US Commission on Enhancing National Cybersecurity Calls for an End to Password-based Breaches by 2021, Highlights the Importance of FIDO Standards
Brett McDowell, Executive Director, FIDO Alliance
With a new President about to take office in the U.S., it is still unclear what specific actions his administration will take to improve cybersecurity. According to a new report published late last week by a prestigious, non-partisan commission of experts, authentication needs to be at the top of his list.
The U.S. Commission on Enhancing National Cybersecurity – created by the White House in February 2016 to craft recommendations for the next President – issued its comprehensive Report on Securing and Growing the Digital Economy, which lays out 16 key recommendations for the incoming Trump administration. Among them: a recommendation that the government “should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity management.”
To that end, the Commission lays out an ambitious goal that will require the development and broad adoption of innovative identity authentication technologies:
“An ambitious but important goal for the next administration should be to see no major breaches by 2021 in which identity—especially the use of passwords—is the primary vector of attack.”
The Commission wisely noted that achieving this goal was not just about security, pointing out that success “…will require identity solutions that are secure, privacy-enhancing, efficient, usable, and interoperable. Ultimately, these solutions need to be easy to use by individuals who are accessing digital devices and networks; otherwise identity management will remain a vector for attack.”
The Commission not only knows what they need to execute on this national priority, but also where to get it. They specifically noted the role the FIDO Alliance plays in achieving this goal, stating:
“Other important work that must be undertaken to overcome identity authentication challenges includes the development of open-source standards and specifications like those developed by the Fast IDentity Online (FIDO) Alliance,” highlighting how FIDO enables “delivery [of] multifactor authentication to the masses, all based on industry standard public key cryptography.”
I am thrilled to see the Commission recognize the gravity of the password problem and the important role that the FIDO Alliance plays in addressing it. With more than 250 members from across the world – including technology companies, device manufacturers, major banks and health firms, all major payment card networks, several governments and dozens of security and biometrics vendors – the FIDO Alliance has emerged as the critical force for change in creating a foundation for simpler, stronger authentication.
As the Commission noted, “a review of the major breaches over the past six years reveals that compromised identity characteristics have consistently been the main point of entry.” They recognize, as we have since the FIDO Alliance was formed in 2012, that solving this issue and closing off identity as an easily exploited vector of attack is a clear priority.
The Commission called for several key action items around authentication, including:
- Requiring that all citizen-facing digital government services require strong authentication – not only to protect citizens, but also because “the most important action that government can take to catalyze private-sector adoption of the right kind of solutions for consumers is to use these solutions in its own citizen-facing applications.”
- Calling for “private-sector organizations, including top online retailers, large health insurers, social media companies, and major financial institutions, [to] use strong authentication solutions as the default for major online applications.”
- Requiring all federal agencies to require the use of strong authentication by their employees and contractors, with a call for “updated policies and guidance that continue to focus on increased adoption of strong authentication solutions, including but, importantly, not limited to personal identity verification (PIV) credentials.” This last statement, if implemented as policy by the next administration, opens the door to a wider array of solutions to be used to protect government resources, with a focus on performance rather than form factor or legacy infrastructure.
Note that this is the second time in the last 30 days that FIDO has been called out by a government as being critical to solving national cybersecurity challenges – just a month ago, the U.K. government, in its new UK National Cyber Security Strategy, laid out its specific plans to invest in FIDO authentication to move their country beyond the password.
A common theme in both countries has been the need to balance security with usability, privacy and interoperability – both the U.S. and U.K. have made clear that solutions designed with nothing but security in mind may in fact fail due to lack of adoption.
It’s also worth noting that the Commission’s 90-page report contains several other important recommendations that have nothing to do with authentication. In addition to highly constructive recommendations on remote identity proofing and security for the Internet of Things (IoT), I was pleased to see the Commission highlight the value of partnerships between government and the private sector as “a powerful tool for encouraging the technology, policies and practices we need to secure and grow the digital economy.” The FIDO Alliance launched a government membership program last year to ensure leading governments from around the world were included in our multi-stakeholder collaborative development process. It is probably not a coincidence that our first two FIDO Alliance government members – the U.K. and U.S. – are also now the first two countries to publish significant cybersecurity strategies naming FIDO authentication standards as a key enabling technology.
There is a lot of work in the days ahead, as the new administration chooses people for key positions and lays out its cybersecurity agenda. As the Commission’s report makes clear, improving the reliability of online identity infrastructure is an essential component of improving cybersecurity, and starts with reducing the reliance on passwords with innovative technologies like FIDO authentication. Through continued partnership between industry and government – and by following the Commission’s recommendations around identity and authentication – I am confident the new U.S. administration, with the help of global consortia like the FIDO Alliance, can make meaningful progress toward that five-year goal of eliminating identity-related data breaches.
MORE Building the Business Case