FIDO for All (S1:E18)

June 2, 2022

Jonny Adams, Product Manager for Logical Access at Identiv, and John Guerrero, CEO at Identify Systems, return to chat about making FIDO accessible for all: businesses, governments, and consumers alike. The FIDO ecosystem eliminates the risk of data breaches, phishing, password theft, and replay attacks with hardened multi-factor authentication. The tech is transforming the cybersecurity experience.

Full Transcript

Speaker 1 (00:01): You're listening to Humans in Tech. Our podcast explores today's most transformative technology and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in physical access, identity verification, cybersecurity, and IoT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species, and dive into the emerging digital experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture. Your host is Leigh Dow, VP of global marketing at Identiv.

Leigh Dow (00:43): Thanks for tuning in. I'm joined by Johnny Adams, product manager extraordinaire for logical access at Identiv, and John Guerrero, business consultant extraordinaire for Identiv. It's always a pleasure to chat with you guys.

Johnny Adams (00:56): Thank you.

John Guerrero (00:56): Thank you for having us.

Leigh Dow (00:57): Of course. Today, we're going to be discussing cybersecurity, specifically focusing on Identiv's FIDO2 ecosystem, uTrust FIDO2 NFC plus security keys, uTrust key manager software, and the significance of our FIDO For All campaign. And I have to tell you guys that every time I think about FIDO For All, I want to say, "FIDO For All." I think it's going to be...

Johnny Adams (01:22): It's sketchy.

Leigh Dow (01:22): Yeah, a really fun rollout. Our uTrust FIDO2 NFC Plus security keys pair with the uTrust Key Manager software tool to provide authentication for Windows 10 on standalone devices and to support PIV, HOTP, and TOTP. The ecosystem eliminates the risk of data breaches, phishing, password theft, and replay attacks with hardened multifactor authentication cybersecurity. At Identiv, we're working to convert the cybersecurity experience by replacing passwords with a secure, fast, scalable, and cost-effective login solution.
John, I know you've covered this before, but can you give a quick rundown on the basics of FIDO and FIDO2?

John Guerrero (02:03): Sure, happy to help here. So FIDO and FIDO2 are interoperable technical standards, the focus of which is to change the way authentication takes place, making it more secure and convenient. So when registering to use FIDO or FIDO2 as an authentication device, the system generates a set of cryptographic keys so that the private key is kept in the hardware of the device and the public key is saved in the online service. And if we look at the FIDO protocol, also known as FIDO U2F, or universal second factor, it was designed just as that, a second-factor authentication method to increase the security of the username- and password-based logins. The FIDO2 protocol, it's an extension of FIDO that was designed to cover and address additional use cases, where passwords want to be eliminated altogether to create a true, highly secure authentication process.

Leigh Dow (03:03): I feel like FIDO's having a moment. Why is the tech so significant right now?

John Guerrero (03:10): There's a couple things, I think, make the tech very relevant to today. I think, personally, it has to do with a lot of the... or the historical growth of the cyber attacks going on worldwide, from cyber hackers attempting to disrupt our voting system here in the US or stealing all of our personal, private financial information from banking while we're online. The threats are literally everywhere as long as you're on the internet. To simplify this, the FIDO standards, really, they just encrypt the data so that it is highly secure. They leave no footprint when you log in, so there's nothing left behind for hackers to grab as far as information to obtain your login data. And when using our uTrust FIDO2 key, a hacker cannot log in without having the key in his possession. And it's pretty hard to do for...
It's pretty hard for a cyber hacker to authenticate using your key when he's on the other end of the computer, either overseas or the next town over.

Leigh Dow (04:14): Johnny, can you walk us through the process of how to use our security keys with the Key Manager Tool?

Johnny Adams (04:21): Sure. Yeah, it's really pretty straightforward. Once you launch the uTrust Security Key Manager, you'll be prompted to insert your key, and when you do so, you'll see some information about your key. You'll see the model. You'll see an image of what your key should look like. You'll also see your serial number, which could be pretty useful if you're using it for personal use and then also wanting to self-enroll if that's an option with your work. In addition to that, on that homepage, you'll see some support links. So if you've got questions about your security key or about the key manager, then you can click on those links. You'll have a wealth of support there at your fingertips. And again, we've tried to keep this simple and user-friendly. So there's an applications dropdown menu, and you'll see those three applets that were discussed: the OTP, the PIV, and the FIDO. So first, if you click on OTP, you'll see one option, and that's to enter your shared secret. So for those that don't know, OTP is One Time Password that can be hardware-based or time-based. So if you go to a site and it allows you to use OTP, or registration authentication, then there'll be an option to generate your shared secret there. You'll copy that, paste it into the field on the key manager, and save that. And from then on, you'll be able to use your FIDO key with that site, just a tap of the button, and you populate the OTP field, which that's great.
If you're an OTP user looking to migrate into sites that are using FIDO, then this is a good solution for you, or if you're just going to stay in a hybrid situation where certain sites use OTP, other sites use FIDO, then you've got both solutions literally at your fingertip. And then FIDO... So, again, click on the applications menu, choose FIDO. You'll see a couple of options. If you've yet to set a PIN, then you can set your PIN there. If you've already set a PIN... Let's say you've used the key already to access a website or registered with Google or Dropbox or whatever, you may have already set a PIN. Here you can change that PIN. And then your other option is to reset. And now the reset, it will get rid of your PIN, and it will also unbind or unpair the certificate pairs that you've created with any websites, which is great. If you're going to give your key to someone else or for business purpose, if you're recycling keys, then this clears those, and you don't have any issues with there already being paired certificates from the previous user. And then the final piece is, again, applications, click on PIV, and here, if you're a smart card user or you've worked with certificates and you want to continue to work with those, here, you can manage those certificates, create them, import them, delete them, and then you also have the ability to manage your PIN and manage your PUK, which is essentially the master key over your PIN.

Leigh Dow (07:52): How would you describe the core benefits of this process?

Johnny Adams (07:57): I believe the benefits are just, one, it's super simple. It's accessible for not just a network admin, but the everyday user, somebody who's just trying to secure their Twitter account. They don't want to get hacked. They've got the key, which makes it secure. They've got the tool that is just super easy to use. You don't have to be a programmer. You don't have to know any command line tools. It's not a big configuration tool.
It's just very simple and adds that extra layer of security on top of already having a security key.

Leigh Dow (08:39): Do you feel like making it more simple to use will definitely help adoption?

Johnny Adams (08:46): Yeah, I really believe it does. And that's something that we had in mind as we were developing this tool. We wanted the user experience to be just, like I said, accessible. There's nothing complicated. If you can click and if you can copy and paste, then you're going to be able to use this tool. There's no learning curve. It's super simple.

Leigh Dow (09:14): Yeah, so you don't have to be an IT professional to understand how to use it.

Johnny Adams (09:17): Not at all. It's made for the common just general web user.

Leigh Dow (09:26): John, what type of services or applications do you see as the biggest market for our FIDO2 products?

John Guerrero (09:34): So, basically, any organization or consumer that's looking to provide the highest level of security on the market to protect their data will want to use this. When I look at it vertically-specific, I would have to say that I think healthcare and the finance industry, both neck and neck there, would benefit the most. And the reason being is you're guarding a lot of personal data, whether it be social security numbers, banking information, health information, prescription information, anything you can think of from that end that's personal to the consumer or user, we'll call them, because they may be within that organization that they're protecting, they'll benefit the most. Unfortunately, currently not all applications are FIDO2-enabled. However, we are seeing more and more applications utilizing this technology every day, everybody from Bank of America, Google, Facebook, Dropbox, the list just goes on and on of the high-tech companies, as well as the everyday user consumer companies that are starting to use FIDO to protect their brand.

Leigh Dow (10:38): You mentioned a few industries in there.
What other industries do you think will benefit the most from this technology?

John Guerrero (10:44): So, personally, I feel that the high-tech industry has the most to gain. Along with protecting and securing their internal information, like data, IP, employee information, being a high-tech company, they also have to make sure that they are providing a highly secure login method to protect their consumer information or their customer information, excuse me. A breach in customer data can do irreparable damage to their brand and cost them literally hundreds of millions of dollars to remedy.

Leigh Dow (11:18): Johnny, until now, we've been really laser focused on enterprises and organizations when it comes to this particular product family. What does FIDO For All mean for the everyday consumer?

John Guerrero (11:30): Again, it's all about the accessibility. FIDO For All is cybersecurity for everyone, from your systems administrator, who's wanting to steer their sales force for an entire company to my mom, who's already had her Facebook hijacked a couple of times, we're looking to make this a solution for everyone who we know that usernames and passwords are going to be susceptible to being phished or hijacked, even complex passwords. A lot of people or even businesses report that they spend a lot of time recovering passwords because people generate a difficult password and it's hard to remember. FIDO removes those issues, and not just are we making it accessible to all and providing security for everyone, from complex solutions to social media or whatever your case may be. We're also making it affordable. So FIDO For All is a product that will put security back into the hands of each and every individual.

Leigh Dow (12:50): I'm going to have to get hats made or something FIDO For All.

John Guerrero (12:56): I'll take one. Sign me up for one.

Leigh Dow (12:57): Yeah, I think about... Whenever I hear that, I think about the... Have you seen the meme, the all the things meme?
John Guerrero (12:57): Yes.

Johnny Adams (13:03): Oh yes.

Leigh Dow (13:05): That's what I always think about when I think about FIDO For All. It's like all the things. Any closing thoughts from either of you on how we humans can continue to fit into our technology-centric, hyper-connected more than ever world?

John Guerrero (13:21): So I think that the thing to remember here is that everyone is enthralled, entranced, and used to using username and passwords. And they really have to understand that that's not a secure method. By simplifying things with our FIDO key and the FIDO standards and technology that are available, it is a learning curve to get adjusted to how to use the key and go through a different authentication process. But as we've stated so many times, it's a simple process. And like with everything else, once you get used to it, it becomes second nature. And if you can do something that's protecting your information as highly secure as it is, easy to use, and as Johnny alluded to, extremely affordable, why wouldn't you stay connected like this?

Leigh Dow (14:12): For sure. What about you?

Johnny Adams (14:15): Yeah. I would just back what John's saying here. Don't just be okay with username and password and the fact that it's going to be susceptible to an attack or you losing your password. With something so simple to use, literally plug it in, and tap the key, and then, again, affordable, there's no reason that you should not be absolutely secure, be un-phishable, be unhackable, and just get a security key.

Leigh Dow (14:49): We've talked with other guests so much just recently about the role of the evolving metaverse and the need to have much stronger ways and easier ways to verify your identity, that your physical and digital identities match up, and that you have easier and easier ways as a consumer to protect your identity. So I think that the FIDO technology is really interesting in that space. It's definitely part of the token economy.
So for me, I think that FIDO's just such a great enabler to allowing us to secure ourselves in this more and more hyper-connected technology-centric world.

John Guerrero (15:39): Agreed 100%.

Johnny Adams (15:40): Yeah, absolutely.

Leigh Dow (15:42): Thank you both for taking the time. Always a pleasure to talk with both of you and really appreciate you calling in today.

John Guerrero (15:48): Thank you. Thanks for having us.

Johnny Adams (15:49): Thank you, Leigh.

Leigh Dow (15:50): Thank you.

Speaker 1 (15:51): Eliminate the risk of data breaches, phishing, password theft, and replay attacks with hardened multifactor authentication, cybersecurity. Password-less logins are simple and secure with uTrust FIDO2 NFC Plus Security Keys. Insert the device, tap the button, and get secure access. It really is that easy. Learn more at identiv.com. Physical security, identity verification, the IoT, the hyper-connectivity of our lives will only grow more pervasive as technology becomes more automated and experiences more augmented. It's up to us to preserve our humanity and use new tools and trends for good. The only question is, are we up for the challenge?