Ideal authentication solution boils down to using best tools to stop attacks

No silver bullet in FIDO passkeys as fraud perpetuates and passwords linger
Authentication: why do we do it? The conversation about authentication often centers on technologies, devices, methods and user experience. Biometrics for passkeys? Verifiable credentials for mobile? Passive or active liveness detection? The reality is that, for at least a couple of generations, most people will continue to use a mix of security and authentication tools – including passwords – as cryptographic technology, digital credentials and biometric identity verification continue to mature.

The point, say participants in a recent FIDO panel, is why authentication is needed in the first place. “At the end of the day the focus should be on, how do we get rid of phishing? How do we get rid of remote attack scenarios?” says Matthew Miller, FIDO Alliance board member and passwordless technical lead for event sponsor Cisco Duo.

Passkeys provide resistance against phishing, but authentication is an ever-evolving problem whose scope grows as new identity theft and fraud techniques emerge. A truly secure end-to-end user authentication workflow needs phishing-resistance at the point of authentication, but also protection at enrollment and during authenticated sessions thereafter.

“One thing, like a passkey, by itself, will not bring about the utopian unphishable world of tomorrow,” says Cisco Duo Principal Product Manager Chris Anderson. “It’s a layering approach of different services.”

At issue is not necessarily which tools to use, but the nature and scale of the threat. In a briefing on the current state of authentication, Anderson shares recent Cisco Talos Incident Response data showing that 80 percent of breaches in 2023-24 leveraged identity as a key component.

“Why is this happening?” he asks. “Why does this continue to happen year in and year out? Why do we continue to see identity as a core vector for breaches?”

Cisco identifies three key areas in which to find answers: opaque identity infrastructure with no centralized insights, gaps in protection from multifactor authentication (MFA) methods, and high friction leading to frustrated users.

Given the shifting nature of work, with more employees working remotely, the variety of gaps in protection is manifold. Clunky authentication experiences mean users are often asked to sign in multiple times a day for different applications and accounts. “Users get extremely frustrated when this occurs, and they end up having resistance to adopting these authentication methods,” Anderson says.

To improve the situation, organizations need to manage authentication across the whole lifecycle: onboarding, the session tokens that keep a user logged in, and the reality that username-and-password authentication is still used extensively throughout the security landscape, leaving openings for fraud.

“Passkeys are good for users because they simplify and streamline the actual authentication ceremony itself, where the user is actively involved,” Miller says. “It doesn’t necessarily decrease the number of times they have to authenticate but it does make it simpler and less taxing.”

“They also have knock-on benefits of reducing the amount of information that leaks in the case of a database leak that can be used by an attacker. It shrinks the blast radius of account compromise.”

Session tokens are where the next need for innovation in authentication is brewing, says Miller, specifically in binding session tokens to a device. In effect, the success of passkeys has pushed fraudsters to target session tokens instead. He notes that Google and Microsoft are working on device-bound session credential (DBSC) technology, which he says will “allow a website to work with a browser to sign a cookie using a device-bound key pair that the browser maintains.”

The big takeaway is that organizations need to be cognizant of authentication challenges throughout the user experience, aware of evolving fraud threats, and practical in adopting an ecosystem of security tools that helps stamp out the core issue and provide the smoothest possible user experience.

“It’s not going to be an overnight transition to passkeys,” says Miller. “If you can remove passwords, great, but the majority of people are never going to get there, or if they will it’s going to be a multigenerational thing.”

Dashlane passkey report shows Amazon leading passwordless adoption

Dashlane is in agreement, declaring in a release that “passwords have long been a drag on the digital economy.” Noting that it was the “first credential manager to support passkeys across all major platforms,” it has launched the Dashlane Passkey Report, “a first-of-its-kind look at the brands and services leading passwordless adoption.”

The report shows that consumers are choosing passkeys for their most-used apps. Amazon comes out on top. With eBay and Target also in the top four, e-commerce proves to be a passkey powerhouse. (The third-fastest is online bookkeeping tool Moneybird.)

Also on the list are social media platforms X (Twitter) and Facebook, Silicon Valley giants Apple and Google, and – coming in at number eight – Roblox.

Dashlane says scaled platforms and early adopters are driving and maintaining a large share of passkey usage, but things are changing as more and more sites enable passkeys. “Passkey use overall is still nascent compared to passwords,” says the report, “but growth continues to accelerate. Passkey authentications with Dashlane have grown to 200,000 per month, a more than 400 percent increase since the beginning of the year.”

‘What kind of effort level does it take for an attacker to break that?’

A new Identerati Office Hours session from gluu features speakers on the topic of passkeys for high-risk use cases, with a specific focus on the challenges of synced passkeys. In this instance, too, the key question arises: with passkeys and multifactor authentication, what are we trying to achieve?

“One of the biggest threats on the internet currently is password stuffing,” says John Bradley, an identity management expert who currently serves as a Senior Technical Architect focused on open identity standards for Yubico.

“If you don’t care about whose account you’re trying to break into, taking a list of common passwords and just trying a 100 million accounts with them actually works quite well. That’s one of the things that two-factor authentication was meant to slow down, but it wasn’t necessarily intended to stop targeted attacks. Different people had different goals with it.”

Bradley also says that FIDO’s phishing resistance is a real gain, but that even a multi-factor system that sounds strong can leave security gaps if defenses are not optimized across the whole attack front.

Rolf Lindemann of Nok Nok Labs agrees that the question of labeling for compliance is less important than true practical protection. “More relevant than whether it gets a label of one factor or two factors or three factors – or there’s a nice cartoon showing a 13-factor banking authentication which is totally unusable – is really the robustness of the security.” For high-risk security measures, the only relevant question is, “what kind of effort level does it take for an attacker to break that?”

YouTube has the full session online.
