Why FIDO Holds the Key to Our Passwordless Future
Enterprises across the globe have been trying to minimize and remove passwords for years. Security is an obvious reason why: attacks that use lost or stolen credentials are commonly cited as the root cause of around 80% of breaches. Productivity is another, since the hours employees spend each year entering, resetting and keeping track of passwords drain time and helpdesk resources.
Despite such valid concerns, for many companies getting rid of passwords has been more a stretch goal than a reality—but that’s about to change. Getting started with passwordless no longer requires a significant hardware investment: device-level biometrics such as facial and fingerprint recognition, already built into most phones and laptops, can serve as multi-factor authentication (MFA) factors in place of passwords. And because many employees already use these technologies outside of work and know how fast and convenient they are, they tend to be receptive to using them in the workplace.
Additionally, passwordless is gaining traction because today’s enterprises have a choice of authentication methods. Chances are your organization has already implemented some variation of passwordless, and you may not even know it. Here are the typical ways you can implement passwordless today (from less to more advanced, technologically speaking):
It’s the last of these, FIDO login, that holds a great deal of promise for growing a passwordless future across all industries. Read on to learn why the FIDO open standard is helping address security concerns and encourage user adoption of passwordless authentication.
The fact that FIDO is an open standard is significant. Open standards are specifications that no single vendor owns or controls, and that anyone can implement. This is especially important in identity, where enterprises running multiple clouds and diverse IT environments don’t want to be locked into a particular vendor’s contract or product strategy. Open standards provide independence, and this is why Ping has a history of early adoption of, and contribution to, most of today’s identity standards bodies.
Open standards are also widely embraced by the developer community. You are more likely to convince your developers and DevOps teams to adopt open standards like FIDO for broad coverage versus an authentication protocol that is only intended for a certain ecosystem of applications. When developers see the potential impact of an open standard, they are more likely to learn about it.
Last but not least, open standards with broad participation evolve quickly. The FIDO Alliance has members like Apple, Google, Visa, Microsoft and, of course, Ping. With these companies working together and a formal certification program in place, there is a genuine effort to ensure that future applications and devices will be FIDO compliant, and the standard will continue to evolve to make life easier and more secure for customers and employees.
FIDO as an organization is not new. The FIDO Alliance (FIDO stands for Fast IDentity Online) launched publicly in 2013 with the mission to develop and promote standards that reduce the world’s reliance on passwords. A major issue FIDO tackles is the lack of interoperability among devices, applications and other resources needed to deliver passwordless experiences. The latest FIDO standard, known as FIDO2, is the combination of the Client to Authenticator Protocol (CTAP), which connects a browser or operating system to an authenticator, and Web Authentication (WebAuthn), the W3C web API that applications call; implementations of both can be formally certified.
Privacy is a key component of FIDO. Unlike password-based authentication, with FIDO the service provider never receives a secret: it stores only a public key, while the private key never leaves the authenticator and biometric data never leaves the device. The authenticator itself holds no personal information, so little is exposed if it is stolen or lost. If your company suffers a breach, the stolen public keys cannot be used to log in, and because each key pair is bound to a single service, a credential from one site cannot be used at another.
At the core of FIDO is public key cryptography, a strong authentication mechanism that removes the shared secret that phishing, credential stuffing, replay and man-in-the-middle attacks depend on. FIDO can rely on this mechanism because authentication is performed by an authenticator the user holds, either a platform authenticator built into an Android or iPhone device or laptop, or a roaming hardware token. At registration the authenticator generates a fresh key pair scoped to that site (its relying party ID), and the resulting credential can’t be used anywhere else.
To understand how FIDO lowers security risk, take the example of an employee who clicks a link in a phishing e-mail. They are directed to a fraudulent site created with the intention of capturing their credentials. However, because authentication is a signature produced on the device or hardware token rather than a secret typed into a form, there is nothing for the user to hand over. And because the browser binds every request to the origin of the page that made it, the authenticator has no credential registered for the attacker’s domain, so the login attempt simply fails.
FIDO isn’t perfect, though. Its main disadvantage is that initial registration takes extra steps. Also, if a FIDO device or token is lost, a new one will have to be registered with each and every site, because the key pairs were bound to the lost authenticator. Users should therefore enroll a backup authenticator or another recovery method in advance, or they will have to call the helpdesk to verify their identity.
It’s important for organizations to think through these scenarios and have easy alternatives in place for employees to regain access. You need a solution that works across a range of devices, authenticators and hardware tokens, such as YubiKeys. For example, we have seen clients equip store clerks with hardware tokens because the clerks could not use phones on the job. We’ve also seen clients who needed to respond quickly to the shift to remote work (and did not have time to purchase and provision devices) use the PingID app to support their employees in BYOD scenarios.
FIDO is not ubiquitous yet—but it’s gaining traction. As more products become certified, your organization will see an increased availability of FIDO use cases. Embedding FIDO into your new apps and services will help drive user adoption and temper security concerns.
With PingZero, our passwordless authentication feature that leverages the FIDO standard, we provide passwordless options to fit your enterprise needs. Ping offers a passwordless maturity path that includes centralized authentication services, extending MFA to every app and resource, and FIDO at scale. Passwordless is a key component in providing seamless and secure digital experiences. To learn more, please visit PingZero.