FIDO: Security without Passwords
First, a test question: What is the word FIDO generally thought to be?
- a. Name of a family dog
- b. Name of a zombie movie
- c. An acronym standing for Fast Identity Online
- d. All of the above
You have 30 seconds and there is no prize for a correct answer. OK, time's up and “d” is the correct answer; however, I don’t recommend the movie. For the purpose of this article, the third answer is our focus.
It is an acronym that stands for Fast Identity Online, but I don’t want to jump ahead. So first we’ll review the problem of vulnerable security on the internet. Passwords may be the issue, and here are the indicators why:¹
- Passwords are the root cause of over 80% of data breaches
- Users have more than 90 online accounts
- Up to 51% of passwords are reused
- 1/3 of online purchases are abandoned due to forgotten passwords
- $70: average help desk labor cost for a single password reset
What is a password? A very general definition states that a password is a secret word or phrase used to gain admission to something. We know from history that the Roman Army used passwords, also known as watchwords, and had a protocol on how to disseminate them throughout a unit. Skipping forward, in 1961 MIT used a computer system that requested a password when a “Login” command was issued. In the early 1970s, password storage security was improved when stored passwords were hashed. Passwords have been around a very long time.
Many of us have seen the annual worst password lists. SplashData reports the top 25 yearly. In 2018 the top 10 were:²
1. 123456 (Rank unchanged from last year)
2. password (Unchanged)
3. 123456789 (Up 3)
4. 12345678 (Down 1)
5. 12345 (Unchanged)
6. 111111 (New)
7. 1234567 (Up 1)
8. sunshine (New)
9. qwerty (Down 5)
10. iloveyou (Unchanged)
It is sad to note that similar failing approaches to passwords are used over and over again. So, is it really true to say passwords are the problem or is the mentally lax manner in which we generate passwords the problem? The fact that this problem continues year after year tells us that we, the computer users, are not going to invest the mental energy to fix this issue. This historical trend line has spawned an industry working group called the FIDO Alliance.
The FIDO Alliance is comprised of industry leaders from IT, finance and authentication/encryption fields. There are many members of the FIDO Alliance. Here are a few, but not all, of the more well-known Board Level Members:³ Aetna, Amazon, American Express, Bank of America, Facebook, Google, ING, Intel, Lenovo, Mastercard, Microsoft, PayPal, Qualcomm, RSA, Samsung, USAA, Visa, VMware.
Note: While Apple is not currently involved in the FIDO effort, the Apple browser does include FIDO code.
The FIDO Alliance overview states, “The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords.”
To use FIDO to authenticate, you must first register. The following is a brief description of the process taken directly from the FIDO web site. This is the short version and, although a few technical terms are used, it is generally non-technical and easy to follow.
About Insite Data Services
IDS data application hosting services combine secure and cost-effective core banking applications, enterprise-class servers and storage, and proven virtualization technology. IDS hosts all of the bank’s servers in secure data centers that use state-of-the-art security systems including identity verification and biometric scanning. Insite Data Services also offers IDS On-Time, a full-service solution dedicated to back-office bank processing. These operations experts allow partnered banks to focus on their most important asset, their customers. For more information visit www.insitedataservices.com.