Internet Giants Launch New System to Fix the Password Problem

Making Passwords Better

An alliance of Internet giants, including PayPal and Lenovo, is tackling the identity problem head-on with a new authentication system designed to do away with passwords and improve online security.

The FIDO Alliance (Fast IDentity Online) was formed to develop open authentication standards based on a combination of hardware, software, and services to verify a person’s identity, Michael Barrett, CISO of PayPal and president of the alliance, told SecurityWeek. The alliance released its reference architecture spelling out the fundamentals of its system on Feb. 11. Formally launched on the same day, startup Nok Nok Labs is the first company implementing the FIDO specification.

The six founding companies include Agnitio, semiconductor maker Infineon Technologies, PC-maker Lenovo, new Silicon Valley startup Nok Nok Labs, PayPal, and Validity. The CEO of Nok Nok is Phillip Dunkelberger, the co-founder and former CEO of PGP who wound up selling the company to Symantec in 2010 for $300 million. FIDO Alliance has Barrett at the helm, and Ramesh Kesanupalli, founder of Nok Nok Labs, as vice-president.

FIDO takes an “open-based approach to standards” to give users a “choice and decide which method to use to authenticate,” Barrett told SecurityWeek.

Passwords are not keeping users safe online, and it is becoming increasingly clear that new methods of authentication and authorization are necessary, Dunkelberger told SecurityWeek. The client/server platform from Nok Nok Labs conforms to the FIDO specification and is not limited to any particular authentication method or device. Businesses would be able to offer users a range of authentication options using their mobile devices, PCs, or any Web-connected device.

“We need to take authentication technology and make it better,” Dunkelberger said.

Under the FIDO specification, businesses would be able to authenticate and authorize users using existing hardware devices, such as smartphones and tablets, fingerprint readers, microphones, cameras, TPM chips, near-field communications, and one-time password tokens. Instead of traditional username and password combinations, the device the user happens to be holding would play a more central role in authentication, according to the FIDO Alliance. This would make it much more difficult for attackers to steal login credentials and compromise user accounts, Barrett said.

The authentication infrastructure “leverages existing technologies such as fingerprint scanning and webcams,” Barrett said.

Interested organizations would first need to load FIDO-compliant software onto their servers and encourage end-users to load the appropriate apps on their devices in order to take advantage of the new system, Kesanupalli explained. Web and mobile developers could also build the specification directly into their applications.

The FIDO Alliance will be making a Web plugin available for the end-users to download, Kesanupalli said. Users “want to be secure, but they also want easy to use,” he said.

FIDO’s system is safer than the existing system of credentials because there is no way for the user information to be intercepted, Kesanupalli said. Under the specification, passwords and other identifying information are stored on the device itself. The FIDO software encrypts the information and sends only a cryptographic string to the back-end server to verify the user’s identity. The credentials never leave the user’s device, he said.

The user’s device also receives a cryptographic string from the back-end server to verify that it is a legitimate server and not an imposter.
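The exchange sketched in the preceding paragraphs, as an added illustration that is not part of the original article and not code from the FIDO Alliance or Nok Nok Labs: the device holds a private key that is never transmitted, the server holds only the matching public key, and each login is a signed challenge rather than a reusable secret. For the server-side "cryptographic string" the device checks, this example has the server sign its own challenge with a key the device pinned at enrolment; that is one simple way to model the server check described above, chosen here for illustration, not FIDO's actual wire format. It uses Ed25519 from Go's standard library; the origin string, user name and type names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Challenge carries the server's origin, a fresh nonce and the server's signature
// over both, so the device can check who is asking before it signs anything.
type Challenge struct {
	Origin     string
	Nonce, Sig []byte
}

// Server stores only public keys for its users (useless to a thief for logging in),
// plus its own signing key and the nonces it has issued but not yet consumed.
type Server struct {
	origin  string
	signKey ed25519.PrivateKey
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func mustKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

func NewServer(origin string) *Server {
	return &Server{origin, mustKey(), map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
func (s *Server) PublicKey() ed25519.PublicKey { return s.signKey.Public().(ed25519.PublicKey) }

// Register stores the device's public key; the private half never arrives here.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

func (s *Server) IssueChallenge(user string) Challenge {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.pending[user] = nonce
	return Challenge{s.origin, nonce, ed25519.Sign(s.signKey, append([]byte(s.origin), nonce...))}
}

// Verify deletes the nonce before checking, so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) error {
	nonce, ok := s.pending[user]
	delete(s.pending, user)
	pub := s.users[user]
	if !ok || pub == nil || !ed25519.Verify(pub, append([]byte(s.origin), nonce...), sig) {
		return errors.New("no outstanding challenge, unknown user, or bad signature")
	}
	return nil
}

// Device keeps its private key locally and pins the server's public key at enrolment.
type Device struct {
	origin string
	priv   ed25519.PrivateKey
	server ed25519.PublicKey
}

func NewDevice(origin string, serverPub ed25519.PublicKey) *Device {
	return &Device{origin, mustKey(), serverPub}
}
func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Respond signs only a challenge that the pinned server signed for the expected origin.
func (d *Device) Respond(c Challenge) ([]byte, error) {
	msg := append([]byte(c.Origin), c.Nonce...)
	if c.Origin != d.origin || !ed25519.Verify(d.server, msg, c.Sig) {
		return nil, errors.New("challenge not from the trusted server; refusing to sign")
	}
	return ed25519.Sign(d.priv, msg), nil
}

// Login runs one complete round trip: challenge, device signature, server check.
func Login(s *Server, d *Device, user string) error {
	sig, err := d.Respond(s.IssueChallenge(user))
	if err != nil {
		return err
	}
	return s.Verify(user, sig)
}

func main() {
	srv := NewServer("https://login.example.com")
	dev := NewDevice("https://login.example.com", srv.PublicKey())
	srv.Register("alice", dev.PublicKey())
	rogue := NewServer("https://login.example.com") // same origin string, different key
	fmt.Println("genuine:", Login(srv, dev, "alice"), "| imposter:", Login(rogue, dev, "alice"))
}
```

Two properties worth noting: a copy of the server's user table yields only public keys, so it does not let an attacker log in, and the device refuses to sign for a server it cannot verify, which is what closes off the credential-stealing phishing page that defeats a password.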

The alliance considers the FIDO protocol, coming later this year, as a complementary format, one designed to interoperate with other existing authentication and authorization standards, such as OAuth 2.0 and OpenID. The fact that organizations would not have to rip out existing implementations using other protocols would hopefully lead to large-scale adoption among vendors. The group also plans to eventually work with an existing standards body such as the Internet Engineering Task Force or the World Wide Web Consortium to define the protocol as a formal standard.

Nok Nok Labs also announced it has raised $15 million in early financing from ONSET Ventures and Doll Capital Management. Richard Clarke, the former White House anti-terrorism czar, and PayPal’s Barrett also joined the board.
