Most IT and cybersecurity professionals have at least occasional anxiety about when the next major virus, ransomware or swarm bot will hit. With the bulk of data breaches occurring at the network perimeter—as users get their emails and go online—user authentication software is a primary concern.
The fight against stolen credentials has led to the growing adoption of two-factor authentication (2FA) or multifactor authentication (MFA). Forward-thinking companies are going beyond the username/password combo (“what you know”) and adding a second authentication factor (“what you have” or “who you are”). This additional layer of security could be the key to protecting your business, employees and customers.
But it’s still early in the game. In fact, a Google engineer recently revealed that 90 percent of active Gmail accounts don’t use 2FA. With email and websites being primary hacking targets, why the hesitation with 2FA? Two reasons come up frequently:
- Usability: Fear that additional login steps may cause employees to take shortcuts, such as sharing passwords. For revenue-producing sites, companies worry that added steps may drive away customers.
- Lack of Interoperability: Security tokens (hardware devices that plug into a USB port) have been quickly evolving for 2FA. However, spotty interoperability between web browsers and hardware security devices has caused doubts about their effectiveness.
New FIDO U2F standards move 2FA/MFA and tokens forward
Enter the FIDO (“Fast IDentity Online”) alliance and W3C (World Wide Web Consortium). These organizations share common ground in addressing poor interoperability among strong authentication devices and the failings of username/password security. Together, they have developed “Universal Second Factor” (U2F) specifications.
A recently released set of improved U2F standards dubbed FIDO2 is a milestone. It consists of the W3C Web Authentication specification, WebAuthn API (Application Programming Interface), the Client to Authenticator Protocol (CTAP) and an external authenticator (Security Key by Yubico).
Service providers—including Google Chrome, Microsoft, Mozilla Firefox and Dropbox—are committed to supporting FIDO2 standards. This is a huge step forward in ending dependency on passwords and fueling the growing adoption of FIDO authentication for websites and applications.
Tokens are a smart move for 2FA adopters
With U2F, security tokens are becoming a relevant 2FA tool in the fight against data breaches. Why tokens?
First, the attacker needs the physical token to access an account. Second, the token’s private key is cryptographically tied to the FIDO2-supported website, such as Gmail, making it phishing-resistant. Third, the token securely stores multiple login credentials, so users only need to remember a single password. In short, tokens provide advanced security along with convenience.
Keep in mind, however, that U2F is still in the early stages of adoption and not everyone is on board. Some vendors use workarounds that can decrease the effectiveness of the tokens. Also, companies often block operations with USB ports on corporate computers. Perhaps an obvious problem is that tokens can get lost, stolen or left in computers.
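To make the "cryptographically tied to the website" point concrete, here is an added example (not code from this article or from any vendor it names) of the checks a WebAuthn relying party runs on a login assertion before verifying its signature. The site name, the look-alike domain and the `build_sample` helper are constructed for illustration.

```python
import base64, hashlib, json, struct

# Constructed relying party; real deployments use their own RP ID and origin.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Return "ok", or the reason the login assertion must be rejected.

    Signature verification is omitted here; it runs over
    auth_data || SHA-256(client_data_json), so a relay cannot edit these fields.
    """
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong type"
    if client.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if client.get("origin") != EXPECTED_ORIGIN:   # origin is filled in by the browser
        return "origin mismatch"
    if len(auth_data) < 37:
        return "authenticator data too short"
    # Layout: 32-byte rpIdHash, 1-byte flags, 4-byte big-endian signature counter.
    rp_id_hash, flags, _counter = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not flags & 0x01:                          # bit 0 = user present (touch)
        return "user not present"
    return "ok"

def build_sample(origin: str, rp_id: str, challenge: bytes, flags: int = 0x01):
    """Constructed sample of what a browser and token emit for a given site."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 1)
    return client, auth

if __name__ == "__main__":
    ch = b"\x01" * 32  # constructed challenge; a server issues fresh random bytes
    print(check_assertion(*build_sample(EXPECTED_ORIGIN, RP_ID, ch), ch))
    # Look-alike site (constructed): the browser reports its real origin.
    print(check_assertion(*build_sample("https://login.example.com.evil.test",
                                        "login.example.com.evil.test", ch), ch))
```

An assertion produced while the user is on a look-alike domain carries that domain's origin and RP ID hash, so the genuine site rejects it even though the user touched the token.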
FIDO2 makes U2F a reality
FIDO2 universal authentication specifications and FIDO certifications make an even stronger argument for 2FA. From tokens to mobile to biometric authentication factors, FIDO2 adoption makes 2FA a more viable solution for protecting networks from malicious websites and vulnerable apps.
Organizations seeking 2FA solutions should seek vendors that support FIDO2. With the release of DigitalPersona v3.0 with FIDO-approved U2F capabilities, it’s the perfect time to explore it.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.