Last month I wrote about Google's efforts to provide a secure, easy to use, alternative to user-generated passwords. I noted that this effort has the potential to fundamentally alter the way consumers safeguard their online accounts. That’s largely because Google is pursuing this Universal 2nd Factor (U2F) initiative as a member of the FIDO Alliance. The industry group, which also counts companies like Microsoft, Facebook, Paypal and MasterCard among its members, is promoting an open standard for secure login verification, or authentication as its referred to in the security community. The idea is that an open set of standards and protocols will enable compatibility between hardware and software from a wide range of companies – think USB or Wi-Fi – and thereby lead to widespread adoption.
At the upcoming 2014 Consumers Electronics Show (CES), we’ll get to see some of the first offerings that adhere to this set of standards, as several vendors will be showcasing their FIDO-certified products. I recently wrote about the YubiKey NEO, a USB dongle that can be used to log in from a laptop or desktop computer. And U2F-capable storage cards are on the way as well, with Go-Trust set to demo microSD cards that enable secure logins.
Biometrics is set to play a very big role in authentication. Since we all have unique physical traits, leveraging them to verify our identity online has been an attractive proposition in the security industry for some time. Speech recognition specialist Agnito will be showing off their Voice ID technology that allows you to verify your identity simply by speaking. EyeLock will demo technology that allows a hardware device to scan your iris. And as we’ve seen with Apple's Touch ID in the iPhone 5s, fingerprint scanning offers another avenue of verification, one that seems particularly suited for mobile devices. Fingerprint recognition specialists AxisKey, EgisTec, FingerQ, and FPC will be among the vendors at CES with FIDO-compliant fingerprint sensors that can be used with smartphones and tablets.
While the push for open standards is still in its early days, these handful of products begin to demonstrate the possibilities of a future without passwords. The key of course, will be widespread adoption of the U2F standard so that the authentication devices can work for consumers across multiple browsers and operating systems, while requiring a minimal amount of work for online retailers and financial institutions to implement on the back-end. While Apple, to date, has chosen to “go it alone” with its proprietary Touch ID service – there is no API access to the iPhone 5s’ fingerprint scanner – the widespread attention generated by its phone-unlocking feature has pushed the concept of biometric scans to a mainstream audience.
The beauty of the FIDO Alliance specification is that it allows a broad range of approaches, from USB dongles to eye-scanning devices. It appears that we’ll see a number of password-alternative products becoming available throughout 2014, and with them, perhaps the promise of never having to remember a password again.