The FIDO Alliance, whose members include Google, Microsoft, ARM, Intel, and PayPal, as well as banks and many other companies, aims to get rid of passwords through new industry standards for biometric authentication and for two-factor authentication. The UK government recently announced that it will invest £1.9 billion ($2.3 billion USD) in cybersecurity over the next five years, and that investment includes the adoption of devices capable of FIDO authentication.

Security By Default

The UK government’s new strategy for “defensive” cybersecurity is to ensure that future devices arriving on the market are “secure by default.” The recent massive DDoS attacks launched from insecure IoT devices that had come to market may have been one of the reasons the UK government chose this strategy.

In its strategy document, the UK government said:

[We will] invest in technologies like Trusted Platform Modules (TPM) and emerging industry standards such as Fast IDentity Online (FIDO), which do not rely on passwords for user authentication, but use the machine and other devices in the user’s possession to authenticate. The Government will test innovative authentication mechanisms to demonstrate what they can offer, both in terms of security and overall user experience.

FIDO said that the UK government had reached the same conclusion as the group: passwords are an unsustainable method of authentication, as all the major data breaches of the past few years have reminded us.

Ending “Security Fatigue”

FIDO also noted that users want strong security to be accompanied by a positive user experience. As a recent NIST report concluded, users, especially in the enterprise environment, are starting to feel “security fatigue” from the dozens of passwords they have to manage to get into the various applications they need to use.

The FIDO authentication methods promise easy access to devices and applications through fingerprints, selfies, or a single touch of a security key. Authentication through facial recognition has had a bad track record, so it remains to be seen whether FIDO’s implementation will be more resilient to attacks than previous facial recognition solutions.

Fingerprints should offer reasonable security for most people, as long as governments don’t also decide to store everyone’s fingerprints in their hacking-prone databases, which could then expose everyone’s devices when a data breach happens.

The FIDO Alliance is also enabling strong two-factor authentication, so ideally biometric authentication will almost always be paired with some form of second factor to better protect FIDO-enabled devices.

The U.S. government has also been urging the move away from passwords, which it has called the “weakest link” in security.