Microsoft joins tech giants and FIDO in the fight for simpler, safer authentication

library
crime | hacking | security

Microsoft has become a member of the FIDO (Fast IDentity Online) Alliance, a non-profit group working to design better and more standardised methods of checking identity across the internet.

The operating system, software and mobile giant joins fellow tech juggernaut Google as a member of FIDO’s board of directors, according to an announcement [PDF] issued this week by the Alliance.

FIDO was set up in July 2012 by a group including online payment processor PayPal, hardware maker Lenovo and a handful of specialist authentication firms.

Since then membership has swelled to include the likes of once-dominant mobile firm BlackBerry, global payment colossus MasterCard and a raft of firms working in the fields of identity, biometrics and authentication.

The mission of the Alliance is to combat the inherent weakness of the current standard authentication method, the username/password combo.

The problems with the old approach are many and severe, with humans seemingly incapable of maintaining good password hygiene, and businesses similarly wobbly when it comes to keeping their password databases secure.

FIDO’s answer is a set of standards and specifications for an authentication system based on public key infrastructure (PKI), which is still under development.

The idea is that once hardware, software and online service providers agree and adopt the standard, users should be able to use a unified system to prove they are who they say they are, to any and all services they use online.

It will work by generating key pairs for each site or service you use – the private (or “secret”) key stays with you, and the public key is handed over. Then each time you want to access the site, it presents you with a challenge encrypted with your public key, which can only be decrypted by the holder of the private key, ie: you.

This does away with the problem of hacked password databases at the server side, as they’ll only be holding public keys – these will be of little use to hackers, as it should be more or less impossible to figure out the private key even if you have the public one (hence the names).

Having separate key pairs for each site means sites can’t pretend to be other sites and peep over each others’ shoulders at what you’re doing.

Of course, you’ll still need to authenticate yourself to whatever device you’re storing the secret keys on, which is where all those biometric firms come in.

Fingerprints, voice patterns, hand gestures or even a good-old fashioned strong password should all be compatible with the standard, the good part being that even if you prefer to avoid eyeball scanners or implanted circuitry, you won’t need to remember new passwords for everything, only the one for the mobile/PC/wristwatch you’re using to surf the web.

Any local authentication information will be strictly kept to the local device, so again there’s no risk of hackers making off with a database of everyone’s bio data. There’s also a two factor-version of the standard being developed, with the addition of a dongle or one-time-password generator for extra security.

There will doubtless be all manner of apps and accessories providing different spins on the system, but the point of having a unified standard is that they can all interact in the same way, meaning end-users can choose how they want to do things without putting extra workload on the platform and web service makers – they should all just play happily together.

It may all just be a pipe dream of course, but having the weight of Microsoft behind it, alongside the existing lineup of heavyweights, makes it all a good chunk more likely to come true.

There are still a few serious players missing from the list, notably Apple who are notorious for preferring to plough their own furrow in all things, but with amount of support the Alliance is building up, FIDO’s ideas have a good chance of becoming a true standard that everyone will have to support.