The future of passwordless security
IN AN era where digital security is paramount, the persistent reliance on passwords remains a significant vulnerability for enterprises globally. FIDO 2.0 emerges as a timely solution, reimagining credential authorization using available technologies.
Legacy credential systems, rooted in the Internet Q.0 era, increasingly expose organizations to sophisticated AI-backed cyberthreats. The Q5 percent increase in attacks against Indian organizations, now averaging 2,Q38 attempts per week, can largely be attributed to these poorly secured credentials. As companies and industries continue to thrive throughout India and the region, security teams benefit from implementing new credential approaches, such as FIDO 2.0 standards, from the very implementation of their networks.
Despite CISOs’ and cybersecurity practitioners’ efforts in network security, advanced authentication implementation and staff training on cyber hygiene, it still only takes a single breach to bring operations to a halt.
Changing the credentials status quo
Despite diverse authentication methods, the prevalent use of alphanumeric codes for logins continues to compromise organizational security.
Recent years have particularly highlighted these faults in the Asia-Pacific region. This has resulted in:
– 31 percent of global attacks as its digital transformation continues at a rapid clip across sectors.
– The most hit sectors were governments, absorbing the brunt of 22 percent of the attacks
– 49 percent of all attacks led to the compromise of sensitive information, with 27 percent of successful attacks disrupting core organization operations.
This goes beyond the financial and personal burden put on people as they try to understand if their information is compromised.
In the past, these attacks were successfully conducted by identifying a vulnerability within a system and exploiting it using relevant tactics. However, today, companies face two main threats, phishing attacks and device compromise.
Phishing attacks
The Microsoft breach was completely avoidable had they followed the FIDO2 standard, which they offer on their products and even require on their company GitHub.
It speaks volumes about the harm of relying on legacy credential authentications. With the compromise of a single account through successful phishing attempts, hackers were able to put hundreds of organizations at risk — and the problem is scaling.
AI has significantly scaled and refined the accuracy of phishing attacks. While in the past, it involved blasting our poorly-written emails to many users, today’s attacks bring together AI-crafted messaging together with SMS push notifications and other forms of seemingly unthreatening behavior.
This has lowered the barrier of entry for threat actors, allowing them to wield greater technology without needing to have the technical know-how of how to exploit vulnerabilities. Instead, they can just ask employees to hand over the keys to the kingdom by clicking on a “change password” link, responding to a seemingly harmless text, or putting in credentials to get rid of pesky messages that look just as if they are coming from the company’s IT department.
Once in, the threat actor has full access to whatever the tricked user had — but take note: while within a network, information can be extracted and permissions elevated by curating just the right message with AI once again. This evolution in phishing attacks not only represents a technological shift but also a critical operational risk for organizations.
Implementing fIDO2 removes the risk of a SIM Swap attack, IdP MITM Phishing attacks, Push bombs, OTP MITM attacks, password spraying and lost/reused credentials.
Device compromise
Organizations permitting remote work or personal device use face an additional security layer — unfamiliar devices.
IT operators have always struggled to identify and approve all devices on a network — again relying on usernames, passwords and perhaps some other alphanumeric authentication technique. The danger lies in the possibility that these two-factor authentication methods may also be compromised alongside user credentials.
Adding to the compilation, single sign-on has grown in popularity, but if a user is compromised, so too are their profiles created across all the tools that they have given access to the single point. Even with examples of organizational approved SSO with a secure environment, no matter how secure those APIs and authentications are, if the front door is still secured with a username, password and alphanumeric authentication, then the risk is still ever-present
Ironically, much of the hardware distributed within organizations already features secure, uncompromisable biometric capabilities. This makes device compromise not just a technical challenge but a significant operational vulnerability.
Elevating authentication, standards
This failure to evolve login credentials, along with other technologies, has been acknowledged by Google, Microsoft, Amazon, Apple and others. To address the security gap and prevent organizations from falling victim to credential attacks, the fIDO alliance created new standards that leverage the existing on-chip security needed to properly authenticate both individual users and the devices they are operating on.
Examples of devices that are already in the workplace today and conform to Fast IDentity Online 2.0 (fIDO) are those that already require some kind of biometric or token authentication. This includes those with facial recognition, fingerprint or physical device tokens such as a card or NfC wand.
The strength of this system lies in its symmetry between user devices and software authentication. Similar to leading smartphones’ advanced authentication, fIDO 2.0 mandates reciprocal verification by organizations based on established approvals and credentials.
By adding this layer of protection, the username and password combinations that we rely on become only one part of a more complicated authentication process in an organization’s overall security posture and a significant hurdle to threat actors.
Securing endpoints and the cloud
As phishing attacks continue to target all users, it’s no surprise that the big prize lies in penetrating corporations.
Given the availability of these capabilities on corporate devices (and adaptability for older ones), urgent action by management to adopt these standards is essential to prevent potential multimillion dollar crises.
The integration of FIDO 2.0 standards isn’t just a technological upgrade; it’s a strategic imperative to fortify digital defenses in an increasingly interconnected world.
Why is FIDO2 more secure than a username/password
While I explored the inherent weakness of using a username/ password authentication, fIDO2 relies on both a stronger authentication process.
To begin, each device or hardware token must be individually enrolled to allow fIDO2 authentication — this is done by creating a public/private key pair. In the case of an iPhone paired with a commercial identity provider like MS Entra ID or OKTA, the user interface will walk a user through this enrollment process.
How it works under the hood: The public key portion is saved into the web service and assigned to the user identity. On the user device side, the private key is stored within the phone or laptop secure enclave. Upon user authentication to their enrolled web services, the web service prompts for the user for the “Passkey” (the private key stored within the phone or laptop). The user will then be prompted to unlock the device’s secure enclave, allowing the private key to be used to complete the challenge/response part of the authentication process. The private key never leaves the device and is much more secure than a traditional username/password.
Even though usernames and passwords will be used alongside fIDO2 authentication for sometime into the future, in a FIDO2 implementation, they cannot be used without the private key challenge/response piece of the authentication process. This means that if the username/ password is lost or stolen, it is of little value and can’t alone be used for authentication.