Demystifying New FIDO Standards & InnovationsStaying on top of the latest cybersecurity risks and preferred attack methods can feel impossible, but standards like FIDO2 are designed to help relieve the burden.
Weak or stolen passwords are responsible for more than 80% of hacking-related breaches, according to research from Verizon. In response to the undeniable password problem, the nonprofit standards body FIDO Alliance is addressing traditional authentication issues and providing organizations with a framework that protects them from chronic risks, such as credential stuffing, password reuse, and phishing attacks. This past March, FIDO launched a new set of standards, FIDO2: WebAuthn and CTAP, which enables organizations to move beyond a reliance on passwords and shared secrets, and instead leverage common devices to easily authenticate to online services in both mobile and desktop environments.
With a greater emphasis on browser-based authentication (versus solely mobile, as seen in previous standards), FIDO2 standards support all major browsers with Secure Sockets Layer certificates, including Chrome, Internet Explorer, Firefox, and Safari. By allowing users to log in to Internet accounts using their existing, preferred device, the WebAuthn component of FIDO2 enables easier, safer login experiences via biometrics, mobile devices, and/or FIDO security keys. The CTAP component allows for external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also serve as authenticators to desktop applications and Web services.
Standardized Biometrics Provide Particular Value
FIDO2 standards are already bolstering the cybersecurity landscape, particularly via its standardized biometric capabilities. The majority of mobile phones, laptops, and desktops available for purchase today also boast facial recognition features, but FIDO2 provides a way to leverage the power of biometrics in a standardized manner. For instance, previously, organizations had to write their own unique code entirely from scratch to use any biometric sensor. Significant language and a common interface were required so sensors could communicate with one another. With FIDO2, this process has been standardized and browser support is built in, making it much easier for organizations to implement and adopt biometric technology.
Best Practices for Adopting FIDO2
To best take advantage of FIDO2 and all the benefits the standards can provide, organizations and their IT and security teams should abide by the following three best practices:
- Follow a standardized approach. When implementing any component of FIDO2, it's critical to refrain from incorporating any proprietary or black-box technology, even if it promises to adhere to applicable requirements. Standards have been established for a reason — they're much easier to audit, more people can understand them, and they provide flexibility through interoperability. To achieve success and compliance over the long term, always opt for standards-based technologies. Additionally, make sure any previous versions of technology being used are interoperable so you don't have to start from scratch when introducing any additional authentication standards.
- Start with the highest-impact use cases. Rather than implementing too many changes too quickly and overwhelming security and IT teams (as well as end users), it's important to start small and look for areas within FIDO2 that stand to make the most impact on your organization. For example, because these latest standards were designed to help eliminate passwords and shared secrets, perhaps it makes sense to start by incorporating FIDO2 into corporate workstation access processes. Rather than continuing to offer employees password login and reset features (which can easily be tampered with or stolen via malware), FIDO2 can seamlessly provide employees with secure, password-less workstation access through any Web-based application.
- Evaluate current costs. To prepare for current standards like FIDO2 as well as the inevitable slew of additional, future standards, take the time to look at the hard costs associated with passwords and other shared secrets, because this is precisely where security standards can provide clear return on investment. For instance, any unnecessary expenses related to password resets and/or account lockouts should serve as a prime incentive for adopting standards like FIDO2 and beyond. Better yet, by pinpointing cost inefficiencies such as password resets, the time and resources required to incorporate new standards can be easily justified to all organizational stakeholders.
Long-Term Viability Requires Password-less Authentication
Staying on top of all the latest cybersecurity risks and preferred attack methods can feel like an insurmountable task. In fact, even keeping abreast of all the latest security standards can be a challenge. What's most important is that organizations and their IT and security teams recognize that standards like FIDO2 are designed to help relieve the burden of cybersecurity. Passwords and shared secrets no longer suffice in our high-risk, fast-paced digital landscape, so it's paramount that organizations incorporate more secure methods of authentication. By adopting password-less standards like FIDO2 in a timely manner, organizations can confidently secure their most valuable assets, while also driving crucial initiatives like digital transformation projects by making their users immune to phishing attacks and account takeovers.
Bojan Simic is the Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration ... View Full Bio
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.