Financial services has always been a target for hackers, and COVID only accelerated this – over 230% growth in attacks from Feb-April alone. The average cost is nearly $20M per attack.
And the fact of the matter is I could spend my entire 15 minutes with slide after slide with data like this, and at the end of the day the vast majority of these stats come down to a fundamental truth, which is
Phishing attacks will grow because hackers like making money, in addition to causing chaos. They’re relatively cheap to execute and have a staggering success rate of 50%+.
But that’s not really new – I could have made the same prediction in each of the past several years and have been 100% correct.
My headline prediction for 2022 is that MFA bypass attacks will become mainstream. Here are two examples from just this year – attacks on two hugely valuable brands
But it’s not all doom and gloom. There’s plenty of good news too.
In general, there’s more awareness of the inherent risk of passwords – and Gartner has cited passwordless authentication as a technology to deploy NOW, with FIDO and FIDO security keys cited as the preferred method. This is one reason why we’re seeing so much VC investment in the digital identity landscape – our vendor community is struggling to keep up with all of the demand, which certainly is a good ‘problem’ to have.
[click]
Beyond the enterprise, I’m confident that we’ll see solutions emerge from mobile platforms this year that can bring truly passwordless login alternatives to the masses.
Do you look at your users this way?
What is stopping you?
FIDO’s goal from day one was to transform the market away from dependence on centrally stored shared secrets to a model that uses public key cryptography and allows consumers to authenticate through devices that they literally have at their fingertips every day. It’s simpler and stronger authentication.
This vision has been realized through several sets of specifications since 2015, and also has seen rapid deployment – which we’ll touch on in a few
And then today you can see major additions that have helped us move forward on our mission – Amazon, Apple, LINE, Yahoo Japan, etc.
We always need a device in the middle, we call this the authenticator
Step 1 - Local interaction between the user and authenticator – we call this user verification
On the front end, we are very flexible: we require some user gesture, and that gesture is verified directly by the authenticator.
Facial recognition, local PIN entry, security key – but we will talk more about the user experience in a minute
Step 2:
Once the user is verified by the authenticator, which lives on your personal device, the authenticator then authenticates you to the service. Not using your information or the evidence of who you are, but actually using public key cryptography.
What’s beautiful about public key cryptography is that you never have to give away your private key (your secret). With asymmetric cryptography, which is what we use, you use that private key to sign a challenge: proof of possession that you hold the right private key. The service provider verifies the signature with the corresponding public key. Unique key pairs for each service, which is essential for privacy: no global identifiers with FIDO.
Simple change of architecture turns the model upside down.
The only thing now stored on a server is the public keys, which aren’t useful for a scalable attack. With the chip migration here in the U.S., we used to talk a lot about removing the incentive for cybercriminals to go after data, because chip data has so much less value. What we’re doing with FIDO is similar.
Talk about the journey of how we got here (FIDO2 / W3C)
And it’s through that collaboration that we’re able to work towards device ubiquity – indeed as ubiquitously available as passwords … on every device. Every browser. Every operating system.
Change logos out
1PW
Microsoft
Dashlane
Google
Add:
Rakuten
CVSHealth
Merck
B of A
eBay
Change logos out
So where do we need to go to get to mass adoption? It’s really about usability while keeping our core security principles a priority. What we mean by usability is not just the experience of logging in but looking at user behavior and answering questions like: what are the best messages for getting users interested in enrolling? What does the optimal enrollment flow look like? What visual cues are most appropriate for login? How do we solve account recovery in our device-based authentication model if someone loses a device or just gets a new one? These are the things that we are working on, and making progress on.
Also, deployability / integratability
Workforce usability
User journey is actually quite nuanced
Employees will break your MFA if it’s not usable
This is the next step in the evolution of FIDO and passwordless authentication adoption
Makes FIDO as ubiquitous and available as passwords