Despite well-documented weaknesses, passwords continue to be the most popular way people sign in to nearly everything they do online. Passwords are deeply entrenched in the vast majority of web experiences due to the ease of use for end users and simplicity of operations for organizations.

Of course, there are accepted alternatives to passwords, such as biometric authentication and public key infrastructure (PKI) authentication, but they are not widely adopted due to their operational costs. Techniques to supplement passwords, such as two-factor authentication (2FA), are widely available, but the vast majority of people don’t use them. Years of warnings about the risks of using easily guessed passwords and employing the same password across multiple sites have been largely ignored, primarily due to friction to the users.

IBM Embraces FIDO Certification Across Offerings

At IBM Security, we’re striving to minimize the reliance on passwords. Our mission is to balance security and convenience, providing a simplified user experience while safeguarding transactions through risk-based authentication mechanisms.

As part of our strategy to advance the adoption of strong but simple-to-use authentication, we are delighted to announce that IBM recently received the Fast IDentity Online (FIDO) Alliance’s FIDO2 certification. FIDO2’s mission is to bring frictionless, strong authentication services to users with privacy as a key consideration. As we embrace FIDO authentication across our offerings, we hope to move the industry one step closer to a standardized approach to authentication and the eventual end of passwords.

How FIDO2 Helps Prevent Cybercrime With Individual Private Keys

The FIDO2 standards are based on PKI, a proven and strong authentication technique. Instead of relying on a shared secret such as a password, PKI relies on asymmetric cryptography. The user is in possession of a private key, which is never revealed to the server, and a corresponding public key, which is not secret and is sent to the server to be associated with the user’s account. Any time the server wants to authenticate the user, it asks the user to digitally sign a server-generated challenge with their private key, and the server validates that signature using the associated public key. The FIDO standards and architecture simplify the technology such that there’s no need for users to remember their private keys, or even to be aware that they have one. The result is a login process that is fast, secure and transparent for users.

Consumer PKI as implemented in FIDO2 prevents the most common forms of cybercrime that plague internet users. We’ve all heard about massive thefts of files containing billions of passwords — or reversible password hashes — over the past few years. These disclosures not only threaten individual user accounts but can lead to larger identity theft problems because people tend to use the same password across multiple online services. FIDO2 mitigates this risk with authentication that is tied to individual private keys possessed only by the user. The public keys on a website are useless to threat actors.

Site-Specific Key Pairs Deter Phishing Attacks and Fraud

FIDO also helps us in a number of other focus areas. Phishing attacks, which have reached epidemic proportions, are reduced because users cannot inadvertently provide a rogue site with their password for the real site. FIDO ensures that a different private/public key pair is used for every site the user visits. The risk of online fraud is also greatly reduced due to stronger ways of validating the user. Consumer privacy is safeguarded since malicious sites can’t gather personally identifiable information (PII) on visitors across different websites due to the use of site-specific key pairs that ensure there is no way to correlate identities across sites.

From an end user perspective, people can choose authenticators (bring-your-own-authentication) with user verification techniques ranging from gestures to personal identification numbers (PINs) to biometrics. The need to remember a password that conforms to the server’s policy is replaced by either a short PIN, a fingerprint, facial recognition or any other human-to-device authentication technique — similar to how many individuals unlock their mobile devices today.

It’s Time to Say Goodbye to Passwords

FIDO2 compliance isn’t simple to achieve. Applicants must go through a rigorous self-validation process and interoperability testing to verify that their solution is compatible with all others. Results of those tests then need to be submitted to the FIDO consortium for verification. In addition to vendors like Microsoft and IBM, top internet browsers are also supporting this endeavor in hopes of alleviating the heavy use of passwords today. We expect our clients will soon begin the process of weaning their users off passwords as well.

For more information about this effort and the opportunity to try the technology, please read this article from Shane Weeden, one of our leading experts on authentication.
