Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
Passwords are an integral part of our cybersecurity culture. They are easy for people to use, comparatively easy to implement for app and web developers and generally understood. But their widespread use is also their Achilles heel. Passwords, even complex ones, are at the mercy of cybercriminals who find ways to exploit passwords for fraud, data theft and other cyberattacks. The password is where the cybersecurity buck stops with usability out balancing security.
In May, the FIDO (Fast Identity Online) Initiative , alongside some big-name techs, announced a potential solution that could finally let the world say bye-bye to the password. But in the battle of security vs. usability, can FIDO balance the scales and change how people log in?
ChatGPT training built for everyone
A short history of Fast Identity Online (FIDO)
FIDO Alliance is backed by several big-tech organizations and smaller specialist vendors in the security space. The alliance is around ten years old and the various working groups have worked diligently during that decade towards a passwordless future. FIDO has birthed several versions of protocols and APIs to deliver enterprise-grade authentication. Each new version progressed toward a universal passwordless schema: FIDO 1 delivered the three core components of passwordless; FIDO 2 extended the support for MFA; next came the WebAuthn API, which is a JavaScript-based API developed as a standard in collaboration with the internet standards body W3C.
FIDO experimented with moving the dial from mandated passwords to passwordless login. However, implementation constraints, such as the requirement for a hardware key, made FIDO unsuitable for mass consumer adoption. As a result, FIDO was stuck in an enterprise authentication loop. Then a FIDO paper published in March 2022 on the goals of passwordless authentication for consumers recognized that the requirement for a hardware key was a no-go for consumers, stating the need for a "special-purpose authentication device (security keys)" created barriers to use of FIDO in consumer services.
However, FIDO had thought ahead… the WebAuthn API provides support for Chrome, Firefox and Edge browsers. This support is essential to FIDO's dreams of making passwordless applications universal in consumer use, not just enterprises.
Big tech strikes again
FIDO has, to date, never really cracked the consumer market with its passwordless ideals. However, W3C released WebAuthn as a standard in 2016 and it became a candidate for taking us all to the promised land of passwordless.
WebAuthn provides web developers with FIDO-based authentication support. This support is essential because it helps Web developers, who are not usually authentication experts, to support passwordless login. This help comes in the form of standards, libraries and protocols to integrate robust authentication options into websites, apps and services. However, even with this support, passwordless did not come to pass, at least as far as consumer markets go, and customer-facing services did not jump on the FIDO bandwagon.
This was not because the protocols and APIs developed by FIDO and W3C were poorly written. It was because consumer authentication has specific considerations that enterprise authentication does (or did) not. Before continuing, it is worth saying that the needs for consumer authentication vs. enterprise authentication models are fuzzier now because of the expanded networks of cloud infrastructures and remote working. Therefore, any movement by FIDO and W3C that facilitates consumer use of passwordless sign-in will also benefit enterprise authentication systems.
FIDO hit the ten years mark as Google, Microsoft and Apple announced that they would fully embrace the dream of a passwordless internet. The announcement focused on the collaboration between the three tech giants and W3C and FIDO to build a usable yet secure internet experience. Taken from the announcement:
“[T]he consortium will) expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.”
This statement is a significant leap forward in usability. The consumer uptake of secure authentication options has always been an uphill struggle. Second-factor authentication (2FA) hesitancy has long been a hurdle for consumer-facing systems to jump.For example, Google had to force users to use two factors through auto-enrollment. According to Google, password managers also have low uptake, with only 24% of users using a password manager. In addition, where 2FA is offered, users don't turn it on. Twitter is a prime example, with only 2.3% of users using a second factor to access their accounts.
From this perspective, a passwordless option that users accept offers everyone a win in the authentication stakes. But is FIDO's consumer market push secure and usable?
What are the implications of FIDO for security and digital identity?
The announcement by Google et al. of their plans to support FIDO is a crucial part of the passwordless puzzle. These companies know the requirements for usable but secure consumer authentication. They understand how vital underlying security mechanisms are in preventing exploitation by cybercriminals. They also understand how human behavior impacts the uptake and use of highly secure authentication options. In consumer services, highly secure systems impact usability and vice versa. Highly secure authentication may even result in loss of market share, with customers giving up on the service and moving to a competitor. The balance of security and usability is not just a nice thing to have but a must-have in consumer-facing system design.
Now that the tech giants are supporting FIDO, will this move the dial of security usability? There are two critical aspects of FIDO's ability to support the complexities of consumer authentication:
- Roaming authentication using existing smartphones
- Syncing of FIDO credentials between devices
To achieve this, the implementation overhead of FIDO lies in the hands of the OS (operating system). As FIDO points out:
“For these multi-device FIDO credentials, it is the OS platform’s responsibility to ensure that the credentials are available where the user needs them. Just like password managers do with passwords, the underlying OS platform will ‘sync’ the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user’s synced credential depend on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for their online accounts and on the security method for reinstating access when all (old) devices were lost.”
ChatGPT training built for everyone
The support of FIDO by the consumer tech giants is likely to create the environment that will make FIDO standardized across browsers and various operating systems. This is like pressing the big green “Go” button because FIDO is the best bet for a passwordless future where phishing would have to reinvent itself or die.
However, nothing is ever 100% secure; rather, security is about reducing risk. For example, a passwordless sign-in could remove specific threats, such as phishing, that are overwhelming IT and IS departments: each FIDO credential is unique for a given website, so a phisher would have a barrier to cross to create a spoof version of a website. However, I'd be amazed if phishers are not already working out ways around this.
As for digital identity, most people would welcome not having to remember large numbers of passwords. Importantly, FIDO, if implemented correctly, would require little setup by users. In addition, FIDO should allow a seamless authentication experience, something customers have wanted, and vendors have strived to achieve.
But, like everything in software development and system design, the devil is in the details. The big techs are offering to remove the hurdles for FIDO implementation, taking the strain off developers; this should open the floodgates to websites offering passwordless consumer support. Only time will tell how secure FIDO is for consumers, and only time will tell if consumers opt for a passwordless future.
Sources:
- FIDO Alliance
- W3C WebAuthn standard
- Twitter Transparency Report
- How FIDO Addresses a Full Range of Use Cases
- Google Security Infographic
- Apple, Google, and Microsoft commit to expanded support for FIDO standard to accelerate availability of passwordless sign‑ins, Apple Newsroom
- Worst passwords of the decade: A historical analysis, Infosec
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization