The Global Identity Summit is taking place in Tampa, Florida, this week and it started with a fresh tone. Brett McDowell, executive director of the FIDO Alliance, took to the keynote stage to represent the private sector in authentication and identity, tasked with kicking off a conference that traditionally revolves around the identity needs and accomplishments of the public sector.
“I like to think of the ‘G’ in GIS as the ‘Government’—the Government Identity Summit,” said McDowell, who is also on the GIS planning committee. “That’s what makes this conference unique. It’s actually organized by government, for government, in collaboration with academia and the private sector. I am involved in a lot of conferences, and this one is unique for that reason, and I value that.”
McDowell said that GIS wants to make sure government and private sector collaboration is always increasing, so he proposed a private sector focused opening session. It’s one thing for the government to come and hear what the private sector has in terms of innovations and new solutions that the government can use, he explained, but it’s something else for the government to see what the private sector is struggling with and where these two different worlds of identity tech have common ground. The idea is that the government sector can take what the commercial market has achieved and adapt it to fit its ambitious, high-risk deployment needs.
Introducing a panel of four other experts—Abbie Barbir from Aetna, Arshad Noor from StrongAuth, Don Thibeau from OpenID, and John Bradley of Ping Identity—each set to talk about the state of authentication and federation from a standards and enterprise level standpoint, McDowell took on the role of providing a snapshot of authentication standards right now.
As has often been the case since its founding in 2012, the FIDO Alliance made a good impression. Its authentication standards—the biometrics-based UAF and the second-factor-based U2F—seek to usher in a passwordless era of strong online authentication. Because the idea of FIDO is so well defined, and at least on its surface very simple, it is easy to evangelize. (The FIDO website summarizes each of its standards in simple illustrated diagrams.)
“FIDO is the industry’s response to what we believe is a failed architecture and, getting right down to the heart of it, shared secrets,” said McDowell.
A shared secret, a category not limited to passwords, is something the user is asked to provide; it is carried to a server, which then uses it to authenticate the user. The shared-secret concept includes one-time passcodes, which McDowell pointed out are vulnerable to malware, phishing attacks, and social engineering.
“So, the shared secret problem—and that’s the way I want you to think about it; that’s the way we think about it—needs to be replaced with something fundamentally different.”
Quickly describing FIDO without much time to get technical, McDowell called it “PKI without the I.”
“PKI without that certificate of authority infrastructure and all the deployment costs and complexity that goes along with PKI,” he explained, citing this as why governments are now discussing whether FIDO can be used as a derived credential from PIV and other credentials.
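The “PKI without the I” idea is easiest to see in code. The following Go program is an added example, not FIDO Alliance code and not the FIDO protocol’s actual message format: the relying party (server) records only the public key the device generated at enrollment, with no certificate and no certificate authority behind it, and each login is a signature over a fresh challenge bound to the relying party’s origin, so nothing that crosses the wire is a reusable secret. The type and function names (`RelyingParty`, `Respond`, `toSign`) and the `origin|challenge` framing are this example’s own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// RelyingParty is the server side for one enrolled credential. It holds only the
// public key seen at enrollment and the outstanding challenge: nothing secret.
type RelyingParty struct {
	ID        string            // origin the device signs over
	pub       ed25519.PublicKey // registered at enrollment, no certificate behind it
	challenge []byte            // nil when no login attempt is in flight
}

// Register mints a key pair on the device and gives the RP only the public half.
// The returned private key stands in for the device and never reaches the server.
func (rp *RelyingParty) Register() (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = pub
	return priv, nil
}
// Challenge issues a fresh single-use nonce for one login attempt.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	rp.challenge = make([]byte, 32)
	_, err := rand.Read(rp.challenge)
	return rp.challenge, err
}
// toSign binds the response to the RP's origin and the challenge, so a signature
// collected by a look-alike site (a different rpID) does not verify here.
func toSign(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}
// Respond runs on the device; only the signature crosses the wire, never a secret.
func Respond(priv ed25519.PrivateKey, rpID string, challenge []byte) []byte {
	return ed25519.Sign(priv, toSign(rpID, challenge))
}
// Verify checks the signature with the stored key and consumes the challenge (no replay).
func (rp *RelyingParty) Verify(sig []byte) bool {
	if rp.pub == nil || rp.challenge == nil {
		return false
	}
	msg := toSign(rp.ID, rp.challenge)
	rp.challenge = nil
	return ed25519.Verify(rp.pub, msg, sig)
}
```

A replayed signature, a signature produced for a different origin, and a response to a stale challenge all fail verification, which is the property a shared secret cannot offer.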
Given its activity over the past twelve months, the Alliance’s approach seems to be working out in its favor. Collaboration with governments and with other standards organizations like W3C has broadened its scope in terms of application, and only yesterday the organization announced that there are now 250 FIDO Certified products on the market.
It’s not just Alliance stakeholders embracing FIDO either, though its membership does include private sector heavy hitters like Google, PayPal, Mastercard, and Microsoft, the last of which launched a biometric security solution based on FIDO specifications built into the Windows 10 OS. As two-factor authentication company Yubico has noted, unaffiliated companies are employing the standards simply for strong authentication purposes. It’s clear that this trend is where McDowell sees FIDO heading.
“The capability for doing this kind of public key cryptography is coming embedded in all the devices that we get,” he said. “Whether you’re enterprise or consumer, FIDO is showing up on more and more devices, and we predict it’ll be on everything. It will be the Bluetooth of authentication before very long.”
Considering that its certification numbers have grown more than 200 percent over the past year, and given the aforementioned initiatives to move beyond consumer tech alone, McDowell’s ambitious goals do seem achievable. If this positive trajectory continues for the FIDO Alliance, soon only one question will really remain: as McDowell said closing out his summary, “How do you want to take advantage of that ubiquity that’s already on phones, and laptops, and tablets, and the wearables that people are buying?”
September 22, 2016 – by Peter B. Counter