Google-supported FIDO is on its way to killing traditional passwords

by: Jimmy Westenberg, December 10, 2014

For quite some time, Google has been trying to make passwords a thing of the past. Back in October, they announced Security Key, a physical USB key that’s part of the 2-step authentication process. The key is inserted into your computer, letting the computer know it’s actually you logging in. The groundwork for Security Key was developed by the FIDO (Fast Identification Online) Alliance, a group dedicated to developing alternative methods to verify a user’s identity online. Up until now, we haven’t heard much about the Security Key technology or FIDO making any progress.

Today, FIDO released version 1.0 of its open standard for password alternatives. With version 1.0, the standard is more widely available for sites to adopt, letting them provide further cryptographic authentication to their users. Google’s Security Key is built on an earlier version of FIDO’s open standard, as is Samsung’s fingerprint scanner. This newer version is more stable and effective, and should be showing up around websites and apps within the coming months. FIDO’s open standard will also be updated next year with support for Bluetooth and NFC, allowing users to unlock their smartphones using even more types of technology.

So, what does this mean for you? Thanks to version 1.0, more online businesses will begin to adopt this technology, allowing you to use a physical USB key, fingerprint reader and/or other “password alternative” hardware (voice, Bluetooth, etc.) sooner rather than later. Even better, having one standard means that your device should work with services using FIDO technology, regardless of which OEM made it. Of course, this is a very substantial undertaking, so don’t be surprised if your favorite site or app doesn’t adopt the new standard right away.

FIDO’s standard incorporates ARM’s TrustZone technology. ARM has been doing a lot of work to improve security.

FIDO wants to rid the world of passwords and lead us into a world of authentication, and it looks like they’re doing a pretty great job so far. With backers like Google, PayPal, Samsung, Microsoft and many other big names, we wouldn’t be surprised if this technology took off in the near future. What do you think of the idea of using fingerprints, voice and USB keys as part of the login process? Are you eager to see the days of traditional, sometimes confusing, passwords come to an end?

  • I had to download FIDO software in order to enable fingerprint homescreen unlock and PayPal fingerprint support on my Note 4, so it looks like Samsung is already pushing this tech to consumers.

  • Zman

    Hmmm, my smartphone and tablet do not have USB ports for a “key”. Plus the USB key I purchased does nothing in my Chromebook.

    • I’m pretty sure when all is said and done, it will work pretty much like Android Lollipop and ChromeOS’s SmartLock feature that allows for any paired Bluetooth or NFC-enabled device with unique IDs (all of them) to serve as a key.

      Looks like my old expired transit passes with their NFC tags just got a new job.

      • Labrat

        Actually, the U2F specs say that the crypto keys be kept inside a hardware-based secure element.

        Instead of the shared secret used for a One Time Password, it uses PKI. Hence it’s more secure if the keys are properly secured on the U2F device.

        All in all, much more secure than current second factor solutions.

    • Labrat

      You can already buy a YubiKey Neo-N that has U2F and NFC (and possibly other FOB). While it doesn’t do U2F over NFC yet, you can store the secret used for the One Time Password inside the YubiKey (instead of inside Google Authenticator), leading to added security as the secret can’t be extracted. The OTP is generated when you tap the YubiKey on your NFC-enabled phone.

      But you are right, until BLE/NFC physical support, U2F will have limited reach in mobile, but this will be fixed in future standards.
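
The comments above contrast the shared secret behind a One Time Password with U2F's use of public-key cryptography. The following is an added example, not part of the original article or comments, and it is a simplified Node.js model rather than the U2F message format. The names `enroll`, `deviceSign`, `serverVerify` and `compareServerRecords` are hypothetical, and the sample data is constructed.

```javascript
// Added example: simplified model, not the U2F wire format.
const crypto = require('crypto');

// OTP side: HOTP (RFC 4226). Token and server both hold the same secret.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[19] & 0x0f; // dynamic truncation
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 1000000;
  return String(code).padStart(6, '0');
}

// Public-key side (hypothetical helper names): the private key stays on the
// device; the server record holds only the public key.
function enroll() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}
const deviceSign = (device, challenge) => crypto.sign('sha256', challenge, device.privateKey);
const serverVerify = (record, challenge, sig) => crypto.verify('sha256', challenge, record.publicKey, sig);

// Compare what a copy of each server-side record is good for.
function compareServerRecords() {
  // Constructed sample data: the RFC 4226 test secret and a fresh key pair.
  const otpRecord = { secret: Buffer.from('12345678901234567890'), counter: 1 };
  const { device, serverRecord } = enroll();

  // A copy of the OTP record reproduces the next valid code exactly.
  const copied = { ...otpRecord };
  const otpCodeFromCopy = hotp(copied.secret, copied.counter);

  // The public-key record verifies signatures but cannot create them.
  const challenge = crypto.randomBytes(32);
  const sig = deviceSign(device, challenge);
  let canSignWithPublicKey = true;
  try { crypto.sign('sha256', challenge, serverRecord.publicKey); }
  catch { canSignWithPublicKey = false; }

  return {
    otpCodeFromCopy,
    genuineAccepted: serverVerify(serverRecord, challenge, sig),
    // A signature over one challenge must not verify against a fresh one.
    replayOnNewChallenge: serverVerify(serverRecord, crypto.randomBytes(32), sig),
    canSignWithPublicKey,
  };
}
```

The server-side OTP record is itself a credential, while the public-key record is only a verifier, which is why the protection of the private key on the device carries the security of the scheme.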