Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/1/2019
02:00 PM
Bojan Simic
Bojan Simic
Commentary
Connect Directly
LinkedIn
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Demystifying New FIDO Standards & Innovations

Staying on top of the latest cybersecurity risks and preferred attack methods can feel impossible, but standards like FIDO2 are designed to help relieve the burden.

Weak or stolen passwords are responsible for more than 80% of hacking-related breaches, according to research from Verizon. In response to the undeniable password problem, the nonprofit standards body FIDO Alliance is addressing traditional authentication issues and providing organizations with a framework that protects them from chronic risks, such as credential stuffing, password reuse, and phishing attacks. This past March, FIDO launched a new set of standards, FIDO2: WebAuthn and CTAP, which enables organizations to move beyond a reliance on passwords and shared secrets, and instead leverage common devices to easily authenticate to online services in both mobile and desktop environments.

With a greater emphasis on browser-based authentication (versus solely mobile, as seen in previous standards), FIDO2 standards support all major browsers with Secure Sockets Layer certificates, including Chrome, Internet Explorer, Firefox, and Safari. By allowing users to log in to Internet accounts using their existing, preferred device, the WebAuthn component of FIDO2 enables easier, safer login experiences via biometrics, mobile devices, and/or FIDO security keys. The CTAP component allows for external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also serve as authenticators to desktop applications and Web services.

Standardized Biometrics Provide Particular Value
FIDO2 standards are already bolstering the cybersecurity landscape, particularly via its standardized biometric capabilities. The majority of mobile phones, laptops, and desktops available for purchase today also boast facial recognition features, but FIDO2 provides a way to leverage the power of biometrics in a standardized manner. For instance, previously, organizations had to write their own unique code entirely from scratch to use any biometric sensor. Significant language and a common interface were required so sensors could communicate with one another. With FIDO2, this process has been standardized and browser support is built in, making it much easier for organizations to implement and adopt biometric technology.

Best Practices for Adopting FIDO2
To best take advantage of FIDO2 and all the benefits the standards can provide, organizations and their IT and security teams should abide by the following three best practices:

  1. Follow a standardized approach. When implementing any component of FIDO2, it's critical to refrain from incorporating any proprietary or black-box technology, even if it promises to adhere to applicable requirements. Standards have been established for a reason — they're much easier to audit, more people can understand them, and they provide flexibility through interoperability. To achieve success and compliance over the long term, always opt for standards-based technologies. Additionally, make sure any previous versions of technology being used are interoperable so you don't have to start from scratch when introducing any additional authentication standards.
  2. Start with the highest-impact use cases. Rather than implementing too many changes too quickly and overwhelming security and IT teams (as well as end users), it's important to start small and look for areas within FIDO2 that stand to make the most impact on your organization. For example, because these latest standards were designed to help eliminate passwords and shared secrets, perhaps it makes sense to start by incorporating FIDO2 into corporate workstation access processes. Rather than continuing to offer employees password login and reset features (which can easily be tampered with or stolen via malware), FIDO2 can seamlessly provide employees with secure, password-less workstation access through any Web-based application.
  3. Evaluate current costs. To prepare for current standards like FIDO2 as well as the inevitable slew of additional, future standards, take the time to look at the hard costs associated with passwords and other shared secrets, because this is precisely where security standards can provide clear return on investment. For instance, any unnecessary expenses related to password resets and/or account lockouts should serve as a prime incentive for adopting standards like FIDO2 and beyond. Better yet, by pinpointing cost inefficiencies such as password resets, the time and resources required to incorporate new standards can be easily justified to all organizational stakeholders.

Long-Term Viability Requires Password-less Authentication 
Staying on top of all the latest cybersecurity risks and preferred attack methods can feel like an insurmountable task. In fact, even keeping abreast of all the latest security standards can be a challenge. What's most important is that organizations and their IT and security teams recognize that standards like FIDO2 are designed to help relieve the burden of cybersecurity. Passwords and shared secrets no longer suffice in our high-risk, fast-paced digital landscape, so it's paramount that organizations incorporate more secure methods of authentication. By adopting password-less standards like FIDO2 in a timely manner, organizations can confidently secure their most valuable assets, while also driving crucial initiatives like digital transformation projects by making their users immune to phishing attacks and account takeovers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Bojan Simic is the Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14832
PUBLISHED: 2019-10-15
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
CVE-2017-10022
PUBLISHED: 2019-10-15
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing ...
CVE-2019-10759
PUBLISHED: 2019-10-15
safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-10760
PUBLISHED: 2019-10-15
safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-17397
PUBLISHED: 2019-10-15
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.