FIDO Passwordless: Trust but Verify...then Verify Again
Updated: Dec 3, 2019
A little over 5 years ago the first round of FIDO standards was issued with the goal of getting to a future without the need for centrally-stored passwords. As we enter the fourth quarter of 2019, progress has been made, but passwords still abound.
At its core, FIDO is a set of open standards that defines the architecture and interoperability for decentralized, passwordless authentication. With FIDO, the device does the heavy lifting: the user unlocks an authenticator (an NFC or USB security key, or a biometric template stored in hardware beneath the operating system), and the authenticator signs a challenge issued by the service with a private key that never leaves the device. The service verifies that signature against the public key it recorded when the credential was registered. The biometric itself is never transmitted; what comes back is a signed assertion that the registered key was unlocked for this request.
Each application or service that uses a FIDO authenticator relies on the validity and strength of the client element, be it a hardware key, a stored biometric, or even a PIN code. For many applications this is a significant improvement over passwords, but there are still risks. If a security key is stolen (and used in a presence-only flow that asks for no PIN), a PIN is shoulder-surfed, or a biometric is supplied under duress, the service still receives nothing more than a binary yes/no: the assertion proves that the registered key signed the challenge, not who was holding it. For most organizations that is nowhere near enough to hand unconditional trust to a single signal the service cannot independently corroborate.
There are many vendors that offer FIDO-based authentication. Many focus on basic passwordless login for customer web applications, and a handful, including Transmit Security, offer a broader range of services that can be considered for enterprise applications that include SSO and passwordless workstation login.
It’s important to remember that FIDO isn’t a product in and of itself. It’s a set of protocols and processes for decentralized authentication. A FIDO deployment also depends on surrounding processes that the standards largely leave to the relying party: enrolling a new device, registering and de-registering authenticators, and fallback and recovery paths for when a biometric fails or a key is lost. These are the weakest links, and the most important aspects of authentication to get right when implementing a FIDO-based solution.
Transmit Security is a member of the FIDO Alliance and employs FIDO as one of the many authentication protocols we directly support. We take FIDO and other authentication technologies and add the dimension of risk, using historical user profiles.
Our cross-channel, continuous adaptive risk engine tracks user, device and system history to detect anomalies as they happen and deploys additional security measures to defend against threats in real time. Even after a user is FIDO-authenticated, behavior that is out of character for that user triggers additional measures: step-up authentication, restricted access, or, if needed, locking the remote device.
With Transmit Security you can safely put your trust in FIDO to eliminate passwords. More on our cross-channel continuous adaptive risk decisioning and password-elimination offerings is available from Transmit Security.