Team FIDO Alliance
The second and final day of the Identity, Authentication and the Road Ahead: Virtual Policy Forum event on Feb. 5 brought together government officials, tech experts and policy advocates in a packed agenda.
The two-day event was hosted by the FIDO Alliance together with the Better Identity Coalition and the ID Theft Resource Center (ITRC) and had over 1,000 registered attendees. The first day of the event saw sessions that outlined the clear and present need for the government and industry to make identity and strong authentication systems more pervasive, to help protect and serve individuals and businesses alike. The second day in contrast had a strong focus on the need for strong authentication and was highlighted by an expert panel that explained how FIDO authentication was able to help secure the 2020 U.S. election.
The day’s event kicked off with a keynote from Congressman John Katko (R-NY) who emphasized the critical need for secure digital identity.
“Our homeland security, national security, economic security and way of life are threatened in unprecedented ways by highly sophisticated adversaries and simply being vigilant is no longer enough,” Katko (pictured) said. “Today’s threat environment demands a posture of unwavering resilience. This is particularly true for ensuring the sanctity and resilience of our digital identities.”
How FIDO Helped to Secure the 2020 Election
The resilience of digital identity and strong authentication was called into question during the 2016 election cycle when hackers were able to infiltrate the email accounts of Democratic party staffers, notably the attack of Clinton campaign chair John Podesta’s gmail account.
The same type of event didn’t re-occur during the 2020 election cycle, in part thanks to FIDO standards and a concerted effort to make sure that both Democratic and Republican party officials had access to strong authentication. In a panel during the event, Michael Kaiser, President and CEO of Defending Digital Campaigns (pictured) explained that his organization was created to help solve the challenge of political campaigns not having the right cybersecurity resources to defend themselves. As companies cannot directly donate to campaigns, Defending Digital Campaigns was formed to act as an intermediary, that enables political campaigns to get cybersecurity services including FIDO based strong authentication resources, for free or low cost.
Kaiser explained that political campaigns are not like a typical organization in that they are short lived and don’t have long term thinking about a security maturity model. Despite that, political campaigns need to be protected as they sit on incredibly valuable and important information.
“I think we gave away more than 10,000 security keys in the political sector in the 2020 cycle,” Kaiser said. “That’s a lot of people and a lot of accounts as we gave away more than $1 million worth of products to 183 campaigns.”
Bob Lord (pictured), chief security officer of the Democratic National Committee (DNC) noted that after the events of the 2016 election, security was clearly under the microscope.
“Security is a real challenge and everybody really understands the importance of it, but the dollar figures really can get in the way,” Lord said. “Making sure that there was a reliable source for things like security keys was really instrumental in moving forward.”
Within the DNC and across campaigns, Lord and his team strictly implemented the use of FIDO based security keys to provide strong authentication capabilities and limit the risk of potential phishing attacks.
“Today 100% of the people at the DNC who need to get access to their email and access to their documents, they’re all using security keys – no exceptions, no executive privilege to opt out of this,” Lord said.
The DNC also benefited from Google’s Advanced Protection Program (APP) which provides additional levels of protection and assurance beyond what a basic gmail account enables.
“We’re big supporters and real big believers in the combination of FIDO security keys and the APP,” Lord said.
Why DNC Believes in FIDO
Lord noted that there are a number of reasons why he is a big supporter of FIDO standards. For one is the fact that FIDO standards are built into the Google Chrome browser. Lord explained that the DNC was pushing the use of Chromebooks to campaigns and the integrated FIDO capabilities made it easier to deploy strong authentication.
While there are multiple types of two-factor authentication available in the market, for Lord there are really only two categories.
“I think there are really two kinds of multi-factor that are available in the consumer space – I think there are FIDO security keys and then there’s everything else,” Lord stated emphatically. “When I refer to everything else, I refer to those other multi-factors systems as legacy and I do that because I want people to get the mental model that this is something to be contained, minimized and eventually moved out.”
Lord observed that other multi-factor approaches, while better than not using multi-factor at all, have shown weaknesses, which is why in his view as an industry it’s important to really be pushing people pretty aggressively to move down the path of FIDO strong authentication adoption.
While Lord is an advocate for adopting FIDO based strong authentication with security keys, he also noted that there were some usability challenges his team had to work through as well training that was needed to educate and onboard users. The learning from the DNC’s efforts are all now being publicly shared by Lord’s team at https://democrats.org/security/.
“It’s a non-partisan thing so there’s nothing red or blue about these best practices, but you’ll see in there that we really push pretty hard on security keys and the APP in particular,” he said.
Mark Risher, Senior Director of Security and Identity at Google (pictured) emphasized during the panel that in general adding a second factor does still objectively decrease the chances of a user becoming the victim of a phishing attack. That said, he noted that for an attacker, phishing a password, or just phishing a password plus a One Time Password (OTP) PIN code basically just requires basically one more line of code for an attacker.
“It does not require the funding of the nation state,” Rischer said about the ability to bypass OTP for phishing attacks. “So we need to get the world to understand the distinction, and to move into and start requiring these much more stringent hardware based strong authentication technologies and standards.”
How FIDO is Moving Forward to Enable Digital Transformation
The afternoon keynote at the event was delivered by Andrew Shikiar (pictured) the Executive Director of the FIDO Alliance. Shikiar noted that passwordless authentication is an important cornerstone for digital transformation.
“The security and authentication aspects of digital transformation came to the fore as everything was accelerated due to the pandemic,” Shikiar said.
Shikiar noted that social engineering had kind of a renaissance in 2020 as phishing continued to be successful.
“Simply put, the only way to break this cycle is to eliminate our dependence on server side credentials and password,” Shikiar said. “Anything on a server can and will eventually be stolen so they’re easy to phish, harvest and replay.”
The need to create stronger authentication is why FIDO was born. Shikiar explained that the FIDO Alliance’s mission is to create open standards for simpler, stronger authentication with public key cryptography and asymmetric public key cryptography, which is something that the average consumer should never have to pronounce, let alone know what it means.
Shikiar also outlined some of the FIDO Alliance’s highlights from 2020 including Apple joining the group. He added that Apple joining served as a powerful signal to the industry that really everyone is coalescing around the FIDO Alliance as the organization to collaborate on the standards based user friendly and strong authentication. Another key highlight from 2020 for FIDO was the level of support across operating system and browser combinations with different transport mechanisms for the authenticator.
“Over 4 billion devices can support FIDO authentication,” Shikiar said. “So in short, you know, we think FIDO is becoming part of the DNA of the web itself, which is a pretty audacious thing.”
“To summarize, FIDO is very much the present and the future of user authentication.”
The Solarwind #Solorigate Attack as an Identity Authentication Issue
A key topic that resonated throughout the second day of the policy forum was the impact of the recent Solarwinds attack which is also commonly referred to as Solorigate.
During a panel about what policies the Biden Administration should consider with regards to Identity, John Miller Senior Vice President of Policy and Senior Counsel at ITI, commented that the Solarwinds attack has been accurately described as a software supply chain attack but it really is also fairly characterized as an identity attack.
“Characterizing Solarwinds as an identity attack presents an opportunity to remind policy makers of how fundamental identity is to not only what we’re doing online as consumers but to, but an enterprise environment,” Miller said.
In the final keynote of the event, Alex Weinert (pictured) Partner Director of Identity Security, at Microsoft, outlined the gory authentication and identity details behind the Solorigate incident and why zero trust principles would help to mitigate many risks.
Weinert noted that the Solorigate attack was a fundamental attack on trust. He also emphasized the clear role that authentication played in the attacks and the need to move to strong authentication.
“What are we doing to encourage explicitly verifiable credentials, we all know passwords are crap, we know they’re incredibly vulnerable,” Weinert said. “Are we doing enough as an industry to push for the end of passwords?”
Today’s sessions (February 5) have been recorded and will be available soon.
