The tools required to become less dependent on password-based security are now in place, according to the Fido Alliance, a consortium of tech industry partners, including Amazon, Facebook, Google, Microsoft and Intel, that are working together to establish standards for strong authentication.
“This is the year to deploy Fido Authentication because all the pieces are there to do it, all the platforms are supporting it, and so there are no longer any reasons to delay,” said Andrew Shikiar, chief marketing officer for Fido.
“While organisations may not be able to eliminate all passwords immediately, 2019 is definitely the year that they could start reducing their dependency on passwords and reducing the burden of managing passwords, and we should start to see password-free online experiences within the next two years.”
The alliance was formed in July 2012 to enable Fast IDentity Online (Fido) by addressing both the lack of interoperability among strong authentication technologies and the burden users face in creating and remembering multiple usernames and passwords.
Since then, Fido has published the Universal Authentication Framework (UAF), a passwordless protocol in which the authenticator verifies the user locally (for example by fingerprint) and then proves possession of a private key to the online service, and the Universal Second Factor (U2F) protocol, which adds a Fido second factor, typically a Fido-compliant USB security key, to existing password-based logins.
In both cases the private key never leaves the user's device, whether smartphone or security key, and the server holds only the corresponding public key. That lets organisations move away from centralised stores of shared secrets, the target of large-scale credential breaches, to authentication performed locally on the device.
“When the user scans their fingerprint, for example, that unlocks the private key, which then communicates with the public key on the server, changing the whole dynamic of authenticating people by using public key cryptography in a decentralised way,” said Shikiar.
“There is a lot of metadata in the handshake between the private and public key, including data about the URL and the website, so it is very resistant to phishing.”
Fido has also set up a certification programme to ensure the interoperability of products and services that support the Fido authentication standards, and more recently completed the Fido2 project, comprising the World Wide Web Consortium (W3C) Web Authentication specification (WebAuthn) and Fido’s corresponding Client-to-Authenticator Protocol (CTAP).
Fido claims that, collectively, Fido2 enables users to authenticate to online services in both mobile and desktop environments using common devices now that multiple major web browsers, including Chrome, Firefox and Microsoft Edge, have implemented the standards and Android, Windows 10 and related Microsoft technologies have built-in support for Fido Authentication.
“There are other ways to do public key cryptography and biometric authentication, but with a standards-based approach, you have greater scalability and flexibility because there are literally hundreds of products that are now certified to interoperate with each other, which means organisations need not be locked into any supplier,” said Shikiar.
The completion of the Fido2 standardisation efforts and the commitment of leading browser suppliers to its implementation opens a new era of ubiquitous, hardware-backed Fido Authentication protection for everyone using the internet, according to the alliance.
“While a world without passwords is the end goal, right now our focus is on Fido enablement in devices and browsers, and with that will come less and less use of passwords, reducing the likelihood of scalable attacks like we saw recently with Collection #1 that leaked 772.9 million emails, 21.2 million passwords and 1.1 billion unique combinations of email addresses and passwords,” said Shikiar.
“Passwords are a huge risk to businesses. The vast majority of breaches are caused by weak and shared credentials, which opens up a huge attack surface for businesses. Passwords also cause friction, with 50% of shopping cart abandonment due to password issues and a large proportion of costly IT support calls within enterprises related to passwords.”
According to Fido, the cost of passwords underlies the need for organisations to switch to an alternative method of authentication that will de-risk the process and cut costs.
In the US, a report shows that the tide is turning, with data breaches, phishing and regulations driving rapid adoption of strong authentication, and that the use of cryptographically backed strong authentication for consumers has tripled since 2017 and has increased by nearly 50% for enterprise authentication.
This form of authentication is not susceptible to phishing, man-in-the-middle and/or other attacks targeting credentials, which are known vulnerabilities with passwords and one-time passwords (OTPs), according to Javelin Strategy & Research's State of strong authentication 2019 report, sponsored by the Fido Alliance.
Regulation is accelerating strong authentication adoption, the report said, with nearly 70% of businesses polled saying they face strong regulatory pressure to provide strong authentication for their customers with the introduction of the revised Payment Services Directive (PSD2), along with data protection regulations such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Underestimating the risks
Organisations holding out against strong authentication are underestimating the risks to their businesses and customers, the report said, noting that two-thirds of businesses that use only passwords to authenticate their employees do so because they believe passwords are “good enough” for the type of information they are protecting, despite cyber criminals continuing to target a wide variety of consumer and business information.
The report also pointed out that not all strong authentication is created equal. According to Javelin, adopting strong authentication solutions that are based on standards and employ cryptographic security, like Fido Authentication, can help organisations to lower the cost of keeping up with regulation, customer expectations and increasingly sophisticated fraud schemes.
The report said it is time to move away from OTPs, with cyber criminals using social engineering, phone porting and malware to compromise OTP authenticators. Javelin recommends adopting cryptographically backed strong authentication instead.
“The increase in strong authentication adoption makes sense given that while data breaches, phishing threats and regulatory pressures have risen, the financial and user experience costs associated with implementing strong authentication have decreased,” said Al Pascual, senior vice-president and research director at Javelin.
“What is less encouraging is that we are finding that the holdouts believe passwords alone are sufficient security. These companies need to realise that even data they may think is low-risk can provide significant value to fraudsters and expose them to regulatory scrutiny.
“As such, they need to make plans to move to strong authentication now or they will find themselves an attractive target for cyber criminals.”
Brett McDowell, executive director of the Fido Alliance, welcomed the fact that organisations are recognising that passwords, and even OTPs, do not provide sufficient protection.
“I hope this study helps to raise awareness of new cryptographically backed authentication capabilities, compliant with industry standards from the Fido Alliance and W3C, now widely available in leading web and mobile app platforms,” he said.
“These capabilities enable applications to bind account credentials to the user’s physical device, so they cannot be phished by remote attackers. Platforms are packaging these security capabilities into more convenient experiences for users by enabling them to use their finger, face or security key to log in to all of their favourite websites and applications.”