The need for authentication standards

In the cybersecurity industry, many new technologies–particularly those related to identity management and authentication–are constantly driving change and innovation. Yet one thing remains the same: the use of passwords continues to pose a threat to an organization’s IT security. As long as passwords continue to be used, users and organizations will remain vulnerable to attacks. Fortunately, due to the development of new solutions and authentication standards, replacing passwords as the dominant form of authentication on the Internet now seems to be possible.

Various annual surveys demonstrate that password compromises are associated with 70-80% of data breaches. As a response to the over-reliance on passwords, the non-profit organization FIDO ("Fast IDentity Online") Alliance was launched in 2013 to develop and promote authentication standards. With the help of the FIDO Alliance, a set of open, scalable, and interoperable specifications has been developed to replace passwords as a secure authentication method for online services. The alliance has also worked with companies such as Microsoft, Google and Apple to integrate and adopt FIDO standards across their operating systems.


FIDO Alliance reveals its latest whitepaper

Most recently, the FIDO Alliance and the W3C WebAuthn working group published a whitepaper in March 2022 explaining how the introduction of multi-device FIDO credentials will enable FIDO technology to supplant passwords for many consumer use cases. The framework goes further by outlining two proposals for phishing-resistant authentication mechanisms:

  • Using your phone as a roaming authenticator: Essentially, this involves connecting the user's smartphone (which becomes the FIDO authenticator) and the device from which the user is trying to authenticate via Bluetooth. Since Bluetooth requires physical presence, the use of proximity-based authentication should be resistant to any phishing attacks. As a result, the smartphone becomes a sort of smart card while providing the necessary FIDO requirements to the device from which the user is trying to authenticate.
  • Multi-device FIDO credentials: To improve user experience, the second proposal encourages FIDO authenticator vendors to adapt their authenticators in the event of lost or stolen devices. As users move from device to device, FIDO credentials should be available on a user’s new device without the need of implementing a password.  For example, a smartphone, a desktop, and a USB token could act as a mutually exchangeable FIDO authenticator.

The whitepaper argues that the syncing of FIDO credentials, together with the Bluetooth alternative, allows FIDO authentication to be a secure and convenient solution for existing two-factor deployments. Furthermore, the paper makes it clear that the proposal is not a change in standards, but rather a set of prescriptions for vendors to implement themselves.


However, there is one crucial point that the FIDO and WebAuthn proposals seem to ignore. So far, the whitepaper has not specified whether users will feel comfortable with a password successor where the cloud operator has access to secret keys. If users roam enterprise-issued keys via potentially insecure clouds, organizations must understand the risks that come with convenience when syncing is not end-to-end secured.  At the end of the day, it comes down to what end users will do and only time will tell if they are willing to trust Microsoft, Google, and Apple as the ultimate confidants of their organization's credentials.


In addition, if the deprovisioning of access within applications is not properly implemented, former employees might gain access to cloud-based applications when leaving an organization and returning their physical FIDO key. By not having proper controls in place, this new level of convenience will increase the risk and reduce the level of control an organization is able to exert.
Therefore, KuppingerCole believes that companies and other organizations that are looking to modernize and improve authentication solutions should understand the consequences beforehand. If done right, this solution has the potential to provide a frictionless user experience while improving security at the same time. We expect to see a significant number of FIDO authenticators, vendors, servers, and compatible web apps in industry over the course of the next few years.

 

European Identity and Cloud (EIC) conference

Because we understand the importance of authentication standards, KuppingerCole has a great deal of content available in a variety of formats, including live events such as the 2022 KuppingerCole European Identity and Cloud (EIC) conference taking place in Berlin and online in May.
The agenda includes keynote presentations and panel discussions on the State of Passwordless Authentication, The Future of Authentication, MFA usage in enterprise, and Zero Trust Best Practices, as well as other cyber security-related presentations including:

To find out more about the offerings in these markets and how to select the product that are best suited to your organization, have a look at the following Leadership Compasses: