A group of some 150 companies last week moved closer to eliminating the bane of many an online user: the password.
The FIDO Alliance, which counts among its members Microsoft, PayPal, Google, Bank of America, Visa and MasterCard, released version 1.0 of its open specifications for strong authentication on the Internet without the use of passwords.
Release of the specifications — Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) — opens the door for those who want to authenticate their users securely without the use of usernames and passwords.
A new standard is established by the specs for devices, servers and client software — including browsers, browser plugins and native app subsystems.
Websites and cloud services can use the specs to interface with FIDO-enabled authenticators such as biometric devices and hardware tokens.
“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” FIDO Alliance President Michael Barrett said.
Easy Authentication for Everyone
Once FIDO spreads, consumers will have more authentication options available to them, noted Phil Dunkelberger, CEO of Nok Nok Labs.
“Trying to type things into a small screen with multiple upper and lower-case characters … can be replaced with something more natural, like a fingerprint swipe — and later on, facial recognition or voice,” he told TechNewsWorld.
Biometrics, like fingerprint scanning, is used now for authentication by some vendors, but their solutions are proprietary. Using them can lead to vendor lock-in for both consumer and service provider.
FIDO, on the other hand, is an open standard so anyone can use it.
“It’s comparable to SSL,” Dunkelberger said.
“If you’re making endpoint devices or secure elements, they can be easily integrated with your backend systems if you support FIDO,” he pointed out. “FIDO is about giving people a much easier way to integrate strong authentication into their offering.”
Breadth and Pace Concerns
The breadth of the FIDO Alliance’s undertaking could be problematic
“They may be biting off more than they can chew,” said Kevin Jones, a senior security architect with Thycotic.
“It could take them years to get this technology in place to support something like this. By then, other problems will have surfaced, and it will arrive dead on arrival,” he told TechNewsWorld.
“It’s a good idea, but I’m skeptical that it can be rolled out in a cost-effective and secure way that consumers will understand,” Jones added. “I hope FIDO succeeds because it has a lot of good ideas. I’m just worried that we’re taking this at a pace that all the people necessary to be involved can actually do.”
Bitcoin Theft Declining?
Microsoft raised a few eyebrows last week when it announced it would start allowing users to buy content using bitcoins. The move definitely bolstered the legitimacy of the digital currency, which has had a checkered history.
The market recently has been more stable, though, and the electronic wallets used to store bitcoins seem to have lost their allure to hackers.
“About a year ago, we saw a lot of interest in stealing bitcoin, but it’s dropped off the map in the last few months,” said Christopher Budd, threat communications manager at Trend Micro.
“That makes sense, because criminals have been more successful in the last 12 months going after real currency through all the point-of-sale breaches,” he told TechNewsWorld.
“Why invest energy in a digital currency whose value fluctuates wildly and whose acceptance is spotty?” Budd asked. “At the end of the day, dollars are still used universally.”
That scenario will change, though, as more companies — like Microsoft — contribute to bitcoin’s legitimacy.
“Without bitcoin, it was much more difficult for criminal hackers to sell illicit goods online without having the transactions traced,” noted Greg Foss, a senior security research engineer with LogRhythm.
“Once bitcoin became more standardized and trusted, this process became so easy that it set the bar much lower for new criminals to get involved,” he told TechNewsWorld. “Now that companies are selling legal goods with bitcoin, this simply provides a new target for attackers.”
Breach Diary
- Dec. 8. Microsoft files brief in U.S. Appeals Court challenging lower court ruling ordering company to comply with U.S. search warrant for customer email stored in Ireland.
- Dec. 9. Head of FBI cyberdivision Joe Demarest, speaking at a cybersecurity conference, says his agency has not confirmed that North Korea was behind data breach Nov. 24 at Sony Pictures Entertainment.
- Dec. 9. Charge Anywhere, which processes point-of-sale transactions, confirms data breach affecting transactions dating back to November 2009. Number of customers affected by the breach was not disclosed.
- Dec. 9. TD Bank settles data breach lawsuit with Massachuetts for US$625,000. Previously the bank settled with nine other states for $850,000.
- Dec. 9. Two password manager makers, Dashlane and LastPass, announce automatic password changing features for their products to eliminate hassle of resetting passwords following a data breach.
- Dec. 11. U.S. Judical Panel on Multidistrict litgation consolidates data breach lawsuits against Home Depot. Cases will be heard in federal court for Northern District of Georgia, where the retailer’s headquarters is located.
- Dec. 11. St. Louis Parking Company reveals data breach has placed at risk payment cards of customers who used its Union Station parking lot between Oct. 6 and Oct. 31.
Upcoming Security Events
- Jan. 19. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Fee: $20.
- Feb. 4-5. Suits and Spooks. The Ritz-Carlton, Pentagon City, 1250 South Hayes Street, Arlington, Virginia. Registration: $675.
- Feb. 11. SecureWorld Charlotte. Harris Conference Center, Charlotte, North Carolina. Registration: $695 (with 16 CPE credits); $295 (with 12 CPE credits).
- Feb. 19. Third Annual 2015 PHI Protection Network Conference. The DoubleTree – Anaheim-Orange County, 100 The City Drive, Orange, California. Registration: before Jan. 2, $199; after Jan. 1, $249.
- March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
- April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
FIDO is expected to make sure that the vendors of biometric products which need to be operated together with passwords for fallback/backup/self-rescue by OR/Disjunction (as against AND/Conjunction that is common for 2-factor authentication) should explicitly publicize that
(A) The biometric product raises the convenience at the sacrifice of security when the user keeps using the same password.
&
(B) The biometric product could raise the convenience without sacrificing security when the user changed the password to a largely-harder-to-break password (with a footnote that the password should be remembered, not carried around on a memo and that the password should not be reused across other accounts.)
It should also be noted that it is not possible to compare the strength of biometrics used without passwords altogether with that of passwords. There are no objective data on the vulnerability of biometric products (not just false acceptance rate when false rejection is sufficiently low but also the risk of forgery of body features and the risk of use when the user is unconscious) and that of the passwords (not only that the entropy may be as low as 10 bits or as high as 100 bits but also that it can be stolen and leaked.)