The Expert's View with Michael Novinson

Encryption & Key Management , Identity & Access Management , Multi-factor & Risk-based Authentication

Authenticate 2022: Experts Share Path to Passwordless Future

Keynotes for FIDO, Google and Yubico Discuss Remaking MFA, Next Steps for Passkeys
Authenticate 2022: Experts Share Path to Passwordless Future

Multifactor authentication was supposed to be the standard in security, but the sharp rise in highly successful MFA bypass attacks shows how far the industry still needs to go in verifying identities. Keynote speakers at Authenticate 2022, a three-day FIDO Alliance conference in Seattle this week, said the future of passwordless technology could answer this latest threat.

This year's spate of MFA compromises was driven by legacy two-factor authentication systems and not modern multifactor authentication, which is designed to be completely secure from phishing, or "unphishable," said FIDO Alliance Executive Director Andrew Shikiar on Monday, the opening day of the conference aimed at weaning the industry off passwords and the many risks they pose.

"Our vision is for people to understand the difference and build the tools and products that allow them to implement a better way of doing MFA," Shikiar said.

The 2022 annual conference was the first since Google, Apple and Microsoft announced partnerships with the FIDO Alliance earlier this year to support Passkeys - credentials for passwordless authentication using cryptographic keys from end-user devices such as smartphones or PCs (see: Apple, Google, Microsoft Unite to Make Passwordless Easier).

Shikiar urged attendees to embrace passkeys, especially when combined with private security keys that deliver the gold standard for multifactor FIDO authentication. The adoption of passkeys gives service providers common language to use and helps them reinforce positive behavior around moving to passwordless.

"The passkeys are not an endpoint," Shikiar said. "If anything, it's just another beginning. We'll continue to iterate on it."

PayPal has been an early adopter of passkeys, not only for its built-in spoofing- and phishing-resistant capabilities but also for its broad integrations with the likes of Apple, Google and Microsoft, according to Marcio Mello, head of product for PayPal's identity platform. Passkeys provide an amazing combination of convenience and security, making it easier for PayPal to scale and execute large global deployments.

"The journey is still long," Mello said during Shikiar's keynote. "We're not done at all. But the feeling that we are all in this together as an industry - knowing that the pain and complexity of creating and managing passwords will soon go away - is too good to hold back."

Usability is absolutely critical to deploying passwordless technology at scale, and the FIDO Alliance is attempting to take this issue on through a recently launched committee of design and usability experts, Shikiar says. Having those experts in the driver's seat is extremely rare in the standards world, he adds.

"I think we have an opportunity with authentication to be a bridge across the digital divide rather than a wedge," Shikiar said.

Google Pursues Data and Device Protection by Default

Another ongoing challenge in security is data protection, which is why Google wants to transform the processing of private data to offer dramatically more protection. The plan is to build security into multiple levels of the system so that users are safer by default, said Jonathan Bellack, Google's senior director of identity and counter-abuse technology. This starts with minimizing the data footprint as much as possible by limiting the passing of data around servers and across the network.

This can be accomplished by bringing more computing onto the device itself as well as ensuring that data isn't retained any longer than necessary, Bellack said during a keynote Monday. From there, he said, the focus shifts to making personal data harder to identify so that the information can still be used in the aggregate without having to worry about inadvertent safety and privacy lapses.

In scenarios where personal data really needs to be present, Bellack said Google is pursuing new ways to restrict access via traditional encryption as well as a secure enclave, which allows data to be operated on in an encrypted manner via the cloud. Bellack said a lot more work remains to be done by companies such as Google to help make personal devices such as smartphones safer for the individuals using them.

"Users want safety but they don't want to think about it," Bellack says. "Can we just build this in as a technical default so it's simply impossible to do the things that users are concerned about?"

But as users rely more on their smartphones to log in, verify their identity and store information, Bellack says mobile devices become an even juicier target for adversaries. As a result, he says, the company has pursued binary transparency so that users can ensure their Pixel smartphone is running with the code Google said it was supposed to have when it left the factory, with a chain for monitoring updates.

"You can tell if things have been verified or have been tampered with, even as modifications happen," Bellack said. "As those patches come in, you can be sure that it's a legitimate patch and that you're using something that's up to date."

Using Authentication Keys to Protect At-Risk Populations

Yubico has in recent years prioritized helping users and organizations dealing with sensitive information increase their security against advanced attackers, Yubico Chief Technology Officer Christopher Harrell said during a keynote Monday. When it comes to election security, he said, security keys are the top product campaigns purchase and deploy since they offer protection across multiple services.

The company has donated 20,000 security keys to support a variety of different government agencies in Ukraine, and Harrell said the biggest challenge is actually getting the keys to Ukraine because of Russia's war that's been raging since February (see: Ukraine Combating Cyberattacks on CNI With Security Keys).

"We do hope that war ends soon with as little bloodshed as possible," Harrell said. "But in the interim, we hope that we can help protect infrastructure from cyberattacks where you don't have to have quite as much skin in the game in order to have an outsized effect on population."

Yubico has given hundreds of its security keys to the Freedom of the Press foundation, which provides extensive security training to journalists covering significant events in the United States and abroad, Harrell said. The foundation walks journalists through setting up the YubiKeys in real time to ensure their accounts are protected, he said.

Another philanthropic arm of Yubico provides security keys to high-risk sexual assault survivors to protect their online accounts, ensuring that a user's current physical location isn't exposed and that GPS logs remain hidden to ensure abusers can't find the survivor's place of employment or the addresses of friends who are helping care for the survivor, Harrell says.

"That kind of protection is more than just information security protection. It's a peace of mind protection. Even if those accounts never get attacked, the fact that you have set up world-class security gives people the peace of mind they need to start to move on from the trauma they experienced," he said.

Going forward, Harrell said, authorities will be using YubiKeys to target and disrupt networks responsible for spreading nonconsensual pornography and child abuse sexual material. Specifically, the keys will help protect the secure systems authorities are using to track these malicious actors.

"I'm definitely not here to compare us to the very, very many people who are out there fighting for human rights or out there fighting for democracy in the world," Harrell said. "But I just hope that we're helping people, and these stories helped me understand that at least in some way, we are."



About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.