UK To Invest In FIDO-Based Passwordless Systems To Improve Security

The FIDO Alliance, which includes members such as Google, Microsoft, ARM, Intel, and PayPal, as well as banks and many other companies, aims to get rid of passwords through new industry standards for biometric authentication and for two-factor authentication. The UK government recently announced that it will invest £1.9 billion ($2.3 billion USD) in cybersecurity over the next five years, and that includes adoption of devices capable of FIDO authentication.

Security By Default

The UK government’s new strategy for “defensive” cybersecurity is to ensure that future devices that arrive on the market are “secure by default.” The recent massive DDoS attacks caused by the many insecure IoT devices that come to market may have been one of the reasons why the UK government chose this strategy.

In its strategy document, the UK government said:

[We will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.

FIDO said that the UK government realized the same thing the group did--that passwords are an unsustainable method of authentication, something of which all the major data breaches in the past few years have reminded us.

Ending "Security Fatigue"

FIDO also noted that users want strong security to be accompanied by a positive user experience. As a recent NIST report concluded, users--especially in the enterprise environment--are starting to feel “security fatigue.” This is due to the dozens of passwords they have to manage to get into the various applications that they need to use.

The FIDO authentication methods promise to enable easy access to devices and applications through fingerprints, selfies, or a single touch of a security key. Authentication through facial recognition has had a bad track record, so it remains to be seen if FIDO’s implementation will be more resilient to attacks than previous facial recognition solutions.

Fingerprints should offer reasonable security for most people, as long as governments don’t also decide to store everyone’s fingerprints in their hacking-prone databases, which could then expose everyone’s devices when a data breach happens.

The FIDO Alliance is also enabling strong two-factor authentication, so ideally the biometric authentication will almost always be accompanied by some form of second-factor authentication as well, to better protect FIDO-enabled devices.

The U.S. government has also been urging the move away from passwords, which it has called the “weakest link” in security.

18 comments
  • Scrotus
    Fingerprints for some of us may also present a problem. I'm a senior citizen and my fingerprints as we normally see them are mostly gone. The last time I needed to submit fingerprints the system had a really difficult time reading them. I wonder if lack of fingerprints will be a pretty widespread problem.
  • anathema_forever
    Fingerprints seem like a bad way to go anyway for the digital age. Database breaches getting people's cheesy passwords, which are just a pet name etc., aren't a huge loss. Depending on fingerprints and those getting lost is catastrophic, so it would be best if we just didn't use them like that anymore. Easy to make massive and random digital keys, so why even do that to ourselves.
  • Abbe Normal
    If UK government supports some security technology for common use then you can bet it is already stuffed with government backdoors. Would you use the keylock that was recommended by a guy who broke into your house yesterday? :-)