Yesterday, Fast IDentity Online Alliance (FIDO) a consortium of some of the biggest names in the industry released open specifications they say will bring passwords to an end by enabling authentication through biometrics and hardware tokens.
FIDO hopes the standard will be adopted by hardware and software vendors and cloud service providers for accessing everything from cloud computing Web sites, mobile devices, servers and client software.
To enable the system be effective, biometric-enabled devices like fingerprint readers on smart phones will have to be more widespread.
The alliance president Michael Barrett, said in a statement that the achievement will define the point at which the old world order of passwords and PINs started to wither and die .
“FIDO Alliance pioneers can forever lay claim to ushering in the ‘post password’ era, which is already revealing new dimensions in Internet services and digital commerce,” he said.
Members of the Alliance include handset makers BlackBerry and Samsung Electronics; Google; RSA; chipmaker Qualcomm; mobile chip designer ARM Holdings; Microsoft; Lenovo; Toronto-based authentication provider SecureKey ; Bank of America; PayPal and Visa.
Version 1.0 of the two specifications, which can be downloaded here. One is a protocol for creating biometric authentication, while the other enables the use of second factor devices users carry such as USB tokens. The alliance says the protocols are based on public key cryptography and “are strongly resistant to phishing.”
The passwordless protocol is called the Universal Authentication Framework (UAF) protocol. A user registers their device to an online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic or entering a PIN. Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. Multiple authentication mechanisms such as fingerprint plus PIN can be enabled.
The Universal Second Factor (U2F) protocol lets a user log in with a username and password plus demand a second factor device — a secure USB device or a device using Near Field Communications (NFC). The strong second factor allows the service to simplify its passwords without compromising security, says the alliance.
The alliance says NFC and Bluetooth extensions will be added soon.
Source: IT World Canada