IT security experts will tell you that 80% to 90% of breaches could be prevented if organizations enforced stronger password controls. But IT administrators will tell you that convincing people to use strong passwords is a lost cause. No matter how much you educate, cajole and frighten them, a frustratingly large number of people will still safeguard their critical information with “123456.”
That’s why Keeper has joined the FIDO (Fast IDentity Online) Alliance. The FIDO Alliance is working to create technical specifications for an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. It’s trying to bridge a seemingly contradictory set of objectives. “FIDO is strengthening the authentication process while at the same time making it easier for users,” said Andrew Shikiar, senior director of marketing at the Alliance. “Our goal is to make it easier for enterprises and service providers to move beyond the password.”
FIDO takes a different approach to authentication, built on public key cryptography: the private key that proves the user’s identity is generated on the user’s device and never leaves it, and the online service stores only the matching public key. Authenticating locally matters for two reasons. It protects user privacy, and it removes the need for passwords (or password hashes) to be stored on third-party servers, where every such database is one more thing that can be breached. The FIDO Alliance’s approach is in line philosophically with Keeper’s zero-knowledge architecture.
Centralized password databases have been at the heart of some of the world’s largest security breaches. For example, the two attacks on Yahoo collectively exposed more than one billion user accounts to compromise. Cyber criminals can purchase these lists and use them for “credential stuffing”: replaying the stolen username and password pairs against the login forms of other websites, betting that people reuse passwords. “The success rate for credential stuffing is as high as two percent, which is staggeringly large,” Shikiar said. “FIDO’s approach to strong authentication can take this threat vector away entirely.”
If two percent doesn’t sound like a lot, consider that running one million stolen username and password pairs through the login process of a bank or stock-trading site at a two-percent success rate translates into 20,000 compromised accounts.
The FIDO Alliance is promoting two sets of specifications: Universal Authentication Framework (UAF) and Universal Second Factor (U2F). UAF is most typically implemented in mobile apps, and no password is involved at all. Users register their device with an online service by choosing a local authentication mechanism, such as a fingerprint, PIN or face/voice recognition, from among those the service provider allows. From then on, users simply repeat that local action whenever they log in; the service only ever sees a signed challenge, never the biometric or PIN itself.
U2F keeps the password but complements it with a second factor, a FIDO Security Key such as a USB token, that proves the user is in possession of their device. Because the second factor carries the cryptographic weight, the service can allow simpler passwords without compromising security.
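The registration and login exchange described above, as an added example that is not Keeper’s or the FIDO Alliance’s code and is a deliberate simplification of the real UAF/U2F message formats: a relying party at a hypothetical origin stores only the public key, the authenticator keeps the private key and signs a fresh per-login challenge bound to the origin the browser reports, so a stolen server table yields nothing to stuff into other sites and a lookalike site cannot obtain a signature the real service will accept. The origin names, the credential ID layout and the hashing of origin plus challenge are this example’s own choices, not FIDO’s wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for a FIDO authenticator (phone or security key): private keys
// are generated here and never leave it, and each key is bound to one relying-party origin.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // credential ID -> private key
	origins map[string]string            // credential ID -> origin the key was minted for
}

// RelyingParty stands in for the online service. It stores only public keys, so a dump of
// this table gives an attacker nothing to stuff into other sites.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte // credential ID -> challenge awaiting a signature
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, origins: map[string]string{}}
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register mints a fresh P-256 key pair (the curve behind FIDO's ES256) for this origin
// and hands back only a random credential ID and the public key.
func (a *Authenticator) Register(origin string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return "", nil, err
	}
	credID := fmt.Sprintf("%x", id)
	a.keys[credID], a.origins[credID] = priv, origin
	return credID, &priv.PublicKey, nil
}

// StoreCredential records the public half; no password hash is ever stored.
func (rp *RelyingParty) StoreCredential(credID string, pub *ecdsa.PublicKey) { rp.pubKeys[credID] = pub }

// BeginLogin issues a fresh random challenge that the authenticator must sign.
func (rp *RelyingParty) BeginLogin(credID string) ([]byte, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	rp.pending[credID] = challenge
	return challenge, nil
}

// signedData binds origin and challenge into one digest. The browser, not the page, supplies
// the origin, so a lookalike site cannot obtain a signature the real service will accept.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the local authentication step (user tap or fingerprint assumed to have gated it).
func (a *Authenticator) Sign(credID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[credID]
	if !ok || a.origins[credID] != origin { // key handles are scoped to the registering site
		return nil, errors.New("no credential registered for this origin")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
}

// FinishLogin verifies against its own origin and stored key, consuming the challenge.
func (rp *RelyingParty) FinishLogin(credID string, sig []byte) error {
	pub, challenge := rp.pubKeys[credID], rp.pending[credID]
	delete(rp.pending, credID) // one challenge, one attempt: a captured signature cannot be replayed
	if pub == nil || challenge == nil || !ecdsa.VerifyASN1(pub, signedData(rp.Origin, challenge), sig) {
		return errors.New("login rejected: unknown credential, no challenge outstanding, or bad signature")
	}
	return nil
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("https://bank.example") // hypothetical origin
	id, pub, _ := auth.Register(rp.Origin)
	rp.StoreCredential(id, pub)
	ch, _ := rp.BeginLogin(id)
	sig, _ := auth.Sign(id, rp.Origin, ch)
	fmt.Println("genuine login:", rp.FinishLogin(id, sig))
	ch, _ = rp.BeginLogin(id)
	_, err := auth.Sign(id, "https://bank.example.evil.test", ch) // lookalike origin
	fmt.Println("phishing origin:", err)
}
```

The phishing attempt fails at the authenticator, because a U2F-style key handle is scoped to the site it was registered for; even if a careless authenticator did sign, FinishLogin hashes in its own origin, so the signature would not verify. Real FIDO signatures additionally cover a signature counter and authenticator data, which this example omits.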
The FIDO Client-to-Authenticator Protocol (CTAP), which is currently in review, lets a smartphone or even a wearable serve as the primary authentication device. Coupled with the W3C’s Web Authentication (WebAuthn) work, which will bring native FIDO support to leading web browsers, CTAP will extend FIDO’s reach to a much larger number of users as part of the FIDO2 project.
In the five years of its existence, the FIDO Alliance has rung up a lot of successes, enlisting more than 250 members ranging from IT organizations to mobile app developers, government organizations, platform providers and financial institutions. Facebook rolled out FIDO authentication in January, extending it to 1.7 billion additional users. Google has been a member since 2014.
Keeper believes in the value of standards as a way to continually move the industry forward. The more organizations that sign on to the FIDO Alliance, the faster the industry can solve the password problem and tackle the next set of challenges. We are proud to be part of that effort.