Pleasure to be here today, and flattered to follow Eric’s opening comments
Have been here the past few years – for those of you who have attended this will provide you with updates on the substantial progress we’ve made in 2021
For those who are newer to FIDO, I hope that this talk gives you a good feel for the imperative that FIDO is seeking to address – which is the need not just for ‘check the box’ MFA, but a truly unphishable foundation to secure a variety of connected services that are critical to today’s networked society
Sadly, one thing I can always count on when giving this sort of presentation is a relevant and recent example of a remote attack on sensitive resources
Indeed, just last week we saw a phishing attack on the Dept of Labor.
Elsewhere in the world, Singapore has been rocked by an SMS phishing scheme where hackers sent SMS messages that actually had phishing links, including for OTP codes. The Singapore Monetary Authority is now scrambling to implement new regulations on SMS-oriented banking communications while thousands of customers are trying to recover tens of millions of dollars.
Phishing attacks will grow because hackers like making money, in addition to causing chaos. They’re relatively cheap to execute and have a staggering success rate of 50%+.
But that’s not really new – I could have made the same prediction in each of the past several years and have been 100% correct.
My headline prediction for 2022 is that MFA bypass attacks will become mainstream. Here are two examples from just this year – attacks on two hugely valuable brands
But it’s not all doom and gloom. There’s plenty of good news too.
In general, there’s more awareness of the inherent risk of passwords – and Gartner has cited passwordless authentication as a technology to deploy NOW, with FIDO and FIDO security keys cited as the preferred method. This is one reason why we’re seeing so much VC investment in the digital identity landscape – our vendor community is struggling to keep up with all of the demand, which certainly is a good ‘problem’ to have
Beyond the enterprise, I’m confident that we’ll see solutions emerge from mobile platforms this year that can bring truly passwordless login alternatives to the masses
Coming back to my prediction from a few slides ago -- *this* is the delineation that we need to see industry and regulators make – the distinction between legacy and modern authentication. Between knowledge-based and possession-based.
“Check the box” MFA simply won’t cut it for much longer, and frankly isn’t needed as the availability and scalability of unphishable FIDO authentication continues to grow.
FIDO’s goal from day one was to transform the market away from dependence on centrally stored shared secrets to a model that uses public key cryptography and allows consumers to authenticate through devices that they literally have in their fingertips every day. It’s simpler and stronger authentication.
This vision has been realized through several sets of specifications since 2015, and also has seen rapid deployment – which we’ll touch on in a few
In case you’re not familiar with who is driving FIDO’s efforts, this is our Board of Directors…
Look at the numbers – 5 billion devices support built-in cryptographic strong authentication, the products are in market to help service providers move beyond passwords and 150 million people are using passwordless methods each month – and that’s just from Microsoft. In practice we’re looking at many more than that.
For FIDO to achieve our audacious goal of providing simpler, stronger authn for all, we need to have endpoint support. This has been a huge focus of the Alliance since our inception and we’ve attacked this through collaboration with groups like W3C, which has led to broad FIDO support in every major web browser.
Additionally, all of the major OS vendors are core FIDO stakeholders and have built native FIDO support into their devices.
Virtually every device being unboxed today has built-in support for FIDO Authn. This sets the stage for industry to move beyond passwords.
Which has only helped accelerate the growing number of service providers that are leveraging FIDO
As we look at government, the FIDO imperative is similar to that of industry in several ways, but there are also distinct requirements.
Trust is overlooked sometimes when it comes to authentication – but it’s a core element for all constituents (employees, citizens, agencies, partners/suppliers).
You’ve already heard from Eric and you’ll hear other perspectives shortly – but FIDO’s blend of security, usability and deployability have forced new thinking from governments – which is ongoing.
Simply put, as technology evolved, policy needs to evolve with it.
To wit, when FIDO started engaging with governments back in 2015, most had not heard of FIDO – and in fact, most were just implementing or finalizing regulations that were largely focused on OTP or PKI.
Fast forwarding to 2022, not only are more governments aware of FIDO, but they’re actively driving conversation on the delineation between legacy and phishing-resistant MFA.
Thanks Venable!
And FIDO is also often cited in government guidance documents – as Eric talked about earlier, and as others will speak to later today. Outside of the US we see groups like the Australian Cyber Security Centre and the UK Government Digital Service and Cabinet Office explicitly recommending utilization of FIDO Security keys to help secure govt services
Identity coming to the fore in government in general:
Identity is now seen as critical infrastructure – right alongside the nation’s power grid
You see the CISA references, and also the Biden EO on MFA
Outside of the US there are critical identity initiatives also taking place – including eIDAS and National ID wallets in Europe
It’s worth highlighting the latest CISA guidance on MFA, which cites FIDO and FIDO security keys as the gold standard of MFA.
Many thanks to Jen Easterly and her remarkable team for the work that they’re doing.
We heard earlier from Eric Mill in his opening address – but for those of you who may have arrived late, it’s worth highlighting these aspects of the OMB zero trust strategy
Specifically, the push on *any* phishing-resistant MFA for agency workers, and also as an option for public users.
Look, PIV and CAC are great – but the fact of the matter is that FIDO Security Keys from companies such as Yubico, OneSpan and Feitian present a lower-friction option for agencies to deploy in rapid fashion
So to start to wrap things up, I’d like to look at a few of FIDO’s objectives – the first of which is to become part of the Web’s DNA
This is an objective because it is *necessary* for our mission to be successful. Passwords are part of our lives because they’re ubiquitous and part of the web’s DNA – simply put, we need to supplant them.
There are three key steps that any technology needs to achieve to reach this goal.
Once that’s accomplished, our primary objective is to enable a phishing-resistant future. Here’s what we have to do to get there.
Changing user behavior. Not using a password is easier than trying to remember a password, but trying to change user behavior is difficult. We did a UX study last year and it was fascinating to see consumers’ reactions to using what ultimately is a more user-friendly solution. That points to the need for education and consistent implementation – but the good news is that thanks to mobile devices, most people are accustomed to password-free login flows through things like FaceID. Now we all know that’s not truly passwordless – but having people learn that behavior is good.
This is a big one – and a space where FIDO is doing some super important work to standardize ID verification flows. But as long as accounts are being created with knowledge-based credentials, there will also be a wide open account recovery backdoor that hackers can use to take over accounts. We need to standardize and implement a possession-based approach to account creation that matches our commitment to possession-based authn
Then, we can truly start to replace passwords altogether with FIDO keypairs. We’re seeing several major companies do this today – most notably Microsoft accounts, but also eBay, NTT DOCOMO and several other companies are now allowing users to delete their passwords altogether.
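The property the talk keeps returning to, that a FIDO keypair is possession-based and unphishable where a password or OTP is not, comes from two mechanisms a relying party can check: the browser writes the origin it actually loaded into the signed client data, and the credential is scoped to a relying-party ID whose hash is in the signed authenticator data. The following Go program is an added example written for this page, not code from the FIDO Alliance or from any vendor named above. It models a WebAuthn-style registration and assertion with a simplified authenticatorData (SHA-256 of the rpID plus one flags byte) and replaces the browser's registrable-suffix rule for rpIDs with an exact-host match; the hosts bank.example and bank-example.com and the challenge string are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the WebAuthn CollectedClientData fields that matter here.
// The browser, not the page's JavaScript, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives back from the browser.
type Assertion struct {
	AuthData   []byte // simplified authenticatorData: SHA-256(rpID) || flags byte
	ClientData []byte // serialized clientData
	Signature  []byte // ASN.1 ECDSA over SHA-256(AuthData || SHA-256(ClientData))
}

// Authenticator keeps one key pair per relying-party ID, as a security key does.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a credential scoped to rpID; only the public key leaves the device.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign models browser plus authenticator: origin is the page the user is really on,
// rpID is what that page requested. Exact-host match is an assumption made here; a
// real browser accepts any registrable suffix of the origin's host.
func (a *Authenticator) Sign(origin, rpID, challenge string) (*Assertion, error) {
	if "https://"+rpID != origin {
		return nil, errors.New("browser: rpID is not valid for this origin")
	}
	return a.SignUnchecked(origin, rpID, challenge)
}

// SignUnchecked skips the browser's rpID check, modelling a malicious or buggy client.
// The origin it saw still ends up inside the signed clientData.
func (a *Authenticator) SignUnchecked(origin, rpID, challenge string) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("authenticator: no credential for this rpID")
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags: user present
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: cd, Signature: sig}, nil
}

// signedDigest computes what WebAuthn signs: authData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Verify is the relying-party side: the checks that leave a phishing site with
// nothing usable even if it captures a complete assertion.
func Verify(pub *ecdsa.PublicKey, expectedOrigin, rpID, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 32 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: credential belongs to another relying party")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientData), as.Signature) {
		return errors.New("bad signature: client data was altered after signing")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	pub, _ := auth.Register("bank.example")
	const challenge = "aGV5LXRoaXMtaXMtcmFuZG9t" // constructed; a real RP issues fresh random bytes per login
	legit, _ := auth.Sign("https://bank.example", "bank.example", challenge)
	fmt.Println("real site:", Verify(pub, "https://bank.example", "bank.example", challenge, legit))
	_, err := auth.Sign("https://bank-example.com", "bank.example", challenge)
	fmt.Println("phishing site, normal browser:", err)
	forged, _ := auth.SignUnchecked("https://bank-example.com", "bank.example", challenge)
	fmt.Println("phishing site, rpID check bypassed:", Verify(pub, "https://bank.example", "bank.example", challenge, forged))
}
```

The contrast with the SMS OTP case from earlier in the talk is that an OTP carries no statement about where it was typed, so a proxy that relays it to the real site is indistinguishable from the user. Here the relaying proxy receives an assertion whose signed client data names its own origin, and rewriting that origin breaks the signature; the challenge check additionally stops a captured assertion from being replayed later.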