Skip to main content

Consortiums and Standards in Authentication

The FIDO Alliance published their standards recently.  I was amazed to find  out from Eve Maler  that the license does not include any implementation rights.  You just get to look at them.  I find this fascinating in today's world of prolific coding.  Verisign, on the other hand, published the Oauth protocol as an IETF standard, which Google made popular.  WiKID is not in danger of becoming a market-dominating standard (yet), but we have an open-source version that mitigates many of risks of choosing WiKID.  This led me to think about what's really important from a buyer's perspective.

Buyers like standards (either industry-chosen or market-created) because of:

  • Interoperability.  Standards help things communicate. RADIUS allows my Cisco VPN to talk to AD and then to a WiKID Strong Authentication server.
  • Substitution.  RADIUS allows me to swap out my first Linksys VPN/Router with a Cisco without changing my AD or WiKID Server.  It allows me to swap out an expensive two-factor server with a WiKID server.
  • Reduced risk of obsolescence.  I gradually had to get rid of all my BetaMax equipment as the video store's shelves gradually went from 50/50 VHS/Beta to 100% VHS.
  • Reduced costs.  An open standard should reduce costs.  There should be a number of suppliers.  It's easier to hire an employee that knows a standard.  If a person has worked in enterprise IAM and security, chances are they know LDAP, RADIUS, SAML, etc.

It is too early to say if the Fido Alliance provides any of these benefits.  Interoperability is already provided on the back-end by Radius inside the firewall and SAML/OpenID Connect/etc outside.   There's no need to interoperability on the client itself.  While it might be nice to have one token client, it might also be nice not to.   (What's needed is a trusted computing platform for all authentication mechanisms.)

RADIUS also allows extensive substitution.  Switching costs would consist of token distribution and user registration.  WiKID minimizes sunk costs via our subscription licensing (as do services).  One strategy to pursue during this time of confusion is to avoid any large deployment costs, going with low-cost software solutions or services until standards develop.  Let the pioneers get the arrows, but do what you should to minimize your risks.

Because for enterprises obsolescence is only an issue if you don't get your money's worth.  If you spend a great deal of money on something that doesn't work or needs to be replaced, you are a poor steward of your shareholder's capital.  Keep your network running Token Ring until Ethernet cards are dirt cheap.  

WiKID's open-source version provides many of the benefits of a standard.  In the unlikely event we went out of business (we are cash-flow positive), our customers could hire developers to improve and maintain the code.  The costs would be minimal.  The code could be extended via our API to support any additional protocols.  

I posited on Twitter that WiKID could release our architecture as a part of a consortium and give all of our customers a free membership. We would be well ahead of Fido in deployments.  We wouldn't have members like Google, but clearly Google is playing the field.  They want a solution and perhaps they realize that there will not be a single winning standard.

That's my belief:  There won't be a winning standard in two-factor authentication.  Fido seems aimed at the consumer authentication problem.  I think that market is splintered.  What will be needed for online banking will be different than an online health exchange or an email service.  The differences are too great and the benefits of standardization are too small.   Most breaches would not be stopped by consumer authentication anyway.   It's the authentication of admins and users inside the firewall that have been causing problems.  

Current rating: 1

Recent Posts







RSS / Atom