Computer security: password protection could be a thing of the past

Thorsten Stremlau

Tuesday 20 December 2016

Thorsten Stremlau, Lenovo’s WW Principal IT Architect, on why having to remember a password will soon be a thing of the past.

Password protection has a problem. Lots of people still use the same password across multiple devices and platforms, meaning that if a hacker compromises one account, they can compromise them all. And hackers are more active than ever, as the recent LinkedIn and Twitter hacks show. Other technologies, such as biometrics and smart cards, are more secure, but they too have their weaknesses. With all our information now stored digitally, the issue of security is more important than ever. So how do we move to a more secure model?

A better way to authenticate

The answer is the FIDO Alliance. This is a group formed of some of the biggest companies in technology: Lenovo (a founding member), Google, ARM, Bank of America, Intel, Microsoft, PayPal, Qualcomm and Samsung, and the list goes on. It was set up to pioneer better security methods across all platforms and devices. And it’s ensuring that the password’s days are numbered.

It all started when Lenovo acquired a fingerprint sensor manufacturer called Validity. The chief executive of Validity had approached a number of big companies including PayPal in order to use their technology to authenticate payments. The idea was that it shouldn’t matter what device you were using, as long as it had a Validity sensor, PayPal should be able to authenticate the payment. PayPal loved it. But there was a problem.

If PayPal did this for Validity, it would have to do it for all fingerprint sensor manufacturers. At the time, there were around 150 to 200 of them. So PayPal would spend all of its time integrating and security testing, which obviously wasn’t feasible.

Instead, Lenovo, PayPal and Validity created and led an open industry alliance to revolutionise online authentication. This is called the FIDO Alliance, which stands for Fast IDentity Online.

What came before?

Before FIDO, authentication was a mess. You’d need a client or a piece of software running on your device. You’d use an authentication method – be it a password, RSA token, smart card or fingerprint – which would authenticate against this client software. The client software would send a signal back to the server, which would say, for example: ‘OK, this is a successful authentication by Thorsten’. It sounds simple, but there were plenty of problems.

For every authentication method, you had to implement some sort of software solution for that particular hardware. This was specific to that method and couldn’t be transferred to anything else. If you had a fingerprint solution, you needed a fingerprint solution running on your server as well as a fingerprint client – and the same with a smart card and an RSA token. These weren’t compatible across platforms, so it was really hard to switch devices.

Also, it was very difficult to reuse. If I used my smart card solution in my company, I couldn’t also use it for my bank, my online payments with Amazon, or with PayPal. It was tied to my corporate environment, and that was that.

How FIDO is better

The FIDO Alliance creates a FIDO client on the machine. This exists for Android, Windows and the Chrome browser. Instead of authenticating against a piece of software that has to be installed on the machine, Windows 10, Android and Chrome have this built into their systems. The FIDO code can work with any device that’s FIDO certified. There are more than 100 FIDO-certified solutions now available, including smart cards, fingerprint readers, RSA tokens and iris-recognition software. So it spans all sorts of use cases.

It’s much more secure and easier to use. Say I’m authenticating against the FIDO client that’s local on my machine. The FIDO client just sends a message to the webpage saying the authentication was successful. So no password or password hash needs to be transferred to the server anymore. There’s nothing stored on any site’s authentication server that can be reused on other sites. To log on to Amazon or Google, you just use the FIDO authenticator to authenticate against the site. Then you can use any device that you’ve enrolled against that site. It completely eliminates the need for passwords.

The FIDO Alliance promotes two types of authentication technology. Universal Authentication Factors (UAF) is the use of biometrics, physical tokens and passwords. The other is Universal Second Factor Authentication (U2F). Every method of authentication has its own weaknesses – passwords can be guessed, smart cards stolen and biometrics faked under certain conditions. But if you combine them, as U2F does, it gives a higher level of security.

Our online security is paramount, both in our personal and corporate lives. The FIDO Alliance is the best way to make sure our data remains ours. I for one won’t be mourning the password’s passing.