Creating a World Without Passwords

Andy Barron, Global Communications Manager, Lenovo

The speed and convenience of the internet comes with a common annoyance: too many passwords. Your computer, email, credit cards, shopping websites, bank, hotel loyalty programs, social media, cable channels, airline and on and on. In fact, the typical user has about 90 online accounts and each needs a password.

Hopefully each has a different password, because otherwise you are only as safe as the least secure website you frequent. Hackers love to stuff passwords: taking a password stolen from one site and using it on other sites. Yet more than half of passwords are reused.

Those statistics on the number of online accounts and reusing passwords come from the FIDO Alliance, an open industry association working to reduce the world’s excessive reliance on passwords.

FIDO – which stands for Fast IDentity Online – is working to change the nature of authentication with open standards that are more secure than passwords, simpler for consumers to use and easier for service providers to deploy and manage.

Officially founded in 2012 and publicly announced in 2013, FIDO started with just a handful of companies including Lenovo. As an original member of FIDO along with PayPal, Nok Nok Labs, Validity Sensors, Infineon and Agnitio, Lenovo continues to play a leadership role in moving FIDO standards from development to widespread adoption.

The FIDO Alliance has grown well beyond the original members and now includes more than 250 members including Microsoft, Google and Intel, with Apple being the latest to join in February. That rapid growth now has the group approaching widespread adoption of the FIDO standards and a corresponding jump in the number of FIDO Certified products.

There are now hundreds of FIDO Certified products – including Windows 10 – moving FIDO closer to its goal of FIDO products of being the norm, not the exception.

The ongoing growth is very satisfying to Lenovo’s Joe Pennisi, who played a major role in founding and growing the FIDO Alliance. Pennisi, a Lenovo Distinguished Engineer and leader of the PCSD Global Security Lab, first heard about the idea in 2010, when he was contacted by Ramesh Kesanupalli, the founder and driving force behind FIDO. Pennisi knew Kesanupalli, the founder of Nok Nok Labs, from working together on fingerprint sensors in ThinkPads.

Pennisi brought Lenovo into the alliance from the start, joining as one of the four founding board members, serving as treasurer since the beginning, roles he still has today. He has managed the group’s financial growth and investing in the alliance’s objectives.

As part of FIDO’s leadership, he helped recruit new members, where the alliance enjoyed steady success, bringing in Google in 2013 and Microsoft in 2014 among a steady influx of tech companies, web merchants and financial institutions interested in improving online security.

Joe Pennisi, a Lenovo Distinguished Engineer and leader of the PCSD Global Security Lab

“What attracted me first of all was that it is a big worldwide problem that affects almost everyone,” Pennisi said. “We call it the ‘password problem’ because it’s a shared secret that can be attacked from either end: the user or the online service. If your password or its protection is weak, I can attack that, or if the database of passwords at a site isn’t well protected – and many aren’t – then I can attack that.”

The weakness of passwords also creates a great incentive for hackers, who can target databases of passwords and get millions, possibly billions, of user IDs and passwords.

Having been working on fingerprint readers for seven years, Pennisi knew there were better ways to secure online use, such as biometrics. But there was no industry standard for online services to work with biometrics such as fingerprint readers, thereby preventing widespread use.

When the FIDO Alliance started, the first challenge it faced was to create some working groups to establish the standard and work on the technical details of the protocol. That meant groups to create the standards at the heart of FIDO security.

With FIDO specs in development in 2013, David Rivera, a Lenovo Principal Engineer and Director of Device Security for Lenovo’s Global Security

David Rivera, Lenovo Principal Engineer and Director of Device Security for Lenovo’s Global Security

Lab, joined FIDO. He founded and continues to lead the Certification Working Group, developing the policies and processes to test and approve products as FIDO Certified.

“We needed to make sure that once the FIDO standards were set that we had testing tools and processes in place to make sure vendors creating products using FIDO standards were implementing the specs correctly, and that the products from different vendors worked well together,” Rivera said.

“That involves bringing vendors together, establishing the processes and then testing products to make sure they all can talk to one another as designed.”

So how does FIDO replace passwords?

The short answer is asymmetric encryption keys, a pair of keys that are related but not identical. In the pair of keys, one key encrypts the data being sent, the other key decrypts.

This is different than the encryption on your hard drive, for example, where one key both encrypts and decrypts. With FIDO, your PC would have a unique private key for each website and the website you wanted to use would have the complementary public key.

“That public/private connection would be different for every online service, and for every device you have,” Pennisi said. From a security perspective, now it comes down to how well I can protect the key on my device. What also helps is that now an attacker’s return on investment is much, much smaller.

Hacking a device may provide information about a single user only, and hacking an online service gets a databased of public keys which are of no value authenticating to this service as all key pairs are unique, so all other services are not impacted.

“FIDO certification includes a mandatory security certification for devices, which helps give both users and web sites some assurance that the devices are doing a good job of protecting the keys,” Rivera said. “Additionally, FIDO has also recently added biometric certification, giving even stronger proof that devices that use biometrics are going to do a good job of replacing passwords.”

Both Pennisi and Rivera expect the number of FIDO Certified devices to grow quickly in the next few years as more and more companies adopt the standard, and users see the benefits.  Microsoft’s adoption of FIDO in Windows 10 just last year was the catalyst for this year’s growth, and they hope Apple joining will be yet another boost that fuels greater adoption.

“It’s been great to work on solving a really big customer pain point, and it’s been great that Lenovo has been there from the start,” Rivera said. “Having been there in the early days it’s really gratifying to see so many products with the FIDO stamp today.”

It’s been great to work on solving a really big customer pain point, and it’s been great that Lenovo has been there from the start

FIDO’s work is not done by any stretch.  While the FIDO board has many large financial organizations, financial institutions remain one of the biggest areas without FIDO adoption.

“That sector has been rather cautious,” Pennisi said. “If you sign into a bank account, the bank really wants to know it’s you before allowing a connection, so that’s an area the group is working on.”

Pennisi said FIDO is starting to look at Internet of Things devices, the next big opportunity to improve cybersecurity, as well as Identity Verification to support standardized methods of verifying identities for both account provisioning and recovery, other areas in need of innovation to improve overall online security.

[ssba]
Don't Miss StoryHub Updates: