The Fast Identity Online (FIDO) standard for browser-based authentication, which reduces the reliance on passwords for access to applications and devices, advanced this week after an endorsement from Apple.
The FIDO standard consists of FIDO Universal Second Factor (U2F), the FIDO Universal Authentication Framework (UAF) and FIDO2, a set of specifications for eliminating the need for passwords altogether. Apple hasn't revealed how it will implement any of these standards within its Safari browser, but the company is joining Amazon, ARM, American Express, Facebook, Google, Intel, Lenovo, Microsoft, PayPal, Samsung, Visa and Mastercard as a member of the board of the FIDO Alliance. The expectation is that Apple will enable Face ID/Touch ID for FIDO authentication via the Safari browser.
Dr. Rolf Lindemann, co-chair of the Security Requirements Working Group within the FIDO Alliance and vice president of products at Nok Nok Labs, which created FIDO, said Apple represents a missing piece of the puzzle in a long campaign to eliminate the need for passwords with a more robust approach to two-factor authentication.
In fact, he noted that many of the existing approaches to two-factor authentication are flawed in that they rely on, for example, a text message to authenticate end users accessing a cloud application. The FIDO specifications provide a more seamless mechanism for implementing two-factor authentication via a single gesture, which ultimately delivers a more consistent application experience, he said.
The FIDO standard has been around since 2013 and Nok Nok has enabled FIDO two-factor authentication on iOS devices since 2014. Last year Nok Nok added the Nok Nok App software development kit (SDK) for Smart Watch. However, Lindemann said there is still a lot of work to be done in terms of encouraging providers of cloud application services and endpoint devices to embrace two-factor authentication in the form of FIDO.
In general, password management remains unwieldy. End users either rely on simple passwords that are easily hacked or continually request resets of complex passwords they can't remember. Very few will take the time to set up a password manager. Constantly changing passwords might be considered a cybersecurity best practice, but the friction has a cost: rather than log in to a banking application, many users will simply decide to do something else or physically visit their local branch office. It's incumbent on application providers to make it easier to securely access services.
It may be a very long while before passwords are eliminated from the pantheon of cybersecurity tools in use. In one form or another, passwords have been employed by humanity since the dawn of civilization. Now that passwords are required to access any digital service, however, their limitations are being keenly felt not just by cybersecurity and IT professionals but also by end users. There may come a day when end users show a marked preference for online services that don't require them to remember a password.
In the meantime, cybersecurity professionals should at the very least be encouraging developers to implement two-factor authentication as an alternative to passwords. There may come a day when biometric-based approaches to authentication eliminate the need for existing approaches to two-factor authentication. Until then, those existing approaches to two-factor authentication are already far superior to passwords that are easily stolen or compromised.