Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/1/2019
02:00 PM
Bojan Simic
Bojan Simic
Commentary
Connect Directly
LinkedIn
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Demystifying New FIDO Standards & Innovations

Staying on top of the latest cybersecurity risks and preferred attack methods can feel impossible, but standards like FIDO2 are designed to help relieve the burden.

Weak or stolen passwords are responsible for more than 80% of hacking-related breaches, according to research from Verizon. In response to the undeniable password problem, the nonprofit standards body FIDO Alliance is addressing traditional authentication issues and providing organizations with a framework that protects them from chronic risks, such as credential stuffing, password reuse, and phishing attacks. This past March, FIDO launched a new set of standards, FIDO2: WebAuthn and CTAP, which enables organizations to move beyond a reliance on passwords and shared secrets, and instead leverage common devices to easily authenticate to online services in both mobile and desktop environments.

With a greater emphasis on browser-based authentication (versus solely mobile, as seen in previous standards), FIDO2 standards support all major browsers with Secure Sockets Layer certificates, including Chrome, Internet Explorer, Firefox, and Safari. By allowing users to log in to Internet accounts using their existing, preferred device, the WebAuthn component of FIDO2 enables easier, safer login experiences via biometrics, mobile devices, and/or FIDO security keys. The CTAP component allows for external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also serve as authenticators to desktop applications and Web services.

Standardized Biometrics Provide Particular Value
FIDO2 standards are already bolstering the cybersecurity landscape, particularly via its standardized biometric capabilities. The majority of mobile phones, laptops, and desktops available for purchase today also boast facial recognition features, but FIDO2 provides a way to leverage the power of biometrics in a standardized manner. For instance, previously, organizations had to write their own unique code entirely from scratch to use any biometric sensor. Significant language and a common interface were required so sensors could communicate with one another. With FIDO2, this process has been standardized and browser support is built in, making it much easier for organizations to implement and adopt biometric technology.

Best Practices for Adopting FIDO2
To best take advantage of FIDO2 and all the benefits the standards can provide, organizations and their IT and security teams should abide by the following three best practices:

  1. Follow a standardized approach. When implementing any component of FIDO2, it's critical to refrain from incorporating any proprietary or black-box technology, even if it promises to adhere to applicable requirements. Standards have been established for a reason — they're much easier to audit, more people can understand them, and they provide flexibility through interoperability. To achieve success and compliance over the long term, always opt for standards-based technologies. Additionally, make sure any previous versions of technology being used are interoperable so you don't have to start from scratch when introducing any additional authentication standards.
  2. Start with the highest-impact use cases. Rather than implementing too many changes too quickly and overwhelming security and IT teams (as well as end users), it's important to start small and look for areas within FIDO2 that stand to make the most impact on your organization. For example, because these latest standards were designed to help eliminate passwords and shared secrets, perhaps it makes sense to start by incorporating FIDO2 into corporate workstation access processes. Rather than continuing to offer employees password login and reset features (which can easily be tampered with or stolen via malware), FIDO2 can seamlessly provide employees with secure, password-less workstation access through any Web-based application.
  3. Evaluate current costs. To prepare for current standards like FIDO2 as well as the inevitable slew of additional, future standards, take the time to look at the hard costs associated with passwords and other shared secrets, because this is precisely where security standards can provide clear return on investment. For instance, any unnecessary expenses related to password resets and/or account lockouts should serve as a prime incentive for adopting standards like FIDO2 and beyond. Better yet, by pinpointing cost inefficiencies such as password resets, the time and resources required to incorporate new standards can be easily justified to all organizational stakeholders.

Long-Term Viability Requires Password-less Authentication 
Staying on top of all the latest cybersecurity risks and preferred attack methods can feel like an insurmountable task. In fact, even keeping abreast of all the latest security standards can be a challenge. What's most important is that organizations and their IT and security teams recognize that standards like FIDO2 are designed to help relieve the burden of cybersecurity. Passwords and shared secrets no longer suffice in our high-risk, fast-paced digital landscape, so it's paramount that organizations incorporate more secure methods of authentication. By adopting password-less standards like FIDO2 in a timely manner, organizations can confidently secure their most valuable assets, while also driving crucial initiatives like digital transformation projects by making their users immune to phishing attacks and account takeovers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Bojan Simic is the Chief Technology Officer and Co-Founder of HYPR. Previously, he served as an information security consultant for Fortune 500 enterprises in the financial and insurance verticals conducting security architecture reviews, threat modeling, and penetration ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1811
PUBLISHED: 2020-02-18
GaussDB 200 with version of 6.5.1 have a command injection vulnerability. Due to insufficient input validation, remote attackers with low permissions could exploit this vulnerability by sending crafted commands to the affected device. Successful exploit could allow an attacker to execute commands.
CVE-2020-1815
PUBLISHED: 2020-02-18
Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00; Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00 have a memory leak vulnerability. The software does not sufficiently track and release allocated memory while parse...
CVE-2020-1816
PUBLISHED: 2020-02-18
Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00; Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00 have a Denial of Service (DoS) vulnerability. Due to improper processing of specific IPSEC packets, remote attacker...
CVE-2020-1830
PUBLISHED: 2020-02-18
Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C00; Secospace USG6600 and USG9500 versions V500R001C30SPC200, V500R001C30SPC600, V500R001C60SPC500, and V500R005C00 have a vulnerability that a memory management error exists when IPSec Module handing a specific message. This cause...
CVE-2020-1882
PUBLISHED: 2020-02-18
Huawei mobile phones Ever-L29B versions earlier than 10.0.0.180(C185E6R3P3), earlier than 10.0.0.180(C432E6R1P7), earlier than 10.0.0.180(C636E5R2P3); HUAWEI Mate 20 RS versions earlier than 10.0.0.175(C786E70R3P8); HUAWEI Mate 20 X versions earlier than 10.0.0.176(C00E70R2P8); and Honor Magic2 vers...