A Guide to FIDO Passwordless Authentication
A recent report from IBM notes that the most popular attack vector for hackers is the use of compromised credentials. On average, businesses lost 4.5 million dollars because of data breaches resulting from stolen IDs and passwords. The need to better protect information led to the development of Fast Identity Online (FIDO) specifications. For those who still have questions about “what is FIDO passwordless?” we created this guide to offer more clarity.
The password problem
Passwords have been in use as part of computer security since the 1960s. They were created to provide a convenient way of allocating computer time on mainframe systems. Computer systems have evolved since then; unfortunately, passwords have not.
Passwords are susceptible to several attack vectors: password reuse, simple passwords that are easy to guess (such as password123), and phishing. If a hacker can guess or phish a password, they have an easy way into an organization’s systems and data. 81% of hacking incidents used stolen, phished, or weak passwords.
Remember, hackers don’t break in, they log in. Getting rid of passwords greatly increases security, but how do organizations get rid of them?
Going passwordless with FIDO
FIDO refers to a family of standards, and it is itself an open standard. The mission of the FIDO Alliance, the standards body behind FIDO, is to reduce the world’s reliance on passwords.
The FIDO Alliance is supported by large tech companies such as Google, Microsoft, and Apple, allowing for accelerated adoption of the FIDO standards. The introduction of FIDO passkeys has further accelerated adoption and made FIDO a viable option for both consumer and enterprise use cases.
The FIDO standard supports passwordless authentication that is compliant with NIST’s MFA guidance of something you have (FIDO cryptographic key pair) and something you are (such as a biometric) or something you know (such as a PIN). Combining this guidance with asymmetric cryptography allows for passwordless authentication based on the FIDO standards.
Understanding Asymmetric Encryption
Passwordless authentication is based on a concept called asymmetric encryption. Unlike password authentication, which is based on a shared secret (both parties knowing the password), asymmetric encryption is based on a private/public key pair that is generated at the time of registration. The registration event triggers the exchange between the authenticator that holds the key pair and the service or website it is being registered with, sometimes referred to as the relying party. During authentication, this key pair is used to send an encrypted authentication event that the relying party validates. This method eliminates the weakness of shared secrets that is inherent in passwords.
FIDO protocols create a new key pair for each service, and each key pair is strongly bound to a specific website or relying party. This prevents a FIDO credential from being reused across services, reducing the attack surface, and ensures that the key pair presented is the correct one for that service.
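The registration and authentication flow described above, as an added example that is not part of the original post and not Axiad's or the FIDO Alliance's code: a constructed model of an authenticator that mints one P-256 key pair per relying party ID, a relying party that stores only the public key and issues a one-time challenge, and a signature that covers both the RP ID and the challenge, so a credential registered for example.com cannot answer for any other site. The RP IDs and the challenge are constructed sample values, and the signed message is a simplified form of what WebAuthn signs.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator keeps one key pair per relying party ID (constructed model, not a real CTAP device).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register: mint a fresh P-256 key pair bound to rpID; only the public key leaves the authenticator.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedMessage mirrors WebAuthn's SHA-256(rpIdHash || clientDataHash): the signature covers the RP ID and the challenge.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}

// Sign: the authentication step; only a key registered for this exact rpID can answer its challenge.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// Verify: the relying party checks the stored public key against its own ID and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(rpID, challenge), sig)
}

func main() {
	auth, challenge := NewAuthenticator(), []byte("constructed-one-time-challenge") // a real RP uses fresh random bytes
	pub, _ := auth.Register("example.com")
	sig, _ := auth.Sign("example.com", challenge)
	fmt.Println("genuine:", Verify(pub, "example.com", challenge, sig), "other RP:", Verify(pub, "evil.example", challenge, sig))
}
```

A replayed signature also fails, because the RP issues a fresh challenge for every login and the old signature was computed over the previous one.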
Reasons to Consider Moving to Passwordless Authentication
FIDO passkeys and passwordless authentication are becoming easier and easier for companies to adopt. Built-in platform support for the FIDO standards has been adopted by all major tech companies, including Apple, Google, and Microsoft, giving organizations the basic tools needed to plan for and adopt passwordless.
FIDO passwordless authentication represents a convenient way to eliminate the risk that passwords pose to organizations worldwide. Passwordless is only part of the security picture, however; consideration also needs to be given to credential lifecycle management and to support for different FIDO authenticators. Here, Axiad can help.
Strengthen Your Security Posture with Axiad
It’s more critical than ever for businesses to become proactive about turning away internal and external security threats. Axiad offers solutions that help companies enable secure authentication policies. Contact us today to learn more about the benefits of our Axiad Cloud solution for credential management.