Windows 10 and biometrics

Microsoft Announces FIDO Support For Windows 10 (The Verge)

Soon, you may be able to log in to Outlook with a fingerprint or an eyescan. At the Stanford Cybersecurity Summit on Friday, Microsoft announced that Windows 10 would support the next version of the Fast Identification Online (FIDO) spec, allowing devices to work with a wealth of third-party biometric readers and providing an easy framework for any hardware makers that want to build extra security into a laptop or phone.

Being realistic about passwords

Ping Identity engineer: On second thought, passwords may be okay (FierceEnterpriseCommunications)

In the first part of a new discussion with Paul Madsen, a senior technical architect in Ping’s office of the CTO, I first asked whether Ping truly did intend to resurrect the password as a viable mechanism by way of supporting FIDO 1.0.

Paul Madsen, Senior Technical Architect, Ping Identity: It’s less a resurrection than just trying to be a little bit realistic about what FIDO does, and what it can do. Half of the FIDO specification set–U2F, specifically–pretty much assumes that there are still passwords in the mix. FIDO, arguably more so than killing off passwords, just mitigates some of their worst problems, particularly the risk of bulk compromise of the password database, as we see more and more.

Two things jump right out of this article. The first is the realistic treatment of the fact that passwords aren’t going the way of the dodo any time soon. The second is that passwords that control access to databases of passwords are very different from passwords that control access to an individual account.

The big scores are database hacks.

See also:
FIDO is not the end of passwords (and that’s OK) at the Ping Identity blog. It’s well worth reading.

Well, he will be soon, he’s very ill.

The Dead Collector: Bring out yer dead.
Man With Dead Body: Here’s one.
The Dead Collector: That’ll be ninepence.
The Dead Body That Claims It Isn’t: I’m not dead.
The Dead Collector: What?
Man With Dead Body: Nothing. There’s your ninepence.
The Dead Collector: ‘Ere, he says he’s not dead.
Man With Dead Body: Yes he is.
The Dead Body That Claims It Isn’t: I’m not.
The Dead Collector: He isn’t.
Man With Dead Body: Well, he will be soon, he’s very ill. [Source]

FIDO 1.0 Specifications are Published and Final Preparing for Broad Industry Adoption of Strong Authentication in 2015 (FIDO Alliance)

“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” said Michael Barrett, president of the FIDO Alliance. “FIDO Alliance pioneers can forever lay claim to ushering in the ‘post password’ era, which is already revealing new dimensions in Internet services and digital commerce.”

FIDO is doing great work at developing standards for managing online identity without passwords.
FIDO’s press release and this article at PC World explain quite well what FIDO is up to. The people behind FIDO are to be commended for tackling a serious issue, the solution to which could add significantly to the value proposition for businesses and customers interacting over electronic networks.

Just don’t fall for all the “death of passwords” hype that is out there in other places.

Passwords are going to be around for a long, long time, but FIDO is doing a great job of corralling them back to where they can do the most good with the least annoyance.

See also:
Why Passwords are Great

A closer look at the Fast Identity Online Alliance

If you haven’t heard of FIDO yet, you should really click through to the entire article.

Password-free authentication: Figuring out FIDO (Search Security)

Online authentication mechanisms have grown increasingly difficult for IT security teams as employees and customers expect to access online services and e-commerce sites from a myriad of devices. With password fatigue reaching new heights, many security professionals want stronger authentication methods that eliminate the complexities and risks associated with the integration of online credentials and identity management.

By now, most security professionals have heard about the Fast Identity Online (FIDO) Alliance, a non-profit founded in July 2012 and publicly announced in February 2013. The industry group is championing better multifactor authentication and open standards to promote interoperability of next-generation authentication technologies.