Some colleagues and I got into a short discussion about the FIDO alliance last week. That’s the Fast Identity Online Alliance, which was formed in July 2012 with the aim of addressing the lack of interoperability among strong authentication devices. They also wish to do something about the problems users face with creating and remembering multiple usernames and passwords. According to their web site, “the FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plugins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security.”
There’ll be more from us in the coming weeks and months about FIDO and other emerging protocols, but our discussion got me thinking about something else.
There are now more than 50 members of the alliance, and someone mentioned that Google was an early joiner – not a founding member, but getting on board soon after. The question was Why Google would do this and what that portended for FIDO’s future.
Obviously it’s good to have a big name like Google on board. Along with other well-known names (Lenovo, Blackberry, MasterCard, Yubico and more) the Google brand makes for a bigger “buzz” and makes getting press (and, let’s face it, analyst) coverage easier. There’s no question that having Google on board is a major plus for FIDO. But is FIDO a plus for Google?
Google is known for supporting many authentication and identity protocols and services. They were on board early with OpenID, OpenID Connect, SCIM (System for Cross-domain Identity Management), Oauth and Oauth2, SAML and more. In fact, there are few internet friendly identity-related mechanisms that Google doesn’t support. But why?
One clue is the person responsible for all this activity. Eric Sachs is Google’s Group Product Manager for Identity. On his Google+ site he identifies his goal rather succinctly: Eliminate Internet passwords. He’s very serious about that.
One first step was the implementation of two-factor authentication (2FA) by the search giant last year. Rumor is that in the not too distant future two-factor AuthN will be required by the company. FIDO, of course, has two-factor authentication as one of the ways they wish to strengthen on-line account access.
Why are Google doing this? 2FA is not as easy to use as a simple username/password. It is, though, more secure. And Google wants you to think that their services are more secure than their competitions’. If you feel your account (and your content) is more secure with Google Docs, Google Drive, YouTube, Google+, etc. then you are more likely to use those services rather than another. Since Google’s business is based on advertising, the more “eyes” it gets on its services the more ads it sells and for more dollars per ad.
The second part of the equation is that by supporting strong authentication Google is more assured that you are who you say you are. You may remember the brouhaha that ensued when Google required so called “real names” for Google+ back in 2011 (the aptly named “Nymwars”). Google’s advertising revenue is enhanced when it can deliver ads to you that resonate with your tastes, your wishes and your lifestyle – unlike Walmart, whose marketing gaffe (selling smoked hams to Jews) went viral. By making sure it’s really you, and by tying together everything you do on Google properties, the company ensures that it has the best targeted marketing in cyberspace.
Targeted advertising is another can of worms, which I won’t get into here. But, if that’s what keeps Google working for stronger authentication and password elimination, then I’m OK with that.
Martin Kuppinger suggested another possible reason: Google not only wants to eliminate username/password (which makes sense), they want to end up with strong authentication that does not require massive cost and logistics (deploying hard tokens etc.) for them. This is just not feasible for Google. And it is a problem all larger organizations are facing, while smaller organizations can handle it. Thus Google is looking for standards that allow them to reuse existing strong authentication in a flexible way. Makes sense to me.
To get back to the beginning of this piece, it appears that Google supports any protocol or system that shows any promise of bringing stronger authentication. So the question remains, is FIDO the right vehicle to do that? I’ll look at that question next time. For now, take a look at what Martin had to say last spring in “The FIDO Alliance – game changer for Internet Security?”