Passwords are among the least costly security mechanisms for applications and systems. They are usually free and built into many information technologies. They are easy to use, and technical staff are familiar with how to set them up. While passwords are better than having no authentication mechanism at all, they have significant flaws, which are discussed below.
In 2018, an estimated five million hacked passwords were on sale on the Dark Web. Passwords are among the most common cybersecurity problems. They are often easy to break, which allows unauthorized users to access business information and systems, employee e-mails, consumer accounts, and other online platforms. “123456” and “password” continue to be the two most used passwords, demonstrating a widespread disregard for security by many Internet and system users.
Complex Password Challenges
For passwords to be effective and serve their intended purpose, they must include letters, numbers, and symbols, which in itself is a major problem. While creating a complex password is easy, remembering such passwords is often difficult or impossible. Users who are frustrated with constantly resetting forgotten passwords finally give in and create a simple password that they can remember and use across many systems, which is welcomed by hackers looking for easy ways to breach systems.
Using Passwords Across Multiple Systems
As mentioned, another problem is that people often reuse passwords across multiple websites and systems. Therefore, a data breach at one organization can have a ripple effect impacting security across other websites and social media platforms. People are often susceptible to phishing schemes whereby cyber criminals pose as legitimate organizations and institutions and ask users to provide them with log-in credentials.
Password cracking technology has also become more sophisticated, allowing people to crack passwords more quickly. In 20 years, the average length of a password is projected to increase by two characters, while computing power is expected to increase exponentially. Currently, 54% of passwords are only three to six characters in length, making them easy targets for cracking. This is driving the push to find alternative methods of authentication.
Too many people are using default or common passwords that were programmed into the device or application, leaving them vulnerable to cybercriminals. For every twenty passwords, one is being shared with another person or multiple users. Retaining default passwords can jeopardize the cybersecurity of an entire organization or business.
Additionally, while it is helpful that password expirations are becoming more common, people often revert their passwords to minor variations on previously used passwords. This creates a false sense of security, especially when there is a history of data breaches and people make only slight changes to existing credentials.
What is the FIDO (Fast Identity Online) Standard?
The Fast Identity Online or FIDO standard is a joint development by the world’s leading technology companies that aims to strengthen the security of systems, mobile devices and applications through strong password-less authentication. FIDO passwordless authentication allows users to sign in to their platform or system without a username or password, using an external security key or a platform key built into a device. FIDO aims to replace the use of vulnerable passwords for authentication with more secure biometric authentication reinforced by cryptography.
The biometric methods that FIDO plans to utilize include fingerprints and facial recognition. These are combined with second-factor and multi-factor authentication, providing layers of verification that are far more difficult to break. The integration of these two authentication alternatives provides an easier and more secure way to identify authorized users.
How does FIDO Fast Identity Online Work?
When users become members of a platform, application, or system that uses FIDO, the system creates a pair of cryptographic keys: the private key remains on the device, while the public key is registered on the online platform or system. To verify their identity, the user demonstrates possession of the private key by answering a challenge from the platform, for example by signing it with the private key so that the platform can check the signature against the registered public key.
The private key can only be used once the user has unlocked the local device or its hardware. This can be done through voice, a secure PIN, inserting a second-factor device, or a fingerprint. This process protects the user’s credentials and privacy, providing more security with minimally invasive techniques. The standard does not provide data that can be used by applications and platforms to track user activity. Biometric information is also never shared, remaining on the user’s local device.
Why Use FIDO Instead of Passwords
FIDO authentication standards are based on public-key cryptography which provides authentication that is more secure than passwords. Additionally, consumers and workplaces are gaining increased security without placing time barriers on the user experience. People are finding FIDO authentication standards easier to use while platforms and applications are easier to manage. It reduces the likelihood of accounts being hacked, and reduces the likelihood that a single data breach will affect multiple systems and organizations.
FIDO Alliance Members
The FIDO Alliance members comprise technology leaders from around the world, including government, healthcare companies, telecommunications companies, and corporations. The alliance is driven by the mission to find alternatives to passwords and reduce reliance on their usage. These diverse partners work together to develop common standards, collaborate on establishing best practices for FIDO authentication, and generate global awareness of the benefits of adhering to FIDO standards. A full list of board-level members, sponsor-level members, government members, and associate-level members is available on the FIDO Alliance’s website.
To meet FIDO standard requirements, authentication providers are required to be certified in at least one of the three certification levels. Currently, those three levels are level 1 and 1+, level 2 and 2+, and level 3 and 3+. At each successive level, the requirements build on the previous level, so level 2 must meet the requirements for level 1 in addition to its own requirements. For example, level 1 FIDO authenticators must defend against phishing and server credential breaches. Level 2 must meet all level 1 requirements as well as defend against device OS compromise.
The FIDO Alliance is currently working on software and hardware requirements for additional levels beyond level 3+. There is a stringent process by which vendors can demonstrate whether their implementation of FIDO standards meets the FIDO authenticator requirements. At the end of the process, qualified vendors receive a FIDO certification.
The Benefits of FIDO Authentication
The pros of FIDO are that it provides strong security, has a range of secure recovery options, and is resistant to phishing attacks. FIDO passwordless authentication is secure because it cannot be redirected or intercepted, due to the challenge and security key requirements. FIDO also allows users to register multiple devices with the service provider they work with. Finally, phishing attacks are ineffective: they arrive through a URL link or e-mail attachment, and FIDO-enabled tools and keys only work with the URLs the user has registered. Some have suggested that adopting FIDO authentication may be costly and that going through the process wastes time. However, the benefits gained in terms of security, compared with traditional password authentication, are a game-changer.