FIDO2 makes the Internet more secure, but not everyone is convinced
This is a guest post by Aman Khanna, VP of Products at ThumbSignIn
With the continued rise of data breaches, studies show that the most vulnerable aspect of the security chain has been weak passwords. It’s becoming easier for hackers to steal passwords with access to more sophisticated technology that allows for phishing, mining, and keylogging attacks.
In an attempt to make passwords more secure, companies are asking users to make them longer and more complex, and to change them every three to six months. This, however, introduces a real usability problem. People find it harder and harder to remember and use passwords, ultimately resisting by creating weak ones—which circles back to the problem of data breaches.
Founded in 2012, the FIDO Alliance is a consortium of more than 350 companies — including Google, Microsoft, and Facebook — whose primary goal is to define common standards for building password authentication technologies across the Internet.
FIDO’s solution has been replacing passwords with biometric authentication, which solves the security problem and usability problem at the same time. When logging in with a fingerprint or Face ID, consumers don’t have to worry about forgetting their credentials because they are with them at all times.
Evolution of FIDO
The original set of FIDO standards was divided into two parts: the FIDO UAF (universal authentication framework), which provided for passwordless authentication, and the FIDO U2F (universal second factor), which provided for two-factor authentication.
While those standards worked well, the evolution of the web has made a next edition of the standards necessary. Called FIDO2, it was created in conjunction with the Internet’s governing body, the W3C (World Wide Web Consortium).
The first subset of the FIDO2 standards to be adopted by the W3C is WebAuthn. Previously — although some PCs might have come equipped with fingerprint sensors — there was no way for a user to log in to a website from a desktop device using biometric identification. WebAuthn changes all of that. A web application calls the WebAuthn API of the browser it is running in, and the browser in turn provides access to the biometric sensors on the device.
The other big piece of FIDO2 is called CTAP (client to authenticator protocol), which allows external devices — such as a nearby phone — to act as authenticators. With CTAP, a device can communicate with a laptop via Bluetooth or NFC, allowing the laptop to tap into the biometric capabilities of smartphones, smartwatches, or other devices.
FIDO2’s combination of WebAuthn and CTAP has dramatically enriched FIDO standards.
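To make the WebAuthn flow above concrete, here is an added example (not code from the article or from ThumbSignIn) showing both halves of a login: the browser-side call that hands a challenge to the authenticator, and the server-side check of the returned clientDataJSON that a relying party must perform before it trusts the signature. RP_ID, EXPECTED_ORIGIN and the sample data are assumptions; the final signature check against the stored public key is not shown.

```javascript
// Added example, not from the article or ThumbSignIn: the two halves of a WebAuthn
// login that the text describes. RP_ID, EXPECTED_ORIGIN and the sample data are assumed.
const RP_ID = 'example.com';                    // assumed relying-party id (the site)
const EXPECTED_ORIGIN = 'https://example.com';  // assumed origin the site is served from

// base64url helpers: WebAuthn transports binary fields (challenge, ids) this way.
function toBase64Url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromBase64Url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), c => c.charCodeAt(0));
}

// Browser side: options handed to navigator.credentials.get(). The browser relays them
// to the authenticator (built-in sensor, or a phone over CTAP) and returns an assertion.
function buildAssertionOptions(challengeBytes, credentialIds) {
  return { publicKey: {
    challenge: challengeBytes,                       // fresh random bytes from the server
    rpId: RP_ID,
    allowCredentials: credentialIds.map(id => ({ type: 'public-key', id })),
    userVerification: 'required',                    // require the biometric/PIN, not just a touch
    timeout: 60000,
  } };
}
async function login(challengeBytes, credentialIds) {   // runs only in a browser
  const cred = await navigator.credentials.get(buildAssertionOptions(challengeBytes, credentialIds));
  return { clientDataJSON: toBase64Url(new Uint8Array(cred.response.clientDataJSON)),
           signature: toBase64Url(new Uint8Array(cred.response.signature)) };
}

// Server side: before checking the signature, the relying party must confirm that the
// browser signed *its* challenge for *its* origin. This is what defeats phishing and replay.
function verifyClientData(clientDataJSONB64, expectedChallengeB64) {
  const data = JSON.parse(new TextDecoder().decode(fromBase64Url(clientDataJSONB64)));
  if (data.type !== 'webauthn.get') return { ok: false, reason: 'wrong ceremony type' };
  if (data.challenge !== expectedChallengeB64) return { ok: false, reason: 'challenge mismatch' };
  if (data.origin !== EXPECTED_ORIGIN) return { ok: false, reason: 'origin mismatch' };
  return { ok: true };
}

// Constructed sample: what a browser's clientDataJSON looks like for a given origin.
const SAMPLE_CHALLENGE = new Uint8Array(32).fill(7);
function sampleClientData(origin, challengeB64) {
  const json = JSON.stringify({ type: 'webauthn.get', challenge: challengeB64, origin });
  return toBase64Url(new TextEncoder().encode(json));
}
```

The origin check is what makes the scheme phishing-resistant: a look-alike site obtains an assertion bound to its own origin, which the real relying party rejects.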
Mass adoption of FIDO
A number of factors make this the ideal time for the rapid and broad adoption of FIDO standards, including:
· the exponential rise of cybersecurity breaches in the last three years, more than 75% of which were a result of weak or stolen passwords;
· stricter regulations around consumer privacy, which have led to companies being slapped with massive penalties for consumer data breaches;
· the frictionless user experience of biometrics;
· the ubiquity of smartphones with biometric sensors;
· and the W3C’s standardization of strong authentication protocols for the Internet.
FIDO hasn’t convinced everyone
A new survey of senior IT and security professionals has produced some revealing findings. Despite FIDO’s presence over the past few years, only 64% of the survey’s respondents felt it was a necessary or good-to-have standard.
Even though many organizations understand the importance of FIDO and FIDO-based authentication, there are still a lot of bureaucratic and process-related barriers. 26% of respondents perceive these technologies as very complex to implement and requiring a huge investment. Another 26% revealed they are worried that user adoption may not be great, due to established user habits and ill-informed concerns about biometric privacy.
Despite major advances in technology, some barriers remain in making biometric authentication more ubiquitous. For example, although there are some leading banks, such as Bank of America and Wells Fargo, that have adopted FIDO standards, mainstream adoption is not there yet. Many smaller banks are taking a wait-and-watch approach before fully committing to FIDO2.
However, because of W3C’s stamp of approval, these banks will likely consider implementing this technology in the future. International banks might also be motivated by new regulations that require the implementation of strong authentication technologies.
Convenience is more important than security
100% of the companies involved in the survey said that they were interested in biometrics for a smoother user experience, whereas only 75% of them cited security purposes.
Interestingly, the survey also revealed that facial recognition is the most popular type of biometric authentication, with 100% of the respondents considering it, followed by fingerprint recognition at 82%.
More likely than not, the future of biometric identification is a hybrid approach that uses more than one factor — such as behavioral tracking and facial recognition — to provide even stronger and more frictionless security.
The future of FIDO and biometrics
The simplification of authentication will lead to its expansion into other interactions that consumers have with institutions such as ATMs, call centers, or even in-person visits with a bank loan officer.
As the survey revealed, the future of implementing biometrics is not just about convincing companies of the effectiveness of the technology — it’s about justifying the investment and helping them overcome bureaucratic barriers to adoption.
About the author
Aman Khanna is VP of Products at ThumbSignIn, a strong authentication provider offering a suite of two-factor and biometric solutions.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.