Gemini is a cryptocurrency exchange and custodian founded by Tyler and Cameron Winklevoss in 2014. Gemini lets its users buy, sell and store cryptocurrency assets through both a website and mobile apps.
The Challenge / Use Case
As a financial services vendor in a space that is highly targeted by criminals, the need for strong authentication is paramount.
Gemini’s security efforts are led by Chief Security Officer Dave Damato, who is no stranger to the security industry and previously worked at the incident response firm Mandiant.
“So much of my career has been really focused on preventing and responding to incidents, and strong two-factor authentication is at the core of preventing most of those attacks,” Damato said in a session at the Authenticate Financial Services Summit. “It’s also why I’m so very enthusiastic about FIDO.”
How Gemini Uses FIDO To Secure Its Users
Gemini wanted to give its users the strongest level of authentication available in order to minimize risk.
An SMS-based two-factor approach is better than a username and password alone, but given the high value of a Gemini account, attackers might well go through the steps necessary to bypass SMS two-factor. Beginning in 2019, Gemini offered its customers the highest level of security possible by adding support for the FIDO2 authentication standard.
“FIDO2 is designed to overcome challenges and dramatically increase the cost for an attacker,” Damato said. “There’s no password that can be shared by our customers and that’s why FIDO2 is phishing resistant.”
For Gemini, FIDO2 provides a series of tangible risk-mitigation benefits that help reduce the attack surface. Instead of relying on a One-Time Password (OTP), SMS or backup codes, Gemini users get a more user-friendly, FIDO2-powered experience.
Among the most common types of attack is credential stuffing, in which an attacker takes passwords lost or stolen from one site and re-uses, or ‘stuffs’, them into another. With FIDO, that risk is minimized for Gemini. Because FIDO strong authentication is based on cryptography rather than a shared secret, even if a user reuses a password the FIDO deployment still reduces the risk significantly.
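The phishing resistance and “no shared secret” properties described above come from the relying party verifying a signed assertion that is bound to the site’s origin. The following is an added illustration, not Gemini’s code or any FIDO Alliance code: a minimal relying-party check of a FIDO2/WebAuthn assertion with a hypothetical origin, RP ID and challenge. A genuine login passes, while the same credential used from a lookalike origin is rejected before the signature is even examined.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Hypothetical relying party: its origin, RP ID and the per-login challenge it issued.
const rpOrigin, rpID, challenge = "https://exchange.example", "exchange.example", "constructed-challenge-1"
// signedMessage is what an ES256 authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}
// verifyAssertion runs the relying-party checks in order: challenge, origin, rpIdHash + user presence, signature.
func verifyAssertion(pub *ecdsa.PublicKey, authData, cdJSON, sig []byte) error {
	var cd map[string]string
	want := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(cdJSON, &cd) != nil:
		return fmt.Errorf("malformed clientDataJSON")
	case cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return fmt.Errorf("wrong ceremony type or stale challenge")
	case cd["origin"] != rpOrigin: // the browser sets origin from the real URL; a page cannot forge it
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd["origin"])
	case len(authData) < 37 || string(authData[:32]) != string(want[:]) || authData[32]&1 == 0:
		return fmt.Errorf("rpIdHash mismatch or user presence not asserted")
	case !ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig):
		return fmt.Errorf("signature does not verify")
	}
	return nil
}
// runScenario registers a fresh key, has a browser at `origin` build clientDataJSON, signs it, and returns the verdict.
func runScenario(origin string) error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cdJSON, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // authenticatorData = rpIdHash || flags (UP) || counter
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	return verifyAssertion(&priv.PublicKey, authData, cdJSON, sig)
}
func main() {
	fmt.Println("genuine login:", runScenario(rpOrigin))                          // <nil>
	fmt.Println("lookalike site:", runScenario("https://exchange-login.example")) // origin mismatch
}
```

The private key never leaves the authenticator and the server stores only the public key, which is why a breach of the server's credential store yields nothing reusable.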
“The benefit to me as a company is that I don’t actually have to store or manage credentials, or worry about other breaches where credentials have been stolen,” Damato said.