According to Productiv’s 2021 report, State of SaaS Sprawl, enterprises have on average 254 apps in their app portfolio. The implication for IT teams is not only the upkeep of hundreds of apps but the security of employees, business partners and even customers accessing these applications.
The Verizon 2022 Data Breach Investigations Report revealed that 80% of breaches are attributed to stolen credentials, a 30% increase since 2017, cementing it as one of the “most tried-and-true methods to gain access to an organisation for the past four years.”
This trend will likely continue as organisations move IT operations to the cloud, and consumers become even more conditioned to engage with mobile apps.
FIDO, or Fast Identity Online, authentication is a set of open technical specifications that define user authentication mechanisms that reduce the reliance on passwords.
To continue its mission of developing and promoting authentication standards to help reduce the world's over-reliance on passwords, the FIDO Alliance has teamed up with the World Wide Web Consortium (W3C) on FIDO2 to strengthen authentication for the web.
Alex Wilson, director of solutions engineering Asia Pacific & Japan at Yubico, says FIDO2 is the collection of both the backend and frontend aspects of an authentication protocol. It includes the WebAuthn protocol as defined by W3C and the CTAP protocol as defined by the FIDO Alliance.
Wilson refers to this as the future of authentication where a world without passwords exists.
What problems/risks does FIDO2 mitigate?
Alex Wilson: There are many authentication types available today, most of which rely on technology that is not suited to the combination of ease of use, security, and scale. Passwords themselves are no longer fit for purpose: they are clumsy, hard to remember and easy to steal or replay.
As an industry, we have layered on additional factors to support Two-Factor Authentication or 2FA, whether SMS or OTPs, but as the sophistication of cyberattacks has increased, these methods have been exposed as ineffective in protecting our information and stopping the bad guys from getting in.
The FIDO2 standard for authentication has been specifically designed for ease of use, phishing-resistant security and global scale.
"The use of FIDO2 across your organisation greatly reduces the ability of attackers to steal your credentials through several common attacks. These include phishing, man in the middle, credential stuffing and many other passwords or OTP-style attacks."
Alex Wilson
Who needs it?
Alex Wilson: As FIDO was written specifically to address the future of authentication, anyone who needs to log in can and should use it.
FIDO is the simplest authentication process to use. It provides the highest level of security and works at scale wherever it is needed.
How do I implement/deploy FIDO2 in my organisation?
Alex Wilson: If you are a Microsoft or Google customer today then it is as simple as purchasing a FIDO2-supported token and registering it against your account within Microsoft or Google.
You may need to enable 2FA for your users if this is something you control or simply switch it on yourself and benefit from the added protection it gives.
When registering a second factor, most systems define the FIDO2 protocol by the name “Security Key”; within Microsoft and Google you will see the ability to register a “Security Key”. Most other systems continue with this naming convention or simply refer to it as a FIDO credential.
How does it tie into my multi-factor authentication (MFA), zero trust implementations?
Alex Wilson: One of the key pillars of Zero Trust is to ensure the correct people are getting the correct information they need, only at the time that they need it.
To enable this, you must ensure that the user who is being granted access has authenticated themselves correctly and securely. To check that the user is not being impersonated, the use of FIDO-based security keys for MFA ensures a level of verifier impersonation resistance at the strongest level available today.
The use of the FIDO Security Keys, like a YubiKey, delivers a simple, yet highly secure, authentication capability.
Any tips on how to include this in the security budget?
Alex Wilson: There are many avenues to direct funding to support and adopt FIDO. There are existing help desk costs that are already being allocated to support existing password reset capabilities, support for battery-based physical devices that need to be regularly replaced, and support for proprietary 2FA and mobile-based 2FA where you need to supply the mobile.
On the flip side, the cost of a data breach grows yearly, ransomware is becoming more prevalent and being dragged through the press when something goes wrong can seriously damage your reputation.
The business case for phishing-resistant MFA can be looked at from different angles:
- Higher levels of security for compliance or insurance reasons. We are increasingly seeing that adoption of strong MFA has an impact on reducing cyber insurance premiums
- User convenience and frictionless authentication have a productivity benefit
- Risk reduction and cost avoidance. Ransomware costs are significant and can be mitigated with strong phishing-resistant MFA
- Cost reduction or cost avoidance through reduced workload on IT support teams. With no account lockouts or takeovers, there is a 92% reduction in support calls
- Refer to the Forrester TEI report and its headline benefits: 203% ROI and payback of 11 months
How do I encourage my ecosystem to adopt FIDO2?
Alex Wilson: Finding simple avenues to adopt the technology may be as simple as finding those in your organisation who do not like resetting their passwords on a regular basis; alternatively, finding those who seem to forget their password regularly and lose valuable work time to frequent resets.
Seek out areas where FIDO2 and Security Keys can be used to reduce friction and increase security where needed. Remember that FIDO2 not only makes it easier, but it also increases your security posture.
"Passwords are not going away anytime soon, but there is a need to reduce their usage, remove their importance and lead everyone to a more modern authentication experience."
Alex Wilson