Event Recording

Andrew Shikiar - Moving Beyond Passwords with Standards-based Strong Authentication

My name is Andrew Shikiar, marketing here at FIDO Alliance. It's great to be in Seattle. I did grow up here. It's my hometown. So that gives me license to complain about growth and traffic, like any other old timer in Seattle. How many of you are familiar with FIDO Alliance? How many are not familiar with FIDO Alliance? Okay, good. So that's a good baseline for us. This is the point of the presentation where I usually ask how many of you like passwords, but I'm not gonna do that, cuz usually there's some snickering and one person raises their hand. But instead let's kind of just look at the numbers at hand and look at the problem with passwords. So consumers have a password problem, right? We can all relate to that. They're clumsy, hard to remember. They're supposed to be changed all the time.
This is one of the big usability problems with passwords, and you'll see different statistics depending on your source, but in general they're all pretty glaring and pretty bad. So the average user has 90 plus accounts, right? For those of you in this room, you probably have 200 plus accounts, and they're managed with usually less than five passwords, right? Because passwords are hard to use, and most haven't changed their password in the past five years. As a result, you see things like only 32% use a unique password per site. And those unique passwords, by the way, are not strong passwords. They'd be things like, you know, website name 1, 2, 3, website name my name, you know, kind of weak passwords, which can be easily hacked, even more easily than a more complex password, which can also be hacked. And, you know, collectively this is causing problems, you know?
So every day it's estimated that, you know, humans around the world spend 1300 years every day entering passwords, which is a lot of time to be spent frustrating yourself. I could think of a lot of other things I'd rather do with my time than enter passwords for that length of time. So that's a consumer problem. You know, businesses have a problem as well. And let's look at a couple aspects of this. First of all, there's a risk aspect. You know, passwords are the Achilles heel in any sort of system. They're the cause for the vast majority of data breaches; 81% of data breaches were caused by weak credentials, and they lend themselves to phishing attacks, right? So here you see a stat from the Verizon Data Breach Report that one in 14 phishing attacks were successful in 2016. We saw a really great presentation yesterday from Google, who based on their data says that a well-crafted phishing attack,
so not your Nigerian prince kind of thing, but a good one, has a 42% success rate. So not a click-through rate, but success rate of someone actually getting phished, right? So the phishers are getting smarter, they're getting more sophisticated and they're getting more successful. And as a result, we see a growth in phishing. We see a growth in data breaches. There's also hard costs associated with passwords, right? So there's the management cost, which many of you are probably attuned to; you know, the vast majority of help desk calls are associated with passwords. A large organization spends around a million dollars a year in password resets, right? So there's the internal costs. And then there's the loss costs, right? So roughly half of shopping cart abandonment instances are due to login problems or password problems, right? So it's costing more money, and there's lost revenue opportunity due to the password problem.
So a lot of this comes down to, and, by the way, I'm sure over the next two days you'll see more statistics like this, and the common theme is, you know, passwords suck, right? We need to come up with a better way of doing this. What I wanna stress today is that a big part of the problem is the approach that we've always taken to authentication, which is centralized authentication, where you have a centralized server that has shared secrets, symmetric secrets, that stores passwords, stores usernames, credentials. That's a risk. And that's a problem that's leading to all of these horrible data points.
So our friends at Shape Security do a great report every year on credential spills. And there's a lot of very interesting data in there. And it starts with the fact that, you know, there's 2.3 billion credentials stolen in 2017 alone. And that's a big number, and it's hard to think about sometimes, but you know, what's the real impact of these 2.3 billion? And sometimes you can get numb to it, but if you go back to, like, the Yahoo data breach, for example, think about the real cost there. So anyone who had a Yahoo ID stolen, odds are there's nothing of that much value on a Yahoo property that was at risk, right? Worst thing that could happen is maybe someone mismanages your fantasy football team, but the real risk is actually people stealing those credentials and then stuffing them into other sites.
And so credential stuffing is a huge problem. That again comes back to the fact that there are centralized authentication stores, where people are stealing these credentials and using them in massive numbers, right? So there's over 130 million stuffing attempts in retail alone each day. And in fact, if you look a little closer at this, over 80 to 90% of e-commerce sites' attempted logins are stuffing attempts. So the vast majority of attempted logins are illegitimate logins, and even worse, you know, there's up to a 2% success rate, right? So you do the math here; you're looking at millions of invalid logins based on stolen credentials every single day. And there's a real cost to this, right? The real cost is around 5 billion per year to US businesses, right? So that's a very real cost associated with stuffing, which all stems back to the fact that these credentials can be hacked, they can be available.
And this is what we're trying to change at FIDO Alliance. Looking at password issues a little bit more graphically, you know, this is how passwords work. First of all, this is a usual login scenario where a user uses a device to log into a server. The password is stored on the server. The username credentials are stored on the server. Even if you have a complex password, even if you have a hashed password, that can be hacked, right? And if you can't hack the hashed password, you can brute force it and guess someone's password, right? So if you know the top 1000 passwords that are out there, I think you have around a 60% chance of logging in; if you know the top 10,000, even a 98 and a half percent chance of being correct, right? So there's a lot of ways to get around passwords in addition to flat out stealing them. Additionally, passwords lend themselves to phishing, right?
So we talked about phishing a little bit, but if you have password-based authentication and you have this simple symmetric relationship between the user login and the server, it lends itself to phishing, through apps or on the web. And then we have the usability issues, right? We already talked about the fact that, you know, password reuse, shopping cart abandonment, and then also there's kind of the usability issue on devices, right? So on a mobile device, who likes typing passwords on mobile devices? No one. Better yet, someone pointed out yesterday that typing a complex password on a remote control on your TV is living hell, right? So the usability factor for passwords is another major challenge. So obviously people have known that passwords are a problem for some time. And there's been solutions, there's been improvements.
So traditionally the way to improve passwords is to do an OTP, one-time passcode, which is certainly better than a password, but also has its own faults and its own shortcomings. So one of these is that OTPs are still vulnerable to phishing and man-in-the-middle and man-in-the-browser attacks, right? So OTPs can be spoofed. They can be knocked off. Secondly, especially on mobile devices, they're also very insecure, right? So whether it's through social engineering or an SS7 hack, mobile OTPs, i.e. SMS, can be manipulated as well. So it's little wonder that NIST, for example, in their latest Digital Identity Guidelines, deprecated SMS OTP as a means of strong customer authentication. And then coming back to the user, as we all care about here, of course, there's usability issues too, right? So the traditional OTP tokens, they're expensive.
You know, people don't want another device. They're not very consumer friendly. And inside the enterprise, you have the classic kind of token key chain scenario, where you have a network admin who has literally a key chain of OTP tokens that are all bespoke, one each for each service that they're logging into. So they don't scale very well. And then you have the same device input issues that you have with passwords, right? So the more sophisticated the device that you have to enter an OTP into, the harder it is, whether that's a mobile phone, tablet or something else; if you're getting a notification on your device, entering it in that device is no easy matter.
So what's the solution? So on this graph here, you see in the bottom half there we have passwords. They have reasonably poor usability, really low security. And above that, you see OTPs have much better security, but even worse usability. We wanna be in that holy grail, we wanna be in the top corner with a simpler, stronger approach to user authentication. And that's what FIDO's doing, right? So FIDO is an industry answer to these problems. And what we're doing as an industry is creating open standards for simpler, stronger authentication, using public key cryptography. That's a single-gesture, phishing-resistant multifactor authentication, right? Which is a fancy way of saying it's easy to use with a single motion, and underneath there's a lot of strong protections and cryptography to make sure that everything's done fully securely in a phishing-resistant way.
So FIDO launched in 2013 with six board members; we've grown to have over 250 companies around the world. Shown here is FIDO's board of directors. It's an interesting chart, lots of good companies here. You see we have consumer electronics vendors, security vendors, and people who deliver services. Another way of looking at this chart is if I asked one of you in this room and I said, hey, look, we have to crack this password problem, what types of companies do we need to have sitting around the table to help solve this problem? The collection of logos you'd come up with would probably look a lot like this, right? So people who produce devices and platforms you use every day, specialists in security and biometrics, and perhaps most important, the businesses who manage billions of identities, whose very businesses depend on delivering high assurance services to consumers and who need to have stronger, simpler authentication to have a low friction way of securely authenticating their users.
So these are just the board directors who are leading the FIDO Alliance, and there's dozens of other members representing leaders in government, telecommunications, finance, and IT. FIDO's focus is quite narrow, right? So we only focus on the authentication layer in the identity stack, user authentication, basically trying to move beyond passwords. Since our focus is narrow, we happily partner with other organizations to help give us broader reach into adjacent market spaces and adjacent geographies. So you see a lot of other identity groups here. You see adjacent markets like the Car Connectivity Consortium. And also we do a lot with regional groups to help get the word out in different parts of the world.
Another thing that we've had success doing as an industry is engaging with government and getting positive feedback from government. So way back in 2014, NIST, who's a member (the US government's a member of FIDO Alliance), the NIST guidelines back then identified that it's okay for technology to have two secure, distinct authentication factors in a single device. That's basically the FIDO UAF approach, where you can have two factors in one motion, in one device. The Commission on Enhancing National Cybersecurity cited FIDO as one of the best models moving forward for user authentication. Senator Wyden down in Oregon is probably the top congressional champion on matters of cybersecurity; without any direct engagement from FIDO, he wrote a letter to bank leaders asking for support of FIDO U2F last year. And then last year also NIST's latest Digital Identity Guidelines, 800-63-3, cited FIDO authentication as meeting the new AAL3 requirements, the higher level of requirements within that document. Outside the US,
we've seen a lot of engagement as well, right? So there's a lot of regulations, as we know, in Europe and Asia. The UK government has been tracking FIDO quite closely. In fact, you can use a FIDO security key to log in and secure your UK digital citizen services, but they cited FIDO as a future to replace passwords way back in 2016. The EBA with PSD2: many of your companies here, merchants, have to deal with PSD2. We've engaged directly with them as an industry body. And they've noted that they accept, similar to the US government, one device serving as two-factor authentication. In Asia, we've seen a lot of adoption. Asia's a really interesting area for FIDO. A lot of these countries have had very advanced digital ID schemes that were put in place in the early two thousands that are now being replaced by more modern authentication schemes.
They're basically looking to evolve their PKI infrastructures for citizen identity into something more modern and vendor neutral. And so you see a lot of adoption there. I have two data points here, one in Taiwan, where they cite client-side biometrics as being appropriate for e-banking applications, and in Korea, where over 70% of the banks, 70% of the banks, use FIDO authentication. Korea embraced FIDO as part of a broader, more modern and vendor neutral approach to authentication. Likewise, in Hong Kong right now there's an RFP out for their citizen eID scheme, which specifies FIDO support as part of that implementation. So we're seeing really strong embrace and adoption by government and regulatory bodies worldwide. So a little bit about how FIDO works, at a very high level. The key concept here is the introduction of something called the FIDO authenticator.
This is a secure area of your device that will store your private key. And the public key is stored on the server, right? So what's not on the server are your authentication credentials or anything unique to you. That takes away the server as a hacking target for hackers, cause there's no central credentials to store. Through the challenge-response mechanism, there's a lot of added measures put in there to prevent phishing, to assure that there is a one-to-one match between your authenticator and the website that you're authenticating to. So FIDO is phishing resistant and prevents man-in-the-middle, man-in-the-browser attacks as well.
All this is manifest in FIDO specifications. So we have two user experiences that are covered in our specifications. The first is a passwordless experience. This was first manifested in our FIDO UAF specifications, in three steps, where you're presented with an authentication challenge, you do user verification through a single biometric gesture, and then you're authenticated online or in that app. The second factor experience is where you are still using a password, but using a strong second factor to prove presence of yourself. And again, in three steps, you can be authenticated online using the second factor experience. So that was called the FIDO U2F standard as well. More recently, we've introduced what's called Web Authentication from W3C, which I'm sure many of you are familiar with. So WebAuthn came to be when FIDO partnered with W3C to contribute three technical specifications into that working body to create the Web Authentication working group and the WebAuthn specification, which was finalized, well, near finalizing, and came out this spring in April.
And the net effect of this is that this approach for strong user authentication is being standardized in the web platform and also being cemented into leading operating systems, operating environments. Within W3C there's strong participation from all major platform providers. And what we've seen already is that the leading browsers now support WebAuthn, and through that FIDO authentication, in leading browsers from Microsoft, Google and Mozilla. In addition to Web Authentication, the FIDO2 specification includes something called CTAP, Client to Authenticator Protocol, which is basically an extension, if you will, of U2F that allows you to use an external authenticator as a second factor to log into your device, and also the new use case of using, say, your handset to authenticate to your PC or to your desktop.
So these are the FIDO2 specifications. There's basically a web browser, web platform component, and there's an external authenticator component to it. And this is FIDO2. And this is where we're seeing a lot of industry gravitation, as the two key platform stakeholders in FIDO, both Google and Microsoft, are bringing this into their respective platforms of Windows and Android. So stay tuned for news very soon about the first FIDO2 certified products, which will be coming on market in the very near future. Speaking of certification, it is all good and well to do specifications, but I like to say that specifications without certification is like one hand clapping, right? There's no way to verify that these things are being used correctly. So FIDO has a very robust certification program. At the core is our functional interoperability testing. So this verifies that a product conforms to the FIDO specifications and also interoperates with others in their specification suite, right?
This is very important for those of you who might be thinking about deploying FIDO authentication as part of your own infrastructure, to know that if you find a FIDO certified product, it will interoperate with others in your stack. So this program has grown dramatically. We have over 400, 475 certified implementations to date. Next week, we should be announcing our first FIDO2 certified products. Additionally, we've introduced something called certified authenticator levels. So FIDO certifies servers and clients and authenticators; an authenticator could be a roaming authenticator like a security key, or could be something embedded in your mobile device or in your desktop. With these gradient levels of security certification, it allows a relying party to specify that the authenticator meets these specs. And in general, we have three levels: L1 prevents against large scale attacks, L2 prevents against malware or operating system compromise,
and L3 prevents against actual physical hardware attacks, meaning that the authentication credentials are fully secure in that chip. And then last but not least, we are introducing something called the FIDO Universal Server. This is a very important concept. This is for a relying party or service provider that wishes to make sure that their site can authenticate any FIDO authenticator, any FIDO credential. So a universal server can basically interoperate across FIDO's full range of specifications. And we think this will be the best practice for anyone who is deploying FIDO authentication as part of their identity scheme.
So the FIDO Certified ecosystem is growing. I mentioned that if you are rolling out an implementation of FIDO, you can look for different products and services on the market that support the FIDO specifications. These include devices that you use every day. These include phones, PCs, and browsers. So very important: your end users will likely have a FIDO compatible device, whether that's one of these devices or a FIDO security key. That market is growing; recently Google announced that they're shipping their own security keys, the Google Titan security key. And then there's also backend server side solutions. What's interesting about that third column over there is that these aren't just solutions coming to market from companies like Nok Nok Labs, but also this represents large service providers who have rolled their own FIDO implementation, like ING and Bank of America and MasterCard, but they're going through certification to make sure that their servers can interoperate with the rest of the FIDO ecosystem.
Otherwise there would be risk with them having some sort of bespoke FIDO implementation that might not fully interoperate. So we're seeing really strong engagement on the certification front from both product vendors and implementers, and this is where it all nets out, right? So these are people who are actually deploying FIDO today. And this is really past the testing and pilot and POC stage. This is really becoming the mainstream best practice. You see a lot of logos up here. This really is a fraction of people deploying. A couple anecdotes: we see Google in the top left corner. Google announced a study recently where they deployed security keys to 85,000 employees inside the company over, I think, a four or five year period, and not one of them was phished, right? That's super compelling. That's why they're actually going to market now with their own security keys. At the bottom there you see BC Card; BC Card's a Korean payment provider. They've gone to market with a biometric payment platform that allows anyone to validate payments with either voice or face; they're doing over a million authentications a day using the FIDO protocols. So this is all very real. Additionally, you see T-Mobile, Intuit, eBay, Bank of America, PayPal. These are all apps on your mobile phones right now that are using FIDO authentication under the hood. This is all very real and happening today.
So to wrap up, FIDO authentication, FIDO Alliance, is really the industry's response to the password problem. I can't emphasize industry enough. This is FIDO's, by the industry, for the industry. It does represent the efforts of some of the world's largest brands, who are utterly dependent on better user authentication. A key thing to think about also is that the specifications we've created, the industry has created, represent tens of thousands of development hours, right? So these are our lead engineers from some of the brightest minds in identity, authentication, security on the planet, working together to actually put these specs together, and we continue to innovate, right? So the specs continue to evolve, certification continues to evolve. And more importantly, it's interesting that yesterday a lot of the conversations were about the practical considerations of rolling out user authentication.
So as FIDO as a body evolves, more and more of our effort will be focused on deployment best practices, pulling relying parties together to understand what policy considerations might be, and really looking at those business challenges as well, and then enablement, right? So we continue to work with service providers to enable their authentication processes to make sure that they have successful FIDO deployments. So with that, if you want to get involved with FIDO, you certainly can. We welcome new members. We have open communities. If you have questions around how to deploy or get certified, let me know, or visit the resources I have on this page. So thank you very much. I think, do we have time for questions?
I've got a question and then we'll go to break.
So the universal server, will that be, and I think I know the answer, will the universal server include any, like, multi-protocol STS from FIDO to create SAML assertions or claims or things like that for other downstream systems?
It's just for interoperability, just across the FIDO authenticators and three protocols.
Okay. But vendors are free to build that kind of functionality into their product. One question before break.
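The challenge-response flow the talk describes (private key in the authenticator, only the public key on the server, a one-to-one binding between authenticator and site so a look-alike host cannot relay the login), as an added, constructed Go example that is not FIDO's or the speaker's code: the types Authenticator, Server and Assertion, the functions Register, Assert, Verify and Login, the user "alice" and the origins example.com and examp1e.com are all assumed, and WebAuthn's JSON client data, flags and signature counters are simplified away.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed, simplified model of the FIDO/WebAuthn flow the talk describes (not FIDO's own
// code): the private key stays in the authenticator, the relying party (RP) keeps only the
// public key, and every assertion binds a one-time challenge, the browser's real origin and
// the RP ID. Client data is challenge || origin here (WebAuthn uses JSON); no flags/counters.
var (
	ErrNoCredential = errors.New("authenticator holds no key for this relying party")
	ErrChallenge    = errors.New("unknown or already-used challenge (replay?)")
	ErrOrigin       = errors.New("client data origin mismatch (phishing relay?)")
	ErrSignature    = errors.New("assertion does not verify")
)

// Assertion is what the browser hands back to the RP once the authenticator has signed.
type Assertion struct{ ClientData, AuthData, Sig []byte }
// Authenticator keeps one key pair per RP ID; the private half never leaves it.
type Authenticator map[string]ed25519.PrivateKey

// Register mints a key pair for rpID and returns only the public key for the RP to store.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}

// Assert signs sha256(rpID) || sha256(clientData) with the key enrolled for rpID.
func (a Authenticator) Assert(rpID string, clientData []byte) (Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return Assertion{}, ErrNoCredential
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	return Assertion{clientData, rpHash[:], ed25519.Sign(priv, append(rpHash[:], cdHash[:]...))}, nil
}
// Server (the RP) holds public keys and outstanding challenges only: nothing secret to spill.
type Server struct {
	RPID, Origin string
	Pubs         map[string]ed25519.PublicKey
	Pending      map[string][]byte
}

func NewServer(rpID, origin string) *Server {
	return &Server{rpID, origin, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Verify runs the checks that make the scheme phishing and replay resistant.
func (s *Server) Verify(user string, a Assertion) error {
	want, ok := s.Pending[user]
	delete(s.Pending, user) // a challenge is single use, whatever the outcome
	if !ok || len(a.ClientData) < 32 || !bytes.Equal(a.ClientData[:32], want) {
		return ErrChallenge
	}
	if string(a.ClientData[32:]) != s.Origin {
		return ErrOrigin
	}
	rpHash, cdHash := sha256.Sum256([]byte(s.RPID)), sha256.Sum256(a.ClientData)
	pub := s.Pubs[user]
	if len(pub) == 0 || !bytes.Equal(a.AuthData, rpHash[:]) || !ed25519.Verify(pub, append(rpHash[:], cdHash[:]...), a.Sig) {
		return ErrSignature
	}
	return nil
}

// Login models the browser: it stamps the origin it is really on into the client data and
// derives the RP ID from it, so a look-alike host finds no credential to relay a login with.
func Login(auth Authenticator, srv *Server, user, origin string) (Assertion, error) {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	srv.Pending[user] = challenge // the RP issues a fresh challenge for every attempt
	a, err := auth.Assert(origin[len("https://"):], append(challenge, origin...))
	if err != nil {
		return a, err
	}
	return a, srv.Verify(user, a)
}
```

A genuine login at https://example.com verifies, replaying the captured assertion fails the challenge check, and a login attempted from a look-alike origin finds no credential; even a relayed assertion for the real RP ID is rejected because the client data names the wrong origin.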