The speed and convenience of the internet come with a common annoyance: too many passwords. Your computer, email, credit cards, shopping websites, bank, hotel loyalty programs, social media, cable channels, airline, and on and on. In fact, the typical user has about 90 online accounts and each needs a password.
Hopefully, each has a different password, because otherwise, you are only as safe as the least secure website you frequent. Hackers love to stuff passwords, a technique known as credential stuffing: taking a password stolen from one site and using it on other sites. Yet more than half of the passwords are reused.
Those statistics on the number of online accounts and reusing passwords come from the FIDO Alliance, an open industry association working to reduce the world’s excessive reliance on passwords.
FIDO – which stands for Fast IDentity Online – is working to change the nature of authentication with open standards that are more secure than passwords, simpler for consumers to use and easier for service providers to deploy and manage.
Officially founded in 2012 and publicly announced in 2013, FIDO started with just a handful of companies including Lenovo. As an original member of FIDO along with PayPal, Nok Nok Labs, Validity Sensors, Infineon and Agnitio, Lenovo continues to play a leadership role in moving FIDO standards from development to widespread adoption.
The FIDO Alliance has grown well beyond the original members and now includes more than 250 members including Microsoft, Google and Intel, with Apple being the latest to join in February. That rapid growth now has the group approaching widespread adoption of the FIDO standards and a corresponding jump in the number of FIDO Certified products.
There are now hundreds of FIDO Certified products – including Windows 10 – moving FIDO closer to its goal of FIDO products being the norm, not the exception.
The ongoing growth is very satisfying to Lenovo’s Joe Pennisi, who played a major role in founding and growing the FIDO Alliance. Pennisi, a Lenovo Distinguished Engineer and leader of the PCSD Global Security Lab, first heard about the idea in 2010, when he was contacted by Ramesh Kesanupalli, the founder and driving force behind FIDO. Pennisi knew Kesanupalli, the founder of Nok Nok Labs, from working together on fingerprint sensors in ThinkPads.
Pennisi brought Lenovo into the alliance from the start, joining as one of the four founding board members and serving as treasurer since the beginning, roles he still holds today. He has managed the group’s financial growth and investment in the alliance’s objectives.
As part of FIDO’s leadership, he helped recruit new members, an effort in which the alliance enjoyed steady success, bringing in Google in 2013 and Microsoft in 2014 among a steady influx of tech companies, web merchants and financial institutions interested in improving online security.
“What attracted me first of all was that it is a big worldwide problem that affects almost everyone,” Pennisi said. “We call it the ‘password problem’ because it’s a shared secret that can be attacked from either end: the user or the online service. If your password or its protection is weak, I can attack that, or if the database of passwords at a site isn’t well protected – and many aren’t – then I can attack that.”
The weakness of passwords also creates a great incentive for hackers, who can target databases of passwords and get millions, possibly billions, of user IDs and passwords.
Having worked on fingerprint readers for seven years, Pennisi knew there were better ways to secure online use, such as biometrics. But there was no industry standard for online services to work with biometrics such as fingerprint readers, which prevented widespread use.
When the FIDO Alliance started, the first challenge it faced was to create some working groups to establish the standard and work on the technical details of the protocol. That meant groups to create the standards at the heart of FIDO security.
With FIDO specs in development in 2013, David Rivera, a Lenovo Principal Engineer and Director of Device Security for Lenovo’s Global Security.
FIDO’s work is not done by any stretch. While the FIDO board has many large financial organizations, financial institutions remain one of the biggest areas without FIDO adoption.
“That sector has been rather cautious,” Pennisi said. “If you sign into a bank account, the bank really wants to know it’s you before allowing a connection, so that’s an area the group is working on.”
Pennisi said FIDO is starting to look at Internet of Things devices, the next big opportunity to improve cybersecurity, as well as Identity Verification to support standardized methods of verifying identities for both account provisioning and recovery, other areas in need of innovation to improve overall online security.
This blog post was originally written by Andy Barron for Lenovo StoryHub.