The Next Level Network Blog

IT Management, Security, Compliance for Regulated Firms

Standardized Multi-factor Authentication Just Became a Reality

Tech Group The FIDO Alliance Is Leading Us to a Password-free Internet, Greater Security

What Is It?

One of the greatest fears today is that hackers will steal the passwords we use to access social, banking and other sites where we must register to take advantage of their features and offerings, and with them steal our data. The threat for businesses – especially regulated entities – is that employees will fall for password-centric schemes, like phishing, that can compromise a company’s entire IT network. Better days are here – and even better ones are ahead.

Since 2012, a technology industry group, the FIDO Alliance (for Fast ID Online), has been working to create a password-free multi-factor authentication protocol. Today, FIDO comprises a who’s who of Internet providers including Google, Facebook, PayPal (a founder), Bank of America, Samsung, Microsoft and many more – all committed to vastly improving cyber security.

According to its website, FIDO describes its membership as, “…hundreds of global tech leaders across enterprise, payments, telecom, government and healthcare that have come together in support of the organization’s mission to reduce the world’s reliance on passwords.”

Since its founding, FIDO has developed three specifications: the Universal 2nd Factor (U2F) authentication standard, and FIDO2, which includes the World Wide Web Consortium’s (W3C’s) Web Authentication (WebAuthn) specification and the FIDO Client to Authenticator Protocol (CTAP). The specifications are open and free for global use.

As of February 2019, U2F can be made available on any website via a supported browser and operating system. The browser list includes all of the most widely used ones – Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge and others. Operating systems include Windows, Mac OS X, Linux, Android and Chrome OS. FIDO ensures compliance and interoperability with its specifications through its FIDO Certified Program.

How Does U2F Work?

U2F is considered an asymmetric authenticator, which means that it uses a pair of cryptographic keys: a public key that resides on the server of the website where the user registers (such as Facebook), and a private key that resides on the user’s device. By comparison, password access is considered symmetric authentication and relies on a single key known to both sides – the password.

With U2F, at registration the user selects an authenticator, which can be a traditional method like entering a PIN, inserting a second-factor device or pressing a button, or a biometric method like a finger swipe or a voice command. The public and private keys are generated at registration, along with what’s called a ‘challenge’. Subsequently, when a user logs on, the site sends a challenge to the user’s device, and the challenge is answered (signed) using the private key.

The fact that access is controlled by cryptographic keys, one of which never leaves the user’s device, shuts down phishing, malware, ransomware and other password-dependent threats.

Does U2F Signal the End of Cyber Threats?

The answer is, “No.” The risk of clicking on and downloading malicious code still exists, and we can be certain that new threats will evolve as technology is developed to thwart existing ones. U2F will help as it spreads across the globe. But it’s important to understand that even though some of the biggest tech players are enabling U2F and other FIDO protocols and certifications, it’s still a new capability in the broader sense.

There are hundreds of thousands of websites – maybe millions – that are still completely unaware of the FIDO Alliance and its advances. We believe that U2F will ultimately provide us with greater cyber security defenses. It will also provide companies with greater efficiencies in addition to network protection as awareness grows. But it will take some time.

Here’s a U2F benefit that we believe will help with adoption by business. One of the problems with two-factor authentication (2FA) is that after users log in to their accounts, they have other steps to take before they can access their data.

An email or text is sent to the user’s device with an authentication code that they must then type into a field on the log-in page. This inconvenience can lead to user non-compliance, as well as to companies failing to adopt two-factor authentication at all because of employee inconvenience and loss of productivity when viewed across an enterprise. U2F can help these companies make better cyber security decisions.

It’s worth exploring how you might implement U2F in your company. We’ll be happy to help. If you’d like to speak with Soundshore Technology Group’s cyber security experts, send an email to sales@soundshore.net. While you’re here, please take a look at our full array of cyber security services.

You might also be interested in our on-demand Cyber Security Training Webinar. Replay it to learn how you can easily implement training software and ensure your company’s data is safe and secure.

Key topics covered:

  • How the SEC evaluates cyber security policies
  • The characteristics of a robust cyber security training program
  • How to successfully implement an employee cyber security training program

Watch it here.

Topics: Security, cyber security, U2F, multi-factor authentication