Reducing the use of passwords

Enterprise IT News chats with Andrew Shikiar, Executive Director of the  FIDO Alliance, about a possible password-less future.

EITN: Is facial recognition a less viable option now that the world is donning masks?

Andrew: In the context of using facial recognition for unlocking your device or logging into an app, it’s true that users are mostly needing to opt for their option B, such as using fingerprint or PIN. Many companies are reporting that they are advancing their technology to be able to recognise users even if they are wearing a mask. The biometrics industry is constantly innovating and adapting, so I don’t see this as an issue for support for facial biometrics for authentication. FIDO standards, in particular, support a wide variety of authentication mechanisms in addition to facial biometrics. But in the end, regardless of the authentication mechanism, there needs to be more awareness on ensuring that the respective authentication methods are secure.

EITN: With deep fake technology becoming more sophisticated, very lifelike and prevalent, the fact that there exist man-made algorithms to replicate a person’s face, and a person with an identity, is facial recognition rendered useless now? If yes or no, why? How can organizations be sure that people accessing the corporate network or joining business calls remotely are who they say they are?

Andrew: No, we wouldn’t say useless. It’s certainly true that with biometrics, we are in a new arms race between the hackers who are trying to defeat biometrics with higher resolution spoofs, and the biometrics industry who keeps innovating. This is the innovation of the sensitivity of their sensors as well as their PAD (presentation attack detection) capabilities, e.g. liveness detection — having the user blink when using a face recognition system or having them say a passphrase when using a voice recognition system, or having the fingerprint sensor read below the skin for characteristics that cannot be spoofed by a fake fingerprint, etc. The technology today can detect a large majority of spoofs.

When it comes to deep fakes or very sophisticated spoofs, it’s worth noting that they take the kind of time and effort that is simply not scalable. So the majority of users of biometric facial recognition aren’t going to be targeted with this kind of attack.

But, the threat still exists. This is why the FIDO Alliance and standards dictate the use of biometrics together with proof of possession of the authorized user’s personal device. This removes the ability to do remote spoofing and takes away the possibility of doing any kind of scalable attack with biometric data.

EITN: What are the risks of relying on passwords for authentication?

Andrew: Passwords are hard to remember. The average consumer keeps track of more than 191 pairs of usernames and passwords.

Very often, these passwords are not unique. Two in three users reuse passwords, or they make minor variations of a few passwords – that makes them easy to crack. Stolen and reused credentials are implicated in 80% of hacking-related breaches (2019 Verizon Data Breach Investigations Report), and hackers attack every 39 seconds (Clark School study at University of Maryland). When we rely on just passwords, we are opening ourselves to these risks.

The use of passwords needs to be reduced, if not replaced. The problem in the past was that users are accustomed to the password user experience, and online service providers don’t want the cost and complexity of developing and provisioning their own dedicated solutions. This is why FIDO Alliance created open standards for authentication that is both easier for users and more secure and easier to implement for organisations.

EITN: What can or should be the new authentication norm for mobile workers?

Andrew: It’s time we transition away from our dependence on single-factor authentication methods, like passwords, which most of us don’t have best practices for.

A passwordless future, such as one that adopts multi-factor authentication (MFA), should be the norm. MFA verifies the user’s identity by requiring multiple credentials, and it can be used by organizations across industries, no matter the size.

Rather than just asking for a username and password, MFA asks for other, additional, credentials, such as a code from the user’s smartphone, a hardware security key, a fingerprint, or facial recognition.

Traditional usernames and passwords can be stolen, but with MFA, it creates multiple layers of security to help increase the confidence that users requesting access are actually who they claim to be. And that’s what makes it important – with MFA, a cybercriminal may steal one credential but will be thwarted by having to verify identity in a different manner. Reiterating on the wall analogy, it means that the attacker will be faced with another wall even after breaking one. But what’s best, is moving away from passwords entirely. Our standards remove the password from the authentication flow, and instead relies on much stronger and advanced security technology to log the user in.

EITN: How can we replace passwords with faster and more secure login, without compromising user experiences?

Andrew: The FIDO Alliance, FIDO being short for Fast IDentity Online, is one of the ways that can help us move towards a passwordless future.

With FIDO, authentication protocol layers are standardised. What that means is that other authentication methods such as biometrics, PINs and second–factors that can be used with a variety of online services in an interoperable manner – ensuring a safe and easy to implement MFA.

Authentication is done by the user’s device proving possession of the private key to the service by signing a challenge. This means when the user returns to the site or app, he verifies himself through a simple gesture such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.

FIDO’s standards also champion simple, strong authentication, making the case that user data cannot be hacked from a server if it remains on the user device. Designed from the ground up to protect user privacy, these protocols do not provide information that can be used by different online services to collaborate and track a user across the services – thereby eliminating the threat of phishing or account takeover.

With end users constantly looking for ways to reduce the hassle that passwords bring, FIDO provides single gesture convenience for the user that eliminates the need to remember multiple username-password combinations. This ensures that end users not only receive a faster and more secure authentication, but also a more seamless login method compared to password authentication.

EITN: How are device manufacturers and major websites  working with the FIDO Alliance to rectify the problem of our heavy reliance on passwords?

Andrew: Our FIDO Certified program allows device manufacturers and developers to deploy FIDO Authentication solutions worldwide. Once certified, a FIDO2 Certified Server can accept any FIDO2 Certified authenticator, irrespective of its manufacturer. As we have long worked with Google, any compatible device running Android 7.0+ is now FIDO2 Certified out of the box.

Leading web browsers like Google Chrome, Microsoft Edge, Mozilla Firefox and Apple Safari are already supporting FIDO authentication. For developers, that means integrating FIDO’s strong authentication to apps and websites is as simple as an API call. The resulting JSON message from the API call is sent back to the server and the server will validate the challenge, signature, origin, and other key security characteristics of the registration message.

Most importantly, it doesn’t compromise user experience as it runs in the background, marrying security with convenience to kill our heavy reliance on passwords.