Passwords are often the bane of the IT professional’s existence. Users can never remember their passwords, and hackers use the doors that passwords open to exploit networks. While some password protection programs generate strong, virtually unbreakable unique passwords, they are often too complex to roll out en masse. Two-factor authentication has helped to boost security but can still be vulnerable to cybercriminals. There are big changes on the horizon, however, which may get rid of the idea of passwords altogether. The new technology rolled out earlier this year, named Fast Identity Online or FIDO, transforms the log-in process, blending phone, face, and fingerprint recognition as well as hardware security keys. If FIDO does what it promises, passwords like “123456” – which made the IT team shake their heads in disbelief – won’t be causing security issues anymore.
As reported this spring on CNET, FIDO is among the changes that should free us from password problems once and for all. These changes include a strategic effort that will affect how we use email, send or wire money, and log in to company networks. CNET examined several approaches to authentication that remove the need for passwords and two-factor authentication while still providing the benefits of password managers.
A History of Password Problems
Computer passwords have been causing security headaches for 60 years. An MIT researcher in the 1960s famously exploited the passwords of his colleagues, while in the 1980s, University of California Berkeley astrophysicist Clifford Stoll monitored a German hacker who was breaking into insecure government and military computers because administrators never changed the default passwords. Today, the most secure passwords are long and complex, but they are also hard to remember, and most people don’t like keeping track of passwords they can’t remember. As creatures of habit, users therefore fall back on passwords they have used in the past. This causes a big problem, because cybercriminals have been collecting our passwords for decades through massive data breaches. Hackers simply run an automated program that tries millions of previously stolen passwords until one works on the network of interest.
How FIDO Addresses the Issue
FIDO takes on these problems by standardizing the utilization of hardware devices and security keys for authentication.
What are Security Keys? Security keys are the digital equivalent of ordinary house keys. You plug a security key into a USB or Lightning port, and a single key can work safely with multiple websites and apps. The key can be combined with biometric authentication (e.g., Apple’s Face ID) and will also work wirelessly.
FIDO also allows services and sites to completely replace passwords, a change that could make a user’s life much easier while making cybercrime harder.
“Within the next five years, every major consumer internet service will have a passwordless alternative,” says Andrew Shikiar, executive director of the FIDO Alliance, an industry consortium. “The bulk of those will be using FIDO.”
An End to Phishing?
Phishing is a cyber-attack in which hackers use a fake email and a fraudulent website to trick an individual into sharing log-in information and passwords.
FIDO relies on public key cryptography, the same technology that has protected online credit card numbers for many years. Because the key pair is tied to the genuine site, a FIDO security key will not operate with even a well-crafted bogus website.
“With security keys, instead of the user needing to verify the site, the site has to prove itself to the key,” Mark Risher, a leader of authentication work at Google, wrote in a blog post. After Google switched its employees to security keys, successful phishing attempts dropped to zero.
FIDO also alleviates organizational concerns about serious data breaches, especially of sensitive customer data such as account credentials. Stolen passwords will no longer be sufficient to log in to a network. If FIDO works as promised, businesses might not require passwords at all.
Here is an example of one way that FIDO could work. The user navigates to the website’s login page, types in a username, inserts the security key, and then uses the laptop’s biometric authentication to log on. Users will also be able to use their phones as a security key.
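As an added illustration (not code from the original post, from CNET, or from the FIDO Alliance), the following Go program models the login flow just described together with the point Mark Risher makes above: the security key holds a separate key pair for each site, and what it signs includes the origin the browser actually observed, so a look-alike site can neither make the key use the genuine site's credential nor produce a signature the genuine site will accept. The site names bank.example and bank-example.test, the cred-N credential IDs and the signed-data layout are constructed for this example and simplify the real WebAuthn/FIDO2 message formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// credential is one key pair minted for exactly one relying party (website).
type credential struct {
	rpID string            // the site this key is scoped to, e.g. "bank.example" (constructed)
	priv *ecdsa.PrivateKey // never leaves the authenticator
}

// Authenticator stands in for a hardware security key: one key pair per site.
type Authenticator struct {
	creds map[string]*credential // credential ID -> credential
}

// Register mints a fresh P-256 key pair scoped to rpID and returns only a credential ID and the public half.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing means the host has no usable entropy source
	}
	id := fmt.Sprintf("cred-%d", len(a.creds)+1) // constructed ID scheme for the demo
	a.creds[id] = &credential{rpID: rpID, priv: priv}
	return id, &priv.PublicKey
}

// signedData is what the key signs: hash(origin the browser saw) || one-time challenge, hashed for ECDSA.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(append(rpHash[:], challenge...))
	return digest[:]
}

// Assert answers a login challenge. The browser, not the web page, supplies rpID from
// the page's real origin, so a look-alike domain cannot borrow the genuine site's key.
func (a *Authenticator) Assert(rpID, credID string, challenge []byte) ([]byte, error) {
	c, ok := a.creds[credID]
	if !ok || c.rpID != rpID {
		return nil, errors.New("no credential scoped to this origin; refusing to sign")
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, signedData(rpID, challenge))
}

// RelyingParty is the website's server side: it holds public keys only.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey // credential ID -> enrolled public key
}

// NewChallenge issues 32 random bytes that are signed once and then discarded.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// Verify accepts a login only if the signature covers this site's own ID plus its challenge, under the enrolled key.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[credID]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}

// LoginDemo registers a key with the constructed site "bank.example", then runs a genuine login and a
// phishing attempt from the look-alike "bank-example.test", reporting the outcome of each check.
func LoginDemo() (legit, keyRefused, relayRejected bool) {
	key := &Authenticator{creds: map[string]*credential{}}
	bank := &RelyingParty{ID: "bank.example", pubs: map[string]*ecdsa.PublicKey{}}
	// Registration: the user plugs the key in once on the genuine site.
	credID, pub := key.Register(bank.ID)
	bank.pubs[credID] = pub
	// Genuine login: challenge from the bank, assertion by the key, check by the bank.
	challenge := bank.NewChallenge()
	sig, err := key.Assert(bank.ID, credID, challenge)
	legit = err == nil && bank.Verify(credID, challenge, sig)
	// Phishing: the look-alike page relays the real challenge, but the browser reports the true origin.
	_, err = key.Assert("bank-example.test", credID, challenge)
	keyRefused = err != nil
	// Even a key registered on the look-alike site cannot satisfy the bank: wrong origin hash, unenrolled key.
	phishID, _ := key.Register("bank-example.test")
	phishSig, err := key.Assert("bank-example.test", phishID, challenge)
	relayRejected = err == nil && !bank.Verify(credID, challenge, phishSig) &&
		!bank.Verify(phishID, challenge, phishSig)
	return
}

func main() {
	legit, refused, rejected := LoginDemo()
	fmt.Println("genuine login:", legit, "| key refused phishing origin:", refused, "| relayed signature rejected:", rejected)
}
```

The detail that matters for defenders is in Assert and signedData: the origin that goes into the signature comes from the browser's view of the page, so a phishing site never gets a chance to "ask nicely" for the genuine credential, and the server never stores anything a breach could turn into a reusable password.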
FIDO Authentication Becoming Mainstream
Experts regard hardware security keys as very secure.
Consumer services sometimes require keys only when logging in on a new PC or phone for the first time. They may also require them for a sensitive operation such as transferring money or changing a password.
Currently, major providers such as Android and Apple are making their phones FIDO compliant. Microsoft is a significant supporter as well.
For more information on utilizing hardware security keys to protect your company’s security, call the experts at Alliance IT. We are here to help your network be as efficient, productive, and secure as it can be.