47: How The FIDO Alliance Are Going To Kill The Password

May 26, 2016

Have you ever locked yourself out of an account? Are you tired of having 10, 15, 20 passwords that all have to be different? I think we would all like to see the back of that dreaded password.


The FIDO Alliance was launched in 2013 and includes 200 of the biggest companies, such as Microsoft, MasterCard, Google, PayPal and eBay, all working on a passwordless authentication protocol.

All users want to see the end of passwords, but now, with 200 of the world’s biggest businesses all saying the same thing by joining the FIDO Alliance, I felt compelled to get the executive director Brett McDowell onto the show to find out a little bit more.

Can you tell my listeners a little bit about your role at FIDO Alliance?

I am the executive director of the Fast Identity Online Alliance which goes by the acronym FIDO. Our mission is to essentially deliver an alternative to passwords that is easier to use and more secure. In my role, I shepherd our strategic direction and provide some leadership, guidance, and management to the large coalition of volunteers that we have.

Brett McDowell


In 2004 Bill Gates declared passwords are dead. Are you surprised we’re still having this conversation some twelve years later?

In all honesty, I am not surprised we’re still having this conversation. I’ve been in the industry for a while, and our response to the plague of passwords up until this initiative of FIDO was to increase security and accept the trade-off that it’s going to be less convenient. We looked at the problem like a continuum. On one end is a delightful user experience and on the other end is super perfect security, and everyone lives somewhere on that continuum.

When we launched this project, before we really rolled up our sleeves on the technology at all, we decided that we were going to turn that upside down and look at it more like an XY graph and aim for that upper right hand corner: better usability than what you’re currently doing and more secure. History has shown that when we don’t focus on user experience we don’t get user acceptance, and if we don’t get user acceptance it’s just another in a long book of failed attempts.

How difficult was it to get these big businesses on board?

The key to building this alliance was and continues to be earning and maintaining the trust of the industry’s leading stakeholders. Does this organization have the right mission? Does it understand the problem it is trying to solve? We have helped answer that for the industry stakeholders by being very focused. We are not trying to solve every problem related to internet identity. We are only solving the authentication problem.

We now have more passwords than ever before. We’re constantly told they must all be unique and have a capital letter and number but we must not write them down. This might be secure but it’s clearly not realistic. What do we need to do to finally live in a world without passwords and replace this broken authentication method?

While you’re waiting for all your applications and all your devices to become FIDO enabled you’re going to be dealing with passwords for a while. I’m happy to share my personal trick of managing passwords:

  • You come up with one set of meaningless characters. This is the one “blob” as I call it that you need to memorize. It should have some numbers, some characters and some upper and lower case because of the password rules you run into around the internet. You just have to commit yourself to memorize that one blob.
  • Then you have one rule. This is the rule you apply every time you are setting up a new account or changing your password with a website. So now you only have two things to remember: your blob of characters and your one rule.
  • Your rule involves the domain name of the website or the brand name of the application. I apply my rule, which has something to do with the manipulation of that name, and my blob of characters. I’ve only had to memorize two things and I have a strong, unique password at every website.
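As an added example that is not from the interview, the blob-plus-rule idea carried through in code with a keyed hash as the rule, so the per-site password is a one-way function of the memorised blob and the domain rather than a manual name manipulation; the helper names, the character alphabet and the sample blob are assumptions.

```python
import hmac
import hashlib
import string

# Hypothetical helper (not from the interview): one memorised secret ("blob")
# plus one rule (HMAC-SHA256 keyed by the blob over the domain name) yields a
# strong, unique password per site without memorising anything else.
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def normalise_domain(domain: str) -> str:
    """Lower-case and strip scheme and path so 'https://Example.com/login'
    and 'example.com' derive the same password."""
    d = domain.strip().lower()
    for prefix in ("https://", "http://"):
        if d.startswith(prefix):
            d = d[len(prefix):]
    return d.split("/", 1)[0]


def derive_password(blob: str, domain: str, length: int = 16) -> str:
    """Derive a site-specific password of `length` characters that always
    contains a lower-case letter, an upper-case letter, a digit and a symbol,
    which satisfies the composition rules most sites impose."""
    if length < len(CLASSES):
        raise ValueError("length must be at least 4 to satisfy composition rules")
    key = blob.encode("utf-8")
    digest = hmac.new(key, normalise_domain(domain).encode("utf-8"), hashlib.sha256).digest()
    # Stretch the keystream when more bytes are needed than one digest provides.
    while len(digest) < length + len(CLASSES):
        digest += hmac.new(key, digest, hashlib.sha256).digest()
    # Map bytes onto the alphabet (a small modulo bias is acceptable here).
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[:length]]
    # Force one character from each class into the first four positions.
    for i, cls in enumerate(CLASSES):
        chars[i] = cls[digest[length + i] % len(cls)]
    return "".join(chars)


if __name__ == "__main__":
    blob = "example-blob-9Q!"  # constructed sample; never reuse a real one
    for site in ("example.com", "https://Example.com/login", "example.org"):
        print(site, derive_password(blob, site))
```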

What’s next for FIDO Alliance?

We’re working on some evolution of our specifications, version 2 if you will. We’re partnering with the W3C (the World Wide Web Consortium) which is the body that sets the standards for web browsers in particular. We took the components of version 2 of FIDO and we submitted the components and specifications for what a web browser would have to implement into the W3C.

They have been a great partner: they have accepted all of that work and they have built a new authentication working group around it. What’s next is really working through that process so that we can get every web browser across all the operating systems to be fully FIDO compliant, while simultaneously working on the other bits of FIDO version 2 within FIDO Alliance that are going to enable cool new use cases.

Where can listeners find out more about your progress?

Our website is www.FIDOAlliance.org. There you will find all those certified products listed as well as our specifications. You can download and start playing around with those specifications.

We have a public forum for developers. FIDO-DEV@FIDOAlliance.org is a public Google group where you can register and join the conversation.

@FIDOAlliance is our Twitter handle.

If you are in the industry and in the conference circuit look for the FIDO discussion at any information security conference. We’re hitting most of them these days.

Check Out Neil’s Column at INC. called Tomorrow’s Tech

Please also check out the related article from my column: How This Alliance Is Planning to Kill Passwords
