Fixing the Password Problem (S1:E12)

April 11, 2022

The world remains addicted to passwords, regardless of the growing consensus to fix the password problem. David Turner, Director of Standards Development at FIDO Alliance, discusses how the nature of authentication is changing. The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world's over-reliance on passwords.

Full Transcript

Speaker 1 (00:01): You are listening to Humans in Tech. Our podcast explores today's most transformative technology and the trends of tomorrow. Bringing together the brightest minds in and outside of our industry, we unpack what's new in physical access, identity verification, cybersecurity and IoT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species and dive into the emerging phygital experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture. Identiv's Logical Access Control technology identifies and verifies users to safely and securely access data. Remote and multifactor authentication and embedded application solutions protect data on-the-go, in the office or at home. Leigh Dow, VP of Global Marketing at Identiv, will be talking with David Turner today, Director of Standards Development at FIDO Alliance. The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world's over-reliance on passwords. The FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation.

Leigh Dow (01:23): The world remains addicted to passwords, regardless of the growing consensus to fix the password problem. We need to reduce their use or flat out replace them. I'm excited to have David with us today, so we can learn more about how FIDO Alliance is changing the nature of authentication. Thanks so much for joining us.

David Turner (01:40): Thank you for having me.

Leigh Dow (01:42): Let's start with the basics. What does FIDO stand for, and how is the Alliance working towards fulfilling its mission?

David Turner (01:47): Well, FIDO stands for Fast Identity Online, and we've been around for about 10 years now. Our goal is to produce industry standards and certification programs that reduce the use of, and dependence on, passwords for secure, stronger authentication.

Leigh Dow (02:04): Can you tell us about the three sets of specifications published by FIDO, for more simple, stronger authentication?

David Turner (02:11): Sure. The initial specs that we produced were called U2F, for Universal Two-factor Framework. The other was the UAF, Universal Authentication Framework. The main difference between the two is U2F was specifically targeting two-factor authentication models and the UAF was targeting the use of biometrics on mobile devices for authentication. Three years or so ago, in collaboration with W3C, we created FIDO2, which is intended to certainly supersede the U2F specification, but is now, I would say, mostly replacing UAF as well. But they're still both operational. The goal of FIDO2 is to provide the same kind of simple, strong authentication, not just in built-in applications, but also in browsers. FIDO2 is currently supported across all major platforms and in all major browsers.

Leigh Dow (03:16): I was reading Wired the other day and, for the first time ever, I saw an advertorial that talked about FIDO. It was from another company. Which was really interesting to me, that that language and that information about the technology is becoming more mainstream.

David Turner (03:35): Yeah, that's been part of our big push. In addition to producing the specifications themselves, which of course are sort of the starting point, we've also put a lot of energy into certification programs. Which makes the devices that are used and the systems much more, not just reliable, but increases people's confidence in the security of the model. We've also done quite a bit of outreach, both with governments, as well as in the industry, to help teach them about the importance of, first, two-factor authentication. But then, in particular, things like FIDO, which are phishing resistant, unlike some of the other alternatives. So, we have an active outreach program to highlight the active work being done in the organization.

Leigh Dow (04:23): We'd love to hear a bit about your own background. Looking at your history, it seems like standardization is definitely the red thread in your career?

David Turner (04:31): Yeah. The short version is, I fell into it accidentally. I was working for a much larger company some years ago and we were involved in the W3C, the World Wide Web Consortium. I started making comments about our engagement and what I thought we needed to do. The next thing I knew, I was responsible for doing it. I discovered I actually had a natural interest in working in standards, because it's a great intersection between technology, business policy and even user experience.

Leigh Dow (05:08): In your opinion, why do we need open standards that are more secure than passwords?

David Turner (05:14): Well, it doesn't take much to see why passwords are a problem when you look at the news these days. You hear about all the breaches and hacks. The reality is that the bad guys aren't hacking into most accounts, they're logging in. It's generally the easiest way to break into an account: just take advantage of stolen passwords and being able to stuff known passwords. There's a variety of other attack mechanisms out there that are pretty easy to implement when you're only using passwords. The problem is that, if everyone implemented their own way of adding strength, or even replacing passwords, we wouldn't get very far. Because the adoption would be limited, because one company would use one mechanism, another would use another mechanism. We wouldn't get the scale that we really need. By standardizing how we do this, this has enabled Google, Microsoft, Apple, Facebook, Visa, MasterCard, banks and insurance companies all to be able to implement the same underlying technology that they know is going to work across all platforms, all browsers. That gives them scale, it gives them more assurance that the technology is sound and actually secure, because of the support it gets across the industry. So, the standardization makes it easier for them to implement and builds a stronger ecosystem.

Leigh Dow (06:42): Well, and passwords are a problem too. If they're logging in instead of hacking in, I don't know about most, but a lot of people use their same password for all their accounts.

David Turner (06:55): Yeah, and that's a serious problem. That, using either the same password in many places or using very simple passwords, is what is essentially the low-hanging fruit for the hackers. Because if there's a data breach in one place and they get someone's username and password, they just start using that same username. It's usually an email and password at all sorts of other sites. The chances of getting one right are high enough that it's worthwhile. As far as the easy passwords go, again, they'll take an email that they get and they'll just start beating on sites where there may be money or other interesting things. Just start testing all sorts of common passwords. Again, they tend to get very high hit rates, because people still do both of those things. They reuse passwords and they use passwords that really aren't that strong.

Leigh Dow (07:46): Do you think our future can actually be passwordless? Do you see that adoption happening? Any kind of inflection point?

David Turner (07:53): We're already headed that way. I mean, it's not massive scale yet, but Microsoft, with their Windows Hello and such, has already moved in that direction. They're actively turning off the use of passwords in many of their systems. Even some of the consumer accounts. DoCoMo in Japan, the mobile operator, they now have passwordless systems in place for their services. It is coming. Again, it's one of these things where the infrastructure needs to get built out, as well as trust and user adoption. It's a slightly new model and it's going to take a little time to help educate users on how to log in in this new way.

Leigh Dow (08:39): When you look at specific industries, like finance or government customers, what are the standards that are taking place at FIDO now? How can we support those customers using FIDO?

David Turner (08:54): Well, again, the benefit of using a standard like FIDO is that those agencies can get the level of assurance they want. FIDO is ranked according to NIST's 863-2 spec on authentication. It's ranked at authenticator assurance level two, which is a very high bar for most applications. Which means that if a financial service or government service wants to provide a high level of protection and a secure login experience, FIDO provides that. The benefit to the relying party that's building it is that they can now get off-the-shelf components to help them build those solutions. There are companies out there, like Identiv, that provide ways of doing this that make it easier to implement. Therefore, again, improve adoption and improve security.

Leigh Dow (09:52): We talked a little bit about adoption earlier. What are the major barriers to widespread adoption?

David Turner (09:58): Well, more people have to start deploying it. It's still slow. Part of that's not anything to do with FIDO itself. Unfortunately, there are still a lot of businesses and organizations that don't understand the importance of security. There are far too many sites that don't use any kind of two-factor authentication. While FIDO is actually better than most other options, like SMS and one-time passcodes, using some kind of two factor is better than nothing. A big part of the education and growth of adoption is going to come from getting companies just to take that first step into two-factor authentication. Once they've adopted that, then they're in position to start moving more towards password-free-based solutions.

Leigh Dow (10:51): Can you tell us a little bit about how people can get involved in FIDO Alliance?

David Turner (10:55): Well, the FIDO Alliance has a number of levels of membership. There's an associate membership, which tends to be for those people who are building products and are probably going to go through the certification process. We have sponsor level, which is the level that companies who want to actually get engaged in the development are typically interested in. This will allow them to participate in all of our technical working groups and help write and develop the specifications. Then, the top level is our board-level membership. This is targeting companies that actually want to influence the strategic direction of the organization, not just the technical development of the specifications.

Leigh Dow (11:39): Many ways to be involved. Well, thank you so much for joining us today, and we really appreciate the conversation.

David Turner (11:44): Thank you. Thanks for having me.

Speaker 1 (11:48): Eliminate the risk of data breaches, phishing, password theft and replay attacks with hardened multifactor authentication cybersecurity. Passwordless logins are simple and secure with uTrust FIDO2 NFC Security Keys. Insert the device, tap the button and get secure access. It really is that easy. Learn more at

Physical security, identity verification, the IoT. The hyperconnectivity of our lives will only grow more pervasive as technology becomes more automated and experiences more augmented. It's up to us to preserve our humanity and use new tools and trends for good. The only question is, are we up for the challenge?