Despite well-documented weaknesses, passwords continue to be the most popular way people sign in to nearly everything they do online. Passwords are deeply entrenched in the vast majority of web experiences due to the ease of use for end users and simplicity of operations for organizations.

Of course, there are accepted alternatives to passwords, such as biometric authentication and public key infrastructure (PKI) authentication, but they are not widely adopted due to their operational costs. Techniques to supplement passwords, such as two-factor authentication (2FA), are widely available, but the vast majority of people don’t use them. Years of warnings about the risks of using easily guessed passwords and employing the same password across multiple sites have been largely ignored, primarily due to friction to the users.

IBM Embraces FIDO Certification Across Offerings

At IBM Security, we’re striving to minimize the reliance on passwords. Our mission is to balance security and convenience, providing a simplified user experience while safeguarding transactions through risk-based authentication mechanisms.

As part of our strategy to advance the adoption of strong but simple-to-use authentication, we are delighted to announce that IBM recently received the Fast IDentity Online (FIDO) Alliance’s FIDO2 certification. FIDO2’s mission is to bring frictionless, strong authentication services to users with privacy as a key consideration. As we embrace FIDO authentication across our offerings, we hope to move the industry one step closer to a standardized approach to authentication and the eventual end of passwords.

How FIDO2 Helps Prevent Cybercrime With Individual Private Keys

The FIDO2 standards are based on PKI, a proven and strong authentication technique. Instead of relying on a shared secret such as a password, PKI relies on asymmetric cryptography. The user is in possession of a private key, which is not revealed to the server, and a public key that is not a secret is distributed to the server to be associated with the user’s account. Any time the server wants to authenticate the user, the server asks the user to digitally sign a server-generated challenge with their private key, and the server is able to validate that signature using the associated public key. The FIDO standards and architecture simplify the technology such that there’s no need for users to remember their private keys, or even to be aware that they have one. The result is a login process that is fast, secure and transparent for users.

Consumer PKI as implemented in FIDO2 prevents the most common forms of cybercrime that plague internet users. We’ve all heard about massive thefts of files containing billions of passwords — or reversible password hashes — over the past few years. These disclosures not only threaten individual user accounts but can lead to larger identity theft problems because people tend to use the same password across multiple online services. FIDO2 mitigates this risk with authentication that is tied to individual private keys possessed only by the user. The public keys on a website are useless to threat actors.

Site-Specific Key Pairs Deter Phishing Attacks and Fraud

FIDO also helps us in a number of other focus areas. Phishing attacks, which have reached epidemic proportions, are reduced because users cannot inadvertently provide a rogue site with their password for the real site. FIDO ensures that a different private/public key pair is used for every site the user visits. The risk of online fraud is also greatly reduced due to stronger ways of validating the user. Consumer privacy is safeguarded since malicious sites can’t gather personally identifiable information (PII) on visitors across different websites due to the use of site-specific key pairs that ensure there is no way to correlate identities across sites.

From an end user perspective, people can choose authenticators (bring-your-own-authentication) with user verification techniques ranging from gestures to personal identification numbers (PINs) to biometrics. The need to remember a password that conforms to the server’s policy is replaced by either a short PIN, a fingerprint, facial recognition or any other human-to-device authentication technique — similar to how many individuals unlock their mobile devices today.

It’s Time to Say Goodbye to Passwords

FIDO2 compliance isn’t simple to achieve. Applicants must go through a rigorous self-validation process and interoperability testing to verify that their solution is compatible with all others. Results of those tests then need to be submitted to the FIDO consortium for verification. In addition to vendors like Microsoft and IBM, top internet browsers are also supporting this endeavor in hopes of alleviating the heavy use of passwords today. We expect our clients will soon begin the process of weaning their users off passwords as well.

For more information about this effort and the opportunity to try the technology, please read this article from Shane Weeden, one of our leading experts on authentication.

More from Endpoint

Deploying Security Automation to Your Endpoints

Globally, data is growing at an exponential rate. Due to factors like information explosion and the rising interconnectivity of endpoints, data growth will only become a more pressing issue. This enormous influx of data will invariably affect security teams. Faced with an enormous amount of data to sift through, analysts are feeling the crunch. Subsequently, alert fatigue is already a problem for analysts overwhelmed with security tasks. With the continued shortage of qualified staff, organizations are looking for automation to…

Threat Management and Unified Endpoint Management

The worst of the pandemic may be behind us, but we continue to be impacted by it. School-aged kids are trying to catch up academically and socially after two years of disruption. Air travel is a mess. And all businesses have seen a spike in cyberattacks. Cyber threats increased by 81% while COVID-19 was at its peak, with 79% of all organizations experiencing a loss of business operations during that time. The risk of cyberattacks increased so much that the…

3 Ways EDR Can Stop Ransomware Attacks

Ransomware attacks are on the rise. While these activities are low-risk and high-reward for criminal groups, their consequences can devastate their target organizations. According to the 2022 Cost of a Data Breach report, the average cost of a ransomware attack is $4.54 million, without including the cost of the ransom itself. Ransomware breaches also took 49 days longer than the data breach average to identify and contain. Worse, criminals will often target the victim again, even after the ransom is…

How EDR Security Supports Defenders in a Data Breach

The cost of a data breach has reached an all-time high. It averaged $4.35 million in 2022, according to the newly published IBM Cost of a Data Breach Report. What’s more, 83% of organizations have faced more than one data breach, with just 17% saying this was their first data breach. What can organizations do about this? One solution is endpoint detection and response (EDR) software. Take a look at how an effective EDR solution can help your security teams. …