Security: When Passwords Are Not Enough

Michael Barrett and Sebastien Taveau

Standards are finally emerging that will bring secure biometric authentication to millions of smart phones.

Those of us who practice the “dark arts” of information security know all too well that we are often misunderstood by our colleagues. They have been quick to impugn our craft as being too opaque, disconnected from corporate priorities, and an obstruction to product innovation.

But that was then and this is now. There is a new wave of innovation coming to the mobile ecosystem that will revolutionize the end-user experience, greatly reduce the friction of account creation, increase customer engagement with online services, and accelerate the growth of mobile commerce. And it’s all due to a breakthrough solution to a longstanding security problem: how to authenticate consumers when passwords are not enough.

Security experts routinely face the challenge of balancing convenience with security. Our discipline has often viewed the problem of secure authentication as a linear one, with convenience on one end of the spectrum and security on the other. The security team is responsible for setting the level of security required and then sticking the product teams with the requirement to ratchet up the inconvenience on the customer accordingly.

No more. Security architects at PayPal, in cooperation with Validity and other collaborators, have rejected this outdated mode of thinking. We believe that the right model is a two-dimensional view, with security on one axis and convenience on the other, and with the desirable solutions residing in the “magic quadrant” scoring highly against both criteria.

Existential Threat

So what is the security team to do in today’s environment, when new devices such as mobile phones and tablets are introduced with a high degree of heterogeneity? There are multiple makes, models, and user experiences, along with a multiplicity of new security vulnerabilities due to the absence of anti-virus software. Complicating matters are two other factors: a lack of appropriate care from users who don’t yet understand the “spoof” threats native to mobile interfaces; and the fact that these devices no longer conform to the traditional boundary between personal and professional content, access, or usage.

For the longest time, security teams have made risk-management decisions guided by the old authentication model of “counting factors,” such as “what you have” and “what you know” (“What You Have, Where You Are, What You Know, Who You Are,” October 2012). The e-mail/password, mobile/PIN, and card/signature credentialing schemes, while still effective when combined with advanced back-end risk-management capabilities, are losing their effectiveness across much of the ecosystem due to an increasing rate of credential theft and identity fraud.

So how are companies supposed to be able to protect their users and themselves while still increasing their subscriber base and expanding support for new devices? By being proactive in moving off legacy credentialing systems, like passwords, and onto the emerging authentication modality.

So what is this innovation that is going to solve the existential threat to consumer protection in the new economy? Well, surprisingly, while the mobile industry has spawned a lot of innovation and fed it back to the classic PC industry (TEE architecture, multi-communication mode, app-ification of the user interface, and so on), the PC industry actually has been using “the next big thing” for mobile authentication for nearly 10 years now—albeit in niche deployments.

What Is the Next Big Thing?

The next big thing for mobile authentication is biometrics in combination with secure hardware and an open, interoperable, standards-based ecosystem that moves this technology out of enterprise deployments and into the consumer-driven mobile economy.

Fingerprint sensors have been in laptops for many years, yet they have not been leveraged to their full potential because very few applications have been able to use these capabilities beyond simple login for select enterprise Windows environments.

With the new BYOD (“bring your own device”) wave (and, in the near future, BYOT as in “be your own token”), the same IT departments have been revisiting how to create a better security environment without infringing on the privacy of their employees or presuming ownership of the devices on their networks.

The FIDO Standards

The only problem with applying biometrics to this new environment, of course, is that these mobile devices do not have biometric capabilities (in secure hardware), and even if they did, there is no cost-effective way to integrate those capabilities into all the cloud-based services in today’s enterprise or consumer environments. Each deployment would be a one-off proprietary integration.

However, with major acquisitions and product releases in the consumer-authentication space, these devices are actually expected to hit the mass market within a few months. That solves the first problem: getting these capabilities on the devices themselves. But there is still the problem of how to integrate these devices into the cloud in a way that is secure, interoperable, and cost-effective.

Where are the standards to support the mobile biometric ecosystem?

The Fast Identity Online (FIDO) Alliance was formed in the summer of 2012 and launched in February 2013 (http://www.fidoalliance.org) to develop the standards required to enable this interoperable, secure, consumer-driven mobile ecosystem.

The FIDO Alliance is about changing the nature of online authentication by defining an open, scalable, interoperable set of mechanisms that universally authenticate users and reduce reliance on passwords. The FIDO standards create an interoperable “shim” between FIDO-compliant authenticators (which could be biometrics or PIN-protected secure elements, for example) and applications, both native apps and online services being accessed through a FIDO-compliant Web browser.

Secondly, the FIDO Alliance addresses user privacy by defining an architecture that keeps biometric data local to the device, and not in the cloud or any central database. Traditional biometric authentication systems used by governments, health groups, and military entities are willing and sometimes even mandated to have a central database of biometric credentials. The credential capture is local but the matching is remote.

In what some have begun to refer to as “natural ID” or consumer-grade biometry, no service provider or relying party will have a massive database of biometric credentials stored in its data center. This would result in an unmanageable and dangerous situation for consumer or employee privacy, breach protection, and usability.

A Simpler Experience

So it became clear for PayPal and other FIDO Alliance founders that we would need new mechanisms to be put in place for consumer-centric strong authentication to take off. Indeed, privacy protections have been a core tenet of the FIDO architecture from the beginning.

We are excited about 2013, which looks to be the year when the first market-driven devices and services become capable of securing the digital experience through more convenient, more secure authentication schemes standardized by the FIDO Alliance.

Is that wishful thinking? We don’t think so. Based on the level of interest from other stakeholders in the industry and the major trends of acceptance and adoption, we are confident the FIDO Alliance represents the foundation for a new form of authentication that is well-positioned for ubiquitous adoption over the next few years.

As an additional proof point, PC makers have also embraced the promise of the Alliance. With mobile devices equipped with a microphone for voice recognition, a camera for facial recognition, and now a fingerprint sensor, and with these technologies coupled with a secure element, it is expected that users will be presented with a simpler, yet more secure, experience.

As a service provider, PayPal is looking forward to the day when it can start to leverage the FIDO Alliance standards to enable more convenient and more secure financial transactions for its customers who buy FIDO-compliant, natural ID-enabled devices.

Let 2013 be the year we can finally begin to forget passwords!

Michael Barrett is chief information security officer at PayPal Inc. and president of the FIDO Alliance.

Sebastien Taveau is chief technology officer at Validity Sensors Inc. and chair of the FIDO Technology Working Group.