FIDO Alliance takes aim at two new cybersecurity challenges. Why should your enterprise care?

By Jerome Becquart

Last month the FIDO Alliance announced the creation of two new working groups to address two major cybersecurity challenges:

1) the Identity Verification and Binding working group (IDWG) and

2) the IoT technical working group (IoTTWG). (https://fidoalliance.org/fido-alliance-announces-id-and-iot-initiatives/)

The first working group's goal is “identity verification assurance to support better account recovery”, and the second group's goal is “to automate secure device onboarding to remove password use from IoT”.

I have written extensively on both of these issues over the years. At Axiad we welcome the industry’s recognition of these two important priorities. We agree that it’s time the industry makes more progress on both fronts if data and assets are going to be safeguarded in today’s digital workplace.

Let’s start with a look at the first issue. As enterprises move away from passwords and implement multi-factor authentication, account recovery has become the weakest link: an attacker who cannot defeat the authenticator will try the recovery process instead. Because of this, we can expect attacks aimed at account recovery to increase. We need to be ready, but how?

The industry should be providing solutions that enable end users to access enterprise resources even if their identity credentials are unavailable (locked, lost, stolen, etc.). Offering smart solutions that are easy to use but do not reduce the overall security of the platform is a challenge. However, we know it can be done because our experts at Axiad already employ a few approaches that balance these two needs. We plan to continue to contribute in this area.

Now let’s turn to the second issue: the recommended removal of passwords for IoT authentication. We have already seen increased interest within our customer base in device authentication, especially for non-person entities (devices, applications, systems, etc.). Today authentication for NPEs (non-person entities) represents over 30% of the identities on Axiad ID Cloud, and this percentage is growing. The need for standardization is critically important as more and more of these NPEs connect to corporate infrastructure. If you thought user authentication was challenging, wait until you start tackling machine authentication.

We’re thrilled that the FIDO Alliance is shedding light on these two issues, but there is one more issue we feel strongly about: transaction authentication, i.e. ensuring trust in every digital interaction. For a communication to be truly secure, three facets of vulnerability (the familiar confidentiality, integrity and availability triad) must be taken into consideration:

  • Confidentiality of data – what happens if the wrong (unauthorized) person gains access to privileged information?
  • Integrity of the interaction – what happens if someone unauthorized modifies information in transit?
  • Availability – what happens when participants can’t access critical information?

Regardless of the industry you’re in, or the size of your company, today’s identity assurance focus must be comprehensive. It must balance end-user convenience with security. It must go beyond user authentication to include machine and transaction authentication. Whatever specific policies come out of the working groups, the good news is that these points of vulnerability, which have already been high on our list, will now take center stage industry-wide.

About the Author

Jerome Becquart, COO. Jerome has over 20 years of experience in identity and access management solutions, including 15 years at ActivIdentity. Jerome’s management experience includes roles in operational management, sales management, professional services, product and solution marketing, engineering, and technical support. After the acquisition of ActivIdentity by HID Global in 2010, Jerome served as general manager of the HID Identity Assurance business unit. He chaired the GlobalPlatform Government Task Force for three years, and served on the board of directors of this industry organization.