Authenticate Conference Day 1: Continuing FIDO’s Audacious Mission

By: FIDO ALLIANCE STAFF

The inaugural Authenticate Conference got underway on Nov. 10, kicking off six days full of sessions on the future of authentication, including speakers talking about their organization’s experiences with FIDO and the route toward a passwordless future.

The opening day started with a series of keynotes, including: cryptography pioneer Dr. Whitfield Diffie; Joy Chik, corporate vice president of identity at Microsoft; Stina Ehversard, founder of Yubico, and Mark Risher, senior director of product management, security and private at Google. Setting the tone and the direction for the event as a whole, Andrew Shikiar, executive director and chief marketing officer for the FIDO Alliance outlined in his keynote address why FIDO exists, the ecosystem of certified vendors and the path forward.

“The FIDO Alliance has always had a truly audacious mission: to change the nature of authentication, to move the entire world away from usernames and passwords and traditional multi-factor authentication to a much simpler and stronger way to log in with FIDO,” Shikiar said. “Audacious, yes, but given the progress we’ve made in 7-8 years..  suddenly, this thing seems doable.”

Shikiar noted that over 2 billion devices support FIDO authentication standards today and more than 250 of the world’s leading organizations across a diverse set of industries are part of the FIDO Alliance. He went on to emphasize that all of FIDO’s specifications are built upon the same principles of usability, security and privacy preservation. He also touched on the impact of the pandemic on FIDO adoption.

“COVID has turned digital transformation from a buzzword with vague 5-year plans, to a massive imperative to get complete in 5 months,” Shikiar commented. “While COVID has thrown just about everyone’s development timelines out of whack, FIDO stands to provide banks and other businesses a strong and secure cornerstone for digital transformation.”

The Role of Cryptography in Enabling Privacy and Authentication

The FIDO Alliance and its specifications make use of public key cryptography to help enable user authentication and privacy. 

Whitfield Diffie, who helped to create the foundations of modern cryptography, delivered a keynote address at Authenticate where he outlined the history of cryptography and explained why it is effective. In his view, despite having some problems, cryptography has made amazing progress over the last 50 years.

“How do you protect information that isn’t under your control?” Diffie stated. “Cryptography seems to be the only tool that is of any use.”

Microsoft’s View of a Passwordless Future

There are many reasons to like FIDO standards and one of them is because passwords are widely disliked.

“At Microsoft we like to say that nobody likes passwords, except for the hackers,” said Joy Chik, corporate vice president of identity at Microsoft, during her keynote address.

Chik noted that passwords are the weak point in modern security. Microsoft handles over 30 billion authentication requests every day and what virtually every successful attack has in common is a weak or stolen password. She added that not only are passwords insecure, they are also a pain as millions of users forget their passwords, triggering reset requests that are one of the top help desk cost drivers.

“People need more secure and more convenient alternatives,” she said. “So it’s time to say goodbye to passwords.”

FIDO is a core component of Microsoft’s password strategy as it aims to provide users with a secure way to authenticate. She noted that over 150 million Microsoft customers have already gone passwordless for a more secure, and more convenient sign-in experience.

“We built FIDO support into Windows 10, so that you can use Windows Hello authentication without any relying party,” Chik said. “And we have enabled WebAuthn in the Microsoft Edge browser, so that you can sign into your favorite web apps and services using FIDO credentials.”

FIDO: A Seat Belt for Digital Security

During her keynote address, Yubico CEO and Founder Stina Ehrensvärd detailed how the introduction of seat belts in the automobile industry 60 years ago is like authentication security today.

“Just like cars, the internet was not designed for security,” she said.

Ehrensvärd noted that in 1959 Volvo engineer Nils Bohlin invented the first three-point safety belt for automobiles. What had happened is that in the 1950’s there were more cars than ever before on the roads and those cars were going faster, which unfortunately led to fatalities.

“Today we all use seatbelts and the good news is that while there are 10 times more cars than in the 50s, there is a smaller total number of fatal accidents,” Ehrensvärd said.

She added that the same steps that led to the introduction and adoption of seat belts can be used to help advance the state of authentication security and FIDO adoption, starting with acknowledging the problem at hand. The other key steps include: simplifying the user experience, driving open standards, measuring results, educating stakeholders, building trust with transparency and continuing to innovate.

Googling the Future of (Digital) Identity

As life and work have increasingly gone online during the pandemic era, there is little distinction anymore between a user’s identity and digital identity, according to Mark Risher, senior director of product management, security and privacy at Google.

In a keynote address, Risher explained that the foundation of digital identity is authentication technology. In Risher’s view, there are three key trends that are driving the future of digital identity: the need for protection, the ability to connect with multiple services and the desire for personalization. When it comes to security, like Microsoft, Google is seeing a threat from phishing attacks that steal user credentials.

“We have an antidote for that, and the antidote is the Security Key technology that FIDO has been driving from the beginning,” Risher said. 

He noted that Google deployed FIDO Security Keys in 2017 for its employee base and has not had any successful phishing attacks since then. That technology has increasingly been made available to Google’s users in recent years to help protect high-risk individuals and organizations.

“Our digital identities, which increasingly are our real world identities, and authentication with FIDO standards are right at the heart of it,” Risher said.

More to Come on Day Two

Beyond the keynotes, the first day of Authenticate had other great sessions including one on how FIDO authentication can be used for the US government as an alternative to Common Access Card (CAC) or Personal Identity Verification (PIV) cards. IBM explained how it is deploying FIDO across its organization, and during a lunch and learn session attendees learned the basics of FIDO.

Day Two of Authenticate gets underway on Thursday November 12 with another packed day of content including identity verification, FIDO & IoT, best practices for deployment and more!