2013 has seen a new authentication acronym emerge: FIDO – for Fast Identity Online. It’s a Silicon Valley initiative aiming at creating a large market for strong authentication by establishing standards. All previous such initiatives have failed – not that they lacked prestigious supporters. Which challenges does the FIDO Alliance face? What will make it successful?
Consumer or Enterprise?
As of today, strong authentication is mostly an Enterprise market. Businesses implement strong authentication in order to protect their assets. Enterprise strong authentication is a mature market, although SaaS and mobility are deeply reshuffling it. What does FIDO bring to this market? A priori, little, because businesses issue their own private credentials for employees, partners and customers. Businesses don’t expect and don’t want to leverage third party credentials. Businesses don’t care about interoperability outside their own trust domain. And today’s vendor solutions already enable interoperability – i.e. single sign-on – within the trust domain.
Then, what about consumer and consumer-facing markets, B2C and B2B2C? B2C would mean that end-users actually buy FIDO tokens, which is unrealistic at large scale. It’s not a price question, rather a perception of the value and of the need to own tokens: the vast majority of users are hardly aware that they need something to safely manage their identities, so security tokens are really not on the wish list.
Hence the odds are that the market for FIDO is websites needing to make their users’ authentication more secure.
Embed and fly, or die
Unfortunately, there’s a chicken-and-egg problem: users won’t want security tokens until they can use them to connect to many different sites. Websites won’t be interested in FIDO until they can authenticate a vast proportion of their users with it. That’s typical for two-sided markets. How will FIDO get past it?
FIDO benefit for websites lies in the possibility to leverage existing tokens due to their standardization and interoperability. If a website had to invest in tokens – e.g. to subsidize their users -, that website would have no need for interoperability. This is precisely what happens today: some “rich-enough” websites – e.g. financial services – distribute tokens to some of their user segments, other websites don’t use tokens. Sharing investments requires state or industry-wide initiatives, like BankID in Norway. However, it’s not on FIDO’s agenda to create and operate a centralized authentication service charging websites accepting tokens in order to redeem tokens issuers. And no investment sharing means no incentive to interoperability, hence no need for FIDO.
So what? Device manufacturers may own the key to the solution. Embedding FIDO tokens in every day devices shifts the chicken-and-egg problem from websites to device manufacturers. The manufacturers business model is precisely to add hardware and firmware features that they believe will benefit their sales or margins. So FIDO ultimate challenge will be to convince device manufacturers about the value of embedding tokens. That challenge is not to be underestimated: NFC has been struggling with it for more than 5 years now.
Is that all? Nope…
Besides, as long as most of the installed base won’t be FIDO-enabled, will websites want to support it? Will they implement an “optional” secure authentication, only for those users having a FIDO-compliant device? How will users having several devices – some FIDO-compliant, some not – authenticate? So, FIDO will probably need to convince not just a few, but most device manufacturers.
Now the key question: will Apple join the FIDO Alliance?
The expectations that Apple would embrace NFC have been vain so far, as Apple is pushing an alternative standard. Here, however, Apple has been the first large phone manufacturer to embed a biometric sensor (TouchID on iPhone 5S, see my post). But there is no sign that Apple will open the API or make it FIDO-compliant.
This is more than a challenge for the FIDO Alliance: it’s a risk they can’t mitigate.
And now?! Almost finished…
Last but not least: can this work without an identity provider?
If I was using my FIDO token to authenticate to, say, 15 websites, what would happen if I lost it or I wanted to change the device where it’s embedded? The answer is: I would need to enroll my new token with all of these websites. And for this, how would I prove to these websites that I’m the right user, if I no longer had the token I use to prove my identity? …
Making authentication more secure introduces a need for an “identity provider”, some kind of a neutral entity that can safely issue tokens and reissue them when needed. This is not in FIDO’s scope, so there’s a risk that it will make websites’ life (with authentication) even more complex and costly that it was already.
It’s another challenge, but when FIDO will get to that point, inWebo can help.