Top Tech Vendors Back the FIDO Alliance’s Passwordless Sign-In Standard
Apple, Google and Microsoft are joining forces to back a standard that will allow websites and apps to offer passwordless sign-ins across devices and platforms.
The three operating system and browsing giants have put their weight behind a common passwordless sign-in standard created by the FIDO Alliance that stops remote adversaries from carrying out phishing or man-in-the-middle attacks, FIDO Alliance Executive Director Andrew Shikiar tells Information Security Media Group. The new approach means users no longer have to enroll each of their devices separately (see: FIDO Alliance Update: New Guidelines, Standards Enhancements).
“They’re doing it not out of altruism,” Shikiar says. “They’re really doing it because they understand that this is not a problem that any one company can solve. This really needs to be an industry solution built by the industry for the industry to allow us collectively to turn the tide on the data breaches and the account takeover attacks that continue to plague and threaten the integrity of our digital economy.”
Having each vendor take a proprietary approach to passwordless sign-in would be of little benefit since many consumers use operating systems and browsers from different software makers, says Venable managing director and ISMG contributor Jeremy Grant. Having the three companies that control the entire OS and browser market bring a uniform approach to the market will dramatically boost adoption.
“That is not an easy thing to do in a sector where often these companies are at each other’s throats in terms of being rivals and competitors,” Grant tells ISMG. “In most cases, you want to see companies competing with each other, but I think this is one area where the feedback from the market has been very clear. We need to see stronger collaboration here.”
Never Lose Your Keys
Password alternatives historically tied private keys to a specific device and required using a different key for each login instance while browsing the web, Grant says. But Shikiar says this presented challenges when users lost possession of an authenticator or got a new device, prompting the FIDO Alliance to come up with a new model that changes how private keys can be accessed.
Authentication vendors historically didn’t want to clone and export private keys since that was considered to be a potential vulnerability, Grant says. But over the past 18 months, the industry realized this assumption needed to be rethought since it would be nearly impossible to get mass deployment or phishing-resistant authentication without exporting keys to the cloud, where they can be adequately protected.
“By securely storing the private keys in the cloud and then syncing them across devices, it makes the idea of passwordless authentication exponentially more usable for consumers and businesses,” Grant says. “You’re basically taking out the single biggest challenge that has inhibited deployments over the years and eliminating it by managing this for consumers more easily.”
Google Chrome users can currently sign into certain websites such as eBay with a password, and the search engine giant always allows repeat logins without requiring a password, according to Sam Srinivas, Google’s product management director for authentication security and president of the FIDO Alliance. But Google today still requires a password when a user is attempting to sign in for the very first time on a device, he says.
Srinivas says Google has done 70% of the work needed so that customers can use FIDO authentication on a nearby mobile device to verify their identity during their very first sign-in, rather than a password. New capabilities allowing for more seamless and secure passwordless sign-ins are expected to become available across Apple, Google and Microsoft over the course of the coming year, the FIDO Alliance said.
If a user drops their phone in the toilet and has to purchase a new one, Srinivas says, Android can seamlessly restore the passkeys from a secure backup on the internet.
“As long as you can get your phone going, you’re always set,” he says. “You can just pick up from there and move on. You’ll never lose your keys because the cloud has your keys.”
Bringing Passwordless to the Masses
Large companies such as eBay, Best Buy and Wayfair have the technical infrastructure needed to support passwordless authentication on their own, but smaller or less sophisticated online retailers don’t have advanced security or authentication infrastructure in place and therefore end up having to default to passwords, Srinivas says. Such service providers will be able to rely entirely on device makers for authentication, he says.
“They don’t invest much in authentication infrastructure today,” Srinivas says. “This is a much better way for them to authenticate their users by leveraging the proven security capabilities of these platforms. From a user standpoint, the user experience will be much more elegant. It’ll essentially be a password manager-like experience, but issuing FIDO key pairs rather than passwords.”
Just 22% of enterprises currently have multifactor authentication, and Srinivas says Apple, Google and Microsoft’s embrace of the FIDO Alliance standard should make it easier for people to adopt strong authentication. He says CISOs at consumer-facing organizations will be thrilled by the commitment from the big OS providers since it will make multifactor authentication more accessible to more people.
“I’ve talked to CISOs all the time at organizations that wanted to deploy FIDO but had some usability concerns, some scale concerns and some recovery concerns,” Srinivas says. “This addresses all those questions.”