FIDO: Security without Passwords
First, a test question: What is the word FIDO generally thought to be?
- Name of a family dog
- Name of a zombie movie
- An acronym standing for Fast Identity Online
- All of the above
You have 30 seconds, and there is no prize for a correct answer. OK, time’s up, and “d” (all of the above) is the correct answer; however, I don’t recommend the movie. For the purpose of this article, the third answer is our focus.
It is an acronym that stands for Fast Identity Online, but I don’t want to jump ahead. First we’ll review the problem of weak security on the internet. Passwords may be the issue, and here are the indicators why:[1]
- Passwords are the root cause of over 80% of data breaches
- Users have more than 90 online accounts
- Up to 51% of passwords are reused
- 1/3 of online purchases are abandoned due to forgotten passwords
- $70: average help desk labor cost for a single password reset
What is a password? A very general definition states that a password is a secret word or phrase used to gain admission to something. We know from history that the Roman Army used passwords, also known as watchwords, and had a protocol for disseminating them throughout a unit. Skipping forward, in 1961 MIT used a computer system that requested a password when a “Login” command was issued. In the early 1970s, password storage security was improved when stored passwords were hashed rather than kept in the clear. Passwords have been around a very long time.
Many of us have seen the annual worst password lists. SplashData reports the top 25 yearly. In 2018 the top 10 were:[2]
1. 123456 (rank unchanged from last year)
2. password (unchanged)
3. 123456789 (up 3)
4. 12345678 (down 1)
5. 12345 (unchanged)
6. 111111 (new)
7. 1234567 (up 1)
8. sunshine (new)
9. qwerty (down 5)
10. iloveyou (unchanged)
It is sad to note that similar failing approaches to passwords are used over and over again. So, is it really true to say passwords are the problem or is the mentally lax manner in which we generate passwords the problem? The fact that this problem continues year after year tells us that we, the computer users, are not going to invest the mental energy to fix this issue. This historical trend line has spawned an industry working group called the FIDO Alliance.
The FIDO Alliance comprises industry leaders from the IT, finance and authentication/encryption fields. There are many members of the FIDO Alliance. Here are a few, but not all, of the better-known Board Level Members[3]:
Note: While Apple is not currently involved in the FIDO effort, the Apple browser does include FIDO code.
The FIDO Alliance overview states, “The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords.”
To use FIDO to authenticate, you must first register. The following is a brief description of the process taken directly from the FIDO web site. This is the short version and, although a few technical terms are used, it is generally non-technical and easy to follow.
FIDO Registration[4]:
- User is prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
- User unlocks the FIDO authenticator using a fingerprint reader, a button on a second-factor device, a securely-entered PIN or other method.
- User’s device creates a new public/private key pair unique for the local device, online service and user’s account.
- Public key is sent to the online service and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.
FIDO Login[4]:
- Online service challenges the user to login with a previously registered device that matches the service’s acceptance policy.
- User unlocks the FIDO authenticator using the same method as at Registration time.
- Device uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
- Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.
It is important to understand that, “The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.”
So where is this going in the future? The FIDO Alliance has not finished their work. They have developed FIDO2. Again, from the FIDO Alliance web site:
“The FIDO2 Project is a set of interlocking initiatives that together create a FIDO Authentication standard for the web and greatly expands the FIDO ecosystem. FIDO2 is comprised of the W3C’s Web Authentication specification (WebAuthn) and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP), which collectively will enable users to leverage common devices to easily authenticate to online services — in both mobile and desktop environments.”[5]
Notice that the approach continues across hardware platforms. The FIDO approach also crosses browser platforms to include Edge, Chrome, Firefox and Safari. Due to the reliance on public key encryption, Internet Explorer is not included, and you can expect it to lose mainstream status as well as Microsoft support in the future.
As the old saying goes, “Times, they are a changing.” How we authenticate into computers, applications and web sites will change. We will continue to monitor the FIDO Alliance and keep you informed. Are you ready to make the change away from passwords?
For general reading – https://fidoalliance.org/
Sources
About Automated Systems, Inc.
Since 1981, Automated Systems, Inc. has been a leader in providing innovative core banking, digital banking, and data processing solutions to community banks nationwide. An array of integrated applications provides partnered banks with tailored, cost-effective, competitive choices. ASI delivers industry-leading technology backed by unparalleled in-house conversion, training and support teams, paving the way for progressive, top-notch customer service. ASI corporate headquarters are located at 1201 Libra Drive, Lincoln, NE 68512, 1.800.279.7312. For more information about banking solutions from ASI, visit www.asiweb.com.
About Insite Data Services
IDS data application hosting services combine secure and cost-effective core banking applications, enterprise-class servers and storage, and proven virtualization technology. IDS hosts all of the bank’s servers in secure data centers that use state-of-the-art security systems, including identity verification and biometric scanning. Insite Data Services also offers IDS On-Time, a full-service solution dedicated to back-office bank processing. These operations experts allow partnered banks to focus on their most important asset, their customers. For more information visit www.insitedataservices.com.
Good article, Bob. I like using my fingerprint with my iPhone. Not as comfortable letting Chrome or Edge save my PW for me.