries, including Microsoft, Google, PayPal, Bank of America, and MasterCard.
After two years of work, FIDO has issued the first fully completed drafts of two specifications - the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F). If widely deployed, these specifications could form the basis for securing online communications without using passwords, which are cumbersome and can pose security threats.
The two specifications describe procedures that systems can use to verify a person's identity. For instance, biometric sensors such as fingerprint readers could identify a user's identity. A portable hardware token, which can be carried about, could also be used to authenticate individuals.
Today, most users log on to secured online services using passwords, yet this approach remains problematic. More than 76 percent of online breaches exploit weak or stolen log-in credentials, according to a survey from Verizon. While other forms of authentication such as biometrics have long been available, there has been little industry consensus on how these security mechanisms should be implemented, leading to a fragmented and complex environment for online authentication management.
Members of the FIDO Alliance are now able to use these specifications to build security systems. Companies such as Google, PayPal, Samsung and Alibaba have already incorporated early drafts of the specifications into their products and services.
Now that it has finished the core specifications, the FIDO Alliance is working on a set of extensions that will incorporate additional forms of access security, such as establishing identities using Near Field Communications and Bluetooth wireless communications.