There's little doubt that the venerable password, the internet's primary authentication tool, is buckling under the strain of both protecting a huge variety of information and withstanding the constant threat of hackers trying to defeat it. The common view is that passwords are fundamentally broken and need to be replaced with something more secure — we've recently seen Google consider a ring-like physical token, and DARPA has been working on its "Active Authentication" scheme since early last year. Now, Lenovo, PayPal, and a number of other companies have formally launched the FIDO (Fast Identity Online) Alliance to try to bring a standards-based approach to security and authentication to the internet and the devices that access it. The group was first formed back in July of 2012, but now it's releasing more information about the companies that make it up and the technology it hopes to spread.
The end goal is simpler, stronger authentication
FIDO is still very much in the early stages, but it sounds like it'll encompass a wide variety of different authentication methods — the group's press release mentions biometrics, voice and facial recognition, and existing standards like NFC, one-time passwords, and USB security tokens. The goal is for FIDO-enabled devices to allow users to swap out passwords for other authentication methods — either some of the above-mentioned options, or whatever new technologies are developed going forward. The FIDO Alliance hopes its standard will be the one that lets different users and organizations deploy whatever authentication features they feel will work best.
In practice, users will have one of two types of FIDO Authenticators: ID tokens are unique identifiers that connect to the user's internet accounts, and authentication tokens will ask the user to perform specific actions to prove their identity. That's where the biometrics come in; the authentication tokens will use two-step authentication, requiring the user to either perform an action or have the proper hardware key, and also to supply a password, PIN, or some other thing only the specific user will know.
While it's hard to say how well this will work in action, it's encouraging to see major companies like PayPal and Lenovo work to push online security forward. In addition to those big names, the Alliance also has Agnitio, a voice biometrics company, on board. While Agnitio only focuses on using the human voice for security, it'll be important for the FIDO Alliance to recruit other similar companies to help build out its standard. Hopefully FIDO's position as an open standard will help increase support and adoption — a security standard that isn't widely used will have a hard time catching on.