Why your business needs FIDO authentication technology

0

For more than a decade, I’ve campaigned for greater use of multi-factor authentication (MFA). Far too many online transactions are still done with simple passwords that are often reused, copied, accidentally given away, shared, stolen, forgotten and/or written on yellow sticky notes across the office.

Here are two blogs from 2014 and 2021 that delve deeper into MFA:

How to be safe online with passwords – with one more step: “The National Cyber ​​Security Alliance is bringing the online safety message to a city near you. A national campaign is spreading the word that multifactor authentication is easy to use and now available – often for free.”


Email security, working from home and World Password Day: “What does the future of passwords look like? More importantly, how are you doing now with password use (or reuse)? Here are some helpful tips ahead of World Password Day on May 6th.”

But one New study from Great Britain. found that only about a third of organizations use MFA. Other A 2019 study in the US found that about 57 percent of companies were using MFAbut that most organizations have not used MFA for all applications or access.

Conclusion: With the growing breadth and depth of cyber threats that use stolen credentials, MFA is clearly better than using passwords alone. More organizations and individuals should use MFA when it becomes available. For example, commonly used home applications like LinkedIn, Facebook, and Gmail offer free MFA that is underutilized.

PLEASE ALTERNATIVES – HOW TO DEFEAT MFA IS A GROWING TREND

But this blog is about the rest of the story. Wired The magazine recently published an intriguing article entitled “A sinister way to beat multifactor authentication is on the rise.”

Consider this excerpt: “Some forms of MFA are stronger than others, and recent events show that these weaker forms are not a major hurdle for some hackers. In recent months, script kiddies like that suspected Lapsus $ data racketeering gang and Elite Russian State Threat Actors (like Cozy Bear, the group behind the SolarWinds Hack) both successfully defeated the protection. …

“‘Many MFA providers allow users to accept a push notification from a phone app or answer a call and press a button as a second factor,’ Mandiant researchers wrote. ‘That [Nobelium] The attacker took advantage of this and made multiple MFA requests to the end user’s legitimate device until the user accepted the authentication, eventually giving the attacker access to the account.”

The article continues to reveal new ways in which criminals can trick users who believe their MFA authentication is secure into granting access to systems.

WHAT IS FIDO?

This introductory video describes in simple terms how the Fast Identity Online Alliance (FIDO) can help:

That FIDO Alliance website starts with this message: “Simpler, Stronger Authentication – Solving the World’s Password Problem.”

Here is an excerpt: “The FIDO protocols use standard public-key cryptographic techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It keeps the private key and registers the public key with the online service. Authentication is performed by the client device proving ownership of the private key for the service by signing a challenge. The client’s private keys can only be used after they have been unlocked locally on the device by the user. Local unlocking is done through a user-friendly and secure action, such as For example, swiping your finger, entering a PIN, speaking into a microphone, inserting a second factor device, or pressing a button.

“The FIDO protocols are designed from the ground up to protect user privacy. The logs do not provide information that can be used by different online services to work together and track a user across the services. Biometric information, if used, never leaves the user’s device.”

EXAMPLES, PLEASE

companies like 1 cosmos are part of the FIDO Alliance and this FIDO Alliance Database contains many FIDO certified products consider.

I encourage readers to explore this FIDO certified software showcasewhich lists the companies that top the FIDO fee.

This article by NextGov outlines the introduction of FIDO2 by the federal government. Chris DeRusha, former federal CISO, said, “Identity is a key pillar of the US government’s Zero Trust strategy, and a key component of that is ensuring that federal agencies use strong multi-factor authentication that protects against phishing.” , one of the most common companies, protects threat vectors… To do this consistently, we expect federal agencies will need to supplement their use of PIV with devices that support FIDO2 and web authentication standards, while weaker approaches that provide less protection from real-world phishing campaigns will be phased out.”

FINAL THOUGHTS

We are in a complex time in the cybersecurity industry in terms of many new technologies – especially identity management and authentication. Almost everyone agrees that implementing a Zero Trust Architecture is a must, as specified in Presidential Regulations.

At the same time, improving authentication and identity management is seen as an essential early (if not first) step towards zero trust. While MFA is clearly a better solution than passwords alone, some forms of MFA are now being defeated.

As more cyberattacks against MFA solutions emerge (and succeed), it’s important for organizations to pay attention to the FIDO alliance and emerging technologies to strengthen authentication.

Share.

About Author

Comments are closed.