Microsoft joins FIDO Alliance that wants to replace passwords

Securing an online account with a password is still the most used method of authentication but, as we have reported before, most passwords can be quickly guessed by hackers. There's also the constant threat of password database theft. Is there a better way to make online authentication more secure without the need for typing in a bunch of characters?

The FIDO Alliance thinks there could be a better way and this week it got Microsoft to sign on to its mission to replace the old-fashioned password. The non-profit organization, which was formed in 2012, announced that Microsoft has now joined its Board of Directors, which already includes companies like Google, BlackBerry, Lenovo, and PayPal.

FIDO stands for Fast IDentity Online and, as its name suggests, the members of the coalition want to create a set of open authentication standards that are easy for consumers and businesses to use and yet offer better security than the current login-password setup. The group states:

Open FIDO specifications will support a full range of authentication technologies for operating systems, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC).

The group will offer its final proposals to groups like the Internet Engineering Task Force and the World Wide Web Consortium with the goal of getting them approved as open standards that are used by everyone.

Source: FIDO Alliance via PCWorld


15 Comments

'such as fingerprint and iris scanners, voice and facial recognition'
Awesome, easier for hackers to steal your identity.

inb4 'nsa wants this...'

n_K said,
'such as fingerprint and iris scanners, voice and facial recognition'
Awesome, easier for hackers to steal your identity.

inb4 'nsa wants this...'

One of the biggest problems is people use the same password for everything. I don't see how using the same fingerprint etc for everything is going to change things when it's the servers that are getting hacked into.

Once the server is hacked, and your password, be it a string of characters you type in, or your fingerprint, it's out there. Fortunately you can change your password, the same can't be said for fingerprints or your eyeball.

I know people are going to say but but the server uses a salted password so the password hash won't be the same.. that's great but as many of the recent hacks have proven, not every company takes security seriously enough to salt their password database.

More needs to be done investing in security at the server level before we even consider trying to force what will ultimately be a waste of time for users.

Also, for people who have privacy concerns, I'd be less worried about the NSA and more worried about your local police state. Right now the majority of them can't force you to give a password, but they can take your fingerprint, eye image, voice etc without your permission...

sagum said,

One of the biggest problems is people use the same password for everything. I don't see how using the same fingerprint etc for everything is going to change things when it's the servers that are getting hacked into.

Once the server is hacked, and your password, be it a string of characters you type in, or your fingerprint, it's out there. Fortunately you can change your password, the same can't be said for fingerprints or your eyeball.

I know people are going to say but but the server uses a salted password so the password hash won't be the same.. that's great but as many of the recent hacks have proven, not every company takes security seriously enough to salt their password database.

More needs to be done investing in security at the server level before we even consider trying to force what will ultimately be a waste of time for users.

Also, for people who have privacy concerns, I'd be less worried about the NSA and more worried about your local police state. Right now the majority of them can't force you to give a password, but they can take your fingerprint, eye image, voice etc without your permission...


At a guess I would imagine this group is aware of the issues present and wants to fix things end to end via an open standard or set of standards.

n_K said,
'such as fingerprint and iris scanners, voice and facial recognition'
inb4 'nsa wants this...'

Indeed, these things have already existed for years. Seems Microsoft and this organisation are nothing more than a "solution looking for a problem".

This often happens when companies are beyond their peak, losing relevance, and looking for the "next big thing".

dvb2000 said,

Indeed, these things have already existed for years.

They have existed for years but as local authentication, i.e. to log in to your laptop or a work computer via intranet, they've not stored your unique human details on a remote internet server before.

Passwords are an abomination for most people, because they are phished, reused, and keylogged.
They are also difficult to remember and difficult to type and may not be secure. And there are legitimate issues concerning the specifics of the FIDO Alliance. But until the final spec is released I think it's difficult to say one way or the other if this will work. But I think it's great that they are trying.

Microsoft jumps on yet another hip fad bandwagon. Passwords are here to stay. Two thousand years of cryptography research can't be wrong.

I would be surprised in 20 years if passwords were the primary way for authentication. I think it's the beginning of the end for passwords.

Notice I didn't say they would use passwords.. Just that the alternatives for authentication would be more prevalent. If you have ever had to type a long password on a tablet then you know that passwords suck. It's not a great experience.

Are you honestly going to say that it is more convenient to type a password on a tablet rather than use biometrics? Everyone that I know uses the fingerprint reader on the iPhone 5s rather than a password even though they have a choice.

Honestly I'm going to say that tablets and phones suck in general. On-screen keyboards coupled with options to "remember me" (you should never ever use these) and a generally lax security model together leave a lot to be desired.
At the very least use a password manager.

The only way this could work is if there was one "unhackable" database of encrypted login details, and websites would have to sign up to use the service. If you let any random developers start collecting biometric data it could go bad, fast.
