Five ways to maximize FIDO
Perform a quick Google search for “causes of data breaches”, and you will be inundated with reports of stolen credentials and weak passwords. Organizations can spend billions on technology to harden their systems against attack, but they are fighting a losing battle until they are able to confidently attribute a login with a valid user.
Image by the FIDO Alliance
What is FIDO, and why does it matter?
FIDO stands for Fast Identity Online. It is a free and open set of standards and technologies that aims to reduce the world’s reliance on passwords. FIDO is designed to bolster authentication assurance by “protecting” and eliminating passwords.
FIDO-enabled advances in authentication are paving the way to this foundational paradigm shift. Unfortunately, authenticators are not quite there yet, because even though the capabilities are available for incredible strong authentication, implementations can vary, and it is up to implementers to determine how much of FIDO’s security will be integrated into their products.
A few examples: biometrics are supported, but not always implemented; authentication procedures are often cumbersome; passwords are still used as a primary credential. Further, as inherently secure as FIDO standards are, there is always room for improvement. Here are five ways to maximize FIDO.
Maximize FIDO: Use all three factors
More is better – most of the time. Thanks to smartphones, three-factor authentication – something you know, something you have, something you are – should be ubiquitous, but it is not. Many FIDO authenticators are only using two-layered factors, usually something you have and something you know.
While certainly better than just a password, this does not protect against instances such as a device being left open at a café. Using the built-in biometric capabilities inherently supported in all modern smartphones, FIDO-based authenticators can provide 3FA, bolstering security and eliminating such vulnerabilities, all while keeping user friction to a minimum.
Make it simple and secure
Many FIDO-based authenticators implement two-factor authentication (2FA) by interjecting an additional code/PIN from within their authenticator app. The user must remember the PIN and attempt to type it in before the timer runs out, or if the timer is already low, wait for it to be reset before attempting to enter it. Either way, this increases friction for the user and decreases security, and this PIN can still be extracted from the user through social engineering.
There are better ways. Apps should be designed from the ground up with simplicity in mind. An example of a simple and secure method could be a simple three-digit code paired with an image, and nothing for the user to enter. The user would simply ensure the code and image match on their device and portal, and then click “ok”.
Fully leverage existing MDM features
Smartphones, and smart devices for that matter, are everywhere. With the growing number of these devices permeating our planet, wise and insightful minds saw fit to develop technologies to monitor and protect these devices. Mobile device management (MDM) functions can bolster existing authentication paradigms through features such as “geofencing”.
FIDO-enabled authenticators can use geofencing to allow or prevent authentication based on the user’s physical location. Another key MDM feature that should be in place can prevent connections for devices that have been “rooted” or “jailbroken”. These devices present a much greater security threat and can be easily identified using existing technology.
Get rid of passwords
Who here is not guilty of reusing a password or two… or three? Passwords are a legacy security afterthought. Unfortunately, many FIDO-based authenticators are still relying on usernames and passwords as the primary authentication credential pair. But FIDO enables secure certificate-based authentication – we no longer need the password. Passwordless authentication also brings with it the added benefit of decentralized key stores allowing the organizations to get rid of the big red targets that are centralized password repositories.
Use bidirectional authentication
Last but not least, implementing bidirectional authentication can improve on FIDO’s already stellar authentication model. Bidirectional authentication takes the traditional FIDO authentication model and adds server-to-user authentication as well, so before the user sends their authentication information to the server, the server authenticates to the user. This provides an added degree of confidence to the end user and all but eliminates the possibility of a Man-in-the-Middle attack due to there being nothing for the end user to share.
The technology for simple and secure authentication is available and – thanks to FIDO standards and protocols – straightforward to implement. In the end, it comes down to the creativity and diligence of those designing current authenticators to completely leverage the available technology and integrate them in a well-thought-out manner that increases security and decreases user friction.