FIDO2 makes the Internet more secure, but not everyone is convinced

Bureaucratic barriers, lack of awareness and a perception that biometrics are complex to implement have kept many companies from incorporating FIDO into their security measures.

This is a guest post by Aman Khanna, VP of Products at ThumbSignIn

With the continued rise of data breaches, studies show that the most vulnerable aspect of the security chain has been weak passwords. It’s becoming easier for hackers to steal passwords with access to more sophisticated technology that allows for phishing, mining, and keylogging attacks.

In an attempt to make passwords more secure, companies are asking users to make them longer and more complex, and to change them every three to six months. This, however, introduces a real usability problem. People find it harder and harder to remember and use passwords, ultimately resisting by creating weak ones—which circles back to the problem of data breaches.

Biometric solution

Founded in 2012, the FIDO Alliance is a consortium of more than 350 companies — including Google, Microsoft, and Facebook — whose primary goal is to address common standards for building password authentication technologies across the Internet.

FIDO’s solution has been replacing passwords with biometric authentication, which solves the security problem and usability problem at the same time. When logging in with a fingerprint or Face ID, consumers don’t have to worry about forgetting their credentials because they are with them at all times.

Evolution of FIDO

The original set of FIDO standards was divided into two parts: the FIDO UAF (universal authentication framework), which provided for passwordless authentication, and the FIDO U2F (universal second factor), which provided for two-factor authentication.

While those standards worked well, the evolution of the web has made a next edition of standards necessary. Called FIDO2, it was created in conjunction with the Internet’s governing body, the W3C (World Wide Web Consortium).

The first subset of the FIDO2 standards to be adopted by the W3C is WebAuthn. Previously — although some PCs might have come equipped with fingerprint sensors — there was no way for a user to log in to a website from a desktop device using biometric identification. WebAuthn changes all of that. A website calls the WebAuthn API in the browser it’s running in, and the browser in turn provides the functionality to access biometric sensors on the device.
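What that call can look like, together with the checks a site runs on the reply before verifying the signature, as an added example that is not from the original post. The function names, `login.example` and the sample response are constructed for illustration; signature verification is omitted.

```javascript
// Added example, not code from the original post. All values are constructed.
const { createHash } = require("node:crypto");
const sha256 = (s) => createHash("sha256").update(s).digest();

// Browser side: the argument a site hands to navigator.credentials.create().
// "platform" + "required" asks for a built-in authenticator (fingerprint or
// face sensor) and for the user to be verified on the device itself.
function creationOptions(rpId, user, challenge) {
  return { publicKey: {
    rp: { id: rpId, name: "Example site" },
    user: { id: new TextEncoder().encode(user), name: user, displayName: user },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // -7 = ES256
    authenticatorSelection: { authenticatorAttachment: "platform",
                              userVerification: "required" },
  } };
}

// Server side: checks made before signature verification (not shown).
// authenticatorData starts: rpIdHash (32 bytes) | flags (1) | signCount (4).
// The site receives these flags and a public key, never the biometric itself.
function checkResponse(clientDataJSON, authData, expected) {
  const cd = JSON.parse(clientDataJSON.toString("utf8"));
  if (cd.type !== expected.type) return "wrong ceremony type";
  if (cd.challenge !== expected.challenge.toString("base64url")) return "challenge mismatch";
  if (cd.origin !== expected.origin) return "origin mismatch";
  if (authData.length < 37) return "authenticator data too short";
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpIdHash mismatch";
  const flags = authData[32];
  if (!(flags & 0x01)) return "user not present";  // UP bit
  if (!(flags & 0x04)) return "user not verified"; // UV bit: biometric or PIN check ran
  return "ok";
}

// Constructed stand-in for what a browser would return (first 37 bytes only;
// a real registration response carries credential data after them).
function sampleResponse(challenge, flags) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.create",
    challenge: challenge.toString("base64url"),
    origin: "https://login.example",
  }));
  const authData = Buffer.concat([sha256("login.example"),
                                  Buffer.from([flags, 0, 0, 0, 0])]);
  return { clientDataJSON, authData };
}
```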

The other big piece of FIDO2 is called the CTAP (client to authenticator protocol), which allows users to use external devices — such as a nearby phone — as authenticators. With CTAP, a device can communicate with a laptop via Bluetooth or NFC, allowing it to tap into the biometric capabilities of smartphones, smartwatches, or other devices.

FIDO2’s combination of WebAuthn and CTAP has dramatically enriched FIDO standards.

Mass adoption of FIDO

A number of factors make this the ideal time for the rapid and broad adoption of FIDO standards, including:

· the exponential rise of cybersecurity breaches in the last three years, more than 75% of which were a result of weak or stolen passwords;

· stricter regulations around consumer privacy, which have led to companies being slapped with massive penalties for consumer data breaches;

· the frictionless user experience of biometrics;

· the ubiquity of smartphones with biometric sensors;

· and the W3C’s standardization of strong authentication protocols for the Internet.

FIDO hasn’t convinced everyone

A new survey of top IT and security participants has provided some revelatory new findings. Despite FIDO’s presence over the past few years, only 64% of the survey’s respondents felt it was a necessary or good-to-have standard.

Even though a lot of organizations understand the importance of FIDO and FIDO-based authentication, there are still a lot of bureaucratic and process-related barriers. 26% of respondents have a perception that these technologies are very complex to implement and require a huge investment. 26% also revealed they are worried that user adoption may not be great due to established user habits and ill-informed concerns about biometric privacy.

Despite major advances in technology, some barriers remain in making biometric authentication more ubiquitous. For example, although there are some leading banks, such as Bank of America and Wells Fargo, that have adopted FIDO standards, mainstream adoption is not there yet. Many smaller banks are taking a wait-and-watch approach before fully committing to FIDO2.

However, because of W3C’s stamp of approval, these banks will likely consider implementing this technology in the future. International banks might also be motivated by new regulations that require the implementation of strong authentication technologies.

Convenience is more important than security

100% of the companies involved in the survey said that they were interested in biometrics for a smoother user experience, whereas only 75% of them cited security purposes.

Interestingly, the survey also revealed that facial recognition is the most popular type of biometric authentication, with 100% of the respondents considering it, followed by fingerprinting at 82%.

More likely than not, the future of biometric identification is a hybrid approach that uses more than one factor — such as behavioral tracking and facial recognition — to provide even stronger and more frictionless security.

The future of FIDO and biometrics

The simplification of authentication will lead to its expansion into other interactions that consumers have with institutions such as ATMs, call centers, or even in-person visits with a bank loan officer.

As the survey revealed, the future of implementing biometrics is not just about convincing companies of the effectiveness of the technology — it’s about justifying the investment and helping them overcome bureaucratic barriers to adoption.

About the author

Aman Khanna is VP of Products at ThumbSignIn, a strong authentication provider offering a suite of two-factor and biometric solutions.

DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are those of the author, and don’t necessarily reflect the views of BiometricUpdate.com.
