The cybersecurity headaches that passwords can cause are now well-known.
According to Verizon’s 2019 Data Breach Investigations Report, 80% of hacking-related breaches involved compromised or weak passwords.
In a survey conducted by Google in 2019, two out of three people admitted to reusing passwords for different services, risking falling victim to credential stuffing attacks.
However, despite their shortcomings, passwords remain by far the most common form of authentication. The FIDO Alliance is looking to change that.
Password alternatives and the FIDO Alliance
FIDO, which stands for Fast IDentity Online, is an open industry association with the goal of reducing “the world’s over-reliance on passwords” by lowering some of the barriers to adopting stronger authentication solutions.
FIDO has created open technical standards designed to create “interoperable mechanisms” more secure than passwords, such as biometrics and two-factor authentication devices, making it easier for organisations and end users to adopt password alternatives.
“The thing we do first and foremost is we’ll develop specifications around this technology for performing online authentication without passwords,” Joe Pennisi, Lenovo Distinguished Engineer and founding board director of the FIDO Alliance, told Verdict. “So the first mission was to define the technology, to standardise it, and the intellectual property, when we define the standards, we give that essentially away to the world so you’re able to utilise this patent-free.”
“Number two is then go and drive for adoption. And that’s the phase we’re in now, getting more companies involved, getting people to recognise what it takes to actually implement these protocols and bring this concept to fruition. So we’re defining the standards that everyone will adopt, and then driving customers, online services, device providers, to understand what it means to implement these.”
Founded by Ramesh Kesanupalli in 2012 and launched publicly in 2013, the alliance now has more than 250 members, including Amazon, Facebook, Google and Intel. Earlier this year Apple also joined the alliance.
The FIDO Alliance is using several routes to move closer to its goal of password-free authentication. Firstly, it has specified the FIDO authenticator, a device or application that uses public key cryptography to prove possession of a private key to an online service, in place of sending a shared secret such as a password.
“In general, we have two categories of products. One would be an authenticator. So that could be a mobile phone, an application on a mobile phone, it could be a USB key or a Bluetooth key. These are things you would use to authenticate. So that’s one of the main certification categories,” says Pennisi.
“The second is the server side. So while you have a device that’s capable of, we’ll say, speaking FIDO, you need a back end that’s capable of understanding it as well. So we’ll certify server implementations as well. And we have an entire certification programme that we built from the ground up.”
It has also developed a set of certification requirements; a product that meets them is FIDO Certified, and over 400 interoperable products have now been certified.
Pennisi explains that having major players in the industry as members is crucial to the widespread adoption of FIDO technology.
“Apple has become a member. It’s critical, especially for companies like them. And Microsoft is a member. Google’s a member. They’re important because they develop platforms. And one of the keys to our success is enabling these platforms to support FIDO authentication. One of the challenges we had early on was a bit of a chicken and egg in that device manufacturers and platform manufacturers weren’t being asked by the online services for this capability,” he says.
“The online services didn’t see enough devices that supported the capability. So you were really stuck with who is going to take the lead. And it turned out that device and platform manufacturers took the lead and right now, Windows 10 has FIDO capability built-in. Android from version seven and later has FIDO capability built in.
“So now you’ve got potentially hundreds of millions or even billions of devices that are capable. And we’re hopeful that that will help drive the ecosystem to recognise there’s a lot of potential devices here.”
FIDO has become increasingly well-known in the tech sphere, and was due to hold its first Authenticate conference in June, which has been postponed to November due to the Covid-19 pandemic.
However, the general public is more accustomed to biometric authentication than ever, with many smartphones now equipped with face or fingerprint recognition. Yet when it comes to signing up to internet services, passwords are still the default.
“I think the first password was used somewhere in the 50s, and it’s just been around forever,” says Pennisi.
“All of the processes related to authentication, or account recovery, all that’s been available [is passwords], and it does work. It just works really poorly and has all of these problems. So I think part of it is just the momentum that passwords have been around for so long. Trying to eliminate them has been a challenge, and even with the things we’re doing, we recognise there’ll be a transition period where people will slowly move from utilising passwords into better authentication methods.”
“We have a very strong overriding set of privacy principles”
FIDO authenticators can verify the user with a number of methods, such as fingerprint and iris scanners, and voice and facial recognition. However, when it comes to biometric data, the potential impact of a breach is a serious concern. Last year, researchers discovered that biometric security company Suprema had left the fingerprints of over one million people unsecured and unencrypted.
Pennisi explains that with FIDO products, biometric data never leaves an individual’s device.
“When we design protocols within FIDO, we have a very strong overriding set of privacy principles. And one of those says biometric data never leaves your device. So that’s one of the key elements here is if you’re going to use a mobile phone or a computer to use FIDO to log into an online service, that fingerprint data never leaves your phone. It’s not allowed to be part of what’s sent to the online service,” he says.
“I think it’s important that people recognise that you are in control of all of your biometric data, and it never leaves your particular device. That was definitely a key element of designing this. There have been a few breaches of centralised biometric information. And unlike a password, you can’t get another set of fingers.”
A key benefit in adopting these password alternatives is mitigating credential stuffing attacks, in which attackers will try breached credentials on a number of online services, in the hope that passwords have been reused. As the average internet user has around 90 online accounts, the impact of this can be significant.
Pennisi explains that through asymmetric cryptography, which FIDO uses, this risk is mitigated.
“[Asymmetric cryptography] has two keys. They’re not the same, but they’re related. One’s called the public, and one’s called the private key. So whatever you do with one to encrypt, you have to use the other to decrypt. So they’re matching pairs. And FIDO technology is built on that concept,” he says.
“If somebody gets to that server, and gets that public key, they can’t do anything with it. You can’t encrypt with that public key, you’ve got to have the private one that’s now protected in your device. It’s no longer a symmetric secret. So you could go breach this server, and you’re never going to be able to take that information and log in with FIDO. Number two, we make a different key pair for every service, so they all have different public keys. So if company one gets breached, it has no impact on any other companies.”
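The authentication flow described above (public key cryptography at the authenticator, one key pair per service, and a server that stores only public keys) can be seen end to end in a small simulation. The following Go program is an added example written for this page; it is not code from the FIDO Alliance, Lenovo or the article, and it uses only the Go standard library. The type and service names (Authenticator, RelyingParty, bank.example, shop.example, the user alice) are invented for illustration, and the signed message rpID || challenge is a deliberate simplification of the real FIDO/WebAuthn assertion format, not its actual encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Authenticator stands in for a FIDO authenticator (phone app, USB or
// Bluetooth key). It keeps one private key per relying party and has no
// method that returns one: only public keys and signatures ever leave it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register mints a fresh P-256 key pair for rpID and hands back only the
// DER-encoded public key for the service to store.
func (a *Authenticator) Register(rpID string) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return x509.MarshalPKIXPublicKey(&priv.PublicKey)
}

// Sign answers a login challenge with the key registered for rpID. The
// relying-party ID is mixed into the signed message so that a response made
// for one service cannot be presented to another (simplified format).
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %s", rpID)
	}
	digest := signedDigest(rpID, challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// signedDigest is the message both sides agree to sign: SHA-256(rpID || challenge).
func signedDigest(rpID string, challenge []byte) [32]byte {
	return sha256.Sum256(append([]byte(rpID+"|"), challenge...))
}

// RelyingParty stands in for an online service. Its credential store holds
// nothing but public keys, so a breach of it yields nothing that can log in.
type RelyingParty struct {
	ID      string
	pubs    map[string][]byte // username -> DER public key
	pending map[string][]byte // username -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: make(map[string][]byte), pending: make(map[string][]byte)}
}

// Enroll stores the public key the authenticator produced for this service.
func (rp *RelyingParty) Enroll(user string, pub []byte) { rp.pubs[user] = pub }

// Challenge issues a fresh 32-byte random nonce. Only the latest challenge is
// valid and Verify consumes it, so a captured response cannot be replayed.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks sig against the outstanding challenge and the stored public
// key, discarding the challenge whether or not the check passes.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	c, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	key, err := x509.ParsePKIXPublicKey(rp.pubs[user]) // nil for unknown users -> error
	if err != nil {
		return false
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := signedDigest(rp.ID, c)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Login runs one complete challenge-response round trip.
func Login(rp *RelyingParty, user string, auth *Authenticator) bool {
	c, err := rp.Challenge(user)
	if err != nil {
		return false
	}
	sig, err := auth.Sign(rp.ID, c)
	if err != nil {
		return false
	}
	return rp.Verify(user, sig)
}

func main() {
	auth := NewAuthenticator()
	bank, shop := NewRelyingParty("bank.example"), NewRelyingParty("shop.example")
	bankPub, _ := auth.Register(bank.ID) // two services, two unrelated public keys
	shopPub, _ := auth.Register(shop.ID)
	bank.Enroll("alice", bankPub)
	shop.Enroll("alice", shopPub)
	fmt.Printf("bank key ends %x, shop key ends %x\n", bankPub[len(bankPub)-8:], shopPub[len(shopPub)-8:])
	fmt.Println("login at bank:", Login(bank, "alice", auth), "login at shop:", Login(shop, "alice", auth))
	// Breach scenario: all the bank held for alice is bankPub. "Stuffing" it
	// into the shop's login as if it were a credential gets nowhere.
	shop.Challenge("alice")
	fmt.Println("leaked bank credential accepted at shop:", shop.Verify("alice", bankPub))
}
```

The two properties Pennisi calls out map directly onto the code: the credential store (`pubs`) contains only public keys, and `Register` is called once per relying party so the keys at bank.example and shop.example are independent. The challenge is single-use, which also closes the replay case the interview does not mention but any server implementer has to handle.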
“Eliminating passwords will become a lot easier”
Moving forward, FIDO is working with the US government, with its technology now an option on some government sites. It is also working with regulators to support PSD2, particularly the strong customer authentication requirement, and has turned its attentions to the security issues present in the Internet of Things industry.
“We’ve spent time with the US government talking to them and actually there are some places in US government sites that actually accept FIDO authenticators. We’ve spent quite a bit of time with the European regulators educating them on what FIDO can do, and working within FIDO to try to make FIDO one of those viable options for supporting the regulations in PSD2,” explains Pennisi.
“This passwordless technology we have, while we’re applying it to end users, it could apply quite well to Internet of Things. Right now, if you want to add a device to your home network, you’re still doing it with a password based on the device and trying to connect the device to your network using passwords.”
“I don’t know if [passwords] will ever be completely gone. I think there’s so many ways to do things in the world. I think you would define elimination of passwords to be a certain critical mass. That when you go to create an account somewhere, you always have the option to not have to use a password,” he says.
“I think if we get to the point where people can choose anytime they want to create an account, anytime they want to set something up, to do a non password-based one, I think that’s the step we’ve got to get to. And then once we’re there, I think eliminating passwords will become a lot easier.
“But there’s still work to be done to get all of these online services that have built up in the internet era around utilising passwords as their primary authentication to one that doesn’t have to rely on that.”