WSJournal. PayPal Embraces New Digital Security Framework
PayPal is Tuesday helping to launch the FIDO Alliance, which will later this month introduce specifications for an open technology standard intended to help companies and individuals authenticate their online identities. Michael Barrett, chief information security officer of PayPal, a subsidiary of eBay Inc., as well as president of the FIDO Alliance (FIDO stands for “fast identity online”), says the standard meets “a large, suppressed demand for this technology.” At present, he said, “there are no security alternatives that meet our needs.” The question remains, however, whether this support from one of the world’s largest e-commerce sites, along with commitments from a number of important hardware vendors, will provide the new standard with enough traction to become truly standard.
The rising incidence — and cost — of cyber crime is creating significant challenges for companies that rely on the Internet for commerce with consumers, or for communication with business partners. Companies have had to rely either on security technology developed at the dawn of the Internet Age, or else on proprietary applications that don’t work in all cases, and which make it more difficult for end users to interact with their systems. “There are a hundred vendors that build authentication technology, but none of them interoperate with one another,” Mr. Barrett told CIO Journal.
Under the proposed system, users accessing a website or application running this technology will be asked to initially bind a biometric piece of information or token to their existing user name and password combination. That creates a three-way bind between the user, the device and the new token, which the device uses to authenticate users on their subsequent visits to the same site or application. Authentication then occurs between the device and the site or application calling for the authentication. Conversely, users, and hackers pretending to be them, will no longer be able to identify themselves by simply typing a user name and password.
The new framework relies largely on existing technologies, such as the fingerprint swiping sensors that have been available on most laptops produced by Lenovo Group Ltd. since 2004. The device records biometric information provided by the end-user and stores it locally in encrypted form. According to Mr. Barrett, the technology is likely to be embraced by end users because it’s easy to use, and because their biometric information remains on the device rather than being stored in a third-party database.
Lenovo, chipmaker Infineon Technologies AG, and Validity Sensors Inc. are among the founding members of the FIDO Alliance, and their presence is one important reason Mr. Barrett believes the standard will quickly gain broad market adoption. “We have credible representation from the technology providers in different categories,” he said. He noted that the same strategy (standard creation by companies relying on the technology, along with broad vendor participation) was employed by the Liberty Alliance, of which he was a part, and which created the SAML 2.0 digital identification standard in 2003.
Sites like PayPal, or corporate IT departments, can implement this authentication technology using standards-based software that prompts end users to create biometric or token-based authentication. The software then authenticates the user with the originating site via an encrypted message. The first vendor offering this software is Nok Nok Labs Inc., a startup which Tuesday said it received $15 million in Series A funding. The company, which helped found the FIDO Alliance, clearly has a head start on potential competitors, but says the open standard is available to all comers. Phil Dunkelberger, president and CEO of Nok Nok Labs, says “it’s going to take ecosystem adoption” for the standard to truly become ubiquitous.
Indeed, adoption of standards is a virtuous cycle. “How standards take is, deployment wins,” he says.
Mr. Barrett, who is one of the founders of Nok Nok Labs and remains on its board, says he has no investment in or other financial relationship with the company. “It’s necessary for the space to have a rich ecosystem of technology providers, and it’s necessary to have at least one company to do what [Nok Nok Labs] does. But they should not be the only company in a mature ecosystem,” he said.
However, the FIDO Alliance is still a long shot to succeed, according to Eve Maler, an analyst with Forrester Research Inc. who was briefed on the technology. She questioned the fact that Nok Nok Labs is currently the only vendor providing the crucial middleman service. “How much of an ecosystem is it if there’s only one provider doing the proof of concept?” she said.
“There’s sanction [of a standard by a governing body] and then there’s traction. Without traction, you don’t have anything,” she said.