by Ramesh Kesanupalli, FIDO Alliance Vice President
When President Obama came to Silicon Valley earlier this month to host a cybersecurity summit, the press dutifully wrote about the executive order he signed in the morning, but they were conspicuously absent in the afternoon when a panel convened to discuss strong authentication and life beyond passwords. That’s unfortunate, because in the wake of recent and unprecedented hacks, strong authentication has emerged as a security theme and the best first punch the Internet can throw at hackers.
President Obama was aware. Strong authentication was one of five foundational topics of the Summit, where the President poked fun at himself and his previous weak passwords.
The FIDO Alliance recognizes the leadership of the Obama administration for convening the Cybersecurity and Consumer Protection summit, and for including the FIDO Alliance and FIDO authentication, while recognizing the urgent need to move beyond password dependencies. FIDO Alliance member companies spoke openly about our collective responsibility to replace password security with open standards for simpler, stronger authentication as defined by industry leaders from around the world working collaboratively in the FIDO Alliance.
The afternoon panel included Stina Ehrensvard, the CEO of FIDO board member Yubico. She, along with fellow panelists, concluded that there is no need to hesitate any longer because real-world deployments for open, secure, easy-to-use, affordable, and high-privacy online identity protection already exist. Much of that technology is based on FIDO specifications. Yet, hesitation has limited adoption of strong authentication. For a decade, administrations have advised federal regulators on the weakness in user names and passwords for accessing customer data and transferring money, yet the government of the United States has never mandated strong authentication.
Smaller governments may act faster!
Benjamin Lawsky, superintendent of the New York State Department of Financial Services, recently told Time magazine, “We really need everyone to go to a system of multi-factor verification. It is just too easy, whether through basic hacking or through phishing or stealing basic information, for hackers to get a password and a user name and then to get into a system.” Lawsky added strong authentication to the annual examinations of IT systems for banks and financial institutions operating in his state. Because New York is the fourth largest state in the union and home to a number of high-profile banks, Lawsky’s efforts could have widespread influence and serve as a model for other government actions.
It is going to take a collective mindset to stem the increasingly aggressive cyberattacks that have occurred in the past 14-16 months. Both government and industry leaders are experiencing the damage from exploitation of vulnerabilities found in simple password-based authentication systems. As FIDO Alliance executive director Brett McDowell stated when we published FIDO 1.0 standards on December 9, “The members of FIDO Alliance, now more than 170 companies strong and growing, have been hard at work these past two years producing the world’s first set of secure, interoperable standards for simpler, stronger authentication, and we invite the ecosystem stakeholders to take action to improve their authentication infrastructure by adding FIDO capabilities now, before more consumers fall victim to phishing or breach.”