Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/1/2019
02:00 PM
Bojan Simic
Bojan Simic
Commentary
Connect Directly
LinkedIn
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Demystifying New FIDO Standards & Innovations

Staying on top of the latest cybersecurity risks and preferred attack methods can feel impossible, but standards like FIDO2 are designed to help relieve the burden.

Weak or stolen passwords are responsible for more than 80% of hacking-related breaches, according to research from Verizon. In response to the undeniable password problem, the nonprofit standards body FIDO Alliance is addressing traditional authentication issues and providing organizations with a framework that protects them from chronic risks, such as credential stuffing, password reuse, and phishing attacks. This past March, FIDO launched a new set of standards, FIDO2: WebAuthn and CTAP, which enables organizations to move beyond a reliance on passwords and shared secrets, and instead leverage common devices to easily authenticate to online services in both mobile and desktop environments.

With a greater emphasis on browser-based authentication (versus solely mobile, as seen in previous standards), FIDO2 standards support all major browsers with Secure Sockets Layer certificates, including Chrome, Internet Explorer, Firefox, and Safari. By allowing users to log in to Internet accounts using their existing, preferred device, the WebAuthn component of FIDO2 enables easier, safer login experiences via biometrics, mobile devices, and/or FIDO security keys. The CTAP component allows for external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also serve as authenticators to desktop applications and Web services.

Standardized Biometrics Provide Particular Value
FIDO2 standards are already bolstering the cybersecurity landscape, particularly via its standardized biometric capabilities. The majority of mobile phones, laptops, and desktops available for purchase today also boast facial recognition features, but FIDO2 provides a way to leverage the power of biometrics in a standardized manner. For instance, previously, organizations had to write their own unique code entirely from scratch to use any biometric sensor. Significant language and a common interface were required so sensors could communicate with one another. With FIDO2, this process has been standardized and browser support is built in, making it much easier for organizations to implement and adopt biometric technology.

Best Practices for Adopting FIDO2
To best take advantage of FIDO2 and all the benefits the standards can provide, organizations and their IT and security teams should abide by the following three best practices:

  1. Follow a standardized approach. When implementing any component of FIDO2, it's critical to refrain from incorporating any proprietary or black-box technology, even if it promises to adhere to applicable requirements. Standards have been established for a reason — they're much easier to audit, more people can understand them, and they provide flexibility through interoperability. To achieve success and compliance over the long term, always opt for standards-based technologies. Additionally, make sure any previous versions of technology being used are interoperable so you don't have to start from scratch when introducing any additional authentication standards.
  2. Start with the highest-impact use cases. Rather than implementing too many changes too quickly and overwhelming security and IT teams (as well as end users), it's important to start small and look for areas within FIDO2 that stand to make the most impact on your organization. For example, because these latest standards were designed to help eliminate passwords and shared secrets, perhaps it makes sense to start by incorporating FIDO2 into corporate workstation access processes. Rather than continuing to offer employees password login and reset features (which can easily be tampered with or stolen via malware), FIDO2 can seamlessly provide employees with secure, password-less workstation access through any Web-based application.
  3. Evaluate current costs. To prepare for current standards like FIDO2 as well as the inevitable slew of additional, future standards, take the time to look at the hard costs associated with passwords and other shared secrets, because this is precisely where security standards can provide clear return on investment. For instance, any unnecessary expenses related to password resets and/or account lockouts should serve as a prime incentive for adopting standards like FIDO2 and beyond. Better yet, by pinpointing cost inefficiencies such as password resets, the time and resources required to incorporate new standards can be easily justified to all organizational stakeholders.

Long-Term Viability Requires Password-less Authentication 
Staying on top of all the latest cybersecurity risks and preferred attack methods can feel like an insurmountable task. In fact, even keeping abreast of all the latest security standards can be a challenge. What's most important is that organizations and their IT and security teams recognize that standards like FIDO2 are designed to help relieve the burden of cybersecurity. Passwords and shared secrets no longer suffice in our high-risk, fast-paced digital landscape, so it's paramount that organizations incorporate more secure methods of authentication. By adopting password-less standards like FIDO2 in a timely manner, organizations can confidently secure their most valuable assets, while also driving crucial initiatives like digital transformation projects by making their users immune to phishing attacks and account takeovers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Bojan Simic is the Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...