FIDO: Beyond 'Simple' Authentication
New Protocol Strives to Wipe Out Password Use
Simple credentials, such as passwords, are a hacker's best friend, says Phillip Dunkelberger of Nok Nok Labs, a founding member of the FIDO Alliance. That's why the alliance is working to reduce reliance on passwords by enabling advanced authentication.

Many data breaches are linked to compromised usernames and passwords, says Dunkelberger during this interview with Information Security Media Group at the RSA Conference 2014.

Retail networks are prime targets because they typically house a great deal of personal information about cardholders, such as e-mail addresses and phone numbers, he adds. And because most online users reuse common usernames and passwords across numerous e-commerce sites, once those credentials are compromised, attackers have access to an array of accounts, Dunkelberger explains.

"Attackers choose the path of least resistance," he says. "Password reuse is common ... and third parties often hold many credentials in a centralized database, which makes them easy to steal."

To enhance online security, the industry has to retire usernames and passwords, Dunkelberger says. And that is where the FIDO authentication protocol comes in.

FIDO's Initiative

FIDO, which stands for Fast IDentity Online, is a global non-profit organization focused on stronger authentication. The FIDO protocol, which is expected to be issued later this year, will support any device, including a wide variety of mobile hardware, Dunkelberger says.

"The FIDO protocol gives you a way to define how you want to authenticate a user," Dunkelberger says, combining biometrics with public-key cryptography: the private key stays on the user's device, and the server holds only the matching public key, so a breach of the server's database does not yield a reusable credential.

"You have to have both the public key and the private key to authenticate," he says. With the biometric factor added, authentication requires three parts, Dunkelberger says. "It's really about making it harder for the attacker," he explains.
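To make the public/private key and local-biometric pieces concrete, here is an added example that is not code from Nok Nok Labs, the FIDO Alliance or this interview. It is a self-contained toy of the FIDO-style exchange: a hypothetical relying party (Server, with rpID "bank.example") stores only public keys and single-use challenges; a hypothetical Authenticator keeps one Ed25519 private key per relying party and signs a challenge only after local user verification, which the userVerified flag stands in for. The wire formats of the real FIDO specifications are not reproduced; the names, the Ed25519 choice and the SHA-256 binding of relying party plus challenge are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server is a hypothetical relying party. Per user it stores only the public
// key received at registration, plus issued-but-unused challenges. A dump of
// this table contains nothing an attacker can replay as a credential.
type Server struct {
	rpID       string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string]bool // hex(challenge) -> not yet consumed
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// Register keeps the public half of the user's key pair; the private half never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce that may be signed exactly once.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// Verify checks the signature over (rpID, challenge) with the user's public key
// and consumes the challenge, so a captured assertion cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !s.challenges[key] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, key)
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("no key registered for user")
	}
	if !ed25519.Verify(pub, signedData(s.rpID, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Authenticator models a FIDO-style device: one key pair per relying party, and a
// signature is released only after local user verification (the biometric or PIN
// match) succeeds. The biometric itself is never transmitted.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // relying party ID -> private key
}

// Enroll creates a key pair scoped to rpID and returns the public key to register.
func (a *Authenticator) Enroll(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]ed25519.PrivateKey{}
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Sign answers rpID's challenge. userVerified stands in for the local biometric
// match; without it the private key is not touched. A page presenting a different
// rpID (a phishing site) finds no key at all.
func (a *Authenticator) Sign(rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; not signing")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no key enrolled for this relying party")
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// signedData binds the assertion to both the relying party and the nonce.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write([]byte{0}) // separator so rpID and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

func main() {
	srv, auth := NewServer("bank.example"), &Authenticator{}
	pub, _ := auth.Enroll("bank.example")
	srv.Register("alice", pub)
	c, _ := srv.Challenge()
	sig, _ := auth.Sign("bank.example", c, true)
	fmt.Println("login :", srv.Verify("alice", c, sig)) // <nil>
	fmt.Println("replay:", srv.Verify("alice", c, sig)) // unknown or already used challenge
}
```

The three properties the interview alludes to fall out of the structure: the server-side table holds nothing a thief can log in with (contrast the centralized password stores Dunkelberger describes), a signature is useless once its challenge is consumed, and the private key is never exercised unless the local check passes. Scoping keys by relying party is what keeps a look-alike site from obtaining a valid assertion.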

Role of Mobile

Mobile is an integral piece of FIDO's initiative, says Marc Briceno, senior director of products for Nok Nok Labs, who also participated in the interview. Through a program called Mobile Connect, banking institutions can use FIDO's standardized authentication protocol to authenticate users across multiple mobile devices and platforms, he says.

Dunkelberger says Mobile Connect is just another way FIDO is helping organizations move beyond simple-credential-based authentication.

During this interview, Dunkelberger and Briceno discuss:

  • FIDO's multiyear vision;
  • The alliance's growing membership and key announcements from Samsung and PayPal, which are expected to help accelerate adoption of the FIDO protocol; and
  • Why the timing is right for a new authentication protocol that relies on true multifactor authentication beyond usernames and passwords.

Prior to joining Nok Nok Labs, Dunkelberger served as co-founder and CEO of PGP Corp., an enterprise data protection provider that was acquired by Symantec in 2010. Before PGP, Dunkelberger was an Entrepreneur-in-Residence at Doll Capital Management, president and CEO of Embark, and served as chief operating officer of Vantive Corp.