We all know what it’s like when you go online to quickly buy a certain product you’ve wanted for a long time. One that’s now finally available at an affordable price – but only in some online store that you’ve never visited before. If you plan to order from the site more than once, you might well choose not to order as a guest but instead create a new user account and set a password for your next log-in. And later, you want to check your purchase again – but realise you’ve already forgotten the password to access your own account details! Some people get around this problem by using the same easily memorable password for several different accounts. However, while this is convenient, it also increases the risk that cybercriminals might obtain confidential data from users and companies and misuse it for their own purposes.
What’s more, we’re now using our smartphones for shopping, banking and other transactions more than we’ve ever done before. And on a mobile device, it’s even more inconvenient to laboriously type out a complicated password than on a desktop PC. This can sometimes even stop us from visiting a site at all or else leave us so frustrated that we abandon certain purchases altogether.
For the first time, IT security and usability can be optimally combined
Now, however, smartphones are where we can finally find a solution to the dilemma described above, one that is as clever as it is secure. Modern mobile devices let us use biometric features such as facial recognition or fingerprint scanning to authenticate ourselves online. What makes this robust is that the biometric data never leaves the device: the fingerprint or face is matched locally in protected hardware and serves only to unlock a cryptographic key stored there. The website or app being logged into, and even the authentication software itself, never receives the biometric template, so there is nothing of that kind for an attacker to steal from a server. If biometric unlock is used as one factor in a two-factor authentication (2FA) or multi-factor authentication (MFA) process, a criminal who has obtained the password alone still cannot get into the corresponding user account.
What’s more, the open FIDO standard, which works on a global basis, will in the future increasingly save us the hassle of having to remember passwords when logging in...
The foundation of the FIDO Alliance: global transactions require global security standards
Now that the Internet has brought the world closer together than ever and we find ourselves completing transactions way beyond national borders – whether we’re shopping, entering our credit card details on foreign-based websites, or making cashless payments on holiday or on business trips – it has become necessary to develop international industry standards for worldwide online authentication. With this in mind, the FIDO Alliance (FIDO = Fast Identity Online) was set up as a not-for-profit organisation in 2012.
FIDO 1.0 lays the foundations for simple and secure password-free authentication
Back in December 2014, the Alliance published its first open standard: FIDO v1.0. The standard is based on two protocols:
- FIDO U2F (Universal Second Factor), which specifies how a hardware security key (for example a USB or NFC token) acts as a second factor alongside a password: the key signs a challenge from the website with a private key that never leaves the token, and the user confirms presence with a touch, and
- FIDO UAF (Universal Authentication Framework), which specifies password-free authentication in which the user unlocks a key bound to the device locally, for example with a fingerprint, a face scan or a PIN, and the device then proves possession of that key to the server
The FIDO standard was thereby intended to enable users worldwide to authenticate themselves quickly, conveniently and securely online without a password, for example on their smartphone or laptop. One well-known application is the Windows 10 log-in via “Windows Hello”, which unlocks a device-bound key with facial or fingerprint recognition or a PIN so that the user logs in securely; Windows Hello is a FIDO2-certified authenticator.
FIDO2 – for even greater convenience and security
The FIDO2 standard, which the FIDO Alliance developed in cooperation with the W3C (World Wide Web Consortium), consists of the W3C Web Authentication standard (WebAuthn), the API that websites call in the browser, and the FIDO Alliance’s Client to Authenticator Protocol (CTAP), which connects the browser or platform to an authenticator. It builds on the authentication hardware already present in modern PCs and mobile devices. At login, a user name or email address is all that needs to be typed. The website then sends a random challenge; the authenticator, whether an external security key in a USB or NFC token or the crypto or TPM chip (Trusted Platform Module) built into the device, signs that challenge with a private key that was generated inside it during registration, and the website verifies the signature with the matching public key it stored at that time. Because the signed data also covers the website’s origin, a phishing site on another domain cannot obtain a usable signature, and because the private key cannot be read or copied out of the token or chip, a breach of the website’s database exposes only public keys, which are useless to an attacker.
Nowadays, the widely used Windows, iOS and Android operating systems already support the FIDO2 standard by default (from Windows 10, iOS 13 and Android 7 onwards), as do the Chrome, Edge and Firefox web browsers.
For convenience and security, Nevis relies on FIDO
Nevis offers a password-free log-in experience that combines online convenience and security by using the facial and fingerprint recognition already built into most modern mobile devices. During registration, a key pair is created on the user's device: the private key stays on the device's crypto chip and can only be used after the user has passed the biometric check, while the public key is registered with the Nevis Authentication Cloud server. At each log-in, the server generates a fresh challenge that the device signs with the private key, and the server verifies the signature with the stored public key. This coupling of the private key on the crypto chip in the user's device with the public key on the server is how Nevis realises a passwordless login in the FIDO standard.
The upshot – a permanently changed log-in experience with FIDO
Passwords are on their way out. Not only are they impractical and inconvenient, but they are also rather insecure: they get reused, phished and leaked in breaches. The FIDO standards offer a welcome solution combining user-friendliness with strong security, because each login is a signature over a fresh server challenge, bound to the genuine website and made with a key that never leaves the user's device, so a stolen database or a phishing page no longer yields anything a cybercriminal can use to gain unauthorised access to sensitive data. Users worldwide can therefore breathe a sigh of relief as they no longer have to remember passwords.