Authenticate Day 5 Highlights Best Practices for Account Recovery and Password-less Deployment

By: FIDO ALLIANCE STAFF

The penultimate day for FIDO Alliance’s Authenticate conference brought with it more insightful content to help attendees and their organizations benefit from the opportunities of strong authentication.

Among the organizations that presented on the fifth day of the conference was online auction site eBay, which outlined how it has embraced strong authentication and is moving toward enabling a password-less future. A key challenge that many organizations face is how to deal with the issue of account recovery, which was addressed in a morning session. The role of FIDO standards in the smart card world was the topic of a session as attendees learned about how strong authentication is making an impact in that sector. Standards were once again a key topic of discussion during the day, with a lunch and learn session that included speakers from the W3C, EMVCo and FIDO detailing how the different groups can work together.

The day’s sessions began with an overview of how the government of the Netherlands provides strong authentication to its services. Among the agencies in the Netherlands is SURFconext, which provides a national identity federation for research and higher education.

“Especially since the COVID crisis began, we’ve seen a lot of phishing campaigns launched against our users and we see FIDO2 as an excellent way to mitigate this threat,” commented Joost van Dijk, Technical Product Manager at SURF.

Raising the Authentication Bar at eBay

Among the most popular websites in the world today is online auction site eBay, which has approximately 180 million active users.

Ashish Jain, Head of Identity at eBay, noted that for the most part, users need an account, either as a seller or as a buyer, to be able to transact at eBay. Jain explained that eBay has now implemented FIDO2 WebAuthn to help improve the authentication experience for its users.

“At the end of the day, identity, authentication and sign-in, are means to an end,” Jain said. “We have to make sure that whatever experience we pick is not going to hamper the eventual experience that we want to give to the end user.”

Dealing with the Challenge of Account Recovery

When users lose or forget their password, a common approach is to have an email-based recovery option. That approach, however, is not secure and negates many of the benefits that a strong authentication model from FIDO provides.

Hidehito Gomi, Senior Chief Researcher at Yahoo Japan Corporation, explained that when a user loses their authentication credentials there needs to be an alternate method available to recover the account. To that end, he noted that the FIDO Alliance has written several white papers providing guidance on what organizations can do. Among the options is enabling users to set up multiple authenticators when the account is created.

Christiaan Brand, Product Manager of Identity and Security at Google, noted that the overall issue of account recovery is a really hard problem to solve. That said, in Brand’s view there is a real opportunity for FIDO to help solve the challenge.

“Imagine the following, say the user loses their FIDO authenticator and they have that registered with 40 different relying parties, wouldn’t it be much easier if they had to perform that account recovery process only once, and get access to everything, versus having to do that forty times?” Brand said.

The Intersection of FIDO, EMVCo and W3C

The W3C is a web standards body, EMVCo is a technical body that handles EMV payment standards and FIDO, of course, is focused on strong authentication standards and certifications.

The three organizations can and do work together, according to a panel of experts at the Authenticate conference. Christina Hulka, Executive Director and Chief Operating Officer of the FIDO Alliance, noted that representatives of the three groups have a special interest group to see how each respective specification can work with the others and to identify potential gaps.

Ian Jacobs, Web Payments Lead at the W3C, explained that his organization started working in the payment space approximately five years ago with an effort to improve and streamline ecommerce. That effort is manifest in the Payment Request API, which provides a specification to help enable payment methods.

“A lot of the work in W3C is about adding capabilities to browsers and then web developers can use these building blocks in different ways to build different payment flows or different user experiences,” Jacobs said. “All along the way we’re trying to ensure that these building blocks provide for security, privacy, accessibility and internationalization and they fit with other blocks in the web architecture.”

As to how the three organizations all fit together to help end users, Nick Telford-Reed, Managing Director, Stormglass Consulting Ltd, who moderated the panel session, provided a visual description.

“So this is like a Venn diagram where there’s an intersection between the payments expertise of EMVCo, the authentication experiences and capability of the FIDO Alliance and then the web technologies piece at the W3C,” commented Telford-Reed. “We’re in that sweet spot of privacy and authentication and security for making payments on the web.”

The Path to Passwordless

According to J. Wolfgang Goerlich, Advisory CISO at Cisco’s Duo Security division, often more is asked of people than machines when it comes to passwords and authentication. For example, it is up to the user to choose a password and update it. What’s needed is an environment where machines do more and are relied on to protect and authenticate users, which is what the password-less journey is all about.

Chris Demundo, product manager, authentication at Cisco Duo, outlined the key steps that organizations need to take on the journey to passwordless.

“The first step is really around ensuring you have strong multi-factor in place already, and really strategizing and identifying use cases that exist in your environment where you can start with passwordless, because there are a ton of them,” Demundo said.

The second key step is to consolidate authentication workflows, with things like single sign-on (SSO) and federation as a way to reduce the number of passwords that are needed. The third step is to increase trust in password-less authentication across the organization so users feel confident about its use.

“Making systems easier to use and actually aligning with human behavior, so we’re not offloading risk from one system to additional things that we want our users to do, is a critical step for both password-less and zero trust in general,” Demundo said.

Final Day is Up Next!

After five full days of content, the sixth and final day of the Authenticate Conference is up next on Nov. 19 with another great lineup of sessions.

A key theme for Day Six is the future of authentication. Among the topics is a session about the future PKI and FIDO2. A panel of experts will discuss whether the future of authentication is decentralized and what the implications are for FIDO and the organizations that use it. And of course, there are user stories, with Microsoft sharing lessons learned from the experience of being an early adopter of FIDO2 WebAuthn standards.