Wouldn't it be great if we could ditch passwords and replace them with biometrics and smartphone-based tokens? The FIDO (Fast Identity Online) Alliance, a coalition backed by many A-list names in technology, released its final specifications earlier this week for how to go about it.
But the plans -- involving UAF (Universal Authentication Framework) and U2F (Universal 2nd Factor) -- have a possible loophole, according to Ping Identity, the creators of a passwordless single sign-on solution for enterprises. It may not be the death of passwords, but rather a way to keep them out of sight.
Of the two standards created by the FIDO Alliance, U2F has raised the eyebrows of Paul Madsen, Senior Technical Architect at Ping Identity. U2F "normalizes a second-factor authentication model," he wrote in a blog post, meaning it gives a consistent way to implement two-factor authentication without tying either factor to one particular device or method. That's far more flexible than what we have now, which is a good development.
But the bad news, according to Madsen, is that "U2F presumes that the user is first authenticated by some other mechanism before the U2F protocol kicks in. What do you think that other mechanism will be 98 percent of the time? Yup, passwords." Madsen also noted how a password (or a PIN) may also be used as a fallback mechanism in some cases, such as when a phone lacks biometric hardware.
"Perhaps we can say that FIDO is the 'Prison of passwords'," Madsen wrote, "keeping them isolated (to the phone) and so protecting society from the worst of their excesses."
Given that passwords might still enter the picture somewhere along the way, even with UAF and U2F in use, I asked Madsen where, when using such standards, the responsibility lies for making passwords strong. Was it part of the standard itself?
"Depends on the scenario," he told me in an email. "If U2F (the second-factor version of FIDO) is deployed as a second factor to a password, the FIDO protocol is separate (and oblivious) to the password-based authentication. The responsibility to define an appropriate password policy falls on the enterprise."
He further noted that what constitutes "appropriate" is not a hard-and-fast rule -- an enterprise could fall back to a shorter password or a PIN if it felt the second factor was strong enough to offset the weaker first factor.
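The layering Madsen describes is easy to see in code: the password check and the enterprise's password policy form one layer, and the second-factor check is a separate layer that never looks at the password. The following is an added illustration written for this article; it is not code from Ping Identity, the FIDO Alliance, or any U2F implementation. It assumes a toy relying party with an in-memory user store, and it stands in HMAC-SHA256 for the ECDSA signature a real U2F token produces over the application ID hash, user-presence byte, counter and challenge hash, so that it runs with only the Python standard library. The policy values, the `APP_ID`, and all user data are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


# --- Layer 1: password authentication with an enterprise-defined policy ---
# The policy numbers are illustrative; as the article notes, choosing them
# is the enterprise's responsibility, not something U2F specifies.

@dataclass
class PasswordPolicy:
    min_length: int = 12        # a PIN-style fallback would lower this
    require_digit: bool = True

    def accepts(self, password: str) -> bool:
        if len(password) < self.min_length:
            return False
        return (not self.require_digit) or any(c.isdigit() for c in password)


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    u2f_keys: dict = field(default_factory=dict)   # key handle -> registered secret
    counters: dict = field(default_factory=dict)   # key handle -> last counter seen


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(users: dict, name: str, password: str, policy: PasswordPolicy) -> bool:
    """Create a user only if the password satisfies the enterprise policy."""
    if not policy.accepts(password):
        return False
    salt = secrets.token_bytes(16)
    users[name] = UserRecord(salt=salt, pw_hash=hash_password(password, salt))
    return True


# --- Layer 2: simplified U2F-style challenge/response ---
# Real U2F signs (appId hash || user-presence byte || counter || challenge hash)
# with an ECDSA key; HMAC over the same fields is a stand-in (assumption).

APP_ID = "https://sso.example.test"   # constructed relying-party identifier


def enroll_u2f(users: dict, name: str, key_handle: str, secret: bytes) -> None:
    users[name].u2f_keys[key_handle] = secret
    users[name].counters[key_handle] = -1


def u2f_sign(secret: bytes, challenge: bytes, counter: int) -> bytes:
    """What the token computes; user-presence byte fixed to 0x01."""
    msg = (hashlib.sha256(APP_ID.encode()).digest() + b"\x01"
           + counter.to_bytes(4, "big") + hashlib.sha256(challenge).digest())
    return hmac.new(secret, msg, hashlib.sha256).digest()


def u2f_verify(user: UserRecord, key_handle: str, challenge: bytes,
               counter: int, sig: bytes) -> bool:
    """Relying-party side. Note it receives no password at all."""
    secret = user.u2f_keys.get(key_handle)
    if secret is None:
        return False
    if not hmac.compare_digest(u2f_sign(secret, challenge, counter), sig):
        return False
    # The counter must strictly increase; a replayed response or a cloned
    # token that has fallen behind is rejected here.
    if counter <= user.counters.get(key_handle, -1):
        return False
    user.counters[key_handle] = counter
    return True


def login(users: dict, name: str, password: str, key_handle: str,
          challenge: bytes, counter: int, sig: bytes) -> str:
    """Password first, then U2F, mirroring the 'second factor to a password' model."""
    user = users.get(name)
    if user is None or not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return "password_rejected"
    if not u2f_verify(user, key_handle, challenge, counter, sig):
        return "second_factor_rejected"
    return "ok"


if __name__ == "__main__":
    users = {}
    print(register(users, "alice", "short1", PasswordPolicy()))        # False: policy
    print(register(users, "alice", "correct-horse-battery-9", PasswordPolicy()))
    token_secret = secrets.token_bytes(32)
    enroll_u2f(users, "alice", "kh-1", token_secret)
    challenge = secrets.token_bytes(32)
    response = u2f_sign(token_secret, challenge, 1)
    print(login(users, "alice", "correct-horse-battery-9", "kh-1", challenge, 1, response))
    print(login(users, "alice", "correct-horse-battery-9", "kh-1", challenge, 1, response))  # replay
```

The point to notice is that `u2f_verify` has no password parameter and `PasswordPolicy` is never consulted by it: loosening the policy to a six-digit PIN, as Madsen says an enterprise might, changes only the first layer, and the second-factor layer offers exactly the same protection either way.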
Despite this, Madsen noted that his criticisms "should not be interpreted as meaning Ping doesn't see great value in the specifications and the authentication models they enable."
FIDO can cite plenty of major names on its side: Microsoft, Google, PayPal, MasterCard, and Bank of America, some of whom have already begun to deploy FIDO standards. As Madsen noted: "PayPal and Samsung deployed UAF for payments; Google has deployed U2F (through Yubikey USB tokens) for end user login. (I use it myself.)"
Those deployments are mainly aimed at consumers and merchants, and enterprise interest is still young. But Madsen believes deployments for FIDO in the enterprise will ramp up, "especially once some emerging work on marrying FIDO with federation protocols like SAML & OpenID Connect solidifies." Even in the wake of such a development, it seems enforcement for strong passwords will need to exist on some level in the enterprise -- just in case.