The first in-person Authenticate event got underway on Oct. 18, with both live and remote attendees watching the proceedings from the Motif Hotel in Seattle, WA.
The first day had a mix of industry leader keynotes and adoption stories about the role of strong authentication and the FIDO Alliance in helping to secure and enable the modern digital economy.
Andrew Shikiar, FIDO’s Executive Director and CMO, kicked off the Authenticate event announcing a series of new initiatives including the Online Authentication Barometer and the FIDO Certified Professional Program.
“The goal with the Online Authentication Barometer is to track what are the latest consumer habits, trends and adoption points of modern authentication technologies across the globe,” Shikiar said.
Shikiar noted that the research was what he referred to as a ‘mixed bag’ with many users still clinging to passwords. That being said, he noted that the research shows some positive trends in that people are aware that they need to do more, yet they’re not quite taking the right approach.
As part of the effort to help advance FIDO deployments, Shikiar explained that the new FIDO Certified Professional Program is all about helping to train professionals who wish to improve and showcase their FIDO deployment skills.
“We think this will help address the implementation skill gap, and also get these professionals a chance to showcase skills which will help them be more marketable for future jobs and employment,” he said.
There are Two Types of MFA: FIDO and Legacy
In an engaging keynote, Bob Lord, former Chief Security Officer for the Democratic National Committee (DNC), outlined his views on strong authentication and detailed how the DNC was able to rapidly scale up and deploy it during the last election cycle.
Lord emphasized early in his keynote that there are two types of MFA today: FIDO security and Legacy 2FA that needs to be replaced. Simply put, non-FIDO forms of MFA can be phished and that’s a risk that really worries Lord.
“I call it legacy because I want to put into your mind the idea that this is something that you need to eradicate,” Lord said of non-FIDO MFA. “If you’re an IT person working on the inside of an enterprise you need to eradicate this, if you are a service provider offering services to either enterprises or consumers, you need to think about eradicating it as well, whether it’s SMS or an authenticator app, as the situation is likely to become super urgent seemingly out of nowhere, seemingly overnight.”
To help protect the DNC, Lord – who joined the DNC in 2018 – began a push to adopt FIDO. During the election cycle, he noted that more than 3,200 people joined the campaign effort and they all needed security keys. As part of the onboarding process for the campaign every person had to get a security briefing where they were educated on the importance and usage of security keys. Going a step further, if a new person missed the security briefing they were kicked out of the rest of the onboarding process by human resources until the security piece was completed.
“It’s fine of the security team to say security is important to people, they expect that,” Lord said. “What’s critical is for different parts of the organization, the management chain to say, it’s actually a core value.”
Dave Kleidermacher, Google’s VP of Engineering for Android Security outlined what he sees as big challenges of digital safety during his keynote. Those challenges include the need to have simple, strong access control over digital and physical spaces and identity. That’s where he sees digital wallets that benefit from FIDO specifications as being a big help.
Kleidermacher explained that Android devices now offer a digital wallet with a built-in security key.
“We’ve worked with the FIDO Alliance to build standard protocols and API’s for developers to incorporate what’s really a miracle of unphishable authentication to any service,” Kleidermacher said.
The legacy of past authentication methods was also the topic of Derek Hanson’s keynote. Hanson is VP of Business Development at Yubico, and in his talk he detailed the painful history of past authentication devices, where users had to carry a separate unique key for each service.
“With FIDO2, what we saw was solutions to all of the lessons and the pains of the past, actually being
incorporated into solutions that we could go build,” Hanson said.
FIDO for 5G
Among the big telco adopters of FIDO is Verizon which is using strong authentication for a number of different services.
Josna Kachroo, Sr. Manager for Device Technology at Verizon, commented in a session that password phishing continues to be a major problem. She noted that Verizon has adopted FIDO standards to enable a best in class authentication solution and one that is able to scale across many different use cases. Bjorn Hjelm, Distinguished Member of Technical Staff at Verizon, outlined a number of use cases including the ZenKey app that is a joint development across AT&T, T-Mobile and Verizon to enable access to services.
The need for strong authentication and FIDO is also important for 5G wireless. Hjelm explained that 5G enables operators to do network slicing. With network slicing, an operator can virtually reserve network resources for a specific purpose. One such specific purpose can be for first responders, where there is a need also for strong user authentication in order to grant access to the service.
“We are positioning FIDO as part of the user authentication for first responders,” Hjelm said.
The Challenge for Developers
The challenges and opportunities that developers face with FIDO was the topic of an engaging panel session at Authenticate. Moderator Vittorio Bertocci, Principal Architect at Auth0, asked panelists where the biggest blockers were with FIDO deployment for developers.
Nick Steele, Principal Security Research Engineer at Gemini Trust, sees terminology as being a big blocker.
“There’s a lot of terminology that can trip people up, and it can sort of confuse developers that are coming in with basic or even zero knowledge about what FIDO is about,” Steele said.
Steele suggested that there is a need for more developer education and materials to help show how FIDO technology is built. Simon Law, co-founder and CEO of LoginID, commented that while there are many robust libraries to help developers implement FIDO, it’s not always a plug-and-play deployment for most use cases at this point.
“Really you need the attestation and it’s still confusing now,” Law said.
Managing Risk with an Enterprise Plan for FIDO Deployment
The path to implementing FIDO and strong authentication is all about managing risk, according to a pair of speakers from Capital One.
Vaibhav Gupta, Cyber CTO and Product Manager for IAM and Capital One, noted that many organizations grow via mergers and acquisitions, ac
cumulating technical debt and a confusing array of authentication schemes. While there is complexity, with the right plan in place, it’s possible to eliminate some of that technical debt in the journey toward FIDO.
Kiran Mantripragada, Senior Manager, Identity and Access Management at Capital One, explained that the first step in the journey to passwordless is for the organization to get control over its applications by creating an accurate inventory of what’s in use and how each application does authentication.
She suggests that once the inventory is understood, it makes sense to group related applications together with Federation and a Single Sign On (SSO) approach. The next step is to start introducing MFA and passwordless approaches. Mantripragada cautioned that there can be resistance from application teams to rolling out MFA and passwordless so she suggests taking a risk based approach to deployment.
“Identify opportunities where by applying MFA and modern authentication will reduce the risk profile and get you the biggest bank for the buck,” she said.
More coming on Day 2 of Authenticate
What a great start with Day 1 and there is much more to come. On Day 2 of Authenticate, are keynotes from Microsoft and Visa. We also have multiple panels tackling hot topics including document authentication and mobile driver’s licenses (mDLs), also known as digital driver’s licenses.
There’s also no shortage of insight into FIDO with sessions on the value of certification and understanding the importance of user experience.