In a recent article, we took a look at SQRL, Steve Gibson’s solution to the password problem. SQRL is an authentication solution that aims to do away with passwords altogether and replace them with an authentication mechanism that relies on public key cryptography. SQRL got a lot of attention, but it’s far from being the only game in town when it comes to doing away with the pesky password and putting in its place an authentication solution that doesn’t rely on the fallible human brain to manage authentication tokens.
The major hurdle any new system will have to overcome is adoption. The Internet and the large companies that provide most of the services we use every day move slowly. They often aren’t willing to jump on board schemes that would cost them a lot of money to implement, but SQRL’s competitor, FIDO, already has at least tentative support from the leading online services companies. That’s not enough to guarantee that it will be widely adopted any time soon, but it’s a positive indication that the big boys at least acknowledge the scope of the problem and are actively pursuing a solution.
FIDO, the Fast Identity Online Alliance, is an industry consortium that is made up of many of the major players, including Google, Facebook, Mastercard, PayPal, and, as was announced recently, Microsoft.
Most people are aware of the failings of the username/password system, which largely stem from the inability of the wetware between people’s ears to cope with long strings of characters. However much security experts may evangelize the benefits of long random passwords, the fact is that people are neither willing nor able to manage them properly. The result is that almost everyone uses insecure passwords. The solution is not to force people to use better passwords, but to get rid of passwords altogether — that’s what FIDO is for.
The basic idea behind FIDO is fairly straightforward. Just as with SQRL, FIDO implements a device-centered authentication mechanism. When a user first wants to authenticate with a service, their device generates a key pair and registers the public key with that service. On each subsequent login, the server issues a challenge, which the device signs using the private key; the server checks that signature against the public key it holds on file, so the private key itself never has to leave the device. The keys held on the device can be unlocked by various mechanisms, including biometrics like fingerprints or, potentially, retina scans.
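To make that challenge-response flow concrete, here is an added example written for this article (not FIDO’s own protocol code or any FIDO Alliance implementation) that models both sides in Go: the device generates a key pair and hands over only the public key, the server issues a single-use random challenge, the device signs it, and the server verifies the signature. The site identity string, the `rpID|challenge` message layout and the choice of Ed25519 are assumptions made for the example, not details taken from the FIDO specifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// RelyingParty models the web service: one public key per user, plus outstanding challenges.
type RelyingParty struct {
	ID         string // site identity the device signs over (assumed encoding)
	users      map[string]ed25519.PublicKey
	challenges map[string]bool // issued but not yet consumed; each is usable once
}
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id, map[string]ed25519.PublicKey{}, map[string]bool{}}
}
// NewDeviceKey runs on the user's device; only the public half ever leaves it.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// Register is the enrolment step: the server stores only the public key.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.users[user] = pub }
// NewChallenge issues a fresh 256-bit nonce and records it as outstanding.
func (rp *RelyingParty) NewChallenge() string {
	buf := make([]byte, 32)
	rand.Read(buf) // crypto/rand.Read cannot fail as of Go 1.24; check err on older Go
	c := hex.EncodeToString(buf)
	rp.challenges[c] = true
	return c
}
// signedMessage binds the challenge to the site identity so a signature for one site is useless at another.
func signedMessage(rpID, challenge string) []byte { return []byte(rpID + "|" + challenge) }
// DeviceSign is the device step: after the user unlocks the key (fingerprint, PIN), sign the challenge.
func DeviceSign(priv ed25519.PrivateKey, rpID, challenge string) []byte {
	return ed25519.Sign(priv, signedMessage(rpID, challenge))
}
// Verify is the server step: known user, outstanding challenge, valid signature under the stored key.
func (rp *RelyingParty) Verify(user, challenge string, sig []byte) bool {
	pub, known := rp.users[user]
	if !known || !rp.challenges[challenge] {
		return false // unknown user, or a challenge never issued / already consumed
	}
	delete(rp.challenges, challenge) // consume it so a captured signature cannot be replayed
	return ed25519.Verify(pub, signedMessage(rp.ID, challenge), sig)
}
```

Because the challenge is consumed on first use and the signed message includes the site identity, a captured signature cannot be replayed to the same site or forwarded to a different one.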
Unfortunately, Apple is one of the holdouts that hasn’t joined the FIDO consortium, but we can imagine a situation in which the TouchID scanner on an iPhone is used to unlock the keys that are used for authentication.
Webmasters, web hosting companies, and other Internet service providers have a huge stake in the authentication problem — they’re the ones that will be expected to implement FIDO should the standard be widely adopted, and they stand to benefit considerably from the trust engendered by more secure systems. Now is the time that we should be joining the conversation, so that industry voices are heard and have some influence in shaping whichever new authentication model wins out and gains widespread adoption.
Photo credits: Ruedaladeras