clock menu more-arrow no yes

Filed under:

Google, Samsung, and 16 others receive post-password certification

New, 19 comments

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

This morning, the plot to kill the password got a little stronger. 18 different companies received an official FIDO certification for 31 different products, ranging from physical devices to login services. They're the first products to be officially certified under the specification, opening the door for interoperating services down the road. The services aren't comprehensive enough to do away with passwords entirely, and not all of them have been deployed — but once they are, anyone using the systems will have a robust alternative to simply typing in a string of characters.

The FIDO specification was officially published in December, establishing basic ground rules for post-password authentication. Using FIDO, a fingerprint reader can authenticate a user without sharing the fingerprint itself, using a zero-knowledge proof to protect sensitive biometric data. More importantly, a system that's compatible with FIDO can accept a login from any FIDO-certified device, whether it's a fingerprint reader, a voiceprint detector, or even a more exotic system that hasn't been invented yet.

Two-factor authentication is just the first step

Google's all-purpose login service was the biggest system to be certified, receiving a certification as a universal two-factor server. Yubico also received a certification for two different USB security keys, which are designed for use as a physical second factor. Google announced support for Yubico keys in October, allowing users to opt for the physical keys rather than the standard four-digit authentication code.

But two-factor authentication is just the first step of the process, and a number of FIDO services have already moved into more ambitious territory. Egis's Yukey authenticators were also certified in the first batch, letting users authenticate through a combination fingerprint reader and biometric wristband. Samsung's secure identification framework was also certified, as well as a system that would use Samsung's fingerprint reader to log into online stores.

Today's certification also included a number of software development tools, and there's also reason to believe more services are on the way. Visa and Bank of America are both on the FIDO board, but neither of the companies have released any FIDO compatible login systems as of yet.

One name missing from the list was Microsoft, which plans to integrate Windows 10 and FIDO once the next version of the specification is released. Microsoft has taken an active role in managing the spec this year, with Microsoft executive Dustin Ingalls taking on duties as President of the FIDO alliance in January.