Here, FIDO! If We Build Stronger Authentication, Will Consumers Come?
Derek Brink
JUN 07, 2013 08:00 AM

As a follow-up to my recent blog on Two-Factor Authentication: What a Long, Strange Trip It's Been (6 May 2013), about the flurry of activity around two-factor authentication in consumer scenarios, I want to call your attention to FIDO.

Formed in July 2012, the Fast IDentity Online (FIDO) Alliance is developing specifications for "an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services". As I understand it, the FIDO vision is:

  • Anti-password (passwords are neither convenient nor secure)
  • Pro-user (choice from a broad range of FIDO-compatible security devices and browser plug-ins, convenience of using common FIDO login at a broad range of websites or cloud applications)
  • Pro-website (stronger than passwords, dynamic discovery of FIDO devices, easy to connect to user accounts, multi-vendor support, control over the level of assurance they ascribe to a given FIDO login)
  • Pro-vendor (access to huge subscriber bases, e.g., 127 million end-users at PayPal)

It's a great vision, and one I sincerely hope comes to pass. Few things would please me more than to see the demise of traditional username and password.

But forgive me when I say that this sounds like a movie we've all seen before.

A similar vision for authentication has been laid out before, both by industry alliances (e.g., the Initiative for Open Authentication, or OATH), and by leading solution providers (e.g., RSA SecurID Ready, VeriSign — now Symantec — Validation and ID Protection Service).

Examples of industry alliances such as FIDO are also plentiful. I've been involved at various levels with several of them myself over the years, including the Open Software Foundation and DCE, the Object Management Group and CORBA, the Liberty Alliance and SAML, and OASIS and the PKI Forum.

All of them start out with vision and enthusiasm. In the early days, they talk about how many participants they have — especially the "big names" (in the case of FIDO, think PayPal and Google).

The pattern usually goes something like this:

  • Launch
  • Growth in membership
  • Development of a specification
  • Reference implementation of the specification
  • Implementation of the specification by vendors — the early adopters for devices
  • Integration by enterprises, websites, cloud applications — the early adopters on the back-end
  • Interoperability testing of implementations
  • Certification of implementations
  • Membership stabilizes; financial models for continuation of the initiative get worked out
  • Roadmap for updates and enhancements to the specification
  • Adoption by end-users — the early adopters on the front-end
  • Deployment at scale

There's usually a bit of a chicken-and-egg dynamic at play between vendors, sites, and users: each group needs to believe there is (or will be) a critical mass of the other two to make their own adoption worthwhile. Even the involvement of mega-sites such as PayPal and Google doesn't mean that end-users will appreciate the value proposition and adopt at scale — and keep in mind that in the FIDO vision, a lot of the cost burden for stronger authentication is shifted to the end-user, who has to acquire the FIDO-compatible security device.

For me, I add the FIDO Alliance to the list of positive efforts that may one day bring an end to passwords as we currently know them — but at this point it's much too early to break out the celebratory champagne.

by Derek Brink
Vice President and Research Fellow
IT Security
