With many more people using apps and websites on a daily basis since the pandemic took hold, it has never been more crucial to make sure consumers are safe when logging in to use products and services.
With that in mind, National Technology News editor Peter Walker had a chat with Andrew Shikiar, the executive director and chief marketing officer of the FIDO Alliance, about the work that’s being done to unite companies and industries around one common standard for cyber security.
• For the uninitiated, can you explain what FIDO Alliance is and what it's trying to do?
We are an industry consortium of companies collaborating to address the data breach problem, which continues to be enormously damaging, threatening the integrity of the network economy.
The tip of the spear in this effort is passwords, so that was our first big task. Over 80 per cent of data breaches are caused by passwords. Credentials are spilled onto the dark web and stuffed into accounts. They’re an outdated mechanism – not fit for purpose in today’s marketplace.
The core weakness of passwords is that they are shared secrets that sit on a server. So we’re fundamentally trying to move authentication away from centralised to decentralised, with possession-based authentication, by leveraging the device in their hands. This gets rid of the big breaches and credential spills, as it's harder to target individuals.
• What's the current state of passwords and authentication across industries like - and what are the major challenges you're currently trying to overcome?
FIDO publicly launched in February 2013, so we’ve been at this for several years – and I think we’ve made great progress. We’ve always been tightly focused in our efforts, developing initial specifications for biometric authentication for password replacement (Universal Authentication Framework or UAF) and for second factor authentication (Universal Second Factor or U2F), which were both released at the end of 2014. There was strong initial take-up of both, but to gain scale - to make FIDO authentication as ubiquitous as HTTP - we had to do more.
So we submitted our technical specifications to the World Wide Web Consortium (W3C) to form the web authentication working group, which created the WebAuthn API, which then became part of FIDO2. With FIDO2 we have now seen support across a full set of web browsers (Edge, Chrome, Safari and Firefox) and it’s natively supported in Android and Windows 10. Earlier this year, Apple joined our board of directors and has expanded their browser and operating system support, which is great because the first question any service provider will ask is how many customers can be addressed.
Now we’re working inside of the alliance on breaking down any other impediments to implementing FIDO, so we’ve got different working groups tackling technology, business and policy challenges – and helping to educate the market.
• What's changed in the last few months due to the Coronavirus crisis?
It’s really accelerated digital transformation – from being just a buzzword to truly reshaping business and working models from the ground up. However, it’s also a massive opportunity for hackers, who see this newly vulnerable workforce as a prime target. It has really upped the imperative for businesses to protect them.
FIDO Security Keys, or tokens, which employees can use to log in to applications, are a crucial form of protection – and the good news is that they’re accessible to most companies. G Suite for instance, which many small businesses run on, features Google Advanced Protection to protect employees from phishing. The core of that program is FIDO security keys. This has been validated by Google themselves, who rolled out FIDO Security Keys to their own employees – and not one has been phished successfully.
• Given we're all spending a lot more time logging into websites and apps, what can be done to improve the safety of our personal information?
For the average consumer, it’s about password hygiene and following best practices. Many password managers support FIDO. Other than that, people should be asking their service provider to support FIDO – that’s why we launched our consumer-facing website loginwithfido.com.
• I know FIDO is all about proposing a password-less framework, but how realistic is that in the short-term and what has to happen for it to become a widespread reality?
We’re seeing companies deploying FIDO already. One big step is getting users less dependent on passwords though, before getting passwords off the network altogether.
I’m confident that by 2025 most consumer-facing internet services will offer their customers a password-less option to log in to their products and services - but the bigger step is getting rid of passwords altogether.
It’s important to clarify that when Touch ID or Face ID is used without FIDO there’s still a password behind it – there’s much greater user convenience and experience, but a password remains on the server for login. We really need to get passwords off the servers and replace them with FIDO public keys. It’s viable, and we’ve seen some companies do this already. For example, NTT DOCOMO - a leading mobile operator in Japan - is doing so for their customers.
• In Europe, one of the biggest drivers towards two-factor security is the implementation of Strong Customer Authentication (SCA), but delays have been down to many merchants complaining about readiness and voicing concerns over loss of sales due to the added checkout friction of these methods – how do you strike that balance between security and seamless transactions?
FIDO presents an excellent solution to SCA, and we’ve already engaged with EU regulators on this. In short, we feel - and the EBA has stated - that FIDO biometrics meet SCA requirements by providing two factors in a single gesture. Biometrics on most mobiles can meet the requirements, so that’s a neat way to address this.
You’re absolutely correct that we need to find the right balance between friction and security – and that this has been a key issue for implementation of SCA in general. In FIDO we have many banking and payments members, such as Visa and Mastercard, which have been keen to see FIDO be part of a strong solution in this regard – and not just to address PSD2 in Europe.
In India for instance, the government began requiring SMS OTPs to verify transactions over a certain amount, and Mastercard was seeing that up to 20 per cent of transactions were unable to be completed due to messages not getting delivered or related issues. As a result, they’ve released a FIDO-based solution, so people can now use a local PIN or biometrics on their device, which gives better security, throughput and usability – approaches like this need to come to the fore to see secure transactions adopted at scale.
Fundamentally, I think we want to avoid pop-up windows, redirects and navigating between devices when paying for things. The industry needs to get to a point where vendors and merchants are confident at deploying solutions.
People are used to passwords, whether they like them or not, so there needs to be some consumer education for them to get used to these changes in the login paradigm. People have rapidly adopted biometrics on phones as the functionality has expanded and improved – the key bridge is for them to realise that ‘what I do to unlock’ has now become ‘what I do to login’.
• Can you explain some of the technical aspects behind your proposal - things like public-key cryptography?
A key premise for FIDO is that the average user shouldn’t need to be able to say, let alone understand 'asymmetric public key cryptography' to reap its benefit – which is why we’ve focused on user friendliness. At the core of what we’re doing is moving away from the old model of logging in where passwords or other reusable ‘shared secrets’ are stored on a server, to one that is more decentralised in nature, focused on user possession. This will stop the scalable attacks that impact millions or billions of users in a single swoop.
The problem with the old model is that anything on a server can, and eventually will, be stolen – which means that passwords or other knowledge-based secrets aren’t secret anymore. The essence of public key cryptography is that for each account there is a unique keypair – and all that sits on the server is a public key, which cannot be re-used and as such has no material value to hackers. The corresponding private key is stored safely on the user’s device, which is encrypted and can only be unlocked when the user verifies themselves to the device through a simple gesture that they must make. This is what we mean by possession-based authentication.
• How do you see the next few years playing out - given all we've spoken about - and what are your biggest goals over that timeframe?
Adoption is the key focus for us now. The foundation is set, as our specifications are supported by the vast majority of devices on the market and ready for wide rollout, so now it’s about eliminating other impediments – which is something we’re actively working on inside the alliance. Our hope is to see more and more companies deploying FIDO in consumer, government and enterprise settings, and we’re aware of many such deployments already underway; the NHS would be one such example.
We’ve also got complementary initiatives in the areas of identity verification and the Internet of Things. In terms of the latter, we really need to take the password out of these connected devices, as many come with passwords hardwired, which are easy to hack.
As stated earlier, my hope is that by 2025 we’ll see the vast majority of online services offering users passwordless login options – with the bulk of those using FIDO standards to make this possible.