Javelin Research's State of Strong Authentication 2019 Report Webinar

All Rights Reserved | FIDO Alliance | Copyright 20191
JAVELIN RESEARCH’S STATE OF
STRONG AUTHENTICATION
2019 REPORT
AL PASCUAL – SVP AND RESEARCH DIRECTOR
JAVELIN STRATEGY & RESEARCH
ANDREW SHIKIAR – CHIEF MARKETING OFFICER
FIDO ALLIANCE
FEBRUARY 7, 2019

2
SPEAKERS
Al Pascual
SVP & Research
Director
Javelin Strategy
& Research
Andrew Shikiar
CMO
FIDO Alliance

3
THE STATE OF STRONG
AUTHENTICATION
2019 REPORT
AL PASCUAL, JAVELIN STRATEGY &
RESEARCH

METHODOLOGY
Enterprise data in this report was collected from a survey of 600 identity and authentication
decision-makers for businesses headquartered in the United States, with revenues of at least $20
million for the previous year.
301 respondents answered questions about their business' practices in authenticating customers and
299 answered questions about their business' practices in authenticating employees, vendors, and
contractors.
When data was compared against 2017 responses, previous years' data was adjusted to exclude
businesses with annual revenues under $20 million for more accurate comparisons against the 2018
respondent pool.

5
STRONG VS TRADITIONAL AUTHENTICATION
STRONG AUTHENTICATION
✓ Multiple factors
✓ 1+ factor uses cryptographically
backed authentication method
TRADITIONAL AUTHENTICATION
✓ Multiple factors
x No cryptographic handshake
CRYPTOGRAPHICALLY BACKED STRONG AUTHENTICATION:
Where one of multiple authentication factors uses public key cryptography

6
KEY FINDINGS: DRAMATIC GROWTH SINCE 2017
Adoption of cryptographically
backed authentication has…
for consumers
TRIPLED
for enterprise
INCREASED 50%

7
KEY FINDINGS: ADOPTION ACCELERATED BY REGULATION
Nearly 70% of businesses agree they face strong regulatory pressure
to provide strong authentication for their customers
PSD2
GDP
R

8
KEY FINDINGS: HOLDOUTS UNDERESTIMATE RISKS
Two-thirds of businesses that use only passwords to authenticate their
employees do so because they believe passwords are “good enough”
despite cybercriminals’ continuing to target a wide variety
of consumer and business information

9
RECOMMENDATIONS: SUNSET OTPS
With cyber criminals using social engineering, phone porting and malware
to compromise OTP authenticators, Javelin recommends moving away from
them and adopting cryptographically-backed strong authentication

10
CASE STUDIES: GOOGLE, TRADELINK, VISA
• No successful phishing attacks
against 85,000+ employees since
implementing FIDO Security Keys
in 2017
• Released their FIDO-based
Titan Security Key, intended for
enterprises using Google services
• Chrome supports WebAuthn
• Using FIDO Authentication since
2016
• Adoption by banks has been
strong – no user information ever
leaves the device
• Hong Kong government will
launch new initiative for
electronic ID in 2020 leveraging
FIDO Authentication
• Using a FIDO Certified solution
as part of it’s ID Intelligence
suite for FIDO-based biometrics
• Visa chose a FIDO-based solution
because it aligned with its
approach to prioritize protecting
user data and leveraging
available data to make better
decisions

FIDO: CRYPTOGRAPHICALLY
BACKED AUTHENTICATION
ANDREW SHIKIAR, FIDO ALLIANCE

Data breaches in 2016
that involved weak,
default, or stolen
passwords (VDBR)
81%
Phishing attacks were
successful in 2017
(VDBR)
Breaches in 2017, a 45%
increase over 2016
(ITRC)
1 IN 8
1,579
Of passwords are
reused across services
(University of Oxford)
51%
Of helpdesk calls are for
password resets (at
$70/reset)(Gartner/Forrester)
Password-driven cart
abandonment rate (Visa)
20-50%
49%
MEASURING THE PROBLEM

LEADING THE EFFORT
CONSUMER ELECTRONICS SECURITY & BIOMETRICS HIGH-ASSURANCE SERVICES

DeviceSomething Authentication
Internet
Password could be stolen
from the server
1Password might be entered
into untrusted App /
Web-site (“phishing”)
2
Too many passwords to remember
(>re-use / cart Abandonment)
3
Inconvenient to type
password on phone
4
OLD AUTHENTICATION WITH PASSWORDS

NEW AUTHENTICATION WITH FIDO
AuthenticatorUser verification FIDO Authentication
Require user gesture
before private key can
be used
Challenge
(Signed) Response
Private key (handle)
per account Public key
No secrets stored on the
server
1
Authenticator cannot be
“tricked” by phishing
2
Nothing to remember, no friction
added to transaction process
3
Single gesture
convenience for User
4

THE FIDO AUTHENTICATOR
AuthenticatorUser verification FIDO Authentication
… …SE
How is the key protected
(TPM, SE, TEE, …)?
Which user verification
method is used?

FIDO SPECIFICATIONS
Passwordless Experience (UAF & FIDO2)
Authenticated Online
3
Biometric User Verification*
21
Authentication Challenge Authenticated Online
3
Second Factor Challenge Insert Security Key* /
Press Button
Second Factor Experience (U2F & FIDO2)
*There are other types of authenticators
21

FIDO IS A W3C SPECIFICATION
FIDO2 (CTAP & W3C Web Authentication / “WebAuthn”)

FIDO IS AN ITU STANDARD
x.1277 -- ITU ratification of FIDO UAF
x.1278 -- ITU ratification of FIDO2 CTAP (includes CTAP1/U2F)

INDUSTRY PARTNERSHIPS

BACKED BY CERTIFICATION (500++)
• Functional Certification (End-to-End):
• Conformance Testing
• Interoperability Testing
• Authenticator Security Certification Levels
• How well do you protect the private key?
• 3rd-party laboratory verification
• Complimented by Biometric Component certification
• Universal Server:
• Ensures compatibility with all FIDO Certified Authenticators

FIDO CERTIFIED ECOSYSTEM (SAMPLE)
SECURITY KEYS (and
more)HANDSETS + PCS CLOUD/SERVER SOLUTIONS

FIDO IS BEING USED AROUND THE WORLD
(Sample of deployments in production)

IN SUMMARY… SECURE BY DESIGN
Based on public
key cryptography
No server-side
shared secrets
Keys stay
on device
No 3rd
party in
the protocol
Biometrics, if used,
never leave device
No link-ability between
services or accounts

FIDO:
THE FUTURE OF
USER
AUTHENTICATION
FIDO Authentication is the industry’s
response to the password problem
• INDUSTRY SUPPORT - FIDO represents the efforts of some of the world’s largest companies whose very
businesses rely upon better user authentication
• THOUSANDS OF SPEC DEVELOPMENT HOURS - Now being realized in products being used every day
• ONGOING INNOVATION - Specifications, certification programs, and deployment working groups
establishing best implementation practices
• ENABLEMENT - Leading service providers representing billions of user identities are already
FIDO-enabling their authentication processes

Join the FIDO Ecosystem
www.fidoalliance.org
Deploy
Take Part in FIDO Events
Build FIDO Certified Solutions
Join the Alliance
Twitter: @fidoalliance

Connect with FIDO
fidoalliance.org

Javelin Research's State of Strong Authentication 2019 Report Webinar

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Javelin Research's State of Strong Authentication 2019 Report Webinar

Similar to Javelin Research's State of Strong Authentication 2019 Report Webinar (20)

More from FIDO Alliance

More from FIDO Alliance (20)

Recently uploaded

Recently uploaded (20)

Javelin Research's State of Strong Authentication 2019 Report Webinar