FIDO Pursues Vision of a Password-Free World
Posted by: John P. Mello Jr. December 17, 2014 10:55 AM

A group of some 150 companies last week moved closer to eliminating the bane of many an online user: the password. The FIDO Alliance, which counts among its members Microsoft, PayPal, Google, Bank of America, Visa and MasterCard, released version 1.0 of its open specifications for strong authentication on the Internet without the use of passwords. Release of the specifications opens the door for those who want to authenticate their users securely without the use of usernames and passwords.

FIDO is expected to make sure that the vendors of biometric products which need to be operated together with passwords for fallback/backup/self-rescue by OR/Disjunction (as opposed to AND/Conjunction, which is common for 2-factor authentication) should explicitly publicize that
(A) The biometric product raises the convenience at the sacrifice of security when the user keeps using the same password.
&
(B) The biometric product could raise the convenience without sacrificing security when the user changes the password to a largely-harder-to-break password (with a footnote that the password should be remembered, not carried around on a memo, and that the password should not be reused across other accounts).
It should also be noted that it is not possible to compare the strength of biometrics used without passwords altogether with that of passwords. There are no objective data on the vulnerability of biometric products (not just the false acceptance rate when the false rejection rate is sufficiently low, but also the risk of forgery of body features and the risk of use while the user is unconscious) or of passwords (not only that the entropy may be as low as 10 bits or as high as 100 bits, but also that they can be stolen and leaked).