Skip to main content

Google-backed password-killer crosses major milestone

Google-backed password-killer crosses major milestone

Share this story

In October, Google unveiled a surprising new way to log into Chrome and Gmail: a USB key. It only worked as part of a two-factor setup, standing in for an authentication code, but it served as a wakeup call to anyone tired of the standard username-and-password login. Smart people are thinking of better ways to log you in, it turns out, and the days of the password-free login are closer than you think.

The password-free login is closer than you think

Today, the infrastructure behind that gadget is taking a big step forward. It's called FIDO (short for Fast Identification Online), and today the group is releasing the 1.0 version of its open standard. There had been earlier versions, like the one Google's USB key is based on, but this one is more efficient and more stable, providing a cryptographic backing for any service or authenticator device you want to plug in. As a result, life just got a lot easier for anyone who wants to make a phone with a fingerprint reader or an app that requires a fingerprint before it opens up.

So far there are just a handful of products built on FIDO — but with the new spec, that's about to change. Google's security key was one example, and another was Samsung's fingerprint reader, which could log you directly into the native PayPal app. (Samsung and PayPal were both early FIDO members.) But the company anticipates a flood of new phones and authenticator widgets now that the spec is complete. The iPhone's TouchID sensor will also work with the new spec, thanks to some clever coding by a software company called Nok Nok, which has built a program adapting Apple's now-open API to the FIDO protocols.

That means if you want to build a chat app that only opens with the user's fingerprint, you don't have to worry about writing a new program for every different phone. If a phone doesn't have a fingerprint reader, you could use the same system through voice authentication or a token like Google's security key — just as long as it's not a password. Nok Nok says it has over 15 product trials in the works for various applications. The hope is that, as the number of phones with fingerprint scanners and other authenticators grows, there will be more and more apps that want to jump on board. "Now people have something they can code to," said Phil Dunkelberger, Nok Nok's CEO. "This is the start line, not the finish line."

Like any standard, FIDO will succeed or fail by adoption: FIDO-friendly fingerprint readers will inspire more FIDO-friendly apps, and vice versa. But the group already has major companies signed on from nearly every group it needs: manufacturers like Samsung, Qualcomm, and Blackberry; service companies like Google, Microsoft, and Netflix; and financial companies like Bank of America, PayPal, and Visa. Coming on the heels of major hacks at Sony and Target, the group is betting the industry will be ready to move on from passwords. With the completed spec finally available, there'll be nothing to stop them. "We now really are within range of seeing the world changing," FIDO Alliance president Michael Barrett told The Verge, "and that's the exciting part."