Since the FIDO Alliance launched 18 months ago, it has made little noise about its achievements, instead quietly going about the business of attracting participating partners.
While PayPal’s security manager was there at the start, the alliance has since attracted members such as Alibaba and Winfrasoft, and the industry has talked more and more about passwords and better authentication.
Research by Intercede of 2,000 UK consumers found that 60 per cent only used passwords they could ‘remember’, while 30 per cent admitted to knowing a friend, relative, partner or work colleague’s passwords.
Speaking with FIDO Alliance board member Phil Dunkelberger, he admitted that rather than taking 18 months to produce any visible solutions, the project has been in operation for two and a half years “with a bunch of guys talking ad hoc about how to improve security and how to build a standard like SSL”. He explained that this question is at the centre of the alliance: what would commerce be like if there were no SSL?
“So if you said ‘what are the goals Phil?’ I would say that the first is to rebuild authentication and deploy it at the internet scale, this isn’t build a widget that you stick in the enterprise or put it as an app in the app store, that is good technology but it is rudimentary compared to building something for the ecosystem,” he said.
“The first to come out of the box was Samsung. All players came together for a solution that says ‘hey I’ve given the ability to millions of users and websites to be able to swipe your finger and buy with PayPal directly’ (or via an embedded website) and enable it overnight, so that is a pretty big thing. We built it to scale.”
Dunkelberger said that the concept is about giving the power back to the people: the perimeter and many of the countermeasures have dissolved, and stolen usernames and passwords remain the number one way for breaches to start.
“People said ‘we have got to get a method that scales, that prevents scalable attacks without building Big Data stores in the back end with people’s credentials’,” he said. “Let’s stop man in the middle attacks because without a public and private key, you cannot do anything with the data and let’s stop phishing. Yet all these things fried, but then there is an even bigger idea, let’s make it easier to use. When was the last time someone built a security protocol that made it easy to use?”
Jamie Cowper, marketing director at FIDO Alliance member Nok Nok Labs, said that devices do exist, whether it is a token or an embedded biometric, and are there to be used for a website or application.
Dunkelberger said that it is about making a slope, rather than a step, function. It doesn’t need entire industry adoption, but it is a protocol that all can adopt and one that can make IoT adoption work. “Let’s make authentication work now as it is one of the core pillars of computing,” he said.
“Are people’s details going to continue to be abused? Industry has got to do something to fix it and got to address the cost, security, privacy and usability problems and that is what FIDO was designed to do.”
I asked Dunkelberger for his thoughts on criticism of the FIDO Alliance failure to deliver a product in the 18 months of its public work. Cowper said that you need to look at the evolution of standards bodies, saying he didn’t know of anyone who had seen anything go from zero to 150 members in less than two years and be on the verge of bringing out version one of its protocol. “In that world of standards development, that is extraordinary,” he said.
Dunkelberger referred to his old project of PGP, and open GPG in the public domain, saying it took a “ridiculous number of years to get it ratified” as technical working groups from around the world met to ask “how do we make this more universally available?”
He said: “The deal is more about people in that it is not a bad thing, but people do not know how standards evolve. How do you get people in a room and agree on things, and they agree?
“Look at the building blocks of people and people ask ‘how do we make this line up securely, and support a protocol that helps us all do a better job?’ When I got on board, people said I am trying to make PGP again. PGP changed the world, no argument on that as it brought encryption to the masses and it is historically significant, but step by step, it is about building blocks and doing it the right way.
“I was asked if I was satisfied and I am an impatient person, but when I showed the standards I have been on my whole career, you can see how this is moving.”
Cowper admitted that those working with standards do not want to do things quickly; they want to do it right and that is the right instinct.
Dunkelberger made the point that someone is trying to do something about it: to make authentication easier to use with better security underneath and everything stored locally, which all privacy conventions say is the right thing to do.
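The model Dunkelberger describes, in the quote about public and private keys above and again here with everything stored locally, as an added illustration that is not code from the article or from the FIDO Alliance: a challenge-response login over ed25519 in which the back end keeps only public keys and the device signs only for the origin it registered with, so a leaked server table, a replayed signature or a look-alike site each fails verification. Type and method names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the user's device: one private key per website origin, never sent anywhere.
type Authenticator struct {
	Keys map[string]ed25519.PrivateKey
}

// RelyingParty models the website back end: it stores only public keys, so a leaked copy cannot log in.
type RelyingParty struct {
	Origin string
	Users  map[string]ed25519.PublicKey
}

// Register makes a fresh key pair for this origin; only the public half leaves the device.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.Keys[rp.Origin] = priv
	rp.Users[user] = pub
	return nil
}

// Sign answers a challenge only for a registered origin and binds that origin into the signed message.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.Keys[origin]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, append([]byte(origin+"|"), challenge...)), true
}

// NewChallenge issues a fresh random nonce; a captured signature is valid for that nonce only.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the signature with the stored public key against this origin and challenge.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Users[user]
	return ok && ed25519.Verify(pub, append([]byte(rp.Origin+"|"), challenge...), sig)
}
```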
“A lot of things we set out to do: get the membership up, get the industry players, get the people to agree on a spec is all coming from everyone who lives in that world,” he said.
Phil Dunkelberger, FIDO Alliance board member, was talking to Dan Raywood