Why developers need to engineer-in FIDO two factor authentication now

This is a contributed piece for the Computer Weekly Developer Network written by Jason Kent in his role as director at Open Seas, a UK-based enterprise IT solutions company specialising in data protection and backup services

We know that Covid-19 and the invasion of Ukraine have put cybersecurity threats and attacks at the forefront of everyone’s mind. The pandemic specifically caused the sudden mass shift to remote working, and continued ‘hybrid’ working has opened big gaps through which hackers can gain access to sensitive information.

However, says Kent, behind the scenes this activity was already rampant long before these recent events made the news. So what does all this mean for developers now looking to build more secure applications for long-term user benefit?

Kent writes as follows…

The individual hobby hacker of yesteryear has given way to a world where organised crime and rogue nations use IT threats and attacks as a means to achieve the goals they have set themselves: quick earnings, stolen technology and quick political gains through chaos.

Recent reports have revealed that ransomware attacks rose by 92.7% in 2021 compared to 2020 levels, with 90% of breaches resulting from authentication issues. One way for bad actors to get around weak authentication is phishing, and indeed the UK Government’s Cyber Security Breaches Survey 2021 found phishing to be by far the most common type of attack, reported by 83% of the businesses that identified a breach or attack.

Outdated solutions

It is no wonder that breaches are on the rise: many businesses and consumers are using solutions that are outdated.

One of these areas is mobile app authenticators.

While they are a good entry-level form of 2FA (two-factor authentication), they are costly and not foolproof, because at the end of the day they are software that can be beaten. Most authenticator apps derive their codes from a shared secret (the seed) stored on the phone. If a bad actor steals that secret, they can generate valid codes and authenticate on the user’s behalf. And because a one-time password (OTP) or SMS code is just a string the user types in, it can be phished and relayed to the real site within its validity window; OTP apps and SMS verification are therefore the most susceptible to such man-in-the-middle attacks.

Further to that, SIM-swap fraud cases have increased 400% in the past six years. If hackers are taking over mobile phone numbers by having them assigned to new SIM cards, then using the SMS codes sent to them to access online bank accounts and other sensitive data, we need to question the value of any second factor that relies on the phone, and of SMS verification in particular.

The other area is passwords.

We are all prone to human error, and one small error can open a door to a hacker. Passwords are not a modern security solution and they do little to secure an individual’s identity in a cyber world. Even a strong password will not protect you from phishing, and a phished password is frequently the first step of a ransomware attack. That is why organisations such as Microsoft are pushing the ‘passwordless’ drive.

FIDO2 could defeat phishing

When building out business IT architecture, engineers should look at how FIDO2 authentication can help decrease the risk of breaches. The FIDO Alliance’s protocol pairs a user-controlled cryptographic authenticator (such as NEOWAVE’s Winkeo secure keys) with the browser’s WebAuthn API, and it can be linked to directories and apps such as Azure AD and Microsoft 365, so it has wide business use. Each login requires the user to be physically present, tapping the key, and typically to enter a PIN as well; the private key never leaves the device. This removes the risk of relying on mobile software apps that can be bypassed.

FIDO Alliance (Fast IDentity Online) approved keys and cards are also phishing-resistant by design. Each credential is bound to the website it was registered on: the browser, not the web page, tells the authenticator which site is asking, so on a look-alike malicious site the key either holds no matching credential or produces a signature that the genuine site will reject. Any login information the user hands to the bad actors will therefore not let them into the account via the real website, because they do not have the physical key required to authenticate. Unlike OTP-based MFA, which only holds until the code is relayed, the protection applies at the moment the credentials are phished rather than after the fact.
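To make that origin binding concrete, here is an added example in Go, written for this page and not taken from the article, from NEOWAVE or from any FIDO library. It models a simplified security key and the relying party’s verification step the way WebAuthn defines them: the key signs SHA-256(authenticatorData || SHA-256(clientDataJSON)), the browser-supplied clientDataJSON carries the origin and the server’s challenge, and the server checks origin, challenge, rpIdHash, user-presence flag and signature. The domains example.com and examp1e.com, the challenge strings, the in-memory credential store and the 37-byte authenticatorData layout are assumptions for the demonstration; a production relying party would use a WebAuthn library, store credentials per user and check the signature counter too.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

var errNoCredential = errors.New("authenticator: no credential scoped to this rpId")
var errBinding = errors.New("rp: origin or rpId does not match this relying party")
var errChallenge = errors.New("rp: challenge mismatch (stale or replayed assertion)")
var errSignature = errors.New("rp: signature does not verify")

// clientData is the part of WebAuthn CollectedClientData used here; the browser sets Origin, page script cannot.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator is a simplified (assumed) model of a FIDO2 security key: one P-256 key per rpId, signing only for that rpId.
type authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func (a *authenticator) register(rpID string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.creds[rpID] = k
	return &k.PublicKey
}

// signedDigest is what the authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// assert returns authenticatorData (rpIdHash || flags || signCount) and the signature.
// Flag 0x01 = user present (key tapped), 0x04 = user verified (PIN entered).
func (a *authenticator) assert(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	k, ok := a.creds[rpID]
	if !ok {
		return nil, nil, errNoCredential
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x05, 0, 0, 0, 0)
	sig, err = ecdsa.SignASN1(rand.Reader, k, signedDigest(authData, clientDataJSON))
	return authData, sig, err
}

// verifyAssertion is the relying party's side of the login ceremony.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Origin != origin {
		return errBinding
	}
	if cd.Challenge != challenge {
		return errChallenge
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) || authData[32]&0x01 == 0 {
		return errBinding
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, clientDataJSON), sig) {
		return errSignature
	}
	return nil
}

// scenarios runs four login ceremonies against example.com (names and challenges are constructed for the demo).
func scenarios() (genuine, phished, replayed, tampered error) {
	const rpID, origin = "example.com", "https://example.com"
	auth := &authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	pub := auth.register(rpID)
	cd := func(origin, challenge string) []byte {
		b, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
		return b
	}
	// 1. Genuine login from https://example.com with a fresh server challenge.
	c1 := cd(origin, "n0nce-1")
	ad, sig, _ := auth.assert(rpID, c1)
	genuine = verifyAssertion(pub, rpID, origin, "n0nce-1", c1, ad, sig)
	// 2. Look-alike site: the browser scopes the request to examp1e.com, for which the key holds no credential.
	_, _, phished = auth.assert("examp1e.com", cd("https://examp1e.com", "n0nce-2"))
	// 3. Attacker replays the captured genuine assertion after the server has issued a new challenge.
	replayed = verifyAssertion(pub, rpID, origin, "n0nce-3", c1, ad, sig)
	// 4. Attacker rewrites clientDataJSON to carry the new challenge; the signature covers the original's hash.
	tampered = verifyAssertion(pub, rpID, origin, "n0nce-3", cd(origin, "n0nce-3"), ad, sig)
	return
}

func main() {
	g, p, r, t := scenarios()
	fmt.Println("genuine:", g, "\nphished:", p, "\nreplayed:", r, "\ntampered:", t)
}
```

Run it with `go run`: the genuine login verifies, the look-alike site never gets a signature at all because the browser binds the request to its own domain, a replayed assertion fails the challenge check, and an assertion whose clientDataJSON has been altered fails the signature check. The point to notice is that nothing the user types or sees is the secret: the origin and the challenge are signed by a key that never leaves the device, which is exactly what an OTP code lacks.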

Increased security, at a fraction of cost

Implementing FIDO solutions also makes business sense when looking at the cost.

A FIDO key costs around £25 per person, which is very affordable compared to around £500 per person for a smartphone running an authenticator app. Google has already rolled out U2F security keys across its organisation, and the company has claimed that since requiring every employee to use a physical security key it has had no account takeovers from phishing.

Cyber security has never been more important, and that is why engineers need to take every step necessary to ensure sensitive information is protected with the latest secure technology.