5 Myths About MFA Prompt Bombing: How Companies Can Protect Themselves
In 1966, Marie Van Brittan Brown, a certified nurse, created what is considered the first-ever security system. Together with her husband, an electrician by trade, she devised a clever contraption consisting of peepholes, microphones, a camera, and a sliding lever that would allow her to determine who wanted to gain entrance to her home before she opened her front door. Should she decide that the person posed a threat, she could use the built-in alarm to alert the authorities. Marie’s invention received a patent in 1969 and was noted in 32 subsequent patents. It is considered to be the predecessor to CCTV.
Nowadays, security systems have gotten much more elaborate and are also significantly more automated. But even more importantly, they have to protect far more than just our homes. Today, some of our most valuable possessions aren’t relegated to buildings that can be locked and shuttered with keys and padlocks. Much of our most important property is located in databases, on hard drives and in the Cloud. This distribution of our private information requires a more circuitous and less straightforward security standard than a lock and key.
Some things, however, have remained the same: it remains as important as ever to ensure that access is limited to only those authorised; we still need keys to provide access, and a system of alarms and warnings for attempted illegal access is crucial.
The Fallibility of Password Protection
For years we have relied on a simple username and password system to limit access to data and computing systems. This now outdated method of security is akin to Marie’s invention. It laid the framework for how we can protect our data, but it has proven cumbersome and also lacks the ease of an automated process. It also leaves ample room for error and frustration. Every time a user forgets a password, a tedious process of resetting the password turns tasks such as accessing online accounts, making purchases and transferring money into a nuisance.
As a result, users have become lazy and sloppy. They started creating overly simplistic passwords that hackers could easily crack. They reused passwords across different service providers, meaning that one compromised password could leave all their accounts vulnerable to potential cyberattacks.
Though it has taken some time, service providers have finally realised that their own businesses, assets and reputations were also on the line. A more fool-proof verification and authentication system is needed to ensure the safety and security of both users and internal systems.
The FIDO Alliance
The notion that passwords were a bit outdated is by no means new. Back in 2009, some of the early founders of the FIDO Alliance were already considering the use of biometric factors for authentication. This idea gave birth to the FIDO Alliance in 2012. In the past decade, that Alliance has grown and now includes some of the top players in the tech industry as well as global government agencies. Together they work on new solutions for eliminating our dependence on password security, with a focus on open, scalable and interoperable mechanisms.
Companies that apply FIDO protocols base their security practices on a tried and tested standard that uses public-key cryptography. As a result, any user that registers with an online service or creates an account with a service that is a member of the FIDO Alliance will be ensured a standardised method of security.
But how exactly do FIDO protocols work?
FIDO Protocols
Let’s say you create an account or register with an online service that relies on FIDO protocols for authentication or identity verification. During the registration process – e.g. on your desktop computer or mobile phone – your device will create two keys: one public and one private. The public key will automatically be registered with your service provider, while the private key will be stored safely on your device. From here on in, every time you attempt to log in, make a transaction or exchange data with your service, platform, website, etc., your public key will authenticate you by ensuring that you are the owner of the private key.
Since the creation of public and private keys, the decryption and encryption of data and the verification of key ownership all happen without user intervention (the ‘middle-man’), thereby eliminating the weakest link in the security chain. That means you! As previously mentioned, users are often unintentionally careless when it comes to security. With the password selection step eliminated, the threats posed by using weak or recycled passwords are also eliminated.
There are currently three different FIDO protocols in use:
- FIDO Universal Second Factor (FIDO U2F)
- FIDO Universal Authentication Framework (FIDO UAF)
- FIDO2
FIDO U2F
This early FIDO protocol relies on an actual, physical key (e.g. a YubiKey) for verification. In this case, a key is plugged into (or tapped against, if your device is near-field communication compatible) your computer or mobile device. When the service makes a signature request to verify your identity, the key provides the necessary authentication. This basically serves as a second form of authentication (2FA, two-factor authentication) to boost the security of a simple username and password login.
FIDO UAF
The FIDO Alliance also wanted to press forward with its goal of creating a password-less login experience. FIDO UAF makes it possible for users to register a specific device with an online service (at which point public and private keys are generated) and then use multi-factor authentication – generally in the form of biometric features like a fingerprint or face scan – or also a PIN, etc. to verify their identity. This eliminates the need for a tangible key but provides a very high level of security since it still relies on public-key cryptography.
FIDO2
This newest FIDO protocol takes advantage of the widespread availability of biometric authentication. When logging into a service that relies on FIDO2, users can use a fingerprint, face scan, or even voice recognition to prove possession of the private key and, therefore, the right to access data, make transactions, etc. The major difference with FIDO2 is that your device (e.g. your mobile phone) can be used as your authenticator. For example, if you want to log in to a website that has implemented FIDO2 security protocols, the Web Authentication API (WebAuthn) installed by the service provider on their website will initiate the interaction between the respective website and your authenticator (e.g. your mobile phone or key, etc.). Your authenticator, perhaps unlocked by a fingerprint or face scan, verifies your identity and grants you access to the service, website, platform, etc.
Benefits of FIDO
The primary benefit of FIDO is its nearly impenetrable level of security thanks to its dependence on verification methods that cannot be intercepted (like one-time passwords, OTP) or easily cracked (like simple or reused passwords). Beyond that, there are a number of other advantages to using FIDO.
- Simplified access: Thanks to the elimination of passwords, users can log in to services with just the tap of a finger, a quick glance at a screen, or the click of a button on a physical authenticator key. There is also no need for users to install extra software or mobile apps for authentication purposes.
- Cost savings: The use of passwords comes with hidden expenses. Secure password resets sometimes require the assistance of trained customer representatives. Furthermore, the cost of reputational damage resulting from security breaches is often incalculable.
- Localised security: Since the private key always remains on the user's device (either the physical key or the device being used as an authenticator), hackers cannot intercept and steal a transaction.
- Widespread use and support: FIDO protocols are used by several different companies across various industries. They can also be used on all major web browsers.
Drawbacks of FIDO
Like any security measure, FIDO has some disadvantages. Its primary drawback is its large number of moving parts, especially with regard to FIDO2, which relies on the seamless communication between authenticators (private keys), the platform being queried (e.g. the online service) and the browser being used. Not all browsers work with all authenticators, and some older iOS versions do not support FIDO2 at all. Some Android devices have FIDO2 protocols installed, whereas Apple devices rely on their own internal security system. This lack of consistent availability can lead to confusion and an unsatisfactory user experience.
Furthermore, registration is device-specific. This is excellent when it comes to security. However, it requires additional effort for users who must enrol each device they want to use to access the service, platform, etc., separately. Again, these added steps and additional complexity could diminish the overall user experience.
Regardless of what security approach your company decides to adopt, one thing is absolutely certain: passwords alone are no longer an option. With some of our most personal information stored in the Cloud and on external databases, we need secure security measures, not outdated mechanisms that hold users responsible for keeping data safe. Choosing FIDO not only means opting for a global standard that has been devised by some of the biggest players in the tech industry, but it also means trusting a standard that is being constantly re-envisioned and improved upon as new threats arise and technology advances.
