May 9th, 2013 by Jeremy Sherwood, Cloud Strategist
Michael Barrett, Chief Information Security Officer at PayPal, was the lead-off keynote speaker on day #2½, if you count the first night as a half day. He spoke on password security in the world of the “Internet of Things”. Michael started his keynote by focusing on the data of passwords. “Passwords really started back in 1961 with the Mainframes,” Michael said. It was a time when you would timeshare workloads on those mainframes. Getting access was as simple as seeking out the system administrator and signing up for workload time slots; you would be issued access keys at your time slot to start your work.
Michael went on to paint a picture of today's passwords in the life of a user. We all have more usernames and passwords than any one person should. Michael went on to say that, because of the pain of having to remember usernames and passwords, we reuse the same set of keys over and over again, making them more and more useless. I would agree with Michael on the sheer volume of passwords that I have myself; it is crazy to recall them all. I personally have used and looked at tools like LastPass to help address this need.
However, Michael’s keynote then shifted, not away from the password problem, but towards a really unique way to solve it. He introduced the FIDO Alliance as the key to a standard protocol for changing the paradigm of passwords and putting them to rest.
For those of us who weren’t, or still aren’t, familiar with the FIDO Alliance, here is a brief explanation from their website:
“The FIDO (Fast IDentity Online) Alliance was formed in July 2012 to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.”
Michael expanded on the story with some examples of how one standard can be used while each implementation remains unique. One example was this year’s upcoming cell phones, which will have fingerprint scanning technology that can be used for authentication instead of passwords. For me, the idea of simplifying my life while still maintaining the level of security that allows me to sleep at night is a future I can get behind. For more information on FIDO, I would encourage you to check out their website here: http://www.fidoalliance.org as well as read this article that was written in Computer Weekly a few months back that really does a great job of explaining the problem and solution.