New log-in tech will make passwords ‘wither and die’

Author

Matthew Sparkes, Deputy Head of Technology

December 11, 2014

Passwords and PINs could soon be another footnote in the history of computing, as a consortium of tech giants including Google and Samsung unveils technology to make it easier for developers to check IDs using USB keys or fingerprint scanners.

The humble password took one step closer to obsolescence today after an alliance of tech giants including Google and Samsung unveiled a way to create log-ins with hardware tokens, like a USB keyring, or biometric data like fingerprints or iris scans.

FIDO (fast identity online) was founded in 2012 but already has the backing of ARM, Alibaba, Bank of America, BlackBerry, MasterCard, Microsoft and Qualcomm. It has now launched an open protocol for simple and two-factor log-ins that anyone can implement in their own hardware, software or website.

One of the big problems facing developers who want to drop passwords is the amount of work that needs to be done. It’s possible for the Apples of this world to develop the hardware and software needed to scan a fingerprint and securely check ID, but for small development teams behind apps and websites it’s a daunting and insurmountable obstacle.

The open protocols will allow technology to be created for signing-in without a password that can be used in a wide range of applications with minimal fuss.

“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” said Michael Barrett, president of the FIDO Alliance.

“FIDO Alliance pioneers can forever lay claim to ushering in the ‘post password’ era, which is already revealing new dimensions in internet services and digital commerce.”

Some products using earlier versions of the protocol are already in use, such as Samsung’s smartphone fingerprint reader and the chip which Google announced in October that could be used to log in to Gmail.

The protocol will mean that software developers can integrate such features into their products without worrying about hardware: a phone manufacturer will create FIDO-compatible devices that can be accessed from software in a uniform way. No longer would an app developer have to write specific code for different models of phone.

Wireless log-ins using Bluetooth and NFC chips are not yet supported by the protocol, but future versions will integrate them, says FIDO.

According to Verizon’s Data Breach Investigations Report, weak or stolen passwords played a role in more than three quarters of security breaches.

“The fact that the FIDO Alliance was able to develop complete specifications so quickly and with such broad support is evidence that they are tackling a pervasive industry pain point,” said Steve Wilson, vice president at Constellation Research.

“No consortium in the identity management (IdM) industry has ever grown so fast, with such strong representation from the technology buy side. What’s most impressive is the FIDO Alliance’s focus on the authentication plumbing. The protocols enable trusted client devices to trade just the right data about their users.

“FIDO specifications aren’t tangled up in messy identity policy decisions. It’s an elegant breakthrough, and, going forward, it should drive a lot of the classic complexity out of the IdM space.”
