
Why FIDO is the future of authentication

Hear OneSpan's Field CTO Will LaSala speak with Expert Insights about why businesses should switch to FIDO as a stronger, more intuitive authentication method.


This podcast was first published in July 2024 on Expert Insights

Transcript

Expert Insights: I want to start off by talking about the way that organizations are doing things at the moment. What is wrong with the authentication methods that are currently popular?

Will LaSala: Thank you so much, Kaitlyn, for having me. And this is a great conversation as we get into security in general.

I think when you look at what's happening in the world today when it comes to authentication and what users are doing, we're still in that mode of thinking it can't happen to us. We see all these breaches every day and PII being stolen. There's all these attacks. We're still using things like static passwords and SMS authentication and knowledge-based (KBA) questions and answers. Those are all very insecure methods, and they come with a whole host of problems.

With static passwords, we think about the problem of, “Okay, people can just steal it because I don't change it all the time.” But when I do change it, oftentimes, they're super complex. I need exclamation points and all these special characters and letters and capital numbers. It needs to be 15 characters long now, and how am I going to remember that? These lead to a really bad user experience, and often that leads to an insecure world around that.

We can also talk a little bit about SMS, too. SMS, you think about, “Okay, now I don't remember a password”, so it's not as complex. It's just numbers. But that SMS comes through a network that's insecure and that in itself allows attackers to gain automatic access. So a lot of people think, “Oh, well, it just means that I can't read it to someone over the phone.” Certainly, that's bad to read the security code over the phone. But people don't realize that behind the scenes, the network itself is insecure. That data that's coming from the back-end server isn't encrypted in any way. That means that anyone can listen to it and they can steal it without you even knowing that they stole it. You have the whole SIM swapping issue and all these other things. These types of authentication methods are really insecure and really need to be graduated into something more secure.


Expert Insights: Why does all of this matter? Why do organizations need to be investing in stronger authentication methods?

Will LaSala: The why is always the interesting part. First off, why you need to do this is certainly to protect yourself from these attacks. We know that the cost of these types of attacks, I think IBM reported last year that was $4.5 million in breach costs. That's a staggering amount, and I think it's just getting bigger. You're seeing that the types of attacks that are coming, the areas that they're getting into are more and more sensitive.

I think in the beginning, the attacks were, “Okay, you're stealing my usernames and passwords.” Well, that's bad, but they're going to login and do bad things with it. Those attacks were against banks, so you were stealing money from them directly. Organizations were losing money just because they were getting attacked that way. But we also now see that the attacks are on healthcare systems and infrastructure systems. Now, those types of attacks are even more sensitive and can cause bigger problems where you're actually no longer able to get access to electricity or access basic services because of an attacker coming in and stealing that information and because the authentication itself is insecure.

We have to watch out for that. In addition, when we look at the breaches themselves, most of the time the breaches are happening because of a human element. What I mean by that is, we've picked a weak password, or we wrote it down somewhere, or we thought we'd just put it in a password manager, and the password manager would be secure forever, and we wouldn't have any problems with that. We've seen over the last year that password managers are not so secure.

And that human element leads to other types of attacks where attackers can call in and trick the user and pretend to be the bank or pretend to be other people and trick the user because we are accepting. We want to converse with people. We're social beings, and we want to talk with people. We end up giving too much information, which ends up causing these breaches and causing problems. So these are all problems that organizations want to fix and want to make better, and often to encourage users to use their system more often. So if you're not using the system the way they want, that also leads to all kinds of costs internally for organizations as they're looking at what can we do, how can we improve the systems so that we can make customers want to do business with us.


Expert Insights: You make some really important points there, particularly that every organization is at risk, but also every user within that organization is at risk. I think previously there's been some hope that certain sectors are off limits to cyberattacks like health care or education, but that's certainly not the case anymore. So despite these risks, many organizations are still struggling to implement strong user authentication. What are some of the reasons for that and some of the challenges that they're typically facing?

Will LaSala: Yeah, there's a lot. And what you're seeing is, originally it was looking at, if we're going to the consumer market, so if we're dealing with retail banking and you're going to the consumer market, some of the big challenges there were usability. 

Organizations believe, as they put these authentication methods out there, that users need to be able to understand what they're doing and put those solutions in a way that makes it very easy for people to interact with. 

The thought process is that static passwords are easy, when in fact they're not. We know they're not an easy solution. 

So you look at things like SMS. Okay, well, sending a quick text message from me to you, yeah, that's easy. And you to me, I can read it. That's really easy, too. But when you turn that into an authentication solution, where you're now sending things from a server and expecting it to be secure, that becomes a bit more challenging. And these challenges open up the door for the attacker. 

The usability and the security around these solutions lead to the problems that organizations face when they choose and implement solutions.

What we need to also look at, and what often gets overlooked, is the cost. And the cost of these solutions isn't just about saying, “Okay, how much does this authentication solution cost me to purchase?” It's also about the cost of education. Educating the end user on how to use it, getting the help desk support in place, making certain that the groups understand where they need to go in case of other problems. If I can't access my phone anymore, how do I get that user and allow that user to still authenticate and get in there? These are different challenges that the organizations have to face. The good news is there are solutions for these challenges, and they're coming.


Expert Insights: Could you give us an overview of OneSpan's DIGIPASS FX1 BIO solution and how it addresses some of the challenges in the authentication space?

Will LaSala: Absolutely. At OneSpan, we've been in the authentication space for many years. And what we've seen is that the graduation of these technologies has always been a cat-and-mouse game. So we're always trying to keep in front of whatever that latest attack is or try to give the appropriate solution to the appropriate problem. The FX1 BIO starts to do that.

The FX1 BIO is focused on FIDO authentication, which is Fast Identity Online Authentication. FIDO itself is an anti-phishing and strong authentication method. Essentially, with the FX1 BIO, what the device does is allow you to exchange secrets between your device, your computer, your web browser, and your server. It does it all seamlessly. 

To an end user, it's as simple as looking on the screen. Maybe they just click a button on a web page or on a mobile application to use their passkey or login. You say yes, on the device itself, you provide a fingerprint, and then that allows you to login. Very easy, seamless method.

There's no typing anything, so you're not able to give information over the phone. So, if you've got a social engineer that's calling you up, a hacker that's calling you up and saying, read me the password, there's no password to be given. 

Also, the device itself supports many modalities. So, you know, if we're thinking about how you use your different authentication methods. So, sometimes you're on a laptop, like I'm on a laptop today, and you have access to USB ports, so you can plug it into USB-C. That's great, but what if I'm on my phone and I need to access through my phone, and then I need to use something like NFC or Bluetooth? And so, the FX1 BIO makes this very easy for our customers by combining all of these different communication channels and really allowing you to use this technology, use this anti-phishing, this strong authentication technology across many different applications very seamlessly and easy for your users.


Expert Insights: Absolutely, and as you mentioned there, the solution supports FIDO authentication, and OneSpan is a board member of the FIDO Alliance, which aims to standardize and strengthen the authentication industry. What are some of the benefits of using FIDO technologies over traditional authentication tools?

Will LaSala: FIDO itself is really the next generation of authentication solutions. And so, you know, from a OneSpan world, we've embraced FIDO very early on, and the technology itself allows for really strong authentication to take our applications to the next level. It does this by basically allowing us to have the user manage their own authentication. What I mean by that is that the device itself actually creates the credentials that are used for your different applications.

So it's not the same credentials for every single site. If I'm logging into my bank site, my healthcare site, my insurance site, or my government site, the credentials are actually unique for each one, but they're all on the same device. So, you don't have multiple devices that you need to carry around. You don't need to go and, you know, use different types of authentication for all these different locations. 

The way that works is actually as you come into the site, whether it's your healthcare or government site, it will ask you to basically register. And registering is as simple as putting your fingerprint onto the DIGIPASS device itself. That causes some interactions between the back-end server and the device where it's exchanging this key between them. 

So, you have to think back to the old days of PKI, which is certificate-based authentication. This is very similar, except that it's much faster to perform.

You're using the fingerprint as a second factor of authentication, unlocking the device so that it can generate the access token that's used to communicate between the two of them. But it's really all about anti-phishing and really about protecting the user from the attacker so that the user isn't able to give out any information, they're not typing in passwords, they're not waiting for SMSs on an insecure network. The network itself is already secure because of the FIDO technology itself.


Expert Insights: Definitely. So as well as streamlining the user experience, it's also eliminating that element of human risk you mentioned earlier. If the user doesn't know the credential, they can't share it.

Will LaSala: Exactly.


Expert Insights: Where do you see the future of FIDO going?

Will LaSala: FIDO itself is still in its adoption phase, but it has graduated already. So we're on FIDO 2 already of the protocol and the specification. So FIDO 1 adopted two separate protocols, one for mobile, one for hardware. FIDO 2 combines those solutions and gives us a simple way of leveraging these.

And as we look at what applications are doing with passkeys, which is a FIDO technology, that allows more applications to leverage this. And we're seeing passkeys roll out everywhere. So that's what's happening now. 

In the future, we see that FIDO will start to graduate into transactions. What I mean by that is today, most of the time it's authenticating the user, right? So I'm going in and logging in with FIDO or logging into a portal or something like that. In the future, when we actually go to create those transactions (so we create that payment transaction or insurance claim or in healthcare, we're filing a form for a doctor), those transactions need to be protected themselves. And what I mean by that is the data inside those transactions needs to be protected.

So, authentication solutions in the past have already done that. OneSpan offers authentication solutions that already protect the transaction. FIDO takes this to the next level. And we’ve already seen specs for FIDO to start to introduce transaction authentication solutions. And really trying to strengthen the authentication of transactions themselves.


Expert Insights: Do you have any words of advice for organizations looking to improve their user authentication – either from a security or usability perspective? 

Will LaSala: I think the main thing that organizations need to look at when choosing an authentication solution is, when you’re worried about usability and how accepting are your users going to be about this, understand that it’s not just about the acceptance of the user – but also about the security of the solution. So if you roll out an SMS or a password-based authentication solution, you’re immediately opening yourself to attack. Attackers are looking for those applications. It’s very easy for them to prey on those applications. So you should always be at least a step above all of that. FIDO takes you to another level. So you are way above the competition. You should certainly be looking at how you can add FIDO. FIDO has been adopted by just about every major software security provider out there, from Microsoft to Google to Apple to everybody else, so leveraging FIDO is just part of the solution that you’re adding. 

Another part of the solution is educating your end users on what to do when they’re using the application. I’ve seen solutions rolled out to customers that simply haven’t worked because they just rolled it out and said “Here you go!” You have to educate your users on what you’re doing, what this means to them, how secure this is, and really what security means in general for them. A lot of organizations take that for granted. They believe that customers know what security means and most customers don’t. They don’t understand what this new device is or how to use it. So take that time to really look at that. 

From a usability perspective, those devices are very simple. Passkeys, FIDO technology, will make the next generation of authentication and transaction security much easier for customers. So we’re really excited to see how they embrace that and the different applications it will open up to you. What happens is organizations tend to hold back, they tend to look at what’s the risk to deploy an application with new features and functions and oftentimes don’t allow those new risky functions because they’re worried about attacks. FIDO and strong authentication allow more functionality where businesses can deploy these more risky transactions so that they can do more business with their customers. So these are all really important things to look at when you’re considering new security options and how you implement them.