
Internet Giants Launch New System to Fix the Password Problem

Making Passwords Better

An alliance of Internet giants, including PayPal and Lenovo, is tackling the identity problem head-on with a new authentication system designed to do away with passwords and improve online security.

The FIDO Alliance (Fast IDentity Online) was formed to develop open authentication standards based on a combination of hardware, software, and services to verify a person's identity, Michael Barrett, CISO of PayPal and president of the alliance, told SecurityWeek. The alliance released its reference architecture spelling out the fundamentals of its system on Feb. 11. Formally launched on the same day, startup Nok Nok Labs is the first company implementing the FIDO specification.

The six founding companies include Agnitio, semiconductor maker Infineon Technologies, PC-maker Lenovo, new Silicon Valley startup Nok Nok Labs, PayPal, and Validity. The CEO of Nok Nok is Phillip Dunkelberger, the co-founder and former CEO of PGP who wound up selling the company to Symantec in 2010 for $300 million. FIDO Alliance has Barrett at the helm, and Ramesh Kesanupalli, founder of Nok Nok Labs, as vice-president.

FIDO takes an "open-based approach to standards" to give users a "choice and decide which method to use to authenticate," Barrett told SecurityWeek.

Passwords are not keeping users safe online, and it is becoming increasingly clear that new methods of authentication and authorization are necessary, Dunkelberger told SecurityWeek. The client/server platform from Nok Nok Labs conforms to the FIDO specification and is not limited to any particular authentication method or device. Businesses would be able to offer users a range of authentication options using their mobile devices, PCs, or any Web-connected device.

"We need to take authentication technology and make it better," Dunkelberger said.

Under the FIDO specification, businesses would be able to authenticate and authorize users using existing hardware devices, such as smartphones and tablets, fingerprint readers, microphones, cameras, TPM chips, near-field communications, and one-time password tokens. Instead of traditional username and password combinations, the device the user happens to be holding would play a more central role in authentication, according to the FIDO Alliance. This would make it much more difficult for attackers to steal login credentials and compromise user accounts, Barrett said.

The authentication infrastructure "leverages existing technologies such as fingerprint scanning and webcams," Barrett said.

Interested organizations would first need to load FIDO-compliant software onto their servers and encourage end-users to load the appropriate apps on their devices in order to take advantage of the new system, Kesanupalli explained. Web and mobile developers could also build the specification directly into their applications.

The FIDO Alliance will be making a Web plugin available for the end-users to download, Kesanupalli said. Users "want to be secure, but they also want easy to use," he said.

FIDO's system is safer than the existing system of credentials because there is no way for the user information to be intercepted, Kesanupalli said. Under the specification, the password and other identifying information are stored on the device itself. The FIDO software encrypts the information and sends only the cryptographic string to the back-end server to verify the user's identity. The credentials never leave the user's device, he said.

The user's device also receives a cryptographic string from the back-end server to verify that it is a legitimate server and not an imposter.
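The two-way exchange described in the two paragraphs above, illustrated with an added example in Go that is not FIDO's actual protocol or Nok Nok Labs code: a constructed challenge-response in which the server signs a fresh nonce so the device can refuse an imposter server, and the device answers by signing that nonce with a private key that never leaves the device, while the server stores only the device's public key. The choice of Ed25519, the "user|nonce" message layout and all names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server holds its own signing key and, per user, only the device's PUBLIC key.
type Server struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	devices map[string]ed25519.PublicKey
}

// Device holds its private key locally; only signatures ever leave it.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewServer() *Server {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{priv: priv, Pub: pub, devices: map[string]ed25519.PublicKey{}}
}
func NewDevice() *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv, Pub: pub}
}
// Register binds a user id to the device's public key at enrolment (assumed flow).
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.devices[user] = pub }
// Challenge issues a fresh nonce signed by the server, so the device can reject an imposter.
func (s *Server) Challenge() (nonce, sig []byte) {
	nonce = make([]byte, 32)
	_, _ = rand.Read(nonce) // error check omitted for brevity
	return nonce, ed25519.Sign(s.priv, nonce)
}

// Respond checks the server's signature, then signs "user|nonce" with the device key.
func (d *Device) Respond(serverPub ed25519.PublicKey, user string, nonce, serverSig []byte) (resp []byte, ok bool) {
	if !ed25519.Verify(serverPub, nonce, serverSig) {
		return nil, false // challenge was not signed by the expected server
	}
	return ed25519.Sign(d.priv, append([]byte(user+"|"), nonce...)), true
}

// Verify checks the response against the public key registered for that user.
func (s *Server) Verify(user string, nonce, resp []byte) bool {
	pub, ok := s.devices[user]
	return ok && ed25519.Verify(pub, append([]byte(user+"|"), nonce...), resp)
}
```

Because the response is a signature over the server's one-time nonce, a captured response cannot be replayed against a later challenge, and an unregistered device or a second server with its own key is rejected on either side.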

The alliance considers the FIDO protocol, coming later this year, as a complementary format, one designed to interoperate with other existing authentication and authorization standards, such as OAuth 2.0 and OpenID. The fact that organizations would not have to rip out existing implementations using other protocols would hopefully lead to large-scale adoption among vendors. The group also plans to eventually work with an existing standards body such as the Internet Engineering Task Force or the World Wide Web Consortium to define the protocol as a formal standard.

Nok Nok Labs also announced it has raised $15 million in early financing from ONSET Ventures and Doll Capital Management. Richard Clarke, the former White House anti-terrorism czar, and PayPal's Barrett also joined the board.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.