Day three of the Authenticate 2021 conference provided a great conclusion to the live event with insights on how FIDO is being used and direction on what’s coming next, as the journey to the passwordless future continues.
In a morning session, Christiaan Brand, Senior Product Manager at Google, outlined how the FIDO specifications have evolved in recent years from U2F to FIDO2 WebAuthn. Brand said that while U2F was originally considered mostly as a second factor authentication approach, with FIDO2 the scope has expanded to being a technology that can replace passwords.
A FIDO2 approach known as Discoverable Credential Support was highlighted by Brand as a way to help enable the passwordless future. With Discoverable Credentials, the FIDO security key or authenticator will remember all of the user’s credentials and it will present them, almost like a password manager whenever the user needs to sign in.
Another effort that is in development is the cloud-assisted BLE (Bluetooth Low Energy) pairing initiative also known as caBLE, which is intended to make it easier for authenticators to be used with different sources.
“The idea is that every platform implements this caBLE protocol natively And then when an authentication event triggers, you can use this protocol to get data sent from the device,” Brand said.
The Challenge of Account Recovery
A key challenge for user accounts is the issue of secure recovery. No matter how secure the authentication is to access an account, if there is a weak recovery system in place, an attacker will be able to bypass security.
“Account recovery is really just another form of authentication,” Dean Saxe, Sr. Security Engineer at Amazon Web Services stated.
In a session, Saxe detailed what he referred to as the Iron Triangle of Account Recovery, which includes the concerns of access continuity, security and privacy. Saxe noted that the account recovery mechanism itself should be reasonably secure, preferably as secure as the primary authentication.
“What we don’t want to create is a gate that you can walk around, or walk through because we haven’t secured the gate with a fence all the way around the thing that we’re trying to protect,” Saxe. “So the recommendation is to register multiple authenticators, so you have a backup.”
User Stories Cambridge Housing Authority and National Guard
Among the users that spoke on Day 3 of Authenticate 2021 was Jay Leslie, CIO of the Cambridge Housing Authority.
Leslie recounted that his organization was the victim of spear phishing attack and he was looking for a way to help provide a more secure approach to user account authentication.
Leslie said he looked at a number of different approaches including virtual smart cards and ended up discovering FIDO via peers that were using the technology.
What Leslie quickly realized was that FIDO would be easily supported within his environment with a lot of the organization’s existing processes and infrastructure.
“The other thing I love about FIDO is that there are many different authentication methods that you can do,” Leslie said. “There are keys like YubiKey and Solokey and there is also Windows Hello where you can just type in a PIN, and for us, I think that provides us an easy glide path.”
Enabling an easy flight path for remote workers is also top of mind for Major Liaquat Ali, the RPA Cyber Space Operations Officer at the 107th Operations Support Squadron (ACC) Niagara Falls ARS, New York, Air National Guard.
Major Ali said that this organization was able to recognize significant cost savings by implementing a FIDO based authentication approach that makes use of YubiKey and the ID.me identity proofing service.
Of interest, Major Ali noted that 70% of his users reported that they were also using their FIDO security keys to help provide secure access for personal accounts.
The Intersection of Zero Trust and Authentication
Megan Shamas, Director of Marketing at the FIDO Alliance, moderated an afternoon panel on Zero Trust, which is often closely associated with Identity and Access Management (IAM) activities.
A core question that the panel discussed is what the top obstacle is to implementing strong authentication. Christine Owen, Director at Guidehouse, said that in her view people are often the issue.
“Part of it is because when you are changing processes, you need to have good communication with your stakeholders and with your customers to understand why it is you’re changing what you’re changing, and how their life is going to be different and better,” Owen said.
Jamie Danker, Senior Director of Cybersecurity Services at Venable, commented that ironically trust is the biggest obstacle. Users are often worried about the privacy implications of authentication and security mechanisms.
“You need to consider how information is used for just that authentication purpose and not used for other purposes,” Danker said. “Think about things like how you can minimize the data, and how you are going to inform your users about the use of the data.”
Improving Trust in Authentication
The idea of improving trust in users was the topic of an afternoon session from Kayla Shapiro, Production Engineer at Facebook. Shapiro helps to lead a team that works on improving the internal security and access to employee facing systems.
“We use technologies and build software that enables us to make use of digital identities that let us start to trust that person or machine is who they say they are,” Shapiro said.
Shapiro detailed the intricate approach that Facebook uses to ensure that credentials are stored safely. One of the technologies is something that Facebook developed internally known as Secure Key Storage (SKS), which makes use of Secure Enclave on Apple and TPM on Windows systems to store private key information. Facebook also makes use of FIDO based strong encryption for user authentication to help limit risk.
“Trusting a user means trusting your source of truth,” Shapiro said. “It’s not enough to have the strongest authenticated authentication methods in the world, if you can’t say with confidence that the data that backs those methods isn’t stored securely.”
Towards Usernameless Authentication with FIDO
Dmitri Tyles, Sr. Director of Engineering at Deltek, used his time on stage to explain how his company, which builds ERP software, is using FIDO in the technology it sells.
One of the interesting uses that Tyles described is an approach known as usernameless authentication. With that approach not only is the authentication passwordless, it also doesn’t include a username either.
“It means that a user doesn’t have to provide a user ID on the login screen as identity is stored on the device itself, as we’re using the capabilities that FIDO provides,” Tyles explained.
Deltek is also using FIDO as a means to digitally sign a transaction. Tyles noted that while authentication is the primary focus for FIDO2, it also provided a powerful approach to digital sign things.
The Future of FIDO
During the final panel for the live Authenticate 2021 conference, speakers praised the event and the progress that FIDO has made to date.
Google’s Brand noted that he’s cautiously optimistic that basic challenges of authentication are now technically solved by the FIDO2 specifications.
“Now it’s up to us to do a bunch of implementation and that’s happening sometimes a little bit slower than we like but in general, things are moving forward,” Brand said.
Microsoft’s Dingle agreed and noted that with FIDO2 in place the industry is now in an amazingly luxurious position to try to tackle second order problems. “It’s great that we’re now able to look at nuances and subtleties in the specifications that we never could before,” she said.
Rounding out the conference, FIDO Alliance Executive Director Andrew Shikiar noted that seeing users talking about implementation over the course of the Authenticate 2021 event was a rewarding experience.
“It’s really rewarding and amazing to see so many people sharing their successes, since just a couple of years ago we couldn’t find anyone because they really were just at the pilot phase,” Shikiar said. “The data is coming in and it’s all pretty positive. FIDO works and FIDO works well.”
That’s a wrap for the Authenticate 2021 event, we look forward to seeing everyone in person at the 2022 event scheduled for Oct 17-20 in Seattle.