1. FIDO Authentication: Unphishable MFA for All
Andrew Shikiar, Executive Director and CMO, FIDO Alliance
January 25, 2022
© FIDO Alliance 2022

2. Just last week…

3. Some Predictions for 2022
• Phishing attacks will continue to succeed
• MFA bypass attacks will become mainstream

4. Some (Happier) Predictions for 2022
• Enterprise passwordless deployments will grow rapidly
• Mobile platforms will provide consumer-ready solutions at scale

5. A fundamental shift is required
From legacy, knowledge-based credentialing ("in your head", remembered), SUSCEPTIBLE TO COMMON THREATS:
• Stored on a server
• SMS OTP
• KBA
• Passwords
To modern, possession-based credentialing ("in your hand"), PHISHING RESISTANT:
• On-device (never on a server)
• Local Biometric / PIN
• DocAuth
• Passkeys

6. Industry imperative: Simpler and stronger
[Chart: Security (Weak to Strong) and Usability (Poor to Easy) = Single Gesture Possession-based Authentication]
Open standards for simpler, stronger authentication using public key cryptography
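Slides 5 and 6 state that the shift from a secret stored on a server to an on-device key pair verified with public key cryptography is what makes FIDO phishing-resistant. The Go program below is an added illustration, not FIDO Alliance code or a conformant WebAuthn implementation: it models a simplified WebAuthn assertion (RP ID hash, origin and challenge bound into the signed data) and the relying-party checks that reject an assertion produced on a look-alike site or replayed later. The sites bank.example and bank-login.example and the challenge strings are constructed values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData: the WebAuthn CollectedClientData fields used here; the browser, not the page, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// assertion is what the authenticator returns for a sign-in request.
type assertion struct {
	AuthData       []byte // SHA-256(rpID) || flags || signature counter
	ClientDataJSON []byte // serialised clientData
	Signature      []byte // DER ECDSA (ES256) over AuthData || SHA-256(ClientDataJSON)
}
// relyingParty stores the public key registered for the account, never a shared secret.
type relyingParty struct {
	rpID, origin string
	pubKey       *ecdsa.PublicKey
}

// signedMessage is the ES256 input: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// sign models the on-device authenticator answering the browser at origin for rpID;
// the private key never leaves the device, only the signature does.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // string fields only, cannot fail
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	return assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, err
}

// verify is the relying-party check; each branch closes one way a captured login could be reused.
func (rp *relyingParty) verify(as assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("wrong ceremony or stale challenge: assertion cannot be replayed")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rp.origin)
	}
	if want := sha256.Sum256([]byte(rp.rpID)); len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential is scoped to a different RP ID")
	}
	if !ecdsa.VerifyASN1(rp.pubKey, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

// runScenarios reports whether a genuine login verifies and whether an assertion
// produced on a look-alike site and a replayed assertion are both rejected.
func runScenarios() (genuineOK, lookalikeRejected, replayRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	rp := &relyingParty{rpID: "bank.example", origin: "https://bank.example", pubKey: &priv.PublicKey}
	// Genuine login on the real origin with the challenge the RP issued (constructed values).
	as1, err1 := sign(priv, "bank.example", "https://bank.example", "constructed-challenge-1")
	// A look-alike site relays the RP's real challenge to the victim's browser. Even if the authenticator
	// signed (a real one holds no credential for that RP ID), the signed data names the look-alike site.
	as2, err2 := sign(priv, "bank-login.example", "https://bank-login.example", "constructed-challenge-2")
	if err1 != nil || err2 != nil {
		return false, false, false, fmt.Errorf("signing failed: %v / %v", err1, err2)
	}
	genuineOK = rp.verify(as1, "constructed-challenge-1") == nil
	lookalikeRejected = rp.verify(as2, "constructed-challenge-2") != nil
	replayRejected = rp.verify(as1, "constructed-challenge-3") != nil // old assertion, fresh challenge
	return
}

func main() {
	fmt.Println(runScenarios()) // prints: true true true <nil>
}
```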
7. Backed by global tech leaders
[Board of Directors logos] + Sponsor members + Associate members + Liaison members + Government members

8. 2021
• 5 Billion+ devices support FIDO
• 850+ FIDO Certified products
• 150 million+ people are using passwordless methods each month*
*Microsoft

9. The path towards ubiquity
[Browser and platform logos]

10. (no slide text)

11. The FIDO imperative in government
• Create Simpler Sign-in Experiences
• Enable Trust in the Government Ecosystem
• Protect Online Accounts for Citizens and Employees

12. FIDO brings a new paradigm for user authentication
FIDO specifications offer governments newer, better options for strong authentication… …but governments have had to update some policies to support the ways in which FIDO is different.
As technology evolves, policy needs to evolve with it.

13. (timeline)
2015: Most governments had not heard of FIDO. Regulations focused largely on OTP or PKI.
2022: Delineation is being drawn between legacy MFA and phishing-resistant MFA. FIDO Authentication is emerging as a preferred choice of governments around the world.

14. Growing trend of government recognition of FIDO

15. Growing trend of government recognition of FIDO (continued)

16. CISA: FIDO keys are the “Gold Standard” of MFA
“FIDO stands for "Fast IDentity Online" and is considered the gold standard of multi-factor authentication. The FIDO protocol is built into all major browsers and phones. It can use secure biometric authentication mechanisms – like facial recognition, a fingerprint, or voice recognition – and is built on a foundation of strong cryptography. Often it uses a physical device – a key – essentially an encrypted version of a key to your house.”

17. OMB: Focus on phishing-resistance
Highlights:
• For agency staff, contractors, and partners: phishing-resistant MFA is required.
• For public users: phishing-resistant MFA must be an option.
“Agencies’ highest priority should be to rapidly implement a requirement for phishing-resistant verifiers, whether this is PIV or an alternative method, such as WebAuthn.”

18. FIDO is becoming part of the web’s DNA
• Industry standardization and collaboration
• Shipping in devices and platforms at massive scale
• Strong regulatory and government embrace

19. Here’s how we get to a phishing-resistant future
• Replace password logins with Biometrics or Keys
• No knowledge-based authentication for ID proofing
• Replace passwords with FIDO keypairs

20. Thank you.


Editor's Notes

  1. Pleasure to be here today, and flattered to follow Eric’s opening comments. Have been here the past few years; for those of you who have attended, this will provide you with updates on the substantial progress we’ve made in 2021. For those who are newer to FIDO, I hope that this talk gives you a good feel for the imperative that FIDO is seeking to address – which is the need not just for ‘check the box’ MFA, but a truly unphishable foundation to secure a variety of connected services that are critical to today’s networked society.
  2. Sadly, one thing I can always count on when giving this sort of presentation is a relevant and recent example of a remote attack on sensitive resources. [click] Indeed, just last week we saw a phishing attack on the Dept of Labor. Elsewhere in the world, Singapore has been rocked by an SMS phishing scheme where hackers sent SMS messages that actually had phishing links, including for OTP codes. The Singapore Monetary Authority is now scrambling to implement new regulations on SMS-oriented banking communications while thousands of customers are trying to recover tens of millions of dollars.
  3. Phishing attacks will grow because hackers like making money, in addition to causing chaos. They’re relatively cheap to execute and have a staggering success rate: 50%+. But that’s not really new – I could have made the same prediction in each of the past several years and have been 100% correct. My headline prediction for 2022 is that MFA bypass attacks will become mainstream. Here are two examples from just this year – attacks on two hugely valuable brands.
  4. But it’s not all doom and gloom; there’s plenty of good news too. In general, there’s more awareness of the inherent risk of passwords – and Gartner has cited passwordless authentication as a technology to deploy NOW, with FIDO and FIDO security keys cited as the preferred method. This is one reason why we’re seeing so much VC investment in the digital identity landscape – our vendor community is struggling to keep up with all of the demand, which certainly is a good ‘problem’ to have. [click] Beyond the enterprise, I’m confident that we’ll see solutions emerge from mobile platforms this year that can bring truly passwordless login alternatives to the masses.
  5. Coming back to my prediction from a few slides ago -- *this* is the delineation that we need to see industry and regulators make – the distinction between legacy and modern authentication. Between knowledge-based and possession-based. “Check the box” MFA simply won’t cut it for much longer, and frankly isn’t needed as the availability and scalability of unphishable FIDO authentication continues to grow.
  6. FIDO’s goal from day one was to transform the market away from dependence on centrally stored shared secrets to a model that uses public key cryptography and allows consumers to authenticate through devices that they literally have in their fingertips every day. It’s simpler and stronger authentication. This vision has been realized through several sets of specifications since 2015, and also has seen rapid deployment – which we’ll touch on in a few
  7. In case you’re not familiar with who is driving FIDO’s efforts, this is our Board of Directors…
  8. Look at the numbers – 5 billion devices support built-in cryptographic strong authentication, the products are in market to help service providers move beyond passwords, and 150 million people are using passwordless methods each month – and that’s just from Microsoft. In practice we’re looking at many more than that.
  9. For FIDO to achieve our audacious goal of providing simpler, stronger authn for all, we need to have endpoint support. This has been a huge focus of the Alliance since our inception and we’ve attacked this through collaboration with groups like W3C, which has led to broad FIDO support in every major web browser. Additionally, all of the major OS vendors are core FIDO stakeholders and have built native FIDO support into their devices. Virtually every device being unboxed today has built-in support for FIDO Authn. This sets the stage for industry to move beyond passwords.
  10. Which has only helped accelerate the growing number of service providers that are leveraging FIDO.
  11. As we look at government, the FIDO imperative is similar to that of industry in several ways, but there are also distinct requirements. [click] Trust is overlooked sometimes when it comes to authentication – but it’s a core element for all constituents (employees, citizens, agencies, partners/suppliers).
  12. You’ve already heard from Eric and you’ll hear other perspectives shortly – but FIDO’s blend of security, usability and deployability has forced new thinking from governments – which is ongoing. Simply put, as technology evolves, policy needs to evolve with it.
  13. To wit, when FIDO started engaging with governments back in 2015, most had not heard of FIDO – and in fact, most were just implementing or finalizing regulations that were largely focused on OTP or PKI. Fast forwarding to 2022, not only are more governments aware of FIDO, but they’re actively driving conversation on the delineation between legacy and phishing-resistant MFA. Thanks Venable!
  14. And FIDO is also often cited in government guidance documents – as Eric talked about earlier, and as others will speak to later today. Outside of the US we see groups like the Australian Cyber Security Centre and the UK Govt Digital Service and Cabinet Office explicitly recommending utilization of FIDO Security keys to help secure govt services.
  15. Identity is coming to the fore in government in general: identity is now seen as critical infrastructure – right alongside the nation’s power grid. You see the CISA references, and also the Biden EO on MFA. Outside of the US there are critical identity initiatives also taking place – including eIDAS and National ID wallets in Europe.
  16. It’s worth highlighting the latest CISA guidance on MFA, which cites FIDO and FIDO security keys as the gold standard of MFA. Many thanks to Jen Easterly and her remarkable team for the work that they’re doing.
  17. We heard earlier from Eric Mill in his opening address – but for those of you who may have arrived late, it’s worth highlighting these aspects of the OMB zero trust strategy. Specifically, the push on *any* phishing-resistant MFA for agency workers, and also as an option for public users. Look, PIV and CAC are great – but the fact of the matter is that FIDO Security Keys from companies such as Yubico, OneSpan and Feitian present a lower-friction option for agencies to deploy in rapid fashion.
  18. So to start to wrap things up, I’d like to look at a few of FIDO’s objectives – the first of which is to become part of the Web’s DNA. This is an objective because it is *necessary* for our mission to be successful. Passwords are part of our lives because they’re ubiquitous and part of the web’s DNA – simply put, we need to supplant them. There are three key steps that any technology needs to achieve to reach this goal.
  19. Once that’s accomplished, our primary objective is to enable a phishing-resistant future. Here’s what we have to do to get there. Changing user behavior: not using a password is easier than trying to remember a password, but trying to change user behavior is difficult. We did a UX study last year and it was fascinating to see consumers’ reactions to using what ultimately is a more user-friendly solution. That points to the need for education and consistent implementation – but the good news is that thanks to mobile devices, most people are accustomed to password-free login flows through things like FaceID. Now we all know that’s not truly passwordless – but having people learn that behavior is good. This is a big one – and a space where FIDO is doing some super important work to standardize ID verification flows. But as long as accounts are being created with knowledge-based credentials, there will also be a wide open account recovery backdoor that hackers can use to take over accounts. We need to standardize and implement a possession-based approach to account creation that matches our commitment to possession-based authn. Then, we can truly start to replace passwords altogether with FIDO keypairs. We’re seeing several major companies do this today – most notably Microsoft accounts, but also eBay, NTT DOCOMO and several other companies are now allowing users to delete their passwords altogether.