Despite well-documented weaknesses, passwords continue to be the most popular way people sign in to nearly everything they do online. Passwords are deeply entrenched in the vast majority of web experiences due to the ease of use for end users and simplicity of operations for organizations.

Of course, there are accepted alternatives to passwords, such as biometric authentication and public key infrastructure (PKI) authentication, but they are not widely adopted because of their operational costs. Techniques to supplement passwords, such as two-factor authentication (2FA), are widely available, but the vast majority of people don't use them. Years of warnings about the risks of using easily guessed passwords and reusing the same password across multiple sites have been largely ignored, primarily because of the friction they create for users.

IBM Embraces FIDO Certification Across Offerings

At IBM Security, we’re striving to minimize the reliance on passwords. Our mission is to balance security and convenience, providing a simplified user experience while safeguarding transactions through risk-based authentication mechanisms.

As part of our strategy to advance the adoption of strong but simple-to-use authentication, we are delighted to announce that IBM recently received the Fast IDentity Online (FIDO) Alliance’s FIDO2 certification. FIDO2’s mission is to bring frictionless, strong authentication services to users with privacy as a key consideration. As we embrace FIDO authentication across our offerings, we hope to move the industry one step closer to a standardized approach to authentication and the eventual end of passwords.

How FIDO2 Helps Prevent Cybercrime With Individual Private Keys

The FIDO2 standards are built on public key cryptography, the same asymmetric technique that underlies PKI, but without the certificate authorities and certificate lifecycle that make traditional PKI costly to operate. Instead of relying on a shared secret such as a password, the user's authenticator holds a private key that is never revealed to the server, while the corresponding public key, which need not be secret, is sent to the server at registration and associated with the user's account. Whenever the server wants to authenticate the user, it sends a fresh, random challenge; the authenticator signs that challenge (together with the origin the browser observed) using the private key, and the server validates the signature with the stored public key. Because the challenge is new for every login, a captured response cannot be replayed. The FIDO standards and architecture hide all of this from users: there is no need to remember a private key, or even to be aware of having one. The result is a login process that is fast, secure and transparent for users.

Public key authentication as implemented in FIDO2 removes the attack surface behind the most common forms of cybercrime that plague internet users. We've all heard about massive thefts of files containing billions of passwords, or password hashes weak enough to be cracked offline, over the past few years. These disclosures not only threaten individual user accounts but can lead to larger identity theft problems because people tend to reuse the same password across multiple online services. FIDO2 mitigates this risk with authentication tied to individual private keys possessed only by the user. A breach of a website's credential store yields only public keys, which cannot be used to sign a challenge, and because each key pair is unique to one site, nothing taken from one service is reusable at another.

Site-Specific Key Pairs Deter Phishing Attacks and Fraud

FIDO also helps us in a number of other focus areas. Phishing attacks, which have reached epidemic proportions, are reduced because there is no password to hand over: the browser scopes each credential to the domain that registered it and includes the page's actual origin in the data the authenticator signs, so a look-alike site cannot obtain a signature the real site will accept, even if it relays the real site's challenge in real time. FIDO ensures that a different private/public key pair is used for every site the user visits. The risk of online fraud is also greatly reduced because the user is validated by possession of a device rather than by knowledge of a secret that can be stolen. Consumer privacy is safeguarded because site-specific key pairs give a malicious site no identifier that can be correlated across websites, so personally identifiable information (PII) cannot be gathered on visitors across different sites.

From an end user perspective, people can choose their own authenticators (bring-your-own-authenticator) with user verification techniques ranging from gestures to personal identification numbers (PINs) to biometrics. The need to remember a password that conforms to the server's policy is replaced by a short PIN, a fingerprint, facial recognition or any other human-to-device authentication technique, similar to how many individuals unlock their mobile devices today. That PIN or biometric only unlocks the authenticator locally; it is never transmitted to the server.

It’s Time to Say Goodbye to Passwords

FIDO2 certification isn't simple to achieve. Applicants must go through a rigorous conformance self-validation process and interoperability testing to verify that their solution works with other certified implementations. Results of those tests then need to be submitted to the FIDO Alliance for verification. In addition to vendors like Microsoft and IBM, the major web browsers also support this effort in hopes of reducing the heavy reliance on passwords today. We expect our clients will soon begin the process of weaning their users off passwords as well.

For more information about this effort and the opportunity to try the technology, please read this article from Shane Weeden, one of our leading experts on authentication.
