Supporting the Shift to Passwordless Authentication With FIDO

Despite well-documented weaknesses, passwords continue to be the most popular way people sign in to nearly everything they do online. Passwords are deeply entrenched in the vast majority of web experiences due to the ease of use for end users and simplicity of operations for organizations.

Of course, there are accepted alternatives to passwords, such as biometric authentication and public key infrastructure (PKI) authentication, but they are not widely adopted due to their operational costs. Techniques to supplement passwords, such as two-factor authentication (2FA), are widely available, but the vast majority of people don’t use them. Years of warnings about the risks of using easily guessed passwords and employing the same password across multiple sites have been largely ignored, primarily due to friction to the users.

IBM Embraces FIDO Certification Across Offerings

At IBM Security, we’re striving to minimize the reliance on passwords. Our mission is to balance security and convenience, providing a simplified user experience while safeguarding transactions through risk-based authentication mechanisms.

As part of our strategy to advance the adoption of strong but simple-to-use authentication, we are delighted to announce that IBM recently received the Fast IDentity Online (FIDO) Alliance’s FIDO2 certification. FIDO2’s mission is to bring frictionless, strong authentication services to users with privacy as a key consideration. As we embrace FIDO authentication across our offerings, we hope to move the industry one step closer to a standardized approach to authentication and the eventual end of passwords.

How FIDO2 Helps Prevent Cybercrime With Individual Private Keys

The FIDO2 standards are based on PKI, a proven and strong authentication technique. Instead of relying on a shared secret such as a password, PKI relies on asymmetric cryptography. The user is in possession of a private key, which is not revealed to the server, and a public key that is not a secret is distributed to the server to be associated with the user’s account. Any time the server wants to authenticate the user, the server asks the user to digitally sign a server-generated challenge with their private key, and the server is able to validate that signature using the associated public key. The FIDO standards and architecture simplify the technology such that there’s no need for users to remember their private keys, or even to be aware that they have one. The result is a login process that is fast, secure and transparent for users.

Consumer PKI as implemented in FIDO2 prevents the most common forms of cybercrime that plague internet users. We’ve all heard about massive thefts of files containing billions of passwords — or reversible password hashes — over the past few years. These disclosures not only threaten individual user accounts but can lead to larger identity theft problems because people tend to use the same password across multiple online services. FIDO2 mitigates this risk with authentication that is tied to individual private keys possessed only by the user. The public keys on a website are useless to threat actors.

Site-Specific Key Pairs Deter Phishing Attacks and Fraud

FIDO also helps us in a number of other focus areas. Phishing attacks, which have reached epidemic proportions, are reduced because users cannot inadvertently provide a rogue site with their password for the real site. FIDO ensures that a different private/public key pair is used for every site the user visits. The risk of online fraud is also greatly reduced due to stronger ways of validating the user. Consumer privacy is safeguarded since malicious sites can’t gather personally identifiable information (PII) on visitors across different websites due to the use of site-specific key pairs that ensure there is no way to correlate identities across sites.

From an end user perspective, people can choose authenticators (bring-your-own-authentication) with user verification techniques ranging from gestures to personal identification numbers (PINs) to biometrics. The need to remember a password that conforms to the server’s policy is replaced by either a short PIN, a fingerprint, facial recognition or any other human-to-device authentication technique — similar to how many individuals unlock their mobile devices today.

It’s Time to Say Goodbye to Passwords

FIDO2 compliance isn’t simple to achieve. Applicants must go through a rigorous self-validation process and interoperability testing to verify that their solution is compatible with all others. Results of those tests then need to be submitted to the FIDO consortium for verification. In addition to vendors like Microsoft and IBM, top internet browsers are also supporting this endeavor in hopes of alleviating the heavy use of passwords today. We expect our clients will soon begin the process of weaning their users off passwords as well.

For more information about this effort and the opportunity to try the technology, please read this article from Shane Weeden, one of our leading experts on authentication.

Sridhar Muppidi

IBM Fellow, VP & CTO IBM Security

Dr. Sridhar Muppidi is an IBM Fellow and Chief Technology Officer in IBM Security Systems. He leads the technical...