FIDO Alliance speak about a future without passwords

Security Solutions spoke to Andrew Shikiar, Executive Director at FIDO Alliance, about the acceleration of digital transformation and how this has led to a rise in cyber attacks and other threats.


Please start by giving us a very quick overview about FIDO Alliance. What is the organisation’s core value offering, who do you work with in Australia, and what is your relationship with local partners?



The FIDO Alliance is an open industry association aimed at changing the nature of authentication with open standards to help reduce the world’s over-reliance on passwords. FIDO promotes the development and use of standards for authentication and device attestation. This includes addressing the lack of interoperability among various authentication technologies and promoting global standards that make it easier for consumers to use, and easier for service providers to deploy and manage.


FIDO’s authentication standards are implemented by industry leaders such as Apple, Google, and Microsoft. For instance, the Face ID and Touch ID used on Apple’s Safari 14 for logins are built on the WebAuthn component of the FIDO2 standard, developed by the FIDO Alliance.


In Australia, FIDO’s standards are deployed as part of the Essential Eight Maturity Model stipulated by the Australian Cyber Security Centre (ACSC), where FIDO’s multifactor authentication (MFA) is one of the eight critical controls recommended. FIDO Alliance also enjoys a liaison relationship with the Australian Payments Network.


With the current pandemic business conditions, we are seeing a spike in cybercrime, phishing scams, etc. What is your take on the effect this might have on organisations across our region, now and into the near future?


The pandemic saw businesses across the world accelerate their digital transformation journeys. Lockdowns and movement control measures forced businesses to adapt and ‘go digital’ to run more efficiently and effectively.


As more business gets conducted online, cybercriminals are also upping their game and preying on people’s anxieties and uncertainties. In fact, a survey by Risk Based Security revealed that 36 billion records were exposed by data breaches in the first three quarters of 2020. Also, according to a Deloitte study, phishing remains a popular tool in a cybercriminal’s arsenal, with phishing emails revealed to be behind 91 percent of all cyberattacks.


As such attacks become more common (and severe), it’s time to rethink our reliance on passwords. Passwords, which used to be the definition of secure, are a “shared secret” that sits on a server, and they have become a prime target for dark actors. This raises the importance of enhanced, secure online authentication mechanisms that do not rely on passwords or other server-side credentials.


As businesses rebuild and recover from the impact, leaders must also bear in mind that scalable and secure authentication is essential to business continuity and resilience. It is thus imperative that organisations put in place processes and systems for preventing and recovering from potential threats. By maintaining such plans, businesses ensure that assets are protected, and that operations will continue in the event of disaster.


Are we seeing new cyber threats emerge at present, or just a ramping up of existing attack vectors? How much of this is related to new remote work conditions? Will we continue to see raised threat levels in the future as people go back to work, or at least move to hybrid working models?


Cybercriminals have no doubt been planning and launching their attacks with intensity, especially with the prevailing uncertainty given the pandemic situation. In fact, cybercrime is up 600 percent as a result of the COVID-19 pandemic in 2020. In Asia Pacific alone, the region experienced a 168 percent year on year increase in cyberattacks in May 2021, as compared to May 2020.


These attacks are also becoming increasingly sophisticated. Phishing attacks, for instance, have been prevalent. They account for 90 percent of data breaches, and have shown no signs of stopping.


Cybercriminals have long been capitalising on anxiety and fear to intensify cyberattacks and phishing activities during crisis situations, but the disappearance of boundaries in the current digital landscape has certainly played a part in this rise.


With the pandemic, businesses have been forced to rapidly shift to a remote workforce, without the luxury of time to prepare and build proper and adequate cyber defences. As a result, it has exposed just how unprepared organisations are for a digital journey, and cybercriminals have been quick to exploit the wider attack surface of decentralised environments to their advantage. This is especially so as more employees are connecting to the corporate network using multiple devices — including desktop and laptop computers, mobile phones, tablets — with more accounts to deal with.


That means poor cyber hygiene — including password reuse — now poses a bigger threat than ever. In fact, a survey conducted by Google revealed that as many as 65 percent of people reuse the same password for multiple or all accounts — and it surely doesn’t help to know that most data breaches are the result of weak or compromised passwords.


The changes the pandemic has brought to our digital lives, including remote working, are here to stay. If that’s the case, then corporations must secure their employees, applications and data further — by providing better authentication methods with cybersecurity at the forefront of these considerations.


To what extent are password and associated breaches coming from ‘insider attacks’? What is the usual cause of this, within an organisation? Disgruntled employees, or something more sinister such as extortion, organised crime?


The 2021 Verizon Data Breach Investigations Report cites that breaches from insiders are growing in volume, but comprise roughly one-fifth of all breaches — whereas weak login credentials in general were at the root of over 60% of incidents. But I would suggest that the biggest “insider” threat remains employees falling victim to phishing or social engineering attacks, which have a remarkably high success rate for hackers.


A report from Cisco showed that 86 percent of organisations had at least one employee try to connect to a nefarious site by clicking on a malicious link in a phishing email — an attack that continues to be popular due to its simplicity and effectiveness.


To counter this, businesses have traditionally relied heavily on educating end users on how to detect phishing attacks. But even these methods have their limits — because while end users do become more sophisticated with training, all it takes is one slip up from a single employee to open up the entire IT system to these threats. With hackers employing more sophisticated techniques, including the creation of fake calendar events with video conferencing links and using seemingly legitimate sharing links like Dropbox and Google Drive, businesses simply cannot rely on employees to not fall for such malicious tactics.


If users cannot be trusted with their actions, then the only way forward is to evolve the way they are authenticated to make sure malicious actors are kept out. This includes having a coordinated and layered approach to security, and reducing the authentication burden on the user in favour of relying on technology.


What should an organisation be doing to tighten up their security in these times?


It’s clear that good cyber hygiene alone simply won’t suffice with cyberattacks continuing to evolve. The onus is on organisations to embrace modern authentication standards and take the step towards change. User authentication on chat, email, business communication and collaboration as well as video conferencing tools that have been vital during the pandemic also need to be protected to ensure that people connecting to these tools are who they say they are – lest they birth new entry points for cybercriminals to attack.


Many companies have been taking steps to make passwords more secure by mandating complicated passwords and periodic resets, but this has led to difficult password management and even less security — especially if the users are making minor variations to the same password or using the same password across multiple accounts.


Such habits magnify the threat of an account takeover, as just one leaked password can put all other accounts at risk. It is practically impossible to expect employees to remember each unique password they create and there are other methods we can employ to maintain more security.


As a first step to reducing reliance on passwords and protecting themselves against phishing, businesses can look towards passwordless authentication methods that eliminate the problems that weak passwords bring and defend against various types of cyberattacks. This includes the use of a FIDO-based hardware security key, or biometric data like a fingerprint or facial scan, which adds extra security on top of a password, rather than merely requesting a username and password. In essence, the vulnerability associated with passwords decreases if there are no credentials to steal or hack, improving overall cybersecurity.


But while it’s critical to tighten up their authentication security, businesses need to make sure they are not compromising on user experience in the process.


The good news is that most modern devices such as PCs and smartphones are coming equipped with technology to provide a good user experience while protecting businesses from phishing and other cyberattacks. FIDO, for instance, is based on public key cryptography, which safeguards login information by ensuring that it never leaves the device where it originates.


This industry standard allows users to log in with the same things they use to unlock their devices, like their fingerprints, face scans, or physical security keys, helping businesses strike the balance between security and usability. This means users have more control during login and don’t have to worry about account takeovers.


More importantly, FIDO provides support for “single gesture” authentication methods like looking at a camera, swiping a finger, or touching a security key, providing a seamless user experience where users no longer need to remember their passwords.


Do you have stats or an opinion about the use of passwords for authentication? Are we moving away from them, as a rule?


To maintain robust cybersecurity, we must move away from passwords. Bill Gates said way back in 2004 that passwords cannot meet the challenge of keeping critical information secure. He predicted the demise of traditional passwords, and the decreasing reliance on passwords then. Yet, passwords continue to be used even to this day, despite many industry experts agreeing that they should be replaced.


While we have made some progress in reducing the reliance on passwords, more still needs to be done. Cyber threats are rising, especially in the wake of the pandemic, but costs associated with implementing strong authentication are going down. As businesses look to accelerate the digital transformation journey, it is an opportune time for businesses to rethink their security processes, and implement a standards-based, cryptographically backed approach that provides simple yet strong security.


This future is already within reach, backed by leaders in their field, and supported by devices all over the world — now all we have to do is take the next step. The latest evidence of this is Microsoft’s recent announcement that holders of Microsoft accounts can now ditch their passwords altogether.