"The thing to remember is that the whole FIDO methodology is rethinking how authentication is handled from the ground up," says Barrett, president of the alliance. "Early on, you logged on and typed in your username and password and then you were validated through the mainframe. And today, online, that is essentially the same methodology we use."
To help ease the transition to a wide variety of more advanced forms of authentication, ranging from biometrics to using mobile devices as tokens, FIDO plans to publish in the first quarter of this year its first official draft of authentication specifications. "2014 is definitely the year when things will really start moving in the marketplace," Barrett says.
The alliance hopes to eventually help launch a certification program to verify that hardware and software are "FIDO enabled" and use the group's specifications, he explains in an interview with Information Security Media Group.
FIDO, which stands for Fast IDentity Online, is a global non-profit organization that now has 70 member companies, all with an interest in stronger authentication, says Almenara, a FIDO board member who is vice president of authentication and decision infrastructure at Discover Financial Services.
By participating in the alliance, Almenara says, Discover hopes to help accelerate the transition to more sophisticated user authentication that's easy to use. "The alliance is a powerful platform for collaborating with our technology and digital leaders; we all share the same goal of creating a safe and simple experience," he says.
The FIDO authentication model will support any device, including a wide variety of mobile hardware, as well as a wide variety of authentication methods, Barrett says. That's because it's common for end-users to use multiple devices to access systems.
"With the FIDO model, let's say the user has a mobile handset that has a fingerprint reader as well as a voice print," he says. "The end-user picks which of those he or she is comfortable with."
During this interview, Barrett and Almenara discuss:
- Why global standardization of identity management is so critical;
- Steps organizations should be taking to prepare for these anticipated authentication standards;
- FIDO's priorities for 2014.
From 2006 to 2013, Barrett served as chief information security officer of PayPal, where he was responsible for ensuring the security of PayPal's 130M active accounts worldwide. Previously, he was the vice president of security and utility strategy at American Express, where he helped define the company's information security program and directed its Internet technology strategy. He also formerly was president of the Liberty Alliance, an open-standards consortium focused on identity management standards and guidelines, which culminated in the development of SAML 2.0.
At Discover, Almenara is responsible for customer authentication strategy and decision infrastructure capabilities across all business lines. He develops the infrastructure to manage customer risk and the authentication framework that improves customer experience while enhancing the security of the company's online and off-line interactions with customers. Before joining Discover in July 2013, Almenara was a global client consultant at Experian, and he spent more than 20 years in global risk management, operations and fraud prevention roles at American Express.