By Andrew Shikiar, Executive Director & CMO, FIDO Alliance
Leaders from Amazon, Apple, Google, Microsoft and IBM met with President Joe Biden at the White House last week to discuss strategies the government and private sector can use together to improve the nation’s cybersecurity.
Following the meeting, Amazon announced that it will provide eligible AWS customers with access to free FIDO Security Keys. Not only will this protect the burgeoning number of businesses that run on AWS, but it will help instill better authentication practices as these keys can be used across many other business (e.g., G Suite, Github, Dropbox, Stripe) and consumer (Facebook, Twitter, Coinbase, Bank of America) services.
Amazon has been a leading stakeholder in FIDO Alliance for several years now – it is wonderful to see their leadership extended to the market at large. As more businesses move to the cloud, it is absolutely critical that cloud service providers follow suit to protect this critical infrastructure. Threats and attackers are growing in sophistication, and the impacts are non-trivial. Hundreds of millions of personal records are being stolen and resold on the dark web on an alarmingly regular basis. This is a clear and present threat to our economy, our national security and our society.
It’s difficult to name a breach from the past five years that wasn’t tied to stolen credentials.
The latest prominent attack, which was carried out on Colonial Pipeline, used a single stolen password to essentially cripple the U.S eastern seaboard.
It is important that all businesses take steps to educate and protect their employees and customers from such threats. “Traditional” means of multi-factor authentication (such as OTPs) simply aren’t fit-for-purpose to protect against these attacks, which can financially cripple a company or organization.
Ultimately, credential-based breaches (like Colonial Pipeline’s) wouldn’t be possible if accounts were protected with FIDO Authentication, which requires local possession of a device with no knowledge-based authentication credentials passed over the network.
The FIDO Alliance has come a long way since our inception. What started as a whiteboard concept has evolved into technology that is becoming part of the web’s DNA. Virtually every platform and device can now support FIDO Authentication, and there are public SDKs and tools, plus a rich ecosystem of FIDO Certified vendor products and services that can help companies implement FIDO for their sites and apps.
Amazon’s move to provide free FIDO Security Keys sets a strong – and important – example. We encourage all other cloud service providers to urgently consider following suit by at a minimum enabling FIDO authenticators for admin access to networks.