Time to deploy strong authentication, says Fido

The tools required to become less dependent on password-based security are now in place, according to the Fido Alliance, a consortium of tech industry partners, including Amazon, Facebook, Google, Microsoft and Intel, that are working together to establish standards for strong authentication.

“This is the year to deploy Fido Authentication because all the pieces are there to do it, all the platforms are supporting it, and so there are no longer any reasons to delay,” said Andrew Shikiar, chief marketing officer for Fido.

“While organisations may not be able to eliminate all passwords immediately, 2019 is definitely the year that they could start reducing their dependency on passwords and reducing the burden of managing passwords, and we should start to see password-free online experiences within the next two years.”

The alliance was formed in July 2012 to enable Fast IDentity Online (Fido) by addressing the lack of interoperability among strong authentication technologies and addressing the problems that users face with creating and remembering multiple usernames and passwords.

Since then, Fido has published the Universal Authentication Framework (UAF) for enabling an authenticator to verify a user to a device and the Universal Second Factor (U2F) protocol for enabling second-factor Fido authentication security to be added to password-based systems through an authenticator such as a Fido-compliant USB key.

This approach enables organisations to move away from vulnerable centralised credential stores to being able to authenticate locally to a device such as a smartphone or security key, which stores the private key, and the server holds only the public key.

“When the user scans their fingerprint, for example, that unlocks the private key, which then communicates with the public key on the server, changing the whole dynamic of authenticating people by using public key cryptography in a decentralised way,” said Shikiar.

“There is a lot of metadata in the handshake between the private and public key, including data about the URL and the website, so it is very resistant to phishing.”

Fido has also set up a certification programme to ensure the interoperability of products and services that support the Fido authentication standards, and more recently completed the Fido2 project, comprising the World Wide Web Consortium (W3C) Web Authentication specification (WebAuthn) and Fido’s corresponding Client-to-Authenticator Protocol (CTAP).

Fido claims that, collectively, Fido2 enables users to authenticate to online services in both mobile and desktop environments using common devices now that multiple major web browsers, including Chrome, Firefox and Microsoft Edge, have implemented the standards and Android, Windows 10 and related Microsoft technologies have built-in support for Fido Authentication.

“There are other ways to do public key cryptography and biometric authentication, but with a standards-based approach, you have greater scalability and flexibility because there are literally hundreds of products that are now certified to interoperate with each other, which means organisations need not be locked into any supplier,” said Shikiar.

The completion of the Fido2 standardisation efforts and the commitment of leading browser suppliers to its implementation opens a new era of ubiquitous, hardware-backed Fido Authentication protection for everyone using the internet, according to the alliance.

“While a world without passwords is the end goal, right now our focus is on Fido enablement in devices and browsers, and with that will come less and less use of passwords, reducing the likelihood of scalable attacks like we saw recently with Collection #1 that leaked 772.9 million emails, 21.2 million passwords and 1.1 billion unique combinations of email addresses and passwords,” said Shikiar.

“Passwords are a huge risk to businesses. The vast majority of breaches are caused by weak and shared credentials, which opens up a huge attack surface for businesses. Passwords also cause friction, with 50% of shopping cart abandonment due to password issues and a large proportion of costly IT support calls within enterprises related to passwords.”

According to Fido, the cost of passwords underlies the need for organisations to switch to an alternative method of authentication that will de-risk the process and cut costs.

In the US, a report shows that the tide is turning, with data breaches, phishing and regulations driving rapid adoption of strong authentication, and that the use of cryptographically backed strong authentication for consumers has tripled since 2017 and has increased by nearly 50% for enterprise authentication.

This form of authentication is not susceptible to phishing, man-in-the-middle and/or other attacks targeting credentials , which are known vulnerabilities with passwords and one-time passwords (OTPs), according to Javelin Strategy & Research’s State of strong authentication 2019 report, sponsored by the Fido Alliance.

Regulation is accelerating strong authentication adoption, the report said, with nearly 70% of businesses polled saying they face strong regulatory pressure to provide strong authentication for their customers with the introduction of the revised Payment Service Directive (PSD2), along with data protection regulations such as the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act.