Why Standards are Critical for Authentication
The need to remove our collective reliance on “shared secrets” (passwords, one-time passcodes and security questions) to enable secure user access to online services and enterprise resources has never been clearer. What is also abundantly clear is the opportunity to solve this problem in a robust, scalable manner that leverages proven public key cryptography in combination with user experience innovations to deliver truly simpler, stronger authentication.
Open authentication standards developed by the cross-industry FIDO Alliance enable any solution provider to capitalize on the need for stronger security and simple user experiences by participating in an open, interoperable ecosystem of devices and services that work together to solve the world’s password problem. We could never have gotten this far without a historic industry-wide, public-private, multi-stakeholder collaboration to develop open technical standards that are free to implement.
In 2016 alone, a record two billion password-protected accounts were compromised. Millions of people are continually scrambling to change old, simple passwords that they re-use across many different applications. Additionally, more than 63 percent of data breaches involved compromised password login credentials, according to the 2016 Verizon Data Breach Investigation Report.
At the same time, the general online population continues to follow poor security practices whenever faced with the tradeoff between convenience and security. However, with the introduction of user experience innovations like biometrics that are increasingly being built right into devices, and external “security keys” that require a simple push of a button, more and more users are voluntarily choosing better security, not because it is more secure, but because it is more convenient than the less secure practices they were obligated to use in the past.
Why do we need standards for authentication? Solving the password problem will require ubiquitous use of strong authentication, and the only way to get there is with a solution that meets three criteria: 1. it is based on proven security (in FIDO’s case, public key cryptography) to stop the ongoing onslaught of data breaches; 2. it leverages easy “single gesture” authentication (with biometrics, security keys) so that users will actually want to use it; and 3. it is an open industry standard so it can be adopted by the whole internet ecosystem. This is what we have developed with the FIDO standards.
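The first criterion, public key cryptography in place of a shared secret, is worth seeing in code. The following is an added example, not FIDO’s specification or any FIDO Alliance code: a deliberately simplified challenge-response model in Go with hypothetical names (Authenticator, RelyingParty, Register, Challenge, Sign, Verify). The server stores only a public key per user, issues a random single-use challenge, and verifies an ECDSA signature over that challenge bound to the relying party’s identifier. Nothing in the server’s user table can be replayed against it or another site, which is the property that distinguishes this design from password or OTP databases.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a device-held credential. The private key is generated on
// the device and never leaves it. (Hypothetical simplified model, not the FIDO protocol.)
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying party this key pair was created for
}

// RelyingParty models the server side. Its user table holds public keys only,
// so a breach of this table gives an attacker nothing that can be replayed.
type RelyingParty struct {
	ID     string
	users  map[string]*ecdsa.PublicKey
	issued map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{
		ID:     id,
		users:  make(map[string]*ecdsa.PublicKey),
		issued: make(map[string][]byte),
	}
}

// Register creates a fresh P-256 key pair scoped to one relying party and
// hands only the public half to the server. No shared secret is created.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.users[user] = &priv.PublicKey
	return &Authenticator{priv: priv, rpID: rp.ID}, nil
}

// Challenge issues a random 32-byte nonce that is valid for exactly one assertion.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.issued[user] = c
	return c, nil
}

// signedMessage binds the challenge to the relying party ID, so a signature
// produced for one site cannot be presented to a different one.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the "single gesture" step: the authenticator signs the server's
// challenge, but only for the relying party the credential was registered with.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if rpID != a.rpID {
		return nil, errors.New("no credential registered for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpID, challenge))
}

// Verify checks the assertion against the stored public key and consumes the
// challenge, so the same signature presented twice is rejected.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	issued, ok := rp.issued[user]
	if !ok || !bytes.Equal(issued, challenge) {
		return false
	}
	delete(rp.issued, user)
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}

func main() {
	rp := NewRelyingParty("example.com") // constructed sample relying party
	auth, _ := Register(rp, "alice")
	c, _ := rp.Challenge("alice")
	sig, _ := auth.Sign(rp.ID, c)
	fmt.Println("fresh assertion accepted:", rp.Verify("alice", c, sig))
	fmt.Println("replayed assertion accepted:", rp.Verify("alice", c, sig))
	_, err := auth.Sign("other.example", c)
	fmt.Println("sign for a different relying party:", err)
}
```

The server-side table in this model contains only material that is safe to publish, and every successful login requires a signature that could only have been produced on the user’s device in response to a nonce the server chose moments earlier.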
Open industry standards assure that existing and future products and offerings are compatible and that anyone can evaluate the technology. Users can depend on their FIDO devices working wherever FIDO authentication is supported. Service providers and enterprises can accommodate various devices and services without having to make new investments to integrate proprietary capabilities into their infrastructure. We’ve developed the standards to be user verification method-agnostic, which gives authentication providers a lot of freedom to innovate around FIDO’s core security and privacy principles to provide simple and enhanced authentication experiences.
Today, any device manufacturer, software developer and/or online service provider can build support for FIDO standards into their existing products and services to make online authentication simpler and stronger for their users. This has led us to a “net effect,” where any new implementation of the standards will be able to immediately interoperate with any other implementation without the need for any pre-established arrangement between device developer and service provider.
Since we published the first FIDO standards in 2014, the FIDO ecosystem has grown quickly, making FIDO the de facto strong authentication standard. To cite a few quick facts, FIDO Authentication is: available to protect 3 billion user accounts, in more than 300 FIDO® Certified products, on flagship handsets from top mobile handset manufacturers, and will be built into browsers this year thanks to our collaboration with W3C.
This major momentum behind FIDO Authentication points to one conclusion: the industry overwhelmingly agrees on the need for open standards for authentication, and that FIDO’s mix of secure and usable authentication is the right approach. Come to Cloud Identity Summit to learn more about the technology, who is using it and how, as well as what more you can expect from the FIDO ecosystem in the near future.
by Brett McDowell, Executive Director, FIDO Alliance