FIDO Alliance adopts standard that makes Android touch ID sensors possible

By Byron V. Acohido

Michael Barrett cringes every time he has to enter a password on his smartphone.

But six months from now Barrett says he will be able to choose from the latest Android models that will come equipped with a biometric sensor capable of letting him swipe his fingerprint to access a wide range of his online accounts.

That’s the scenario being proactively pursued by the FIDO Alliance, a group of 48 tech companies, led by PayPal and Lenovo, hustling to implement a milestone technical standard.

“The intention of FIDO is absolutely that it will allow consumers to have access to mobile services that they can use with very low friction, while keeping good security,” says Barrett, president of the FIDO Alliance. “That’s explicitly what we want to build.”

As FIDO gains traction, it should radically change mobile computing, much as the Wi-Fi standard did. FIDO should reduce, if not eliminate altogether, the use of passwords to access accounts on mobile devices.

Apple’s latest iPhone model features a much-ballyhooed fingerprint sensor, called Touch ID, that can be used to lock and unlock the phone, as well as authenticate the user to purchase digital media on iTunes. Touch ID, for the moment, is not FIDO-compliant. Apple spokeswoman Natalie Kerris declined comment.

However, Barrett says Touch ID could easily be adapted to FIDO. “Our view is that it’s possible Apple might choose to start using FIDO, but that’s probably a couple of years out.”

Meanwhile, Barrett is on a mission to get other hardware makers and online companies to arrive at a consensus on common rules of the road for enabling consumers to use their computing devices — be it a smartphone, touch tablet, laptop or desktop PC — more centrally in the authentication process.

Biometric sensing technology is well understood. Yet, passwords — and poor password habits — remain central to accessing online accounts. This has made it all too easy for cybercriminals.

“We make tradeoffs to balance security with convenience,” says Manoj Nair, general manager of identity trust management at RSA. “The next generation of identity protection will allow us to be more convenient and secure at the same time.”

That’s where FIDO comes in. The alliance is hashing out an open standard that any company can adopt. So a music service or online banking site will be able to recognize the unique characteristics stored on a PC’s security chip or a smartphone’s biometric sensor, as long as all parties adhere to FIDO.

The alliance officially launched in February with a handful of founders and has grown rapidly.

The initial FIDO-equipped Android devices, along with an array of commercial services using the FIDO protocols, are on track to roll out in early 2014, Barrett says.

Silicon Valley start-up Nok Nok Labs is developing the first servers to facilitate FIDO services. If all goes as hoped, FIDO will become to authentication what Wi-Fi is to Internet hookups, says Phil Dunkelberger, CEO of Nok Nok Labs.

“We didn’t create the current authentication mess overnight, so it’s going to take us a while to fix it,” Dunkelberger says. “We need to educate the marketplace that it is possible to make things more secure for business and easier for consumers, while still ensuring that legitimate privacy concerns are respected.”
