FIDO: Here’s Another Knife to Help Murder Passwords

After years of promising a passwordless future – really, any day now! – FIDO is proposing tweaks to WebAuthn that could put us out of password misery. Experts aren’t so sure.

We all hate passwords, but none of us want to make logging into our accounts a hassle with extra time, steps and devices. That’s why the Fast Identity Online Alliance (FIDO) published a white paper (PDF) on Thursday, outlining different use cases for the adoption of their FIDO2 set of specifications.

At the heart of the matter: proposed WebAuthn changes that will smooth the traditional security-versus-usability trade-off that users face when considering FIDO. While FIDO can deliver better security, users have hoops to jump through, FIDO said, including the need to adopt a security key – for example, the fobs sold by Yubico – as an authentication device.

Unfortunately, if you avoid the ruffling of users’ feathers, you keep them in a tepid state of security, according to the paper: “Many relying parties keep their users in a password-only mode, or at best, offer phishable second factors,” according to FIDO.

Infosec Insiders Newsletter

It’s proposing the following changes to WebAuthn – the API that makes it easy for web services and other authentication-requesting entities to integrate strong authentication on security keys or on built-in platform authenticators such as biometric readers – to improve on the situation:

  1. Turning the user’s existing smartphone into a roaming authenticator, and
  2. Providing better support for authenticator implementations (in particular platform authenticators) that sync FIDO credentials between the user’s devices.

“This makes FIDO the first authentication technology that can match the ubiquity of passwords, without the inherent risks and phishability,” the paper asserted.

FIDO History

FIDO, alongside the World Wide Web Consortium (W3C), created FIDO2 to be “the industry’s answer to the global password problem,” according to its marketing, addressing “all of the issues of traditional authentication.” These specifications – 10 years in the making – threaten to replace traditional passwords entirely. Yet they “haven’t attained large-scale adoption of FIDO-based authentication in the consumer space,” the paper admitted.

Now is the time for individuals and enterprises to take the proactive step of implementing strong authentication. So will they?

And, really, should they? Not everybody thinks so.

What is FIDO2?

Passwords are the single most tenuous beam propping up our security online. A tiny minority of people follow authentication best practices. Most of us use bad passwords, and then reuse them over and over, even though we know we shouldn’t. Then we continue reusing those passwords even after they’ve been leaked to cybercriminals.

Such was the impetus for the formation of the FIDO alliance. Nearly a decade ago, FIDO made it its mission to fight stale, plaintext passwords and create a new, interoperable system of authentication technologies. Since then, the FIDO Alliance has been interested in establishing a standard of interoperable authentication schemes. They could absorb new authentication technologies into a single infrastructure where they can work in concert with existing technologies like USB tokens, one-time passwords and near-field communications (NFC), among others, the thinking went.

The world’s biggest technology, finance and security companies – Apple, Meta, Google, PayPal, Wells Fargo, RSA, and on and on – count themselves among the alliance. Many of these companies have implemented – or even contributed to – improved authentication security in recent years. Multi-factor authentication (MFA), in particular, has become more common and more robust since the early days of FIDO, when cyberattackers could nab people’s passwords as easily as they could get at phone numbers in the phonebook.

But “while traditional multi-factor authentication (MFA) solutions like SMS one-time codes add another layer of security,” wrote FIDO representatives in 2019, “they are still vulnerable to phishing attacks, aren’t simple to use and suffer from low opt-in rates.” Hackers can even bypass the 2FA process entirely.

FIDO2 combines WebAuthn – in the words of its creators, W3C, “an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications” – and FIDO’s client to authenticator protocol (CTAP), which “enables external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also to serve as authenticators to desktop applications and web services.”

Phish-Proofing Authentication

Past all the technical detail, the bottom line is this: By downloading FIDO2 specs, “users log in with convenient methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device,” in a way that “eliminates the risks of phishing, all forms of password theft and replay attacks.” That, according to a FIDO press release from 2019.

The system uses your mobile devices to reduce login theft because, wrote FIDO, “cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user’s device and are never stored on a server.” And “because FIDO keys are unique for each Internet site, they cannot be used to track you across sites.”

Enhanced security, via a device you already have in your pocket, or on your desk. Is this the future?

Will the Password Finally Die?

Experts across the cybersecurity industry – not to mention, ordinary people everywhere – have called for the end of traditional passwords. “Moving to a passwordless experience is an absolute necessity to restore trust and improve security and ease of use,” Jerome Becquart, COO of Axiad, explained to Threatpost via email. “We need a pragmatic approach to passwordless, leveraging both FIDO and PKI,” – public key infrastructure – “in order to address as many use cases as possible, today.”

“Mobile phones are the perfect platform to become the all-in-one passwordless authenticator,” he continued, “however they are not going to be the right answer for every use case. For higher trust requirements, such as privilege accounts, a dedicated, hardware authenticator will still be needed. Additionally there are a number of mobile restricted environments, such as data centers, help desks, manufacturing floors, clean rooms, etc.. that may not allow mobile phones to be used. The pragmatic approach is to offer end users multiple authentication form factors, phone, platform bound or dedicated authenticators in order to address this variety of use cases and environments.”

With newer, stronger methods of authentication, the issue becomes not the technology but its adoption.

Hence Thursday’s white paper, which dove into the problem of usability. FIDO concluded its document by claiming that they’ve developed “the first authentication technology that can match the ubiquity of passwords, without the inherent risks and phishability,” but Becquart believes that “we are still going to be faced for the foreseeable future with legacy systems and applications that cannot be changed and modified and will still rely on passwords. The only choice for these legacy apps is to use some kind of password vault or SSO products, protected by a FIDO2 credential.”

How soon can we make the upgrade?

Not all experts agree that we must. “Ultimately this is an approach for people with means,” John Bambenek, principal threat hunter at Netenrich, wrote of FIDO2 in an email to Threatpost. “Many people lack the resources for FIDO keys or the sophistication to manage new authentication methods with their smartphone.”

Plus, “at a basic level, smartphones can be lost or stolen which means a need for some centralized place to reprovision access. The reality is no technology can be completely trusted.

“Passwords are easy and cheap,” Bambenek concluded, “which is why they’ll be around. In the end, people like easy and cheap over complicated and costly.”

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.

Suggested articles