Why Your Business Needs FIDO Authentication Technology

For more than a decade, I’ve been advocating for the increased use of multi-factor authentication (MFA). Far too many online transactions are still done using simple passwords that are often reused, copied, accidentally given away, shared, stolen, forgotten and/or written on yellow post-its all over the office.

Here are two blogs from 2014 and 2021 that dig deeper into MFA:

How to be safe online using passwords – with another step: “The National Cyber Security Alliance takes the message of online safety to a city near you. A national campaign takes the message that multi-factor authentication is easy to use and available now, often for free.”

Email security, working from home and World Password Day: “What’s the future of passwords? More pressing, how are you doing with using (or reusing) passwords? Here are some helpful tips ahead of World Password Day on May 6th.”

But a new study from the UK found that only around a third of organizations use MFA. Another 2019 study in the United States found that around 57% of organizations used MFA, but most organizations did not use MFA for all applications or all access.

Ultimately, with the growing breadth and depth of cyber threats using stolen credentials, MFA is clearly better than passwords alone. More organizations and individuals should use MFA when it is available. For example, commonly used home apps like LinkedIn, Facebook, and Gmail offer free MFA that isn’t widely used.

ALTERNATIVES PLEASE – HOW OVERCOMING MFA IS A GROWING TREND

But this blog is about the rest of the story. Wired magazine recently published an intriguing article titled “A Sinister Way to Beat Multifactor Authentication Is on the Rise.”

Consider this excerpt: “Some forms of MFA are more powerful than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to overcome. Over the past few months, alleged script kiddies like the Lapsus$ data extortion gang and elite Russian state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated protection. …

“Many MFA vendors allow users to accept a phone app push notification or receive a phone call and press a key as a second factor,” Mandiant researchers wrote. “The threat actor [Nobelium] took advantage of this and sent multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, eventually allowing the threat actor access to the account.”

The article goes on to show new ways criminals can trick users, who believe their MFA authentication is secure, into granting access to systems.

WHAT IS FIDO?

This introductory video describes in simple terms how the Fast IDentity Online (FIDO) Alliance can help you:

The FIDO Alliance website begins with this message: “Easier, Stronger Authentication — Solving the Global Password Problem.”

Here is an excerpt: “The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. When registering for an online service, the user’s client device creates a new key pair. It keeps the private key and registers the public key with the online service. Authentication is performed by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can only be used after being unlocked locally on the device by the user. Local unlocking is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second factor device, or pressing a button.

“FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.”
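To make the two excerpts above concrete, here is an added Go sketch (not FIDO Alliance code, and far simpler than the real WebAuthn/CTAP message formats) of the registration and challenge-response steps, with one key pair per service so that no public key is shared across sites. The origin names and the origin-hash-plus-challenge signing layout are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator is the user's device: one private key per relying-party (RP)
// origin, never reused across sites, so services cannot correlate the user.
type Authenticator map[string]ed25519.PrivateKey
// RelyingParty is the online service; it stores only the user's public key.
type RelyingParty struct {
	Origin string
	PubKey ed25519.PublicKey
}
// Register creates a fresh key pair scoped to origin and releases only the public half.
func (a Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	a[origin] = priv
	return pub
}
// Challenge issues a fresh random nonce for a single login attempt.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	return c
}
// signedData binds the origin into the signed message (constructed layout: the
// origin is hashed first so origin and challenge bytes cannot blur into each other).
func signedData(origin string, challenge []byte) []byte {
	oh := sha256.Sum256([]byte(origin))
	return append(oh[:], challenge...)
}
// Sign answers a challenge for the origin the client actually connected to; a
// look-alike site gets nothing because no credential was ever registered for it.
func (a Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a[origin]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), true
}
// Verify checks the signature against the registered public key and this RP's own origin.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(rp.PubKey, signedData(rp.Origin, challenge), sig)
}
```

A signature is only valid for the exact challenge the service issued and for that service's own origin, which is what separates this model from a one-time code or push prompt that a user can be talked into handing over.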

EXAMPLES, PLEASE

Companies like 1Kosmos are part of the FIDO Alliance, and this FIDO Alliance database contains many FIDO-certified products to consider.

I encourage readers to explore this FIDO Certified Software Showcase, which lists companies leading the FIDO charge.

This article from NextGov describes the federal government’s adoption of FIDO2. Former Federal CISO Chris DeRusha said: “Identity is a key pillar of the U.S. government’s zero trust strategy, and an important part of that is ensuring federal agencies use strong multi-factor authentication that defends against phishing, one of the most common business threat vectors… To achieve this consistently, we anticipate that federal agencies will need to supplement their use of PIV with devices that support FIDO2 standards and authentication tools, while phasing out weaker approaches that offer less protection against real-world phishing campaigns.”

FINAL THOUGHTS

We are going through a complex time within the cybersecurity industry with regards to many new technologies, especially identity management and authentication. Almost everyone agrees that implementing a zero-trust architecture is a must, as outlined in presidential executive orders.

At the same time, improving authentication and identity management is seen as an essential first step (if not the first) on the journey to zero trust. While MFA is clearly a better solution than passwords alone, some forms of MFA are now being defeated.

As more and more cyberattacks emerge (and succeed) against MFA solutions, it’s important that companies start paying attention to the FIDO Alliance and new technologies that strengthen authentication.