The end user is the most vulnerable point in any network security setup. Think about it: End users create weak passwords. They write their passwords on sticky notes and stick the notes to their cubicle walls, where any passerby can read them. They lose smartphones that contain company data after failing to passcode-lock their devices. They eagerly answer phishing emails by handing their passwords to attackers.
Companies like Microsoft, Google and PayPal want to remove the human element from business security by eliminating that all-too-human password. These companies, along with other organizations, have banded together to create the Fast IDentity Online (FIDO) Alliance. The FIDO Alliance is developing an authentication procedure that will not require the traditional password. Their solution focuses on three requirements: ease of use, security and privacy, and standardization of authentication services.
The FIDO Method
Authentication according to FIDO’s method would require users to authenticate themselves by using a registered device. For example, if a businesswoman signed up for a credit monitoring service, she would register an approved device, like a mobile device or dongle, and the device would create a new key pair. The public key would be registered with the website while the private key remained on the woman’s authentication device. When she logged in to the credit monitoring site again, she would unlock her private key on the registered device by entering a PIN, providing a biometric reading or delivering voice authentication. At no point during the process would she enter a password for the site.
FIDO would strengthen authentication by standardizing the cryptographic protocol between clients and online services, using public-key cryptography in one of two ways. The Universal Authentication Framework (UAF) stack could be installed on a client device, which the user would then use to log in. Alternatively, users could carry a Universal Second Factor (U2F) device, supported by a client built into the Web browser. In either case, the client is pre-installed in either the operating system or the Web browser of the registered device. In principle, Internet services could accept any authentication method the device supports, and the user’s private key and unlocking credential would never leave the device.
Effectiveness Meets Simplicity
Researchers have presented different paradigms to explain how people adopt new technology solutions. The most universally accepted model, the Technology Acceptance Model (TAM), states that people adopt technology according to their perceptions of both its usefulness and its ease-of-use. Building on that research, FIDO has worked to create a solution that meets both usefulness and ease-of-use standards.
FIDO standards would almost certainly prove useful for individuals, for businesses and for vendors. Individuals wouldn’t have to worry about passwords, and they would be able to use the Web without being tracked across sites or devices. Businesses could be assured that they had improved PKI-based security, and they could eliminate multiple stacks of clients and protocols to simplify network security. For vendors, standardization would eliminate the need for custom security solutions for each product. Standardization would allow vendors to better budget their costs and estimate their time-to-market, cutting costs for companies and lowering prices for consumers.
Standardization also creates ease-of-use. User devices can use whatever security method the user prefers, from biometrics to a PIN to voice authentication. Users can register the devices of their choice. The website can accept any of these methods, which gives users the freedom to choose their own preferred solution. The user’s perception of control, in turn, also drives the user’s perception of ease-of-use.
Could Passwords Actually Disappear?
Once FIDO’s approach is ready, the organization plans to demonstrate it to the Internet Engineering Task Force (IETF) or the World Wide Web Consortium (W3C). Once approved, it can be rolled out to different organizations, technology companies and device manufacturers. FIDO hasn’t provided a timeline for its plan, but the organization has said that its first focus is securing access to Web applications through Web browsers. Its second focus will be providing solutions for the Android ecosystem before rolling its protocol out to Windows and Apple devices.
Eliminating passwords could close many vulnerable backdoors in home, business and organizational networks. The human mind is a great tool for business innovation, but it’s not always the best tool for cybersecurity.