UK To Invest In FIDO-Based Passwordless Systems To Improve Security

The FIDO Alliance, which includes members such as Google, Microsoft, ARM, Intel, and PayPal, as well as banks and many other companies, aims to get rid of passwords through new industry standards for biometric authentication and for two-factor authentication. The UK government recently announced that it will invest £1.9 billion ($2.3 billion USD) in cybersecurity over the next five years, and that includes adoption of devices capable of FIDO authentication.

Security By Default

The UK government’s new strategy for “defensive” cybersecurity is to ensure that future devices that arrive on the market are “secure by default.” The recent massive DDoS attacks due to all the insecure IoT devices that come to market may have been one of reasons why the UK government chose this strategy.

In its strategy document, the UK government said:

[We will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.

FIDO said that the UK government realized the same thing the group did--that passwords are an unsustainable method of authentication, something of which all the major data breaches in the past few years have reminded us.

Ending "Security Fatigue"

FIDO also noted that users want strong security to be accompanied by a positive user experience. As a recent NIST report concluded, users--especially in the enterprise environment--are starting to feel “security fatigue.” This is due to all the dozens of passwords they have to manage to get into the various applications that they need to use.

The FIDO authentication methods promise to enable easy access to devices and applications through fingerprints, selfies, or a single touch of a security key. Authentication through facial recognition has had a bad track record, so it remains to be seen if FIDO’s implementation will be more resilient to attacks than previous facial recognition solutions.

Fingerprints should offer reasonable security for most people, as long as governments don’t also decide to store everyone’s fingerprints in their hacking-prone databases, which could then expose everyone’s devices when a data breach happens.

The FIDO Alliance is also enabling strong two-factor authentication, so ideally the biometric authentication will almost always be accompanied by some form of second-factor authentication as well, to better protect FIDO-enabled devices.

The U.S. government has also been urging the move away from passwords, which it has called the “weakest link” in security.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Scrotus
    Fingerprints for some of us may also present a problem. I'm a senior citizen and my fingerprints as we normally see them are mostly gone. The last time I needed to submit fingerprints the system had a really difficult time reading them. I wonder if lack of fingerprints will be a pretty widespread problem.
  • anathema_forever
    Fingerprints seem like a bad way to go anyway for the digital age. Database breaches getting peoples cheesy passwords, who are just a pet name etc aren't a huge loss. Depending on fingerprints and those getting lost is catastrophic so it would be best if we just didn't use them like that anymore. Easy to make massive and random digital keys so why even do that to ourselves.
  • Abbe Normal
    If UK government supports some security technology for common use then you can bet it is already stuffed with government backdoors. Would you use the keylock that was recommended by a guy who broke into your house yesterday? :-)
  • targetdrone
    Biometric security is a stupid idea because once compromised, that it's, game over. You can't change your fingerprints, or retinas , like you can with a password and authentication key.

    Don't think that information can't be hacked? Last Year over 5 million Federal employees and contractors has their fingerprints stolen during the Office of Personal Management data-breach.
  • rantoc
    Yeah, once the biometric readings for a person is out then it would be an all out access to all sites who uses that said biometric (be it fingerprint, retina ect.). Its like having a single password on every site, once one is breached - Good luck!

    Until that "once breached your totally screwed" issue can be resolved, good luck getting my fingerprint as password - I don't like to give a clever hacked all out access once one site is hacked. Speaking ab out collecting ALL EGGS IN ONE BASKET... guess what basket WILL BE HACKED?
  • drajitsh
    What we need is support on financial sites for password mangers. most sites disable them, especially for financial transactions. Practically, given enough time and effort any system can be hacked. If not through a choice vulnerability then an inside job. Putting all your eggs in one basket forever is not a good idea.
  • Joker41NAM
    Anyone want to place bets on how long until the first major biometric authentication breach? (last gov one doesn't count, wasn't being used for authentication)
  • shiitaki
    Replace passwords? Not likely! The government is pushing for biometrics? The government who lost millions of fingerprints in a data breach?

    The NSA are a bunch of self important jackasses and have little to contribute to the security of the world, more like they may be one of the greatest threats to out security with their backdoors being installed everywhere! Notice the NSA isn't asking congress for a backdoor in to hard drive encryption? The NSA wants to get rid of passwords because then they can't force you to hand over your data since only pins and password are protected under the constitution.

    The NSA getting rid of passwords is self serving!
  • maxwellmelon
    its simple lets get a secure chip implant one in everyone arm, forehead. password problem solved. the solution was only predicted 2000 years ago.
  • kittle
    when my passwords is stolen, i can change it and use a different one. I cant change my fingerprint.