Monday 29th October marked the 49-year anniversary of the first ever internet transmission. As we head into the Internet’s 50th year, the problem of authentication has risen to the forefront of discussions about the state of the internet. With ubiquitous internet-based services like social media, mobile commerce, and increasingly, smart homes and connected cars, many are realising the current methods available for protecting the world’s data and the online infrastructure powering our daily lives are long past being adequate to defend against today’s sophisticated adversaries. Breaches can often be traced back to a single compromised credential; most commonly, a password.
Passwords have become synonymous with “login.” Each day, humans spend 1,300 years collectively entering passwords. Yet they have also become a key weakness of the connected world, with over 2.3 billion passwords stolen this past year. The expansion of internet-enabled services has arguably run ahead of our ability to adequately secure them, and recent security incidents prove that our infrastructure is lagging behind.
There is good news, however – we are currently seeing major organisations across the globe coming together in the FIDO Alliance to drive standards that enable the replacement of weak password-based authentication with stronger approaches that leverage on-device biometrics and/or external security keys where authentication credentials are stored securely and that have added measures to prevent phishing and account takeovers. The FIDO Alliance is a global public-private consortium of leading technology, payments and consumer service providers that are collaborating to solve the world's password problem through open technical standards for interoperable cryptographic authentication; these standards are being rapidly adopted across internet-connected devices, websites and applications.
New and improved methods of authentication based on FIDO Alliance standards are coming to market every day. FIDO authentication can leverage the biometric capabilities at our fingertips via mobile devices, or can be built into simple-to-use security keys that prevent phishing and account takeover. We’re even seeing support for FIDO in wearables, such as the recently updated Motiiv ring, All of these approaches provide a compelling proposition for banks and other financial services firms, due to their potential to greatly enhance security while also improving the user’s authentication experience – which in sum will only boost brand affinity.
When using a FIDO-enabled device, in practice, a user swipes a finger, speaks a phrase, looks at a camera on a device, or touches the button on a hardware authenticator to login, pay for an item, or use another online service. The device-based verification is used as an initial factor to then unlock a second, more secure factor: a private cryptographic key that works “behind the scenes” to authenticate a user to the service. Since biometrics and cryptographic keys are stored on local devices and never sent across the network – eliminating shared secrets – user credentials are secure even if service providers get hacked, thereby preventing scalable data breaches.
We’re already seeing traction at a government level – the UK Government is incorporating emerging industry standards such as FIDO in its future plans to replace passwords as cited in its National Cybersecurity Strategy. Likewise, we’ve seen governments embrace the FIDO approach in other countries around the globe – including strong endorsements and/or supporting regulations in the Netherlands, the United State, Korea, Hong Kong and more.
We’re also making an impact in the financial services industry. For example, the FIDO approach meets the European Banking Authority’s PSD2 requirements while also meeting organisational and consumer demand for transaction convenience by providing two-factor authentication in a single biometric device (providing both possession and inherence authentication factors). Indeed, around the world, regulations are emerging in line with the growing trend towards open banking. PSD2 is being closely watched by other markets as open banking gains momentum, and while it attracts concerns regarding the implications for user privacy and security.
Still, there is much to be done. Here’s hoping that the Internet’s 50th birthday will see meaningful adoption of modern, strong authentication just now becoming ratified web standards, leading to stronger methods of protection in today’s connected world.