By: FIDO Staff
The final day of the Authenticate 2022 conference was packed with user stories, thought leadership and panel discussions about the challenges and opportunities for FIDO strong authentication today and in the years to come.
The first user story of the day was from global science and technology company EMD Group / Merck KGaA which is now using FIDO to help improve its own authentication system. Dennis Kniep, domain architecture for Identity and access management at the company explained that his team’s mission is to help secure the company where he sees FIDO as playing a major role.
A challenge that EMD Group / Merck KGaA faced with its implementation of FIDO is that there were a number of legacy applications and services that did not support modern web standards.
“We developed the detach authentication mechanism,” Kniep explained. “With that mechanism the users are able to authenticate with FIDO in a phishing resistant way, even if the user needs access to apps with legacy backends, meaning we can enforce FIDO.”
Equity and inclusion matter
A recurring theme through the Authenticate 2022 conference is the need for equity and inclusion.
One panel on the topic specifically looking at the issue of inclusiveness in authentication and identity systems. Jamie Danker, senior director of cybersecurity services at Venable LLP, commented that when solving a problem, the makeup of the people trying to solve a given problem will have an impact on the solution.
Danker noted that a recent equity and inclusion study completed by the U.S. government’s General Services Administration (GSA) provides some real empirical data on how remote identity proofing solutions will actually operate.
Danker also mentioned the NIST digital identity guidelines, which are currently being updated to revision 4. She noted that NIST has been very clear that equity considerations are going to be part of that.
Security is more than just the web interface
FIDO strong authentication helps to provide authentication into many different types of systems, but it’s not a ubiquitous option for all types of access.
“Everybody’s talking about web and mobile, and nobody’s talking about the contact center,” John Poirier, Lead Director – EIS at CVS Health said.
Poirier explained that when a password doesn’t work, or a user can’t get access, they will call into a contact center for help. He emphasized that there is a need to make sure there are security policies, procedures and technology in place at contact centers, that secure access, without introducing too much friction.
The idea of extending strong authentication to all types of devices was also discussed by Chad Spensky, CEO of Allthenticate and his co-founder and COO, Rita Mounir.
“The FIDO protocol right now only talks to websites and computers,” Spensky said.
Spensky wants to help bring strong authentication to all types of devices and access ranging from cars, to office doors and everything in between.
Navigating the authentication landscape
In a thematic presentation, Pamela Dingle, director of identity standards at Microsoft, spoke like a pirate and warned about passengers falling off the boat.
The analogy of the boat is that of helping passengers safely get to their destination, which isn’t always an easy task. Dingle said that Microsoft blocks more than 1000 Password attacks every second, and outlined the multiple reasons why passwords are a weak link. She emphasized that users should wear a life jacket, which in the real world translates into user multi-factor authentication (MFA).
While there are risks with MFA, Dingle said it’s the right first step for many, until they are able to move to phishing resistant strong authentication with FIDO.
“Out of 10,000 compromised accounts, only one will be an MFA credential attack,” she said. “It’s really important to understand the difference in risk between being vulnerable to a password attack, and being vulnerable to an MFA bypass attack.”
That said, she noted that what makes phishing resistant credentials so great, is that they are not susceptible to exactly the same predictable behaviors that make MFA vulnerable. Dingle also noted that she’s very optimistic about the potential for passkeys.
“If we get it right. passkeys become the seat cushion that becomes a flotation device for our passengers,” she said.
Earning Trust in Identity at Scale
With one of the largest ecommerce and cloud platforms in existence Amazon has a real need for strong authentication and it is increasingly relying on FIDO for those needs.
Sarah Cecchetti, head of product for Amazon Cognito explained that identity is handled by the platform team within Amazon Web Services. She noted that identity needs to have a consistent security and usability bar for every service at AWS. To that end, AWS has built out a modular, but centralized approach that uses FIDO.
Arynn Crow, Senior Manager, User Authentication Product at AWS, said that her company has invested really heavily into FIDO2.
“We continue to invest because fundamentally we believe that FIDO supports greater flexibility,” Crow said. “We have fewer trade-offs between our user’s experience and their security.”
Usability is the key to strong authentication adoption
In a panel session on usability, a key theme that emerged is the foundational need for good usability in order for FIDO adoption to grow.
Judy Clare, vice president, product manager, digital authentication at JP Morgan Chase commented that it’s critical to put strong authentication messages and workflow in the right tone.
“The right wording and to make it clear, simple and understandable for the average user is very important so that you’re not ostracizing anybody by using all technical jargon,” Clare said.
The need for clear language was echoed by Sierre Wolfkostin, senior product designer at Duo Security. Wolfkostin said that it’s hard to adopt what you can’t understand.
“Getting to simple human language is really important,” Wolfkostin said.
Usability is also about making sure there is a vibrant ecosystem of vendors and technologies that can help businesses small and large to actually implement FIDO strong authentication in the first place.
In the closing panel of the event, Christiaan Brand, product manager at Google commented that while well staffed organizations might be able to implement strong authentication and passkey options on their own, many other organizations will need help. It’s a situation much like any other enterprise technology where organizations make use of consultants and service providers to implement complex technology.
Bob Lord, senior technical advisor at CISA argued that the best thing to do is to just start with FIDO. He emphasized the organization should focus on what they can do, not what they can’t.
“I think there’s a lot of hesitation at starting,” Lord said. “I think a lot of misconceptions out there would go away if they were to just start the journey, they would find their misconceptions are wrong.”
Next year in San Diego
In the closing session, Andrew Shikiar, executive director of the FIDO Alliance highlighted the key themes of the event.
Those themes are that deployments are real and organization can and should start today. Usability was another strong recurring theme, as a key to helping to ensure adoption. The concept of security by community also resonated at the conference, with users learning from each other about lessons learned.
In the final analysis the Authenticate 2022 was a stellar success with 90 sessions, spread across three tracks and three days of content.
For next year’s event, Authenticate 2023 will be moving to San Diego.
