FIDO offers alternatives to password protection
Last week’s Data Strategy Office Hours with Debbie Reynolds was a trove of information around data security and authentication methods. In case you weren’t able to make it to the event, here are some of the highlights of the discussion.
The death of passwords
Office Hours kicked off with a discussion around the FIDO Alliance’s recent White Paper, which lays out its vision for solving the usability issues that have dogged password-less features and prevented widespread consumer adoption. Some heavy hitters contributed to the White Paper, including Google, Amazon and American Express.
“People need to find better ways to secure data. We know that even though passwords and usernames are the most ubiquitous way that happens, we also know that that’s probably not the best or the most secure way for people to access data,” Reynolds said. “NIST considers username/password as the lowest level of authentication.”
A lot of companies have tried to force people to use two-factor authentication or multi-factor authentication. But, as Reynolds explained, two-factor authentication can be phished as well. The challenge is to find a higher level of security that isn’t vulnerable to phishing because it ties authentication to hardware components.
Even though effective PKI and strong authentication solutions have existed for years, there have been barriers to widespread adoption. Consumers don’t like the user experience, and online service providers don’t want the cost and complexity of developing and provisioning their own dedicated solutions. The trick is finding approaches that improve security while creating less friction for the user.
Ben Stitt (Cybersecurity Policy Analyst) noted, “I was setting up an account with Chrome on PC for something the other day and instead of my YubiKey it used my phone as the physical MFA setup. It was the first I’d seen of that and it was really interesting.”
Using your phone as a roaming authenticator
The proposed additions to the FIDO/WebAuthn specs define a protocol that uses Bluetooth to communicate between the user’s phone (which becomes the FIDO authenticator) and the device from which the user is trying to authenticate. Bluetooth requires physical proximity, which provides a phishing-resistant way to leverage the user’s phone during authentication. With this addition to the FIDO/WebAuthn standards, two-factor deployments that currently use the user’s phone as a second factor will be able to upgrade to a higher security level (phishing resistance) without the need for the user to carry a specialized piece of authentication hardware (security keys).
“Let’s say someone has a job and they have a phone with Bluetooth. Part of the authentication process involves their proximity to another device that proves they’re the person they say they are,” Reynolds explained. “Let’s say you have a laptop and then you have a phone. If they’re in proximity to each other or you have access to both, they do a check for one another and that may be a way they can authenticate the user.”
“If you think about it, people have a variety of Amazon devices, whether it’s Fire Sticks or Echos. Then you have Google devices and Nest thermostats. Until we get the big players collaborating with FIDO, it’s still going to be patchwork,” said Joe Sireci, former CISO, Ann Taylor. “I can’t even wrap my head around identity in a distributed blockchain database. People still have challenges with cryptocurrencies. And yet, we’re saying, put your identity in a distributed database. Right? And lock it down. I’m just struggling with that whole concept.”
Want to attend Flyover Future’s Data Strategy or Cybersecurity Office Hours? Become a member of our IT Strategy Slack Community today — it’s free to join. We will send you details for all future events.