Strong Authentication: Standards Coming?

Online authentication practices that rely on usernames and passwords are weak, easily broken and too often to blame for account takeovers and other online compromises.

But a new consortium is attempting to pave the way for wider use of more sophisticated forms of authentication, with a goal of reducing reliance on passwords. The group, known as the FIDO Alliance, is developing technical specifications that define an open, scalable, interoperable set of mechanisms for advanced authentication.

FIDO hopes to unveil its initial set of specifications for online authentication by early next year. Ultimately, it will submit those specs to a standards-setting body for approval.

Established in February, the alliance, which started out in February with just six founding member companies out of Silicon Valley, already has grown to include more than 50 members, ranging from small tech companies to MasterCard and Google.

Representatives from the Federal Reserve banks of Boston and Atlanta are closely watching how FIDO's authentication standards might enhance e-commerce security.

The consortium's goals are ambitious; gaining widespread adoption of new standards won't be easy. But its ongoing efforts are worth watching.

Open Standards

The group is working toward open standards for use in all sectors that support a broad range of authentication approaches, such as biometrics, trusted platform modules, USB security tokens, smart cards and near-field communication, says Sebastien Taveau, chief technology officer of online security firm Validity and one of the alliance's founding board members.

The consortium believes that for advanced authentication to become ubiquitous, devices used for e-commerce or electronic banking need to be equipped with standards-based authentication mechanisms that are interoperable.

Under FIDO's proposed model, devices would register the user to a server. To authenticate the user, the device would communicate directly with the server using a private key.

The FIDO Alliance expects to complete its first set of specifications in early 2014. Then, products that will enable websites and devices to accommodate stronger, more flexible authentication will be available in the market. These products, delivered by FIDO member companies, will be interoperable and will promote many options for easy widespread adoption of strong authentication. FIDO's goal is to publish these specifications as an open standard in the future.

Will FIDO Prove Practical?

Will the consortium's approach prove practical? Only time will tell.

"Until the standards are released, and implementations actually appear, it is anyone's guess as to what the adoption rate might be," says Peter Tapling, president and CEO of Authentify, an out-of-band authentication provider. Although his firm is a FIDO Alliance member, Tapling is not speaking on the alliance's behalf.

Advancements in security hinge on innovation, not just regulation. That's why consortium members deserve credit for their efforts. Even if FIDO's efforts don't result in widely used standards, the collaboration FIDO has encouraged across industries is bringing attention to ways online authentication can be enhanced.

I'll be reporting more about this group's efforts in the months to come. FIDO's initiative to develop online authentication standards is definitely worth watching - even if this effort proves to be just a stepping stone toward a better solution.