New UK National Cyber Security Strategy Calls for FIDO Authentication
Brett McDowell, executive director, FIDO Alliance
The U.K. government is taking cyber defense seriously, announcing last week that it will invest £1.9 billion ($2.3 billion) in cybersecurity over the next five years. In the 84-page UK National Cyber Security Strategy, the U.K. government lays out its plan, which is built on three core pillars: defend cyberspace, deter adversaries, and develop capabilities.
A critical component of the U.K.’s “defend” strategy is to better secure their internet-dependent systems and infrastructure by “ensuring that future online products and services coming into use are ‘secure by default’” and empowering consumers to “choose products and services that have built-in security as a default setting.” One of the ways the U.K. government plans to ensure this is by investing in FIDO authentication to move beyond passwords. Per the government’s strategy:
“[we will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.”
With this, the U.K. government is demonstrating leadership by acknowledging two critical aspects of improving authentication — both of which the FIDO authentication specifications were created to address.
One, that passwords are an unsustainable form of authentication, and we need to stop relying on them to secure internet-connected applications. The many recent data breaches and resulting password credential leaks make this extremely clear.
Two, that we need a positive user experience to go along with strong security. Users should no longer need to type in a one-time code and/or deal with extra screens; rather, modern authentication can leverage increasingly available devices being shipped with built-in FIDO “single gesture, multi-factor” authentication technology, e.g., swipe a fingerprint, take a selfie, touch a security key. These new solutions are “secure by default” and provide a user experience that is highly secure and extremely easy to use.
This announcement expands the U.K. government’s investments in FIDO authentication — the U.K. government is a FIDO Alliance member and the GOV.UK Verify program focused on citizen services already supports FIDO authentication.
In addition to the U.K., there are signs that other governments are beginning to understand the importance of authentication reform in overall cybersecurity policy. The U.S., for example, has shown understanding of the need to move beyond passwords for years.
Former Secretary of Homeland Security Michael Chertoff said last month, “the password is by far the weakest link in cybersecurity today.” In terms of action, the White House Cybersecurity National Action Plan (CNAP) has a focus on securing accounts with strong authentication. And NIST – also a FIDO Alliance member – recently made updates to Special Publication (SP) 800-63-3 that recommend strong authentication for all assurance levels.
Although FIDO authentication already has significant support from large global organizations in the private sector, governments can and should play an important role in accelerating widespread adoption of FIDO authentication. They are in a unique position to provide guidance, update aging regulations, and lead by example in deploying emerging standards, as the U.K. government is doing with the FIDO specifications.
The U.K.’s updated strategy is part of a growing trend that started in the U.S. with the National Strategy for Trusted Identities in Cyberspace (NSTIC). Given the clear value, I believe that other governments around the world would benefit from following the U.K.’s lead by investing in initiatives that will accelerate the evolution of their internet-dependent economies from highly vulnerable password-based security to hardened FIDO-based security based on public key cryptography, often with on-device biometrics or convenient second factors that facilitate ease-of-use. I foresee a bright future that begins with the ubiquitous adoption of FIDO authentication by both developed and developing economies worldwide.
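The passwordless model the post describes, as an added example written for this page (not FIDO Alliance, GOV.UK or any vendor code): the relying party stores only a public key, issues a fresh challenge for each login, and the device in the user's possession signs it only after a single user gesture. Binding the signature to the relying party's identifier, which is what makes a capture by a look-alike site useless, goes beyond what the post states; the RP ID, user name and Ed25519 choice are assumptions for the demo, and real FIDO messages carry further fields (counters, flags, attestation) omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models a FIDO device: the key never leaves it; it signs only after a user gesture.
type Authenticator struct {
	key     ed25519.PrivateKey
	Present bool // set by the gesture (touch, fingerprint, selfie), consumed by one signature
}
// RelyingParty stores only public keys: a breach here leaks nothing replayable.
type RelyingParty struct {
	ID    string                       // constructed, e.g. "login.example.gov.uk"
	Creds map[string]ed25519.PublicKey // user name -> registered public key
}
// message binds a signature to the RP ID the client reports, so a look-alike site's capture fails at the real RP.
func message(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}
// Register creates a device-bound key pair and hands the RP the public half.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.Creds[user] = pub
	return &Authenticator{key: priv}, nil
}
// Sign answers a challenge for rpID; it refuses without a fresh gesture.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	if !a.Present {
		return nil, errors.New("no user gesture: refusing to sign")
	}
	a.Present = false
	return ed25519.Sign(a.key, message(rpID, challenge)), nil
}
// Challenge issues a fresh nonce so a recorded signature cannot be replayed.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// Verify checks the signature with the stored key over this RP's own ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Creds[user]
	return ok && ed25519.Verify(pub, message(rp.ID, challenge), sig)
}
```

Note that nothing a server breach could expose here lets an attacker log in, which is the property the post contrasts with leaked password credentials.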