Your passwords are expired: Why the future is FIDO authentication

We all hate passwords. We hate remembering them. We hate changing them every 90 days. And we hate their complexity rules. Here’s the good news: Passwords are outdated. The future will use Fast Identity Online (FIDO).

ARTICLE | 6m read
October 8, 2020

Passwords have been core to access security for decades. They began as a way to share access to mainframe computers in the 1960s, and we’ve relied on passwords to protect sensitive data in essentially every online activity since. However, as a security mechanism, passwords have been showing their age. Malicious hackers and other bad actors have long known it’s much easier to steal passwords than break into networks or applications, which is why Verizon reported in 2019 that 80% of hacking-related breaches involve stolen or weak credentials.

It’s no secret we must address access security risks associated with passwords. This has led to a greater adoption of two-factor authentication and zero trust security. But as long as we rely on passwords to protect employee login credentials, we continue to expose our organizations to risks like ransomware, phishing, and social attacks. In this article, I’ll argue why it’s time for us to retire passwords forever, and how Fast Identity Online (FIDO) technology offers us a better way.

80%

Of hacking-related breaches involve stolen or weak credentials

Why passwords fail to protect sensitive data

The primary problem with passwords arises when users choose them for simplicity rather than security. Think about when you’re asked for a password: You have to remember the context it’s in and which password you used for which site. Perhaps you use a password manager or browser extension like LastPass to create long and complex passwords for each of your logins. In that case, you’re probably copying and pasting your password into the input field instead of manually typing it. If you deal with materially sensitive or classified information, you may also use a CAC card or multi-factor authentication to verify your identity, but users rarely adopt these additional access steps unless they’re required.

THE PRIMARY PROBLEM WITH PASSWORDS ARISE WHEN USERS CHOOSE THEM FOR SIMPLICITY RATHER THAN SECURITY.

Kurt Roemer
Chief Security StrategistCitrix 

In short, most users want the easiest way to get past the login screen and into the app or site they want to access. However, this often leads to users adopting simplistic, easy-to-guess passwords, then varying them by one number or letter across multiple logins. While these basic passwords are easy to remember, they’re also easy for today’s hackers to break—cloud-based technology can brute-force guess an eight-character password in as little as 12 minutes. It’s also easy for bad actors to use apps that can read text that users have copied to their computers’ clipboards, which introduces another flaw into using password managers.

We have tried to adjust our password strategy to strengthen our access security. But whether it’s enforcing password complexity rules, requiring regular credential changes, or using password managers, all our password strengthening methods have faced tradeoffs and issues. Employees forget which complex password they used for which site, or use simple variants of the same weak password every time they change credentials. A password manager that creates complex access credentials for multiple logins still can rely on a single user password to sign into the manager. Even physical security keys or two-factor authentication can be compromised if users' personal devices are lost or stolen. The simple truth? Passwords are not enough to protect us from modern cyberattacks.

Fast Identity Online (FIDO): The future of access security

Gartner predicts by 2022, 60 percent of large businesses and nearly all medium-sized organizations will have reduced their dependence on passwords by half. If passwords are the past of access security, Fast Identity Online is the future. Also known as FIDO authentication, this access security technology “enables password-only logins to be replaced with secure and fast login experiences.” Today, the FIDO2 web-based API makes it possible for users to authenticate to their login pages via biometrics, mobile devices, or specialized security tokens—replacing passwords with something a user always has with them and that can’t be stolen.

Here’s how FIDO authentication works:

  1. A user registers by choosing an approved FIDO authenticator for the online service that the user will login to.
  2. When a user needs to login somewhere, they can use a FIDO-approved device (like their phone) to verify their voice, fingerprint, face or any combination thereof. To protect user privacy, only FIDO sees the biometric authentication method—never the online service.
  3. The FIDO-approved device uses the user’s account identifier to select the correct security token for the online service. The service sees the approved token and logs in the user.

Relying on biometrics with FIDO2 authentication both simplifies the user experience and strengthens access security. In addition to enabling quick and secure access, this means the user does not have to remember and constantly update a series of complex passwords. Organizations in turn increases their access security and can require different forms of biometric authentication to protect sensitive data.\

Embrace FIDO authentication over outdated passwords

Passwords are the zombies of the internet—they will be around forever, but your organization need not be haunted by them. By embracing FIDO authentication, you can free your employees, partners, and third-party users from having to remember regularly-changed and complex passwords and strengthen your access security by authenticating users with biometrics.

NEWSLETTER

Get the latest research, insights, and stories from Fieldwork by Citrix.