GUEST OPINION: In today's digital landscape where security is of vital importance, reliance on outdated password-based authentication exposes businesses to a multitude of threats.
This legacy approach, rooted in the early days of the internet, leaves organisations vulnerable to sophisticated cyberattacks. Despite relentless efforts by cybersecurity professionals in areas like network security, advanced authentication, and employee training, a single breach can still cripple an entire organisation.
The rise of artificial intelligence (AI) has compounded the challenge by significantly enhancing the accuracy and scale of phishing attacks. While past tactics relied on mass emails with poor grammar, contemporary attacks combine AI-crafted messaging with SMS notifications and other seemingly benign behaviours.
This approach also lowers the barrier to entry for cybercriminals, allowing them to leverage powerful technology without needing in-depth technical expertise. Employees tricked into clicking "change password" links, responding to seemingly harmless texts, or entering credentials are essentially handing over access to their organisation's key digital assets.
Once inside, attackers can wield AI once again to extract information and escalate permissions by crafting targeted messages. This evolution in phishing attacks represents a significant operational risk for businesses.
Indeed, Verizon's 2023 Data Breach Investigations Report (DBIR) revealed a very concerning statistic: 86% of cyberbreaches involve stolen credentials. This shows the extent of the need for better protective measures.
The benefits of FIDO 2.0
The urgent need to modernise login credentials alongside other technologies has been acknowledged by leading technology giants such as Google, Microsoft, Amazon, and Apple. It is also supported by the FIDO (Fast Identity Online) Alliance which has a mission to address the challenge.
As part of its work to plug security gaps and prevent credential-based attacks, the FIDO Alliance established new standards that leverage existing on-chip security for robust authentication of both users and devices.
Examples of devices compliant with FIDO 2.0 include those requiring biometric or token authentication such as facial recognition, fingerprint scanners, or physical device tokens like cards or NFC wands.
The strength of FIDO 2.0 lies in its symmetrical approach to user device and software authentication. Similar to advanced smartphone authentication, FIDO 2.0 mandates reciprocal verification by organisations based on established approvals and credentials. This additional layer of protection elevates the overall security posture and makes it significantly more difficult for cybercriminals to gain access.
Properly deployed, FIDO 2.0 addresses a range of different security vulnerabilities. It achieves this by eliminating the risk of events such as SIM swap attacks, Man-in-the-Middle (MITM) phishing attacks, and lost or reused credentials.
Under the hood
To overcome the inherent weaknesses around using username/password authentication, FIDO 2.0 relies on a stronger authentication process. To begin, each device or hardware token must be individually enrolled to allow FIDO 2.0 authentication, and this is done by creating a public/private key pair.
The public key portion is then saved into the web service and assigned to the user identity. On the user device side, the private key is stored within the phone or laptop’s secure enclave. Upon user authentication to their enrolled web services, the web service prompts for the user for the ‘Passkey’.
The user will then be prompted to unlock the device’s secure enclave allowing the private key to be used to complete the challenge/response part of the authentication process. The private key never leaves the device and is much more secure than a traditional username/password combination.
Even though usernames and passwords will be used alongside FIDO 2.0 authentication for some time yet, in a FIDO 2.0 implementation they cannot be used without the private key challenge/response piece of the authentication process. This means that if the username/password is lost or stolen, it is of little value as it can’t alone be used for authentication.
Security in the era of remote working
The security challenges overcome by FIDO 2.0 are particularly acute at a time when many staff continue to work remotely or in a hybrid environment. Some choose to use personal devices and home networks to connect to corporate digital resources, potentially creating new vulnerabilities that can be exploited by cybercriminals.
Also, single sign-on (SSO) has gained popularity and this means that a compromised user can open up access across all connected tools and data sources. Even with secure SSO environments, a username, password, and alphanumeric authentication at the front door leave organisations exposed.
The integration of FIDO 2.0 isn't just a technological upgrade. It's a strategic imperative fortifying digital defences in today's increasingly interconnected world.