Page 26 - GS220401
CoverStory
Credentials come in myriad form factors, which could be a physical token, biometric data, knowledge, a shared secret or combination of these things. "We use presented credentials to authenticate users – meaning if the credentials are valid, we are satisfied that both parties are who they say they are," Deignan said.

Multi-factor authentication, zero trust access

Jeremiah Mason, senior vice president, head of product, authID.ai, has seen large and small businesses step up security measures and increase their use of multi-factor authentication, which requires individuals to use two different credentials when logging in to a website, mobile app or connected resource. "Since the onset of the pandemic, and spurred by a recent White House mandate, enterprises and federal agencies are abandoning legacy-based cybersecurity tools and protocols in favor of more advanced, proactive cyber-defense alternatives," he said.

Mason maintained that organizations could harden security by replacing inherent trust with a zero trust access (ZTA) approach. ZTA assumes all traffic is hostile and grants access on a need-to-know basis, which creates an immutable audit trail of authorized user access and helps reduce risks and threats across an enterprise, he stated.

"Additionally, in the midst of heightened geopolitical conflict and nation-state sponsored cyberattacks, we are seeing companies either thinking about implementing or implementing MFA on a broader basis by removing passwords from MFA workflows to reduce the risk of a compromise," Mason said. "The movement towards passwordless MFA, which removes a shared secret from the workflow, also supports ZTA."

Device integrity

From Mason's perspective, authenticating individual users as they log in to websites and apps is not enough; their devices must also be authenticated. Fortunately, decision-makers realize this and are propelling the market forward to more secure cyber standards and practices, he noted.

Deignan agreed, stating the device that is used to conduct a transaction must be authenticated so that a relying party can recognize if a clone or altered device has been inserted into the mix to harvest payment data or redirect it to unauthorized parties. "Terminals these days come in all shapes and sizes," he said. "Even a tablet or a mobile phone can be a payment device. This variety makes authentication even more difficult but necessary."

Payment transactions require a combination of security measures, Deignan added, stating it's not enough to just approve a payment, nor is it sufficient to just encrypt payment data. "Encryption scrambles valid data and counterfeit or fraudulent data equally well," he said. "And tokens are great, but not a silver bullet, because if you can't authenticate a transaction, even if it's 'approved,' you can't trust it."

Multi-device credential

Authenticating from personal devices has become the norm for consumers around the world, but what happens when the user replaces a phone or laptop that serves as a login credential? A March 2022 white paper by the FIDO Alliance, How FIDO Addresses a Full Range of Use Cases, introduced a multi-device authentication capability that facilitates secure logins across multiple channels. With this solution, users with new devices would no longer have to buy a security key or fall back to a less secure, non-FIDO authentication method, researchers proposed.

"We believe that the syncing of FIDO credentials, together with the Bluetooth alternative, allows FIDO authentication to not only be a suitable alternative for existing two-factor deployments, but for the first time, be a viable solution for use cases where deployments of two-factor authentication methods have proven difficult, and where consequently consumers are stuck with passwords," FIDO researchers wrote. "This approach reflects an evolutionary step in the FIDO ecosystem, delivering phishing-resistant authentication at a scale that rivals that of password-based authentication deployments."

The FIDO Alliance was established in 2012 to drive simpler, stronger authentication methods through an open, scalable, interoperable framework that reduces reliance on passwords. The organization has made significant progress over the past decade toward its goal of creating stronger, private, easier ways to securely access online services, FIDO representatives stated.

Passwordless journey

The passwordless journey can be challenging for global brands tasked with implementing advanced technologies across multiple regions and regulatory landscapes while striving to deliver a consistent customer experience. This topic was explored at FIDO's March 2022 Authenticate Summit, a virtual event featuring leading ecommerce and security experts.

Manish Gupta, director of global security at Starbucks, described authentication as a platform that offers unlimited potential through its deep connection with end-users.

"You could combine authentication with other technologies to make it an enabler for ecommerce or for socioeconomic efforts, or as a protector when viewed from a cybersecurity lens, or a key component of digital transformation," Gupta said. "The possibilities seem endless when you think of what we can do. Let's continue to maintain the right balance of usability, communication, branding, and security; and let's extend our thinking to the full end-user experience and not just pigeonhole ourselves to authentication."

Agreeing that the FIDO Alliance has made significant progress in driving standardization, interoperability and