The FIDO (Faster IDentity Online) alliance was formed in 2012 with the lofty aim of “developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services”.
The alliance welcomed Microsoft in late 2013, by which time it already counted Google, PayPal and MasterCard among its members. The group launched its first set of specifications just a couple of months ago, in December 2014.
These specifications aimed to pin down how various types of passwordless and second-factor technologies – ranging from smartphone fingerprint readers to USB dongles – will interact with the various sites and services which want to use them to better identify their users.
Now Microsoft has stepped up to the plate and promised to make its glitzy new version of Windows compliant with those specifications, allowing all the devices and software already built along the lines provided by the spec to simply plug in and work when the new platform is released.
Or has it?
You would certainly think that from the headline of the Microsoft blog post making the announcement:
Microsoft Announces FIDO Support Coming to Windows 10
And also from most of the coverage the announcement has received, reveling in the prospect of a future free from the shackles of complexity, length and odd characters that current password systems keep us tangled up in.
Something in the wording of the Microsoft blog post doesn’t sit quite right though; it seems a little misaligned with this joyous feeling.
It doesn’t exactly say “Yea, for we have looked upon the FIDO specification and seen that it is the way and the truth, and we shall follow that way”.
Rather it reads as follows:
Microsoft has contributed design inputs to the Fast IDentity Online (FIDO) Alliance, to be incorporated within FIDO 2.0 Technical Specifications.
And a little later:
Our current implementation in the Windows 10 Technical Preview reflects our inputs into the FIDO 2.0 Specification Technical Working Group
Now this may be overly sceptical, but that sounds a lot more like “Yea, we have developed our Windows 10, and we have gone to FIDO, and we have said look, this is how we’re going to do it, so please rewrite your specification to fit our way of doing things.”
This may be quite wrong of course; it could be that the 1.0 specification just needs a few minor tweaks, and that all those developers of products and websites and other in-betweeny things, the ones who have been beavering away over the last few months to make sure they fit in nicely with those (still pretty new) 1.0 specifications, are all OK and their work is done.
On the other hand, it could mean that something didn’t sit nicely with the way Windows 10 was rolling along, and that there need to be some big changes made in the spec, which may well mean some headaches and extra work to do for everyone else.
That’s the beauty of being a multi-hundredweight gorilla – once you’ve set your mind to something, it’s pretty easy to get everyone else to agree to your way.
Perhaps coincidentally, FIDO recently reorganised its management, with Microsoft Group Program Manager Dustin Ingalls taking the reins as president.
Windows 10 will be released – according to those in the know – some time later in 2015, maybe around September. And it seems like it will almost certainly have some some sort of “password replacement solution”.
Which, potential implementation headaches aside, will surely be a good thing.
In the interests of neutrality, it’s worth pointing out that other password-killing initiatives are also available.