Passwords, right? If they're too weak, they can be worse than useless – but making them too strong means people do dumb things like writing them down or forget them and piss off IT workers with frequent reset requests.
Now the FIDO Alliance – whose members include Microsoft, Google, ARM, PayPal, and Lenovo – has published the first specifications of a common standard for manufacturers to build two-factor authentication and biometric login systems that will work across a variety of devices.
"Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die," said Michael Barrett, president of the FIDO Alliance. "FIDO Alliance pioneers can forever lay claim to ushering in the 'post password' era, which is already revealing new dimensions in Internet services and digital commerce."
The final drafts cover two separate login systems: the Universal Authentication Framework (UAF), and Universal 2nd Factor (U2F) based on public-key cryptography. FIDO members have agreed to share patent licensing on all the technologies used, so there'll be no expensive royalty payments to slow adoption.
"The fact that the FIDO Alliance was able to develop complete specifications so quickly and with such broad support is evidence that they are tackling a pervasive industry pain point," said Steve Wilson, principal consultant at Constellation Research.
"What's most impressive is the FIDO Alliance's focus on the authentication plumbing. The protocols enable trusted client devices to trade just the right data about their users. FIDO specifications aren't tangled up in messy identity policy decisions. It's an elegant breakthrough, and, going forward, it should drive a lot of the classic complexity out of the identity management space."
The standard still has some work to do. For example, Bluetooth authentication standards still haven't been added, nor near-field communications (NFC). But work is progressing on this front and FIDO hopes to have specs out soon.
The elephant in the room is Apple, which isn't a member of the FIDO Alliance. Apple's Touch ID fingerprint reader does have open APIs, but can't be integrated into the FIDO standard without third-party software. Looks like Apple's iDevices won't be coming along to the authentication party. ®