Can biometrics and the FIDO Alliance save us from password overload?
All the available evidence indicates our password-based security system is broken.
The human brain can only remember so much and its memory capacity is being pushed to the breaking point by a deluge of required user names and passwords. We are forced to use them in every direction, from accessing our email to the most recent heating bill.
Compounding matters, users create security holes in their efforts to remember them all. Cybersecurity experts counsel against two commonly used methods—keeping a “master list” of password information on a computer and re-using the same password for multiple sites. The danger is that if one file or password is compromised, the damage spreads like wildfire.
These issues explain the broad-based movement away from passwords and towards authentication security models instead. Rather than relying on a user’s memory, authentication security relies on confirming that the person is who they claim to be. Device identification and biometrics (for example, fingerprint-matching software) are two big developments fueling this movement.
The challenge, however, is that organizations have traditionally worked on authentication in silos, specific to their own companies’ environment and with their own industry knowledge. But now the FIDO Alliance has emerged to create an open set of standards so all participating members can agree on a methodology to securely authenticate users across industries.
With the creation of this organization that will set the standards, best practices for proper authentication can be developed for the benefit of all organizations and establish a united front against potential consumer compromise and breaches.
Going forward, it’s clear that the FIDO Alliance will be a key driver in moving the industry towards fewer passwords. At the same time, vendors and corporations will move independently of the FIDO Alliance to lessen our reliance on the broken password system with a biometric approach.
The other big push will come from consumers. Customers are clearly frustrated with the status quo and will continue to demand acceptance of their preferred authenticator, whether it be a fingerprint, voice, iris, or even a selfie. Authenticators must create a frictionless experience for the customer, and the FIDO Alliance is creating an organized response to that demand.
Progress in this area, however, will not happen overnight. Looking at the industry as a whole, completely eliminating passwords may take years. However, customer adoption when a biometric is offered is quite fast. Once a customer has used a fingerprint to identify themselves, they never want to go back to using a password. Fingerprint authentication is quick and does not depend on human memory.
Despite this, it is expected there will be some skeptical customers who fear the biometric itself may someday be captured and compromised. However, this risk is actually quite small if a FIDO (or similar) architecture is widely adopted. In the FIDO system, the biometric identifier never leaves the device and therefore is never stored in a place that could be compromised.
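The property described above is what the FIDO challenge-response model delivers: the server keeps only a public key, and the device signs a fresh challenge only after a local biometric match. The following Go program is an added illustration, not code from the FIDO Alliance or any vendor; the fingerprint "template" bytes and the exact-match comparison are constructed stand-ins for a real fuzzy matcher, and the `Authenticator`, `NewChallenge` and `VerifyAssertion` names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// Authenticator models a FIDO-style device: the key pair is generated on the
// device and the private key signs only after a local biometric match. Exact
// byte comparison stands in for a real (fuzzy) matcher; nothing here leaves the device.
type Authenticator struct {
	template []byte // enrolled fingerprint template, constructed sample data
	priv     ed25519.PrivateKey
	pub      ed25519.PublicKey
}

func NewAuthenticator(enrolledTemplate []byte) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{template: enrolledTemplate, priv: priv, pub: pub}, nil
}

// Register is all the relying party ever receives and stores: the public key.
// A breach of that store cannot impersonate the user or reconstruct a fingerprint.
func (a *Authenticator) Register() ed25519.PublicKey { return a.pub }

// Sign releases a signature over the server's challenge only if the presented
// sample matches the enrolled template; otherwise the key stays locked.
func (a *Authenticator) Sign(sample, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(sample, a.template) != 1 {
		return nil, errors.New("biometric mismatch: signing key not released")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// NewChallenge (relying party side) issues a fresh nonce per login so a captured signature cannot be replayed.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err) // no usable entropy: refuse to issue a challenge
	}
	return ch
}

// VerifyAssertion is the relying party's check against the stored public key.
func VerifyAssertion(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}
```

Note that what a network attacker can capture is the challenge and its signature, neither of which reveals the template or allows a replay against the next challenge.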
Some online retailers, such as Amazon, have already implemented biometrics in their shopping functionality. It is predicted that the ease of use created by this development will result in increased pressure by customers on retailers, financial institutions and other transaction-centric organizations to launch similar services. Additionally, FIDO and EMVCo, the global payment specification body, recently announced they will collaborate on how FIDO standards will support their payment use cases.
As more manufacturers build authenticators into the devices themselves or into the OS, it becomes very easy to interact with that authenticator, particularly if it is a FIDO-compliant device and a FIDO architecture is already established. Then it becomes a simpler “bring your own authenticator” approach.
That said, the FIDO Alliance does face some obstacles. As with any standards organization, it’s a matter of adoption and momentum. Apple has not yet joined the alliance, which limits the market for FIDO-specific adoption. Third parties can build a FIDO-compliant solution around Touch ID, just with a greater degree of difficulty and time investment. Certainly Apple’s participation would greatly further the FIDO cause. Also, there have been some delays in the finalization of the FIDO 2.0 specification, leaving some corporations wondering whether they should build towards the 1.0 standard or wait for the new standard to be finalized. Some corporations may even choose their own route and leverage the built-in biometric authenticators without following the FIDO way.
Although corporations may fully support biometrics and the death of the password, budgets are also a consideration for corporations that want to build a biometric-based framework.
However, the benefits for the customer, including security and convenience, as well as for the organization—security, customer delight, and a reduced customer-support load—far outweigh the cost of the integration. Indeed, FIDO’s mantra, “simpler, stronger authentication,” is a good one and will usher in an era when we won’t have to remember a hundred different passwords. This will be a welcome change for all involved.