Despite well-documented weaknesses, passwords continue to be the most popular way people sign in to nearly everything they do online. Passwords are deeply entrenched in the vast majority of web experiences due to the ease of use for end users and simplicity of operations for organizations.

Of course, there are accepted alternatives to passwords, such as biometric authentication and public key infrastructure (PKI) authentication, but they are not widely adopted due to their operational costs. Techniques to supplement passwords, such as two-factor authentication (2FA), are widely available, but the vast majority of people don’t use them. Years of warnings about the risks of using easily guessed passwords and reusing the same password across multiple sites have been largely ignored, primarily because of the friction these measures create for users.

IBM Embraces FIDO Certification Across Offerings

At IBM Security, we’re striving to minimize the reliance on passwords. Our mission is to balance security and convenience, providing a simplified user experience while safeguarding transactions through risk-based authentication mechanisms.

As part of our strategy to advance the adoption of strong but simple-to-use authentication, we are delighted to announce that IBM recently received the Fast IDentity Online (FIDO) Alliance’s FIDO2 certification. FIDO2’s mission is to bring frictionless, strong authentication services to users with privacy as a key consideration. As we embrace FIDO authentication across our offerings, we hope to move the industry one step closer to a standardized approach to authentication and the eventual end of passwords.

How FIDO2 Helps Prevent Cybercrime With Individual Private Keys

The FIDO2 standards are based on PKI, a proven and strong authentication technique. Instead of relying on a shared secret such as a password, PKI relies on asymmetric cryptography. The user is in possession of a private key, which is not revealed to the server, and a public key that is not a secret is distributed to the server to be associated with the user’s account. Any time the server wants to authenticate the user, the server asks the user to digitally sign a server-generated challenge with their private key, and the server is able to validate that signature using the associated public key. The FIDO standards and architecture simplify the technology such that there’s no need for users to remember their private keys, or even to be aware that they have one. The result is a login process that is fast, secure and transparent for users.

Consumer PKI as implemented in FIDO2 prevents the most common forms of cybercrime that plague internet users. We’ve all heard about massive thefts of files containing billions of passwords — or reversible password hashes — over the past few years. These disclosures not only threaten individual user accounts but can lead to larger identity theft problems because people tend to use the same password across multiple online services. FIDO2 mitigates this risk with authentication that is tied to individual private keys possessed only by the user. The public keys on a website are useless to threat actors.

Site-Specific Key Pairs Deter Phishing Attacks and Fraud

FIDO also helps us in a number of other focus areas. Phishing attacks, which have reached epidemic proportions, are reduced because users cannot inadvertently hand a rogue site the credential they use for the real site: FIDO ensures that a different private/public key pair is used for every site the user visits, and the signature the authenticator produces is bound to the site that requested it. The risk of online fraud is also greatly reduced by the stronger validation of the user. Consumer privacy is safeguarded because the site-specific key pairs give malicious sites no common identifier with which to correlate a visitor’s identity, and therefore gather personally identifiable information (PII), across different websites.

From an end user perspective, people can choose authenticators (bring-your-own-authentication) with user verification techniques ranging from gestures to personal identification numbers (PINs) to biometrics. The need to remember a password that conforms to the server’s policy is replaced by either a short PIN, a fingerprint, facial recognition or any other human-to-device authentication technique — similar to how many individuals unlock their mobile devices today.

It’s Time to Say Goodbye to Passwords

FIDO2 compliance isn’t simple to achieve. Applicants must go through a rigorous self-validation process and interoperability testing to verify that their solution is compatible with all others. Results of those tests then need to be submitted to the FIDO consortium for verification. In addition to vendors like Microsoft and IBM, top internet browsers are also supporting this endeavor in hopes of alleviating the heavy use of passwords today. We expect our clients will soon begin the process of weaning their users off passwords as well.

For more information about this effort and the opportunity to try the technology, please read this article from Shane Weeden, one of our leading experts on authentication.
