By: FIDO Staff

The Internet of Things (IoT) is an increasingly critical and difficult area for IT devices that need to be secured.

At the Authenticate Virtual Summit: The FIDO Fit in IoT held on Dec. 7, a series of experts outlined FIDO Alliance efforts to help device manufacturers and developers better secure IoT. A key theme of the event was all about understanding how the FIDO Device Onboarding (FDO) specifications can help improve IoT security.

David Turner, director of standards development at FIDO Alliance, kicked off the event by noting that passwords remain a large problem across the IT industry. The challenge of passwords is compounded with IoT devices, which scale into the millions and potentially billions of devices. Challenges with passwords for IoT include password re-use, which can be a huge problem with IoT. If a system ships with a default password, it can be trivially easy for attackers to exploit.

“Hackers don’t break into IoT, they log into it,” Turner said.

One way to help secure IoT is with the FIDO Alliance’s FDO standard. Turner explained that FDO is an open standard that allows organizations to quickly and securely onboard IoT devices.

Small things, big impact: The path to FDO

Rolf Lindemann, director of product at Nok Nok and one of the leaders of the FIDO Alliance IoT Technical Working Group, explained that FIDO authentication standards are applicable to users as well as device authentication.

Lindermann said that there is a clear need to have a strong foundation to help secure IoT. The first step is to have hardened hardware elements at the CPU level including things like TPMs, TrustZone and SGX which are provided by the silicon vendors. The next critical step is to add device level attestation to help with supply chain integrity that also helps to reduce the complexity for device onboarding. The third step is to have strong authentication, that ensures only legitimate entries get access.

“To make the IoT ecosystem more secure, you need strong authentication that’s the front door providing fishing resistance and being still practical for daily large scale use,” Lindermann said. 

How FDO tackles the onboarding challenge

The challenge of onboarding is where the FDO specifications come into play.

Richard Kerslake, general manager of industrial controls and robotics, IoT business unit at Intel, explained that onboarding is the process by which a device can establish a trusted connection with a service or platform.

“We have an IoT device, it’s going to connect to a platform or service and we just need to be sure that everyone in that equation is who they say they are,” Kerslake explained. “Is the device talking to the platform that it thinks it is talking to, and is the platform talking to the device that it thinks it is talking to. So we really need to make sure that both sides of that equation are true.”

Onboarding today is often a very manual process. The promise of FDO is an automated approach that benefits from strong authentication. Kerslake explained that in December 2019 the decision was made to base the FDO specification on Intel’s Secure Device Onboard technology. The FDO 1.0 specification was released in March 2021 and updated to version 1.1 in April 2022.

Going a step further beyond just the specifications FIDO has worked with the Linux Foundation’s LF Edge project which has an open source implementation of FDO.

Going for a deep dive with FDO

There is a fair amount of nuance and details that go into the FDO specification.

In a deep dive session, Geoffrey Cooper, principal engineer, IoTG at Intel, explained the workflow, technical specification and procedures that enable FDO implementations.

Cooper explained that for example if a device is drop-shipped to a location and the device gets powered up and connected to the network, the goal with FDO is to enable that device to figure out who it’s supposed to connect to with proper authentication, sets everything up, and then it goes right into service.

“The idea is we’re taking something that was a very heavy touch kind of operation that we’re turning it into a zero touch operation,” Cooper said.

Enabling that zero-touch approach with FDO involves a series of protocols that are part of the specification. The protocols include device initialization and onboarding components. There is also a concept known as the FDO Service Info Module (FSIM) that provides an extension mechanism to help support devices.

During a robust Q&A session during the Authenticate virtual event, attendees asked a wide variety of questions.

Among the questions was one about what’s needed to help spur adoption for FDO.  Kerslake said there are companies today in different industry verticals including the energy sector, where operators are saying they will not proceed with bringing in new devices without an automated secure onboarding solution.

There are also a growing number of industry solutions that support FDO. Megan Shamas, senior director of marketing at the FIDO Alliance, said that by developing FDO in an industry standards body there are lots of opportunities for collaboration and promotion as well.

“We are in the midst of creating an implementer showcase, which should be live on the website soon,” Shamas said.

The path toward FDO certification

Looking beyond just the FDO specification there is also a need for certification, which is something the FIDO Alliance is now working on.

Paul Heim, director of certification at FIDO Alliance, said that  product certification ensures standardization and interoperability of products within an industry. He added that one of the most important factors about certification is that it helps to ensure consumer enterprise, and industrial protection. The lifecycle for FDO certification includes both functional and security certification.

“The FIDO device onboard certification program is intended to certify IoT devices and onboarding services certification that will be available for both FIDO members, and non-members,” Heim said.

The certification effort is still in development with a program launch set for the first quarter of 2023.

By: FIDO Staff

The final day of the Authenticate 2022 conference was packed with user stories, thought leadership and panel discussions about the challenges and opportunities for FIDO strong authentication today and in the years to come.

The first user story of the day was from global science and technology company EMD Group / Merck KGaA which is now using FIDO to help improve its own authentication system. Dennis Kniep, domain architecture for Identity and access management at the company explained that his team’s mission is to help secure the company where he sees FIDO as playing a major role.

A challenge that EMD Group / Merck KGaA faced with its implementation of FIDO is that there were a number of legacy applications and services that did not support modern web standards.

“We developed the detach authentication mechanism,” Kniep explained. “With that mechanism the users are able to authenticate with FIDO in a phishing resistant way, even if the user needs access to apps with legacy backends, meaning we can enforce FIDO.”

Equity and inclusion matter

A recurring theme through the Authenticate 2022 conference is the need for equity and inclusion.

One panel on the topic specifically looking at the issue of inclusiveness in authentication and identity systems. Jamie Danker, senior director of cybersecurity services at Venable LLP, commented that when solving a problem, the makeup of the people trying to solve a given problem will have an impact on the solution.

Danker noted that a recent equity and inclusion study completed by the U.S. government’s  General Services Administration (GSA) provides some real empirical data on how remote identity proofing solutions will actually operate. 

Danker also mentioned the NIST digital identity guidelines, which are currently being updated to revision 4. She noted that NIST has been very clear that equity considerations are going to be part of that.

Security is more than just the web interface

FIDO strong authentication helps to provide authentication into many different types of systems, but it’s not a ubiquitous option for all types of access.

“Everybody’s talking about web and mobile, and nobody’s talking about the contact center,” John Poirier, Lead Director – EIS at CVS Health said.

Poirier explained that when a password doesn’t work, or a user can’t get access, they will call into a contact center for help. He emphasized that there is a need to make sure there are security policies, procedures and technology in place at contact centers, that secure access, without introducing too much friction.

The idea of extending strong authentication to all types of devices was also discussed by Chad Spensky, CEO of Allthenticate and his co-founder and COO, Rita Mounir.

“The FIDO protocol right now only talks to websites and computers,” Spensky said.

Spensky wants to help bring strong authentication to all types of devices and access ranging from cars, to office doors and everything in between.

Navigating the authentication landscape

In a thematic presentation, Pamela Dingle, director of identity standards at Microsoft, spoke like a pirate and warned about passengers falling off the boat. 

The analogy of the boat is that of helping passengers safely get to their destination, which isn’t always an easy task. Dingle said that Microsoft blocks more than 1000 Password attacks every second, and outlined the multiple reasons why passwords are a weak link. She emphasized that users should wear a life jacket, which in the real world translates into user multi-factor authentication (MFA).

While there are risks with MFA, Dingle said it’s the right first step for many, until they are able to move to phishing resistant strong authentication with FIDO.

“Out of 10,000 compromised accounts, only one will be an MFA credential attack,” she said. “It’s really important to understand the difference in risk between being vulnerable to a password attack, and being vulnerable to an MFA bypass attack.”

That said, she noted that what makes phishing resistant credentials so great, is that they are not susceptible to exactly the same predictable behaviors that make MFA vulnerable. Dingle also noted that she’s very optimistic about the potential for passkeys.

“If we get it right. passkeys become the seat cushion that becomes a flotation device for our passengers,” she said.

Earning Trust in Identity at Scale

With one of the largest ecommerce and cloud platforms in existence Amazon has a real need for strong authentication and it is increasingly relying on FIDO for those needs.

Sarah Cecchetti, head of product for Amazon Cognito explained that identity is handled by the platform team within Amazon Web Services. She noted that identity needs to have a consistent security and usability bar for every service at AWS. To that end, AWS has built out a modular, but centralized approach that uses FIDO.

Arynn Crow, Senior Manager, User Authentication Product at AWS, said that her company has invested really heavily into FIDO2.

“We continue to invest because fundamentally we believe that FIDO supports greater flexibility,” Crow said. “We have fewer trade-offs between our user’s experience and their security.”

Usability is the key to strong authentication adoption

In a panel session on usability, a key theme that emerged is the foundational need for good usability in order for FIDO adoption to grow.

Judy Clare, vice president, product manager, digital authentication at JP Morgan Chase commented that it’s critical to put strong authentication messages and workflow in the right tone. 

“The right wording and to make it clear, simple and understandable for the average user is very important so that you’re not ostracizing anybody by using all technical jargon,” Clare said.

The need for clear language was echoed by Sierre Wolfkostin, senior product designer at Duo Security. Wolfkostin said that it’s hard to adopt what you can’t understand. 

“Getting to simple human language is really important,” Wolfkostin said.

Usability is also about making sure there is a vibrant ecosystem of vendors and technologies that can help businesses small and large to actually implement FIDO strong authentication in the first place. 

In the closing panel of the event, Christiaan Brand, product manager at Google commented that while well staffed organizations might be able to implement strong authentication and passkey options on their own, many other organizations will need help. It’s a situation much like any other enterprise technology where organizations make use of consultants and service providers to implement complex technology.

Bob Lord, senior technical advisor at CISA argued that the best thing to do is to just start with FIDO. He emphasized the organization should focus on what they can do, not what they can’t.

“I think there’s a lot of hesitation at starting,” Lord said. “I think a lot of misconceptions out there would go away if they were to just start the journey, they would find their misconceptions are wrong.”

Next year in San Diego

In the closing session, Andrew Shikiar, executive director of the FIDO Alliance highlighted the key themes of the event.

Those themes are that deployments are real and organization can and should start today. Usability was another strong recurring theme, as a key to helping to ensure adoption. The concept of security by community also resonated at the conference, with users learning from each other about lessons learned.

In the final analysis the Authenticate 2022 was a stellar success with 90 sessions, spread across three tracks and three days of content.

For next year’s event, Authenticate 2023 will be moving to San Diego.

By: FIDO Staff

The second day of the Authenticate 2022 conference had a mix of topics and speakers that spanned multiple facets of the authentication world including payment security, biometrics, national identity and design systems.

The day got started with a keynote from Doug Fisher, senior director at Visa, who discussed the current state of the global payments system and the challenges it faces. Fisher noted that while ecommerce fraud remains a pervasive risk, strong online authentication is helpful to help reduce that fraud.  

A challenge for stronger forms of authentication for ecommerce is often that it introduces more friction into the consumer buying process, which can lead to shopping cart abandonment. To help solve that issue, Fisher explained that the FIDO Alliance, EMVCo and the W3C have been working together to help improve interoperability in a bid to reduce payment authentication friction. The joint effort had led to the Secure Payment Confirmation (SPC) standard that is currently in development

“SPC is a web standard currently in development that is built on WebAuthn to support streamlined authentication during a payment transaction,” Fisher said. “SPC and FIDO go together like peanut butter and jelly.”

The perils of MFA

Not all multi-factor authentication (MFA) technologies are equal was the primary message in a session led by Roger Grimes, data-driven defense evangelist at KnowBe4.

Grimes outlined a litany of MFA bypass techniques that could potentially enable attackers to exploit vulnerable users. He emphasized however that FIDO based strong authentication is unlike MFA in that it can help to eliminate many of the man-in-the-middle attacks that enable bypassing techniques.

“MFA attacks have been around for decades but it certainly is going mainstream this year,” Grimes said.

The risks of non-FIDO MFA is top of mind for Heikki Palm Henriksen, CTO of BankID.

Henriksen’s organization provides a digital identification that is widely used in Norway. BankID started to look at FIDO in 2020 and discovered the insightful white papers produced by the alliance which helped Henriksen and his team to choose FIDO and begin implementation.

“We realized that FIDO2 was the best solution to modernize BankID to reach our goals,” Henriksen said.

Biometric considerations for FIDO

Strong authentication can make use of biometrics such as a fingerprint reader or facial recognition system, as an authenticator.

Biometric systems however are not universally without fault or bias, which is an issue that was discussed by Stephanie Schuckers, director, Center for Identification Technology Research (CITeR) at Clarkson University.

“When we talk about bias related to biometrics, what we’re really talking about is variability in performance due to demographics or demographic differentials,” she said.

Shuckers emphasized that bias relates to the specific technology implementation being used, not the whole field of biometric recognition. Through testing and certification, it is possible to better understand and reduce the risk of potential bias.

Greg Cannon, principal AI/ML standards at Amazon joined Schuckers for a panel session, emphasizing that the goal is to help eliminate passwords and biometrics is a great technology for doing that.

To help illustrate the point that biometrics spoofing is a concern that testing can help to solve, Shuckers brought some props on stage, including a mask of her own face, which apparently did not fool the facial detection system on her phone.

Consumer authentication habits

Understanding how users view authentication is an important aspect of understanding what needs to be done to help improve adoption.

The FIDO Alliance conducts an annual survey that looks at consumer habits for trends and adoption of authentication technologies. Megan Shamas, senior director of marketing at FIDO Alliance, said that the 2022 survey shows users are in some respects entering their passwords less than prior years, though the data is far from being definitive.

Perception of biometrics is also re-assuring as a potential way to help eliminate the use of passwords.

“We have actually been very pleased with consumer sentiment towards biometrics,” Shamas said. “In fact, a lot of consumers that we surveyed find it to be the most secure way to log in.”

Helping to reduce remote authentication fraud

Marianne Crowe, vice president, secure payments innovation and research at Federal Reserve Bank of Boston, used her time on stage to ask for more cooperation across the authentication ecosystem to help secure against fraud.

Crowe noted that there is consumer fatigue with passwords and many users will just reuse the same passwords on multiple sites which is an unsafe practice. MFA is helpful, but she noted that it is often inconsistent today in how it is presented to consumers.

“We’ve got to try to increase implementation and adoption of MFA even in industries and businesses that aren’t required to do it,” Crowe said.

Design system comes to FIDO

One of the ways consistency can come to authentication and specifically to FIDO based strong authentication is with the use of a design system. 

Organizations can now benefit from the FIDO design system at fidoalliance.org/design-system that provides principles, patterns and reusable components.

“Our intention for putting all this together is to make FIDO deployments simpler and faster for product designers, for project managers, product managers and engineers,” Kevin Goldman, chief experience officer at Trusona, said. “Our intention is to fill the gaps that they might have around authentication in their own design systems.”

The final day of Authenticate 2022 is looking to be another day loaded with useful content, thoughtful discussion, more user stories and best practices to help organizations move to the passwordless future.Want to attend the final day of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.

By: FIDO Staff

The Authenticate 2022 conference got underway on Oct. 17 with a stellar lineup of speakers that included enterprises, service providers and government agencies, all gathered to talk about the current and future state of strong authentication.

The opening session was led by FIDO Alliance Executive Director and CMO Andrew Shikiar who detailed the progress that has been made this past year. Among the highlights mentioned by Shikiar was the launch of passkeys. 

The FIDO Certified Professional program also got underway in 2022 providing a way for professionals to validate skills. There has also been work done to help with usability as well as adoption with initiatives designed to help accelerate broad deployment of FIDO strong authentication.

“Our mission is to reduce industry’s reliance on passwords and legacy multi factor authentication,” Shikiar said. “From day-one we’ve had this audacious goal of shifting away from centrally stored shared secrets to a model that is more possession based in nature and relies on common end user devices, that has been our guiding principle.”

Marcio Mello, head of product, PayPal identity platform, talked about how the online payment plans to leverage passkeys as a way to realize the promise of passwordless. Mello demonstrated workflows using passkeys showing how easy it is for a user to authenticate.

“I would say this is an inflection point in our decade-long commitment as an industry, to a passwordless world,” Mello said about passkeys.

NTT DOCOMO has been a leader both within and outside FIDO Alliance beginning with its Board appointment in 2015. DOCOMO has helped shape FIDO specifications and is the first mobile operator to deploy FIDO authentication at scale. Shikiar welcomed Koichi Moriyama, a Chief Security Architect at NTT DOCOMO, to the keynote stage where he announced DOCOMO’s intention to support passkeys for its millions of d ACCOUNT users. Moriyama said support would begin in early 2023.

U.S Government sees FIDO as the gold standard for MFA

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) is taking a very active interest in strong authentication.

“We’ve known for decades that passwords are a weak link in cybersecurity and that the extra layer of protection provided by multi factor authentication prevents cyber attacks,” CISA Director, Jen Easterly said. “Yet only a small percentage of people are using it.”

Easterly emphasized that CISA is aggressively pursuing multiple initiatives to help spur adoption of multi-factor authentication (MFA) and more specifically FIDO standards-based strong authentication.

“We’re using this opportunity to shine the spotlight on FIDO as the gold standard for MFA and the only widely available phishing resistant authentication method.”

Bob Lord, senior technical advisor, cybersecurity division at CISA, told the Authenticate 2022 audience that it is a weird thing that the technology industry has normalized the idea that the burden of staying safe is placed on those organizations that are least able to understand things like threat landscapes.

“We see far too many organizations failing in part because they have no idea they need to do this,” Lord said about strong authentication and FIDO adoption. “And that’s because they don’t have something that is nudging them in the right direction.”

Both Lord and Easterly advocated for technology vendors to make it easier for users to have strong authentication and provide security by default.

“Security features our customer rights, they’re not luxury goods,” Lord said.

FIDO Authentication has social impact

Jonathan Bellack, senior director, identity and counter-abuse technology at Google outlined some of the challenges that Google has seen for users adopting MFA and passwordless security.

“Our user research has shown at least from a consumer point of view, users don’t draw a distinction between any of the words we use in the industry like security, privacy, abuse as it all just kind of fits into this great amorphous blob of safety,” Bellack said.

He noted that consumers have very little time and they just want to know if they can do whatever task they want or need to complete online. To that end, Bellack detailed multiple efforts that Google has underway to embed security in a way that doesn’t introduce friction.

Christopher Harrell, CTO at Yubico, explained during his session how the use of FIDO authentication is being used by organizations around the world to help protect freedom and privacy. Yubico is working with the Freedom of the Press Foundation and Operation Safe Escape among other organizations. The company has donated over 20,000 keys to support many different government agencies in Ukraine. 

“We do hope that the war ends soon but in the interim, we hope that we can help protect infrastructure from cyber attacks,” Harrell said.

FIDO users detail adoption challenges and opportunities

A key part of the program for Authenticate 2022 are user stories and there were plenty to be told on the first day of the conference.

Ian Glazer, SVP product management at Salesforce, described the highs and the lows of his company’s MFA adoption efforts. Salesforce decided in the fall of 2019 that it wanted to achieve 100% adoption of MFA across its services and it’s a journey the company has been on ever since.

Salesforce’s path toward 100% MFA adoption involved both technical considerations as well as a massive effort to engage with users, which led to solid results. Glazer noted that at the end of Salesforce’s fiscal year approximately 80% of its monthly active users were using MFA or SSO. While 80% is a noticeable achievement, it’s not the 100% goal that Salesforce has set. Glazer emphasized that the pursuit of the 100% adoption figure forces his team to continue to innovate and find ways to push adoption.

Salesforce has noticed multiple benefits from MFA adoption so far, including cost reduction and security improvements.

“Because we adopted MFA, we have seen a dramatic reduction in account takeovers,” Glazer said.

Microsoft is also pushing hard for broad adoption as it aims to enable a passwordless experience for its users. Scott Bingham, Senior Program Manager in Identity, and Emily Houlihan, Senior Product Manager at Microsoft, explained in their session what lessons have learned so far on their passwordless journey.

Bingham said that Microsoft has spent years rolling out support for temporary one time passwords, security keys, authenticator apps and Windows Hello as different password replacement offerings. Microsoft is increasingly moving toward eliminating passwords entirely.

“People want passwordless,” Bingham said. “Security is important, but user experience is critical and helps to drive demand.”

USAA, which provides financial services to members of the U.S. military and veterans, is also adopting FIDO and MFA to help secure its users. Dereck Henson, technical security architect at USAA, provided a series of key lessons learned during his session.

His first lesson learned is that it’s a good idea to default to strong authentication from the start. 

“We found that it’s a whole lot easier to start someone in an MFA, highly secured program, rather than to convince them to change their mind later,” Henson said.

Another key lesson that USAA has learned is that when it comes to a passwordless approach, being entirely passive and not showing users that authentication in place, is not a winning scenario. Henson said that USAA members were calling in saying they had been members for decades and couldn’t believe they could just log in with a fingerprint. To that end, USAA has had to add some interstitial screens to its authentication workflow that tell users their access is being secured.

“So not only do you have to be secure, you have to actually look secure,” he said.

Financial service giant Citi has also embraced the FIDO strong authentication approach. Matthew Nunn, Director, Secure Authentication Architecture & Technology Engineering at Citi, did not mince words in his session about why there is a need to move away from passwords.

Nunn said that there really isn’t a meaningful way to make passwords more secure.

“The reason you’re doing passwords and we’ve been doing it for so long is because we are held hostage to the keyboard being the interface to use in order to interact with the system,” Nunn said.

He added that with passwordless, users are no longer held hostage and there is the ability to take advantage of capabilities in devices to authenticate, instead of users needing to regurgitate a password.

Day 2 of Authenticate 2022 is looking to be another packed day full of insightful content and discussion, with sessions on biometrics, consumer authentication habits, FIDO initiatives and more user sessions.Want to attend the next two days of Authenticate 2022? Registration for virtual attendance is still available, and all registrants have access to past sessions on demand. To register, visit www.authenticatecon.com.

By: FIDO Alliance Staff

Few if any industries are as critical as healthcare where literal life and death decisions hang in the balance.

At the Authenticate Virtual Summit: Modernizing Healthcare with Strong Authentication broadcast on June 16, experts outlined how FIDO can fit into healthcare to improve user experience and help secure provider authentication approaches.

Megan Shamas, senior director of marketing at FIDO Alliance, started the event by noting that healthcare is one of the most targeted industries with phishing and ransomware being highly prevalent and highly successful. She noted that passwords are not fit for purpose in healthcare and can be phished by attackers.

Looking at the FIDO imperative for healthcare, Shamas said that FIDO-based technology can help with secure login for patients, as well as supporting authentication in complex medical environments. For example, if a medical professional is wearing gloves, FIDO-based technology can also support local PIN, face recognition or FIDO security keys. She added that FIDO authentication also helps healthcare organizations to comply with regulatory and privacy requirements.

“Our goal at the FIDO Alliance from day-one was to transform the market away from a dependence on centrally stored shared secrets and knowledge based authentication to a model that is possession based and uses public key cryptography,” Shamas said. “It allows consumers, patients and employees to authenticate through devices that they literally have at their fingertips, every single day and it’s just simpler and it’s stronger.”

FIDO Reduces Friction, Complies with eIDAS

Rolf Lindemann, VP of Product at Nok Nok Labs, noted that IT should help to simplify healthcare operations and not contribute additional friction for practitioners and patients.

“Patients want assurance that their sensitive health data cannot be stolen,” Lindemann said.

Lindemann said that health insurance cards are widely used in Europe but are not practical to use as an authentication mechanism on mobile devices. Additionally,  he noted that in Europe, the eIDAS (electronic IDentification, Authentication and trust Services) identification standard needs to be complied with by providers.

“Passwords are insecure, and legacy two- factor methods like OTPs (one time passwords) are inconvenient, and they still don’t protect against phishing,” Lindermann said.

That’s where he sees FIDO as fitting in, providing a strong authentication approach that can help healthcare providers to secure user access as well as being compliant with regulations like eIDAS.

Abbie Barbir, FIDO board member and co-founder of ADIA, detailed security challenges of passwords in his session at Authenticate.  

“Passwords are shared secrets and shared secrets can be stolen, copied, used and shared, and as such passwords are a security risk,” Barbir said. “They should not be relied upon if you really need to secure your accounts and your users, ideally, the best way going forward is to actually not use passwords.”

In Barbir’s view, good risk-based authentication introduces friction for hackers and is transparent to the end user.

Timy Kim, senior solutions engineer at Daon, commented that due to the increase of online services rendering different modalities of care, hackers and fraudsters will look for a weak point to penetrate. The weak point more often than not is a password that can easily be phished.

“Patient authentication can be your face, finger, or even your voice,” Kim said. “This will save you from needing to remember lengthy or complex passwords, which sometimes become a frustration point when trying to access your patient portal.”

Healthcare Organizations detail FIDO Uses

Merck KGaA, Darmstadt is a Germany-based science and technology conglomerate with operations across multiple sectors including healthcare.

Andreas Pellengahr, Head of IAM at Merck Merck KGaA, Darmstadt, Germany, said that his organization has approximately 80,000 users that need secure access. To help enable that, Merck relies on FIDO authentication.

Pellengahr said that they could not use a SaaS service to enable FIDO as the company needs to control its own authentication and credentials. Dennis Kniep, domain architect of IAM at Merck KGaA, Darmstadt, Germany,  explained that the core of the authentication infrastructure is a locally-hosted open source FIDO server.

Kniep noted that the authentication service is certified by the FIDO Alliance, which ensures interoperability with other FIDO products. 

“We are running multiple servers in a cluster, which are hosted across different data centers,” Kniep explained. “The responsibility of the FIDO server is to securely store the registered FIDO credentials in our self hosted environment, so that we really have full control over these credentials.”

The United Kingdom’s National Health Service (NHS) is also using FIDO authentication to help secure its users. 

Priyanka Mittal, senior technical architect at NHS Digital, explained that the NHS Login service is an authentication and identity verification service, which enables people to access healthcare apps and websites securely. She noted that over the last 18 months, NHS has seen a dramatic increase in its user base for NHS Login, which now supports 25 million users. The NHS App is a mobile application that brings a variety of healthcare services to users and also provides COVID-19 passport functionality.

Sean Devlin, tech lead for NHS App, explained that his organization’s journey to FIDO began two years ago. NHS required that users have two factor authentication for every login, but that approach introduced some friction and there was a desire to make the process more seamless. That’s why the NHS started to look at passwordless approaches, and settled on FIDO.

NHS Digital decided to build its own FIDO server and client, based on existing open source projects from eBay, which is also a large FIDO user. Devlin explained that his group converted the eBay open source FIDO server to the Python programming language and implemented a serverless approach to run on the AWS Lambda service.

The overall approach for the NHS App of enabling FIDO has helped to save the NHS a good deal of money as well.

“11 million users that have registered with NHS logon have also registered a FIDO device and  that sort of equates to about 500,000 FIDO logins per day,” Devlin said.

Devlin noted that the NHS was paying 1.6 pence per text message to send out two factor authentication code on 500,000 logins per day. 

“That equates to about 8,000 Pound Sterling, that we are saving on SMS by using FIDO,” Devlin said.

Modernizing Healthcare Identity and Authentication Regulations

The regulatory environment around healthcare has been evolving in recent years. 

Among the most impactful, yet least well known regulations is the 21st Century Cures Act which mandated the implementation of application programming interfaces (APIs) in healthcare. In a panel session, Jeremy Grant, managing director of technology business strategy at Venable; Christine Owen, director at Guidehouse, and Ryan Howells, principal at Leavitt Partners, discussed the impact of healthcare regulations and where FIDO fits in.

Howells explained that his organization helped to create the CARIN Alliance which aims to improve the state of identity and authentication in healthcare. Using APIs to help connect information, as mandated by the 21st Century Cures Act, also requires authentication.

“Approximately 84% of all the major health plans in the country have actually implemented an API based architecture now,” Howells said. “They’re all asking very similar questions that we’re asking other industries, which is how do you identify and authenticate an individual securely across systems.”

That’s an area where FIDO fits in.

Owen said that adding FIDO is an obvious choice for healthcare providers and plans that want to make sure that there is a strong credential behind users.

“The reason why FIDO is really important is because it helps healthcare organizations to meet HIPAA and other regulatory requirements,” she said. “FIDO in my mind equates to frictionless authentication, so the user has less to do to be able to show a very strong credential and because of that, it’s actually perfect for healthcare.”

To engage with the FIDO Alliance on FIDO authentication for healthcare, visit www.fidoalliance.org or get in touch at [email protected]. 

The next Authenticate event will be the flagship conference, Authenticate 2022, being held in Seattle, WA and virtually on October 17-19. For more details or to register, visit www.authenticatecon.com. 

By: FIDO Staff

Where does FIDO fit in commerce?

That question was the primary theme tackled during the Authenticate Virtual Summit broadcast March 30 and 31, 2022, and including sessions led by experts and practitioners from North America and Europe.

In the opening session of the event, Andrew Shikiar, executive director and CMO of the FIDO Alliance, stated candidly that financial services and payments have always been a target for hackers. With the pandemic the past few years, there has been a further acceleration of attacks.

“The core issue, of course, is that we depend on passwords,” Shikiar said. “The real problem is that they’re easy to phish, harvest and replay and that’s really where the internet breaks down, that’s what causes data breaches and that’s what the FIDO Alliance is trying to solve.”

This is true for legacy MFA – such as SMS and OTP – as well. They are equally as vulnerable to common attacks like phishing. “MFA bypass attacks using legacy MFA will be a recurring theme for 2022,” Shikiar said.

Looking specifically at financial services, Shikiar said that FIDO standards can help protect online accounts with strong authentication. He added that FIDO also helps companies comply with regulations and  make open banking a reality.

“We think that FIDO provides a very elegant, simple solution that will allow for customers to have secure commerce flows, while also helping merchants and banks comply with emerging and current regulations,” Shikiar said.

The Challenges Facing FIDO in Retail and Hospitality

In a session, Suzie Squier, President at RH-ISAC (Retail and Hospitality Information Sharing and Analysis Center), explained that her organization is all about sharing threat intelligence across its membership which includes retailers and hotels across the United States, United Kingdom and Canada.

Squier noted that the growth of ecommerce has not gone unnoticed by threat actors as the retail and hospitality industries have been hit hard with credential stuffing attacks. Those attacks are typically due to poor password hygiene, the pervasiveness of passwords available for sale on the dark web, and how easily weak passwords can be brute forced, or even guessed.

“The problem with passwords doesn’t just end with credential stuffing, account takeovers and fraud, as problematic as they are, the reliance on passwords can also lead to frustration and lost sales due to lost and forgotten passwords,” she added.

The problem with passwords is well understood across the RH-ISAC membership with more than 67% of respondents to a survey stating that they see real value in moving away from passwords. However, the majority of those moving toward passwordless do not yet have FIDO as part of their plans due to concerns around inconsistent user experience across platforms, challenges for users with lost authenticators and lack of global acceptance.

“There are major challenges and user frustration with the current passwordless authentication model,” Squier said. “When we’re talking about the consumer space, there is little tolerance for friction.”

There is some help on the way from FIDO to help reduce friction, Squier said. She noted that FIDO recently announced multi-device credentials, known as “passkeys.” She explained that the basic idea with multi-device credentials is to allow the phone itself to act as a roaming authenticator across multiple devices, which could help solve for consistency and account recovery with authentication.

Looking forward, in Squier’s view what’s needed to drive passwordless forward is more  adoption.

“We need to see broader adoption across more industries, so that this becomes more ubiquitous and familiar to the consumer world,” she said.

FIDO Supporting Digital Transformation

While FIDO is all about secure authentication, using FIDO-based technologies can enable much more according to Rolf Lindemann, VP of Products at Nok Nok.

Lindemann said that by using FIDO standards organizations can enable digital transformation. That transformation supports customer experience optimization, operational flexibility and innovation

“When using digital services, the first step in that customer experience is authentication, that is the front door,” Lindemann said. “That first authentication step is important because most digital services rely on your ability to know who’s at the other end of your services, while at the same time providing the best customer experience.”

Strong authentication is a great start but Jason Beloncik, Director of Solutions Americas at Daon suggested that organizations will sometimes need more to support the best possible user experience. Beloncik said that his company takes a hybrid approach it calls FIDO Plus. The “plus” is integrating other capabilities in the identity ecosystem to support organizations.

Gal Steinberg, VP of Product at Keyless, commented in a session that a challenge he often sees is that the world is trying to solve the fraud problem by adding friction. The challenge is that adding friction in the form of multi-factor authentication, for example, creates user churn in the consumer space. There is a balance that needs to be achieved with authentication, between introducing friction to mitigate fraud and usability.

Considerations for Standards-based Authentication in the Blockchain

Blockchain and so-called Web 3.0 distributed applications are an emerging area of technology and commerce, but it could well be that strong authentication has not played as strong a role as it should.

“A lot of the crypto exchanges typically do provide authentication methods that are far stronger than basic methods, but most people typically don’t use them because it’s not familiar to them,” Bojan Simic, CEO and CTO at HYPR said. “I think that some of the stuff will need to change.”

Nick Steele, Lead Researcher at Super Lunar, emphasized that it really is crucial for crypto exchanges to support multi-factor authentication. He noted that one of the most common forms of attacks is leveraging weak passwords to get into exchanges and steal large amounts of money.

“Exchanges are really trying to do the best they can to get users on to FIDO2 because that’s going to give us the highest grade of authentication security in the space,” Steele said.

Pushing FIDO Forward in Europe

FIDO is seeing particular success in Europe, from a number of perspectives. Petra Silsbee, Fraud Prevention/Dispute Management at PLUSCARD, explained how her organization has been able to use FIDO to support PSD2 (Payment Services Directive 2) requirements in Germany. PLUSCARD is a credit card issuing processor and its customers are individual savings banks.

PLUSCARD needed to support users that have smartphones as well as those that don’t regularly use one. To that end, Uwe Hartel, Country Manager Central Europe for technology provider Entersekt, explained that his company worked with PLUSCARD to support a FIDO hardware authenticator-based solution for PSD2 support that also enables 3DSecure based payment.

“We identified the need for a hardware token to satisfy a segment of users which do not either have a smartphone or which are kind of reluctant to use their app for, for money transactions for payment transactions,” Hartel said. “That was the start of the idea to actually define a FIDO hardware token as a solution to provide strong customer authentication.”

In a keynote session, Alan Goode, CEO and Chief Analyst of Goode Intelligence, outlined the current state of regulations for strong customer authentication (SCA) requirements across Europe and the United Kingdom.

Goode noted that there have been documented issues with the deployment of SCA technologies. Those issues include an increase in transaction failure rates, payment attrition, rejected transactions and abandonment in the payment process because of increased friction for consumers. He added that there has been criticism of SCA from European Trade bodies for too much focus on compliance versus implementation, and the need for convenient and easy-to-use transaction authorization.

“I believe that there is an opportunity to leverage a standards based authentication solution that works for both web and mobile commerce channels,” Goode said. “By adopting FIDO certified authentication solutions that are also SCA compliant, the problems of security and usability could be mitigated.”

FIDO is also set to play a critical role in the eIDAS 2.0 rollout in Europe.

Rayissa Armata, head of regulatory affairs at IDnow, explained that eIDAS 2.0 is a new initiative that introduces a digital identity stored on a digital wallet. This technology is aimed at  all European citizens and residents. eiDAS stands for electronic IDentification, Authentication and trust Services.

“This is an exciting initiative and it’s an ambitious one,”Armata said. “There are a lot of different players in this ecosystem, from relying parties to integrators to considering the tech standards that are going to be part of this wallet, and also for the Trust Services.”

“FIDO is delighted and pleased to be part of this initiative,” she added.

Best Practices for FIDO in Commerce

There are any number of good reasons for an organization to adopt FIDO standards.

For Tola Dalton, Director of Identity Software Development at eBay, the 2014 data breach at his company was a primary motivator. Dalton said that the data breach painfully highlighted the risks of password data. While using strong authentication and using FIDO to help enable a passwordless authentication workflow is important, that’s not the only benefit it brings.

“Using passwordless, and particularly multi-factor authentication, are shown to have much lower account takeover rates and that’s a big consideration for eBay as it would be for any e-commerce company,” Dalton said. “But the great thing about passwordless is that it’s also an incredibly seamless login method.”

Dalton said that in order to motivate customers to use passwordless and strong authentication, the experience has to be easy and intuitive. That’s a sentiment that Manish Gupta, Director of Global Cybersecurity Services, Starbucks strongly agrees with.

Gupta noted that there are many different ways to enable multi-factor authentication. What’s needed is standardization and that’s what FIDO provides.

“I think that the work that FIDO Alliance is doing to establish a global standard is commendable,” Gupta said. “The standard is solid, there’s buy in, but now it’s about how do we take it a step further, such that it becomes muscle memory for people, just like user ID and Password login has been for years.”

The webcast is now available on demand. To watch the recording, visit the event page.

For more discussions on moving past passwords to modern strong authentication, attend upcoming FIDO Alliance events, including the Authenticate 2022 Conference.

What’s going on in APAC with FIDO? A whole lot.

Over the course of three days from Dec. 8 – 10, FIDO Alliance hosted the Authenticate Virtual Summit: APAC Innovation providing content, insight and user stories from across the Asia Pacific region. Each day provided different blocks of content, including region specific sections for China, India, Korea, Japan, Taiwan and ASEAN / ANZ.

The first day of the APAC Innovation virtual event got started with a keynote from Andrew Shikiar, Executive Director of the FIDO Alliance, who outlined the challenges and opportunities that FIDO provides.

“Asia Pacific has long been a hub of innovation for the FIDO Alliance,” Shikiar said. “Some of our longest members, some of our earliest deployments, and some of our most exciting futures, come deployments throughout Asia Pacific.”

Shikiar noted that the key drivers for FIDO adoption in Asia Pacific are largely the same as they are for FIDO adoption around the world. The first key driver is government recognition of FIDO and the need for strong authentication. The second driver is market demand, which is particularly strong in APAC. Finally a common driver around the world is the ongoing threats against user identity and authentication.

“We’re seeing enterprises and companies throughout Asia Pacific and globally deploy FIDO, to help combat these threats,” Shikiar said. “To summarize, FIDO is very much the future of user and device authentication.”

Region: India

India is an active area for FIDO Alliance members and adoption. During the APAC Innovation event speakers outlined multiple use cases where FIDO is making a difference in India.

“We have been making meaningful strides in India, whether it be adoption or be in policy change,” commented Deb Joyti Ghosh, FIDO Alliance India Working Group Chair / Director, Data Product Development at Visa. 

In a session, Shankar Ramaswamy, FIDO Alliance India Working Group Co-Vice Chair, explained how Aadhaar and FIDO Authentication can co-exist, which is a big topic in India. Aadhar provides a 12-digit unique identity number that is issued by the Unique Identification Authority of India (UIDAI) to citizens and residents. One of the challenges with Aadhaar is the need for authentication, which is where FIDO could well play a strong role. One of the ways Aadhaar authentication is enabled today is with SMS based 2FA, which can be spoofed and isn’t always delivered reliably.

“FIDO offers a very fast and convenient form of authentication and it reduces the reliance on the passwords,” Ramaswamy said.

In a user case study session, Srikanth Appana, Executive Vice President Technology at Bharat Financial Inclusion Limited, noted that his organization had a business requirement for an application that requires strong authentication and tried out FIDO.

“I can definitely say the FIDO experience was fantastic, we have lab tested it and we are looking forward to a large rollout across our enterprise,” Appana said.

Amit Mathur, FIDO Alliance India Working Group Co-Vice Chair and COO at Ensurity, also outlined his experiences helping his organization’s clients move to FIDO. For Mathur, the FIDO experience has been very positive.

“One of the learnings is that everyone out there is wanting to remove passwords, so they are all sick and tired of passwords and they are looking for an opportunity and a good solution which is scalable to remove the passwords,” Mathur said. “That is where the FIDO authentication plays a very very important role.”

Region: China

FIDO is also very active in China. During the regional spotlight on China Henry (Haixin) Chai, FCWG Co-Chair/CEO of Uni-ID Technology at Lenovo, provided an overview of FIDO deployment and opportunities in China. 

Adding to the China block of content, Nick Hu, FIDO Product Manager at FEITIAN Technologies, outlined the opportunities in the region. Rounding out the China block, Yi Chen, Country Manager for China at FIME, detailed how FIDO helps to enable biometric authentication in payment systems.

Day 2: Overview

Stephen Wilson, Managing Director for Lockstep Technologies, delivered the opening keynote for the second day of APAC Innovation providing some insights into the state of digital identity in APAC.

While there are some holdouts around APAC, he emphasized that 100% of Southeast South Asian nations have digital IDs and national IDs. Wilson said that the key trend in identity that he has been speaking about for several years is the global trend from “who?” to “what?” 

Defining who you are as identity is relative and vague in Wilson’s view. By looking for the “what,” it’s possible to be more precise.

For example, What are you? Are you a citizen of Korea? Are you a licensed driver? Are you over 21 years of age?

“The precise facts and figures that we need to know about people is the strongest trend and FIDO has been a huge part of this trend,” Wilson said. “FIDO at many levels has legitimized the transition from who to what as FIDO has prioritized one to one authentication over general purpose identification.”

Region: Korea 

FIDO is also seeing strong adoption in Korea.

In the Korea block, Stephen Oh, CEO of TrustKey Solutions, explained that the Korean National Institute of Security (NIS) released national security requirements in September 2021 which strongly recommends the use of FIDO for multi-factor authentication.

“The Korean Government has now recognized the importance of FIDO authentication,” Oh said.

Beyond just recognition, Oh outlined how his organization has been able to help Korean government agencies as well as private corporations with a FIDO based solution for strong authentication.

Region: ASEAN / ANZ

During the ASEAN / ANZ block of content, Chong Seak Sea, Chief Technology Officer at Signing Cloud Shd Bhd, outlined the Malaysian government’s efforts to create a simpler and stronger online authentication ecosystem. At the end of his presentation he was joined by Muhammad Fendi Osman from the Ministry of Finance Malaysia who emphasized his Ministry’s confidence in FIDO as an approach to enable strong authentication.

Khanit Phatong from the Electronic Transactions Development Agency (ETDA) provided insight in his session into the Digital ID Outlook in Thailand. Phatong noted that the FIDO UAF standard is now being used as part of a national digital ID framework, with plans to move to FIDO2 in the future.

Rounding out the case studies for ASEAN / ANZ was a session on FIDO in Australia, that was delivered by Chris Hockings CTO Security, IBM A/NZ and Shane Weeden Senior Technical Staff Member, IBM. Hockings noted that FIDO adoption has been recommended by multiple agencies in Australia including the Australian Signals Directorate (ASD/ACSC) for strong authentication.

Day 3 / Region Japan

The final day of the APAC Innovation virtual summit included regional sessions for Japan and Taiwan.

Among the users presenting in the Japan block of content was Yuya Ito, Vice President, ID Solution Division at Yahoo! JAPAN. During his session, Ito detailed the implementation and Expansion of Passwordless options powered by FIDO that are running in Yahoo! JAPAN.

Another interesting use case was presented by Osamu Sugimoto, Professor, Faculty of Management at Josai University. Sugimoto used his session to detail an implementation of a FIDO2 server and passwordless network using campus ID type security keys.

Region: Taiwan

In Taiwan, FIDO is set to play a starring role in a major development effort to enable a national identity system for financial services.

Brenda Hu, Director General of the Financial Supervisory Commission in Taiwan, explained that her organization is the sole regulator for financial markets and services in Taiwan and it’s taking a big step forward with FIDO.

Hu observed that usually people have many bank accounts, ATM cards, electronic payment accounts and other financial service accounts.

“In other words, people have to spend time and effort to remember and keep their account names and passwords secure,” Hu said. “As friends of the FIDO Alliance, you know the negative side of passwords and usernames, this is a time consuming process not only for customers, but also for financial institutions.”

To help improve the experience for both consumers and financial institutions, Hu’s agency in Taiwan is leading an effort that aims to help provide an interoperable and unified approach for user identity and authentication for financial services.

“The standard mechanism for mobile ID verification includes many aspects, but incorporating FIDO authentication is our first and a critical part in the mechanism,” Hu said.

The Authenticate APAC Innovation virtual summit was the last Authenticate event for 2021 and capped off a year of insightful content on strong authentication and identity. 

In March, the Authenticate Virtual Summit: Modern Authentication for Financial Services event brought experts and users from the financial community together to talk about FIDO. In June, the Authenticate Virtual Summit Focus on Europe was hosted by the FIDO Alliance,providing visibility into how strong authentication and identity is being deployed in Europe.

Then in September, the FIDO Alliance hosted an Authenticate Virtual Summit on the Imperative for Strong Authentication for Government Services where details on government deployments were detailed. More recently, in October, Authenticate 2021 provided a live and online event with three days of sessions (catch the Day 1, Day 2 and Day 3 recaps here).

There’s much more to come from the FIDO Alliance in 2022!

Day three of the Authenticate 2021 conference provided a great conclusion to the live event with insights on how FIDO is being used and direction on what’s coming next, as the journey to the passwordless future continues.

In a morning session, Christiaan Brand, Senior Product Manager at Google, outlined how the FIDO specifications have evolved in recent years from U2F to FIDO2 WebAuthn. Brand said that while U2F was originally considered mostly as a second factor authentication approach, with FIDO2 the scope has expanded to being a technology that can replace passwords.

A FIDO2 approach known as Discoverable Credential Support was highlighted by Brand as a way to help enable the passwordless future. With Discoverable Credentials, the FIDO security key or authenticator will remember all of the user’s credentials and it will present them, almost like a password manager whenever the user needs to sign in.

Another effort that is in development is the cloud-assisted BLE (Bluetooth Low Energy) pairing initiative also known as caBLE, which is intended to make it easier for authenticators to be used with different sources.

“The idea is that every platform implements this caBLE protocol natively And then when an authentication event triggers, you can use this protocol to get data sent from the device,” Brand said. 

The Challenge of Account Recovery

A key challenge for user accounts is the issue of secure recovery. No matter how secure the authentication is to access an account, if there is a weak recovery system in place, an attacker will be able to bypass security.

“Account recovery is really just another form of authentication,” Dean Saxe, Sr. Security Engineer at Amazon Web Services stated.

In a session, Saxe detailed what he referred to as the Iron Triangle of Account Recovery, which includes the concerns of access continuity, security and privacy. Saxe noted that the account recovery mechanism itself should be reasonably secure, preferably as secure as the primary authentication. 

“What we don’t want to create is a gate that you can walk around, or walk through because we haven’t secured the gate with a fence all the way around the thing that we’re trying to protect,” Saxe. “So the recommendation is to register multiple authenticators, so you have a backup.”

User Stories Cambridge Housing Authority and National Guard

Among the users that spoke on Day 3 of Authenticate 2021 was Jay Leslie, CIO of the Cambridge Housing Authority. 

Leslie recounted that his organization was the victim of spear phishing attack and he was looking for a way to help provide a more secure approach to user account authentication.

Leslie said he looked at a number of different approaches including virtual smart cards and ended up discovering FIDO via peers that were using the technology. 

What Leslie quickly realized was that FIDO would be easily supported within his environment with a lot of the organization’s existing processes and infrastructure.

“The other thing I love about FIDO is that there are many different authentication methods that you can do,” Leslie said. “There are keys like YubiKey and Solokey and there is also Windows Hello where you can just type in a PIN, and for us, I think that provides us an easy glide path.”

Enabling an easy flight path for remote workers is also top of mind for Major Liaquat Ali,  the RPA Cyber Space Operations Officer at the 107th Operations Support Squadron (ACC) Niagara Falls ARS, New York, Air National Guard.  

Major Ali said that this organization was able to recognize significant cost savings by implementing a FIDO based authentication approach that makes use of YubiKey and the ID.me identity proofing service.

Of interest, Major Ali noted that 70% of his users reported that they were also using their FIDO security keys to help provide secure access for personal accounts.

The Intersection of Zero Trust and Authentication

Megan Shamas, Director of Marketing at the FIDO Alliance, moderated an afternoon panel on Zero Trust, which is often closely associated with Identity and Access Management (IAM) activities.

A core question that the panel discussed is what the top obstacle is to implementing strong authentication. Christine Owen, Director at Guidehouse, said that in her view people are often the issue.

“Part of it is because when you are changing processes, you need to have good communication with your stakeholders and with your customers to understand why it is you’re changing what you’re changing, and how their life is going to be different and better,” Owen said.

Jamie Danker, Senior Director of Cybersecurity Services at Venable, commented that ironically trust is the biggest obstacle. Users are often worried about the privacy implications of authentication and security mechanisms.

“You need to consider how information is used for just that authentication purpose and not used for other purposes,” Danker said. “Think about things like how you can minimize the data, and how you are going to inform your users about the use of the data.”

Improving Trust in Authentication

The idea of improving trust in users was the topic of an afternoon session from Kayla Shapiro, Production Engineer at Facebook. Shapiro helps to lead a team that works on improving the internal security and access to employee facing systems.

“We use technologies and build software that enables us to make use of digital identities that let us start to trust that person or machine is who they say they are,” Shapiro said.

Shapiro detailed the intricate approach that Facebook uses to ensure that credentials are stored safely. One of the technologies is something that Facebook developed internally known as Secure Key Storage (SKS), which makes use of Secure Enclave on Apple and TPM on Windows systems to store private key information. Facebook also makes use of FIDO based strong encryption for user authentication to help limit risk.

“Trusting a user means trusting your source of truth,” Shapiro said. “It’s not enough to have the strongest authenticated authentication methods in the world, if you can’t say with confidence that the data that backs those methods isn’t stored securely.”

Towards Usernameless Authentication with FIDO

Dmitri Tyles, Sr. Director of Engineering at Deltek, used his time on stage to explain how his company, which builds ERP software, is using FIDO in the technology it sells.

One of the interesting uses that Tyles described is an approach known as usernameless authentication. With that approach not only is the authentication passwordless, it also doesn’t include a username either.

“It means that a user doesn’t have to provide a user ID on the login screen as identity is stored on the device itself, as we’re using the capabilities that FIDO provides,” Tyles explained.

Deltek is also using FIDO as a means to digitally sign a transaction. Tyles noted that while authentication is the primary focus for FIDO2, it also provided a powerful approach to digital sign things.

The Future of FIDO

During the final panel for the live Authenticate 2021 conference, speakers praised the event and the progress that FIDO has made to date.

Google’s Brand noted that he’s cautiously optimistic that basic challenges of authentication are now technically solved by the FIDO2 specifications.

“Now it’s up to us to do a bunch of implementation and that’s happening sometimes a little bit slower than we like but in general, things are moving forward,” Brand said.

Microsoft’s Dingle agreed and noted that with FIDO2 in place the industry is now in an amazingly luxurious position to try to tackle second order problems. “It’s great that we’re now able to look at nuances and subtleties in the specifications that we never could before,” she said.

Rounding out the conference, FIDO Alliance Executive Director Andrew Shikiar noted that seeing users talking about implementation over the course of the Authenticate 2021 event was a rewarding experience.

“It’s really rewarding and amazing to see so many people sharing their successes, since just  a couple of years ago we couldn’t find anyone because they really were just at the pilot phase,” Shikiar said. “The data is coming in and it’s all pretty positive. FIDO works and FIDO works well.”

That’s a wrap for the Authenticate 2021 event, we look forward to seeing everyone in person at the 2022 event scheduled for Oct 17-20 in Seattle.

The second day of Authenticate 2021 was a full day of keynotes, sessions and panels about the continuing progress and opportunities for FIDO authentication, digital identity and a passwordless future.

The day started with a rousing keynote from Microsoft outlining how the tech giant is looking to end passwords.

“About a month ago, we actually announced in our consumer practice that you can now delete passwords all together from your account, and only use strong authentication,” Pamela Dingle, Director of Identity Standards at Microsoft said. “In doing that you’re deleting the risks and frustrations that come with passwords.”

The risks that come from passwords is a topic that Microsoft has researched at great length in its latest Microsoft Digital Defense Report. Dana Huang, Director of Engineering for Enterprise and Security at Microsoft Azure, noted that according to the report, phishing attacks are responsible for 70% of the breaches that Microsoft is seeing. On the more positive front, Microsoft has also observed a huge increase in adoption of strong authentication over the past year of 220%.

While some organizations and users might think they aren’t at risk from a phishing password related attack, Dingle emphasized that every account matters.

“Now you may have to take a triage type of approach to strong authentication, you may have to start with your administrators,” Dingle said. “But the truth is that any account that can be compromised can become a wedge by which an attacker can move laterally across your enterprise.”

Visa’s Passwordless Strategy

Moving to a world without passwords is also a key strategy for David Henstock, Head of Product, Identity and Authentication at Visa.

“When it comes to authentication, what we want to do is pretty simple, we want you to forget about passwords,” Henstock said. “We want to get passwords out of our ecosystem.”

Henstock added that countless studies have proven that knowledge based authentications don’t work and it’s nearly impossible for the consumers to juggle password managers.

“We just need a better way, and FIDO, we believe is that way,” Henstock stated emphatically.

Hacking MFA

Not all Multi-factor authentication (MFA) technologies are the same and in fact most non-FIDO methods are potentially hackable, according to Roger Grimes, defense evangelist at KnowBe4.

Grimes noted that attackers are not necessarily directly attacking MFA solutions, but rather are often phishing the human that is using MFA, in an attempt to bypass the normal execution of MFA.

“With an MFA attack the really common approach is to convince the victim to visit a fake website through an email or social media,” Grimes said. “So the victim thinks that they’re going to a site that they intend to go to that they’re going to log on to using multi factor authentication, and what the attacker does is trick them into going to some man in the middle proxy website.”

Somewhat ironically, Grimes emphasized that the whole reason many organizations are going to MFA is to try and limit the risk of social engineering phishing attacks. In his view it is incumbent on organizations to choose the right strong authentication approach to limit phishing risk.

Certification is a Hot Topic at Authenticate 2021

Certification was the topic of a number of sessions on day two of Authenticate 2021. Dr. Rae Rivera, Certification Director for the FIDO Alliance, outlined the value of certification in an afternoon session.

Rivera also discussed a number of new certification efforts including the FIDO Certified Professional and the Document Authenticity Certification. She explained that the FIDO Certified Professional is about helping organizations that want to deploy FIDO so they can hire professionals that are knowledgeable.

The Document Authenticity Certification is a bit of a different type of effort for FIDO, which is generally more concerned about authentication, though in recent years identity and authentication have become increasingly intertwined. What has also become apparent is the need for standards based certification efforts for documents that are used to help authenticate and verify user identity.

During a panel session about the document authentication certification effort, Stephanie Schuckers, Professor at Clarkson University, explained the constituent components of the initiative. There’s the document authentication component and then there’s the face verification piece .

“Essentially what the goal is is when you take a photograph of a document, you’re trying to determine, is this a legitimate document and you’re trying to gather information from the document,” Schuckers explained.

With the face verification piece, which can involve a selfie image, the document authentication certification effort will attempt to verify how well the selfie image matches the face, gathered from the document. Additionally, she noted the certification will require a liveness piece to make sure the selfie image is of a real live person, and not just a reproduction or fake.

The topic of having a digitally verified form of identity was also part of a panel discussion on mobile driver’s licenses (mDLs). David Kelts, Director of Product Development for Mobile ID at GET Group, commented that today there are already tens of thousands of mDL holders in pilot or pre-production and hundreds of thousands in pilots expected in 2022.

While mDLs are for motor vehicle operation, Kristina Yasuda, Standards Architect at Microsoft, observed that  just like the physical form of driver’s licenses, they will also be useful for other types of identity use-cases, including age verification.

User Experience is Key to FIDO Success

No matter how good FIDO based technology is, it’s no good if users don’t adopt it. That’s an area that goes beyond just technology, to understanding and optimizing the user experience, which was the topic of several sessions.

Kevin Goldman, Chief Experience Officer at Trusona, observed during a session that for designers and application teams, it’s often viewed as being easier to just have a username and a password, as that’s what they have always done and the tooling and workflows are long established.

“So, there’s friction, not only in the end user experience that we need to solve for, there’s also friction in the experience of the makers,” Goldman said.

The FIDO Alliance recognized that user experience (UX) matters and established a task force in 2020 to create guidance on how it can be optimized to be easier for both end users and the makers. The guidance is now publicly available at: fidoalliance.org/ux-guidelines

“As an anecdote of all the work I’ve done at FIDO this project was probably the coolest thing,” Andrew Shikiar, Executive Director and CMO of FIDO said. “We have a lot of security and authentication identity experts but actually working with capital D designers and UX people is really important.”

Bringing FDO to the Internet of Things

FIDO Authentication helps to enable users to authenticate services and a new effort is now going to help enable authentication for onboarding of Internet of Things devices and sensors.

David Turner, Director of Standards Development at the FIDO Alliance, explained that the FIDO Alliance launched the IoT Technical Working Group (IoT) TWG in June 2019 to help solve the challenge of device onboarding. Intel contributed their Secure Device Onboard specification which served as a starting point for what is now known as the FIDO Device Onboard Specification (FDO) specification.

“We’re basically looking at drop shipping a product, having someone receive it and physically put it wherever it’s going to go, turn it on and have it connect automatically with no other human interaction required,” Turner said.

User Stories: Target and Wayfair

Among the users that spoke on day two were Target and Wayfair.

Tom Sheffield, Senior Director of Cybersecurity at Target, explained that his company has been on a FIDO adoption journey for several years as the retailer looks to enhance security.

“We recognize the inherent weaknesses in passwords, the need for strong authentication capabilities and we want to improve user experience,” Sheffield said. “We want to increase productivity, while also enabling our team members to do their job securely, and in a compliant way as secure by default is our design pattern.”

One of the areas where Target is deploying FIDO is for its own operations. With a deployment of biometric, fingerprint authentication devices, Target has been enabling FIDO based strong authentication across its internal applications. Sheffield said that over 99% of his users have been able to register for, and leverage fingerprint ID, without needing to engage any help desk support.

A key thing for Target’s deployment was making it understandable and attractive to users. To that end, Sheffield emphasized that words matter.

“We didn’t say password less, because we’re not getting rid of passwords, at least yet,” Sheffield said. “Nor did we say Fido, because it is a dog’s name, and it’s an unknown term outside of the identity community.”

For Mike Virginio, Senior Manager, Corporate Security Engineering at Wayfair, words also matter. Like Target, Wayfair is using FIDO to help secure its operations, including corporate headquarters,  call centers as well as warehouses. Wayfair stated on its FIDO journey in 2019, not to be passwordless, but rather to just use less passwords in its operations, to help reduce the risk and operational hassles.

One thing that Virginio experienced that he wasn’t quite expecting was that there were people within Wayfair that actually liked using passwords.

“It was shocking because my whole life I’ve heard that passwords stink, and they’re hard to use and remember and so on,” Virginio said. “But it is something that’s very familiar, people understand how it works and there are recognized support mechanisms for them that have been used for a long time.”

To help get past that resistance he suggested that implementers be transparent about the technology that is being rolled out and create articles, user guides and diagrams that explain what FIDO strong authentication is all about.

“Coming to the table prepared and having those diagrams and so on, ahead of time is really helpful,” Virginio said.

Day Three is Loaded with Content

Day Three of Authenticate 2021 gets underway on Oct. 20 with sessions from Google and Amazon Web Services kicking off the day. User stories are also plentiful with sessions from the Cambridge Housing Authority and the New York Air National Guard among others.

There is also a not to be missed panel on the intersection of Zero Trust and authentication. And of course there’s the party!