Hello Andrew, so today we are going to talk about a topic that has been discussed quite a bit, especially of late, when there have been instances where personal data was exposed. Before that, please introduce yourself to Marketing In Asia readers.
Thank you for having me. I have been in the identity industry and its consortia for close to 20 years now. I first got my start at Sun Microsystems, helping to launch an initiative called the Liberty Alliance. Liberty set the first standards for federated identity and established many core concepts that are relevant today – including things like single sign-on, distributed web services and the concept of “identity providers” in general.
I have been with FIDO since 2016 and it has been a great experience and privilege to help drive this important work to market – working with some of the brightest minds in identity and authentication from FIDO’s many member companies.
You are the Executive Director for FIDO Alliance, which is an open industry association with a focused mission. Do tell us about your mission and all we need to know about FIDO Alliance, Andrew.
The FIDO (Fast Identity Online) Alliance is an industry association comprising technology industry partners working together to establish standards for strong authentication. FIDO Alliance’s mission is to raise authentication standards and help reduce the world’s over-reliance on passwords. FIDO Alliance creates open standards and drives an ecosystem of supporting products and programs that are simpler for consumers to use, and easier for service providers to deploy and manage.
Singtel was slapped with a S$25,000 fine last year for a data breach that exposed billing information, including names and addresses of up to 330,000 subscribers. Before that, the Singapore Red Cross website was hacked into, which compromised the personal data of over 4,200 people.
Andrew, in your opinion – do you think these have got to do with passwords or failure related to passwords?
I can’t say for sure if it was a password issue, but I can tell you that a vast majority of data breaches and related cybersecurity incidents are due to overreliance on passwords. The trouble with passwords is that users need to remember multiple passwords to access different applications, websites, and so on.
On the consumer level, many end users use less secure passwords because they are easy to remember or use the same password for many of their online accounts – which only increases the damage when they are inevitably compromised.
Additionally, as organizations build their consumer base, both usernames and passwords are typically stored in a central data server or location. A single successful data breach creates a compounding effect, as these user credentials are then resold on the Dark Web and can be used for credential stuffing, the automated use of collected usernames and passwords to gain fraudulent access to user accounts. According to a recent study, credential stuffing can cost a company in Asia Pacific up to US$28.5 million in damage a year.
When we talk about alternatives to passwords, how does FIDO Alliance aim to bypass the challenges (presented by passwords)?
We previously touched on the main challenges currently presented by passwords:
- Having to remember complex passwords across dozens of accounts
- Passwords are human-readable shared secrets that typically are stored on a central server and thus are susceptible to being stolen and re-used
At the core of the FIDO approach is the use of standard public key cryptography techniques to provide stronger authentication. At the point of account registration, the user’s device (e.g. mobile phone) creates a new key pair. It retains the private key and registers the public key with the online service.
Authentication is done by the user’s device proving possession of the private key to the service by signing a challenge. This means when the user returns to the site or app, he verifies himself through a simple gesture such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.
With consumers constantly looking for ways to reduce the hassle that passwords bring, FIDO provides single gesture convenience for the user that eliminates the need to remember multiple username-password combinations.
The FIDO protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services – thereby eliminating the threat of phishing or account takeover. Keeping the private key on the device brings added privacy benefits, as the user’s biometric data never leaves the device.
How receptive do you think online services and organizations are when it comes to replacing passwords with other mediums?
Experts concur that the next digital breakthrough will be passwordless authentication. For companies transitioning into the new digital era, moving beyond passwords should be their immediate objective.
The adoption curve will be steep over the next few years. More organizations are recognizing the advantages of passwordless authentication, i.e. an increase in revenue at a fraction of the cost; a better user experience; and enhanced security. In addition, consumers are becoming more accustomed to leveraging built-in biometrics on devices they use daily, such as mobile phones and laptops, while in parallel, more device platforms support next-generation FIDO-based technologies.
Cybercrime is on the rise; as people are getting smarter, so are these people on the side of the law; and I do not mean that in a good way. What are the possible impacts we can expect when it comes to replacing passwords with other mediums and cyber criminals?
One thing we all know is that cyber criminals are neither dumb nor complacent – if one door is closed, they’ll look for another means into valuable resources. In FIDO’s case, FIDO Authentication has proven to be unphishable at the point of login as it eliminates server-side shared secrets in favor of public key cryptography. However, cyber criminals can still potentially use social engineering and other means to trigger fake account recovery schemes in order to attempt account takeovers.
The soft spot in account recovery is actually tied to the fact that most accounts are still set up with knowledge-based authentication during the identity verification process. This process uses data from your credit report or other data points (first address or car) to validate a person’s identity at account enrollment. The problem with this practice is this personal information has most likely already been stolen and made available on the dark web (alongside billions of username/password credentials).
Due to this, we really need to improve identity verification to enable safer account recovery. One way companies are trying to do this is through what we call “possession-based identity proofing” — using a photo of your government-issued ID and a corresponding selfie to ensure that you are who you say you are. This sort of verified identity makes it much harder, if not impossible, to spoof during an attempted account takeover – which will further harden defenses against hackers. But today, there is no standard way to validate or certify the technologies used for remote identity proofing.
This is why FIDO Alliance recently announced its new Identity Verification & Binding Working Group, which is focused on establishing performance criteria and a certification process for possession-based identity verification technologies. FIDO’s approach will help ensure that these remote proofing tests are performed to suitable standards that validate both the integrity of the underlying government credential as well as the match between the ID’s photo and the selfie. We’re making progress with this work, and should have more to announce soon.
Andrew, I know I am speaking for so many people; I am so looking forward to the day where passwords are the story of the past. How far are we from that day?
Yes, I think the industry on the whole is looking to be free from dependence on passwords – which is why we have so many leading companies collaborating on this goal within FIDO Alliance. That being said, it’s important to look at ‘going passwordless’ as a journey rather than something that will happen with the flip of a switch.
The (very) good news is that the required technologies and infrastructure are now in place to move beyond passwords – as is the growing business imperative to do so. With billions of devices in the market today that have FIDO Authentication capabilities, enterprises and developers are now leveraging the publicly available WebAuthn API to FIDO-enable their websites and apps instead of passwords or weaker approaches to 2FA.
This is evidenced by large technical thought leaders like NTT DOCOMO, which is giving its customers the option to eliminate their passwords; or by eBay, which allows mobile web users on Android to get rid of their password in favor of a local biometric; or by Google, which allows consumers to use their Android or iPhone as a virtual security key when logging into Google services on their PC; or by countless enterprises that have moved to passwordless workforces that use built-in biometrics and/or FIDO security keys for Windows 10 machines on Microsoft Azure.
And these are just the tip of the spear – in 2020 and 2021 we’ll see many more leading banks, telcos, e-commerce providers and governments help their audiences move beyond passwords with FIDO Authentication.
So coming back to your question: I’m not going to put a date on the obituary for passwords, but I would be willing to guess that the vast majority of mainstream applications and web services will have passwordless options within the next 5 years – and any that do not will face a significant security and usability disadvantage in comparison to their peers and competitors.
What do businesses need to know and understand to implement such a system within their organization?
This isn’t a one-size-fits-all question, but in general I’d say that businesses need to know that it is indeed possible to move towards a passwordless enterprise, but they obviously need to first consider the best path to getting there depending on their use case. For example, a B2B company with 50,000 employees that work largely in office settings would be far different from a global retailer that may want to go passwordless on shared PCs and sales terminals. There are FIDO solutions for both, but they’ll need different teams, resources and strategies.
Where can Marketing In Asia readers go to get more information related to what we talked about today?
A great way to get more information on passwords and authentication is at Davos 2020. The World Economic Forum released its new whitepaper titled ‘Passwordless Authentication: The next breakthrough in secure digital transformation’, in collaboration with the FIDO Alliance. Making the case for passwordless authentication as a critical enabler of the future, the report also includes a couple of interesting case studies from many of FIDO’s members including Google and Microsoft.
FIDO also provides a number of public resources. These include our Twitter and LinkedIn feeds, and a general newsletter – as well as a developer list for our more technical audience. Last but not least, FIDO will be introducing our first public conference, called Authenticate, which takes place 2-3 June in Seattle, Washington.
Any parting words, Andrew?
I think we covered a lot of ground in this interview, and I appreciate the opportunity to share these perspectives with your audience in Asia. If there is one thing I’d like your readers to take away, it’s that FIDO Authentication is now readily available to consumers through leading platforms and devices – and that now is the time to start moving towards our passwordless future.