SecurityWeek

Identity & Access

Internet Giants Launch New System to Fix the Password Problem

Making Passwords Better

An alliance of Internet giants, including PayPal and Lenovo, is tackling the identity problem head-on with a new authentication system designed to do away with passwords and improve online security.


The FIDO Alliance (Fast IDentity Online) was formed to develop open authentication standards based on a combination of hardware, software, and services to verify a person’s identity, Michael Barrett, CISO of PayPal and president of the alliance, told SecurityWeek. The alliance released its reference architecture spelling out the fundamentals of its system on Feb. 11. Formally launched on the same day, startup Nok Nok Labs is the first company implementing the FIDO specification.

The six founding companies include Agnitio, semiconductor maker Infineon Technologies, PC-maker Lenovo, new Silicon Valley startup Nok Nok Labs, PayPal, and Validity. The CEO of Nok Nok is Phillip Dunkelberger, the co-founder and former CEO of PGP who wound up selling the company to Symantec in 2010 for $300 million. FIDO Alliance has Barrett at the helm, and Ramesh Kesanupalli, founder of Nok Nok Labs, as vice-president.

FIDO takes an “open-based approach to standards” to give users a “choice and decide which method to use to authenticate,” Barrett told SecurityWeek.

Passwords are not keeping users safe online, and it is becoming increasingly clear that new methods of authentication and authorization were necessary, Dunkelberger told SecurityWeek. The client/server platform from Nok Nok Labs conforms to the FIDO specification and is not limited to any particular authentication method or device. Businesses would be able to offer users a range of authentication options using their mobile devices, PCs, or any Web-connected device.

“We need to take authentication technology and make it better,” Dunkelberger said.

Under the FIDO specification, businesses would be able to authenticate and authorize users using existing hardware devices, such as smartphones and tablets, fingerprint readers, microphones, cameras, TPM chips, near-field communications, and one-time password tokens. Instead of traditional username and password combinations, the device the user happens to be holding would play a more central role in authentication, according to the FIDO Alliance. This would make it much more difficult for attackers to steal login credentials and compromise user accounts, Barrett said.

The authentication infrastructure “leverages existing technologies such as fingerprint scanning and webcams,” Barrett said.


Interested organizations would first need to load FIDO-compliant software onto their servers and encourage end-users to load the appropriate apps on their devices in order to take advantage of the new system, Kesanupalli explained. Web and mobile developers could also build the specification directly into their applications.

The FIDO Alliance will be making a Web plugin available for the end-users to download, Kesanupalli said. Users “want to be secure, but they also want easy to use,” he said.

FIDO’s system is safer than existing credential systems because there is no way for the user information to be intercepted, Kesanupalli said. Under the specification, passwords and other identifying information are stored on the device itself. The FIDO software encrypts the information and sends only the cryptographic string to the back-end server to verify the user identity. The credentials never leave the user’s device, he said.

The user’s device also receives a cryptographic string from the back-end server to verify that it is a legitimate server and not an imposter.
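The two paragraphs above describe a mutual challenge-response: the user's secret stays on the device, only a cryptographic string crosses the wire, and the device also checks a string from the server before trusting it. The following Go program is an added illustration of that pattern and is not the FIDO protocol, the FIDO reference architecture, or Nok Nok Labs code. It uses Ed25519 digital signatures from Go's standard library as the "cryptographic string" in both directions (the article says "encrypts"; a signature is the usual way to prove possession of a key without revealing it). The pinned server key on the device, the per-user public-key registry, the purpose tags and the one-use nonce table are all assumptions added for the example; every type and function name is invented here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for the user's phone or PC. The private key is generated on
// the device and never leaves it; only signatures are sent to the server.
type Device struct {
	priv      ed25519.PrivateKey
	serverPub ed25519.PublicKey // server key pinned at enrolment (assumption)
}

// Server stores one public key per enrolled user plus the nonces it has issued
// and not yet seen answered, so a captured response cannot be replayed.
type Server struct {
	priv     ed25519.PrivateKey
	registry map[string]ed25519.PublicKey
	pending  map[string]bool // key is the raw nonce bytes as a string
}

// Challenge is the string the server sends; ServerSig lets the device check
// that the challenger holds the server's private key.
type Challenge struct {
	Nonce     []byte
	ServerSig []byte
}

// Response is the string the device sends back: a signature over the nonce.
type Response struct {
	User string
	Sig  []byte
}

// tagged prefixes the nonce with its purpose so a server signature can never be
// presented as a device signature over the same nonce (domain separation).
func tagged(tag string, nonce []byte) []byte {
	return append([]byte(tag+":"), nonce...)
}

func NewServer() (*Server, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, registry: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}, nil
}

func (s *Server) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// NewDevice generates the user's key pair on the device itself.
func NewDevice(serverPub ed25519.PublicKey) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, serverPub: serverPub}, nil
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Register is the one-time enrolment: only the public key reaches the server.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.registry[user] = pub }

// NewChallenge issues a fresh random nonce, records it, and signs it.
func (s *Server) NewChallenge() (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	s.pending[string(nonce)] = true
	return Challenge{Nonce: nonce, ServerSig: ed25519.Sign(s.priv, tagged("server", nonce))}, nil
}

// Answer refuses to sign anything unless the challenge carries a valid
// signature from the pinned server key; an impostor server gets no response.
func (d *Device) Answer(user string, c Challenge) (Response, error) {
	if !ed25519.Verify(d.serverPub, tagged("server", c.Nonce), c.ServerSig) {
		return Response{}, errors.New("challenge not signed by the expected server")
	}
	return Response{User: user, Sig: ed25519.Sign(d.priv, tagged("device", c.Nonce))}, nil
}

// Verify accepts each issued nonce exactly once and only when the response is
// signed by the key enrolled for the named user.
func (s *Server) Verify(c Challenge, r Response) bool {
	if !s.pending[string(c.Nonce)] {
		return false // unknown or already consumed nonce (replay)
	}
	delete(s.pending, string(c.Nonce)) // one attempt per challenge
	pub, ok := s.registry[r.User]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, tagged("device", c.Nonce), r.Sig)
}

// Login runs the whole exchange: challenge, device check, response, server check.
func Login(s *Server, d *Device, user string) (bool, error) {
	c, err := s.NewChallenge()
	if err != nil {
		return false, err
	}
	r, err := d.Answer(user, c)
	if err != nil {
		return false, err
	}
	return s.Verify(c, r), nil
}

func main() {
	srv, _ := NewServer()
	dev, _ := NewDevice(srv.PublicKey())
	srv.Register("alice", dev.PublicKey())
	ok, err := Login(srv, dev, "alice")
	fmt.Println("login ok:", ok, "err:", err)
}
```

Two properties of the described design are visible in the code: a server that does not hold the pinned key cannot get the device to sign anything, and a response captured on the wire is useless because the nonce it answers has already been consumed. What the server stores is only a public key per user, so a breach of the registry yields nothing that can be used to log in.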

The alliance considers the FIDO protocol, coming later this year, as a complementary format, one designed to interoperate with other existing authentication and authorization standards, such as OAuth 2.0 and OpenID. The fact that organizations would not have to rip out existing implementations using other protocols would hopefully lead to large-scale adoption among vendors. The group also plans to eventually work with an existing standards body such as the Internet Engineering Task Force or the World Wide Web Consortium to define the protocol as a formal standard.

Nok Nok Labs also announced it has raised $15 million in early financing from ONSET Ventures and Doll Capital Management. Richard Clarke, the former White House anti-terrorism czar, and PayPal’s Barrett also joined the board.
