Hardly a day goes by without news of an information security incident in which a large website is hacked and thousands (if not millions) of user accounts are compromised. The recent discovery of over 1 billion passwords in the hands of cybercriminals is a perfect case in point. Passwords are a nearly 60-year-old authentication technology that commonly fails us and begs for a better solution. Passwords offer only one factor (way or method) of authentication, versus the many other, less frequently deployed options. Thankfully, there are more secure alternatives such as multi-factor authentication. Multi-factor authentication goes well beyond the simple password by offering several more ways for us to authenticate while improving security. But before we continue, let’s define multi-factor authentication:
Wikipedia defines multi-factor authentication as:
Multi-factor authentication (also MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inherence factor (“something only the user is”).
MFA of the Past
MFA has been around for a long time. The problem was that the available options were expensive, difficult to deploy, non-standardized and based on closed-source proprietary technology. Economics, lack of interoperability and lack of openness made these MFA options a choice only for medium and large organizations with huge budgets to support them. Not so anymore.
An industry consortium called the FIDO (Fast Identity Online) Alliance is endeavoring to solve this issue by making web authentication easier, less expensive and more secure. The goal is stronger, simpler authentication via an open industry standard that works with a myriad of devices. Among the members are ARM, Bank of America, BlackBerry, Google, Lenovo, Mastercard, Microsoft, PayPal, RSA, Samsung, Visa and Yubico.
The FIDO Alliance adeptly describes itself in its mission statement:
- Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
- Operating industry programs to help ensure successful worldwide adoption of the Specifications.
- Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.
Standards Based, Open, Interoperable, Many Options
These parties envision a world where authentication is easier and more secure than the drab, hackneyed single-factor password of the past. To that end, they are working with many different companies across the security space, covering technologies such as biometrics, tokens, TPMs (Trusted Platform Modules), eSEs (embedded security elements), smart cards, or even your smartphone.
Authentication for Tomorrow
The FIDO Alliance represents an opportunity for market forces, open standards and inexpensive hardware/software to re-imagine authentication. Many FIDO MFA options are currently supported and many more are on the way. Keep an eye out for support on your devices, and ask the cloud providers and websites you work with every day to support this promising technology. Together we will hopefully see a move toward a simpler and more secure future. Learn more about FIDO at their website.