Why You Should Consider FIDO Universal 2-Factor Authentication

RequestInformation
jcarpenter's picture

Most IT and cybersecurity professionals have at least occasional anxiety about when the next major virus, ransomware or swarm bot will hit. With the bulk of data breaches occurring at the network perimeter—as users get their emails and go online—user authentication software is a primary concern.

The fight against stolen credentials has led to the growing adoption of two-factor authentication (2FA) or multifactor authentication (MFA). Forward-thinking companies are going beyond the username/password combo (“what you know”) and adding a second authentication factor (“what you have” or “who you are”). This additional layer of security could be the key to protecting your business, employees and customers.

But it’s still early in the game. In fact, a Google engineer recently revealed that 90% of active Gmail accounts don’t use 2FA. With email and websites being primary hacking targets, why the hesitation with 2FA? Two reasons that frequently come up include:

  • Usability: Fear that additional login steps may cause employees to take shortcuts, such as sharing passwords. For revenue-producing sites, companies requiring added steps may drive away customers.
  • Lack of Interoperability: Security tokens (hardware devices that plug into a USB port) have been quickly evolving for 2FA. However, spotty interoperability between web browsers and hardware security devices has caused doubts about their effectiveness.

New FIDO U2F Standards Move 2FA/MFA and Tokens Forward

Enter the Fast IDentity Online (FIDO) alliance and World Wide Web Consortium (W3C). These organizations share common ground in addressing poor interoperability among strong authentication devices and the failings of username/password security. Together, they have developed Universal Second Factor (U2F) specifications.

A recently released set of improved U2F standards dubbed FIDO2 is a milestone. It consists of the W3C Web Authentication specification, WebAuthn Application Programming Interface (API), the Client to Authentication Protocol (CTAP) and an external authenticator (Security Key by Yubico).

Service providers—including Google Chrome, Microsoft, Mozilla Firefox and Dropbox—are committed to supporting FIDO2 standards. This is a huge step forward in ending dependency on passwords and fueling the growing adoption of FIDO authentication for websites and applications.

Tokens are a Smart Move for 2FA Adopters

With U2F, security tokens are becoming a relevant 2FA tool in the fight against data breaches. Why tokens?

First, the attacker needs the physical token to access an account. Second, the token’s private key is cryptographically tied to the FIDO2 supported website, such as Gmail, making it phishing-resistant. Third, the token securely stores multiple login credentials, so users only need to remember a single password. In short, tokens provide advanced security along with convenience.

Keep in mind, however, that U2F is still in the early stages of adoption and not everyone is on board. Some vendors use workarounds that can decrease the effectiveness of the tokens. Also, companies often block operations with USB ports on corporate computers. Of course, perhaps the most obvious problem is that tokens can get lost, stolen or left in machines.

FIDO2 Makes U2F a Reality

FIDO2 universal authentication specifications and FIDO certifications make an even stronger argument for 2FA. From tokens to mobile to biometric authentication factors, FIDO2 adoption makes 2FA a more viable solution for protecting networks from malicious websites and vulnerable apps.

HID Global advanced authentication solutions support FIDO2 U2F. Explore more.

Get the latest blogs on identity and access management delivered straight to your inbox.

Jeff Carpenter is Director of Cloud Authentication at HID Global. In his 15+ years in cybersecurity, Jeff has held positions with several top tier cybersecurity and technology companies including Crossmatch and RSA, a Dell Technologies company. He holds both Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) designations.