
Persistent phishing to push passkeys past passwords

Adoption of the FIDO Alliance’s passkeys by the tech giants means that more than three out of every four devices already in consumers’ hands support them, according to a new report from OwnID. ‘The Passwordless Authentication Report 2023’ was released on the heels of in-depth discussion of passkeys and their impact at the annual Cybersecurity Policy Forum, hosted by the Better Identity Coalition, the FIDO Alliance and the Identity Theft Resource Center.

OwnID says that customers have found implementing passwordless registration and logins increases authenticated users by 20 percent across websites.

There was also a significant shift over the past year towards the adoption of biometrics for passwordless authentication, according to the report.

FIDO forecasts phishing

FIDO Alliance Executive Director and CMO Andrew Shikiar delivered a keynote address at the Cybersecurity Policy Forum.

The arrival of MFA bypass attacks in the mainstream, which FIDO predicted at the virtual Cybersecurity Policy Forum in 2022, accentuates the need to move from legacy authentication based on knowledge factors to authentication based on a possession factor unlocked by local biometrics, he says.

In the year ahead, Shikiar expects MFA bypass attacks to continue, but also to push organizations towards phishing-resistant authentication.

In the 0ktapus phishing attack of 2022, Cloudflare avoided a breach by “layering FIDO security keys on top of Okta instead of TOTP: They did not get hit by the attack.” The same attack motivated Twilio to move to FIDO2 instead of one-time passwords.
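The difference Shikiar describes is mechanical rather than a matter of stacking more factors, and it can be shown in code. The script below is an added example written for this page, not code from the FIDO Alliance, Cloudflare or Twilio. It implements RFC 6238 TOTP with the Python standard library and the skeleton of the assertion check a WebAuthn relying party performs. The relying party, login origin and phishing origin (example.com and the like) are assumed names; the authenticator’s ECDSA signature is replaced by an HMAC keyed with a per-credential secret so the script runs without third-party packages, while the signed message layout (authenticatorData || SHA-256(clientDataJSON)) and the checks on origin and rpIdHash are the real ones. A relayed TOTP code is accepted because nothing in it says where it was typed; a relayed WebAuthn assertion fails because the browser wrote the phishing origin into the signed client data, and rewriting that field invalidates the signature.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

# Assumed names for the example.
RP_ID = "example.com"                        # relying party identifier
RP_ORIGIN = "https://login.example.com"      # legitimate login origin
PHISH_ORIGIN = "https://login-example.com"   # look-alike origin served by the attacker's proxy


# ---- TOTP (RFC 6238 over RFC 4226 HOTP): a code the user reads and types ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_server_accepts(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Typical server check: current step plus or minus a small clock skew."""
    return any(hmac.compare_digest(totp(secret, unix_time + 30 * k), code)
               for k in range(-skew_steps, skew_steps + 1))


def totp_relay_phish_succeeds(secret: bytes, unix_time: int) -> bool:
    """The victim types the code into the phishing page and the proxy forwards it unchanged.
    Nothing in a TOTP code says where it was typed, so the real server accepts it."""
    code_typed_on_phish_page = totp(secret, unix_time)
    return totp_server_accepts(secret, code_typed_on_phish_page, unix_time)


# ---- WebAuthn assertion: a signature over data that names the origin ----
def _sign(cred_key: bytes, auth_data: bytes, client_data_json: bytes) -> bytes:
    """Stand-in for the authenticator's ECDSA signature (HMAC, to avoid dependencies).
    The message is the real one: authenticatorData || SHA-256(clientDataJSON)."""
    return hmac.new(cred_key, auth_data + hashlib.sha256(client_data_json).digest(), hashlib.sha256).digest()


def browser_get_assertion(cred_key: bytes, rp_id: str, page_origin: str, challenge: str):
    """The browser, not page script, fills clientDataJSON.origin from the page's real origin,
    and refuses an rpId that is not the page host or a registrable suffix of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId is not valid for this origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
                             separators=(",", ":")).encode()
    # authenticatorData = rpIdHash(32) || flags(1: UP|UV) || signCount(4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 1)
    return auth_data, client_data, _sign(cred_key, auth_data, client_data)


def rp_verify(cred_key: bytes, auth_data: bytes, client_data_json: bytes, signature: bytes, challenge: str) -> bool:
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                                  # the check that defeats a relay proxy
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():     # rpIdHash must be ours
        return False
    if not auth_data[32] & 0x01:                                       # user presence flag
        return False
    return hmac.compare_digest(_sign(cred_key, auth_data, client_data_json), signature)


def _fresh_challenge() -> str:
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def webauthn_legit_login_succeeds(cred_key: bytes) -> bool:
    ch = _fresh_challenge()
    return rp_verify(cred_key, *browser_get_assertion(cred_key, RP_ID, RP_ORIGIN, ch), ch)


def webauthn_relay_phish_succeeds(cred_key: bytes) -> bool:
    """Proxy hands a real challenge to the victim's browser on the look-alike page and forwards
    the assertion verbatim. The browser will not sign for RP_ID from PHISH_ORIGIN, so the proxy
    can only request its own host as rpId. Worst case for the RP is modelled: the same key signs."""
    ch = _fresh_challenge()
    phish_rp_id = PHISH_ORIGIN.split("://", 1)[1]
    return rp_verify(cred_key, *browser_get_assertion(cred_key, phish_rp_id, PHISH_ORIGIN, ch), ch)


def webauthn_tampered_relay_succeeds(cred_key: bytes) -> bool:
    """Proxy rewrites origin and rpIdHash to the legitimate values before forwarding. Both are
    covered by the signature, so verification now fails on the signature instead."""
    ch = _fresh_challenge()
    phish_rp_id = PHISH_ORIGIN.split("://", 1)[1]
    auth_data, client_data, sig = browser_get_assertion(cred_key, phish_rp_id, PHISH_ORIGIN, ch)
    forged_cd = client_data.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    forged_ad = hashlib.sha256(RP_ID.encode()).digest() + auth_data[32:]
    return rp_verify(cred_key, forged_ad, forged_cd, sig, ch)
```

The TOTP routine reproduces the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `94287082` at eight digits), so the relay result is not an artefact of a simplified implementation. On the WebAuthn side, in practice the attack fails even earlier, since the authenticator holds no credential for the attacker’s rpId; the example lets the same key sign anyway to show that the relying party’s own checks are sufficient.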

SMS OTP is the next authentication method set to be exposed as a vulnerability. Identity verification is also heading into the mainstream, Shikiar says, citing moves by Twitter and efforts to institute online age protections.

In response to these trends, the FIDO Alliance plans to launch certification for liveness and biometric matching for face verification solutions in 2023. The organization’s Biometric Component Certification tests are expanding with a presentation attack detection-only offering as well.

The organization is also working to scale FIDO authentication through ubiquitous availability and adoption by incumbent providers.

“There are some fundamental aspects in how we’ve been deploying FIDO that were hindering such adoption,” Shikiar says. “So we took the decision with passkey that allows for further usability from the OS on up, while not losing focus on security.”

What is different is that the private key may now be securely synced across a cloud service, rather than being bound to a single device. Passkeys are also more deeply integrated with operating systems, allowing the “quirky” device and browser prompts found in some WebAuthn integrations to be skipped.

Passkeys are highly complementary to FIDO Security Keys, according to Shikiar, and will progress further into the consumer mainstream in 2023.

Together, they could help authentication serve as a bridge over the digital divide, replacing the wedge created by a proliferation of passwords.

Meaningful progress will come this year on reducing passwords for government services, FIDO predicts.

Shikiar cited the endorsement of FIDO and strong authentication in various publications and announcements by government agencies in the U.S. and elsewhere.

Passkeys ready now . . . at least for some

A panel discussion on ‘Passkeys and the Future of Passwordless Authentication’ immediately followed Shikiar’s presentation.

The panel was made up of representatives from NIST, Microsoft, Amazon and Google, and was moderated by Megan Shamas of the FIDO Alliance.

Passkeys will begin making their way into Google products this year, Google Product Manager for Identity and Security Christiaan Brand says. The company’s internal research suggests that 46 percent of consumers will fall for a well-crafted phishing attempt, lending urgency to efforts to encourage adoption among the general public.

Password managers and other third parties take on the role of what Microsoft Identity Standards Architect Tim Cappalli calls “pluggable passkey providers.” They would interact with the OS as native plug-ins, with the OS providing other parts of the functionality, such as biometrics.

Brand noted that while consumers have some clarity about how platforms like Apple and Android handle passkeys, third-party providers add complexity, since each may handle security differently. A minimum bar for them is being discussed within the Alliance.

Different environments like enterprise systems also present their own complexities.

Syncing between devices raises considerations for NIST’s Digital Identity Guidelines, SP 800-63-4, currently in draft, NIST Computer Security Division Lead for Hardware-Rooted Security Andrew Regenscheid says. It would be good to have a signal that a given credential has been synced to a new device.
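WebAuthn Level 3 gives relying parties one such signal: the flags byte of the authenticator data carries a Backup Eligibility (BE) bit and a Backup State (BS) bit, so a relying party can record both at registration and notice when BS flips on a later assertion. The parser and comparison below are an added example, not code from NIST or the FIDO Alliance; the sample authenticator data is constructed inline for the example, the rpId example.com is an assumption, and the policy responses in `sync_events` are one reasonable choice rather than anything the specification mandates. The bit positions and the rule that BE must not change over a credential’s life are the specification’s.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticatorData flags byte (WebAuthn Level 3, section 6.1).
UP, UV, BE, BS, AT, ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample data for the example: rpIdHash(32) || flags(1) || signCount(4),
    with no attested credential data or extensions appended."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix every authenticatorData value starts with."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & UP),
        "user_verified": bool(flags & UV),
        "backup_eligible": bool(flags & BE),   # credential may be synced to a provider
        "backed_up": bool(flags & BS),         # credential is currently backed up / synced
        "has_attested_credential_data": bool(flags & AT),
        "has_extensions": bool(flags & ED),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def sync_events(stored: dict, observed: dict) -> list:
    """Compare the flags recorded at registration with those of a later assertion and return
    the events a relying party would want to log or act on. The responses are an assumption
    for this example; the flag semantics are the specification's."""
    events = []
    if observed["backup_eligible"] != stored["backup_eligible"]:
        # BE is fixed for the life of a credential; a change means this is not the same credential.
        events.append("backup eligibility changed: reject assertion")
    if observed["backed_up"] and not stored["backed_up"]:
        events.append("credential newly backed up (synced to a provider)")
    if stored["backed_up"] and not observed["backed_up"]:
        events.append("credential no longer backed up")
    # Synced passkeys commonly report a constant signature counter of 0, so the clone check
    # applies only when either side reports a non-zero counter (WebAuthn section 7.2 sign count rule).
    if stored["sign_count"] or observed["sign_count"]:
        if observed["sign_count"] <= stored["sign_count"]:
            events.append("signature counter did not increase: possible cloned authenticator")
    return events


if __name__ == "__main__":
    # Constructed walk-through: a passkey registered before its first sync, then seen after syncing.
    at_registration = parse_authenticator_data(make_authenticator_data("example.com", UP | UV | BE, 0))
    later_assertion = parse_authenticator_data(make_authenticator_data("example.com", UP | UV | BE | BS, 0))
    print(sync_events(at_registration, later_assertion))
```

A device-bound security key registers with BE clear and a non-zero, increasing counter, so the same comparison yields the classic clone warning for it while staying silent for a synced passkey whose counter is always zero.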

Organizations were urged during the presentation to look at adoption beyond a binary decision to deploy passkeys everywhere for everyone, or nowhere at all.

For more complicated use cases, like those involving multiple devices, clarity about when and how the passkey should be served is coming in 2023.

That clarity, together with user adoption presumably shrinking the number of user devices without passkeys, should answer some of the remaining questions over time, or render them moot.

That will be the time, it seems, when phishing will finally go from something users need to watch out for, to a legacy of a less-secure age.
