Making Security Convenient with FIDO (S1:E21)
June 24, 2022
About 90% of people on the internet are concerned about having their passwords compromised, but most of us still seek the simplest solution to protect our information. The more connected we are, the greater the risk of exposure. John Guerrero, CEO of Identity Systems, returns to talk about making identity security more convenient with FIDO technology.
Speaker 1 (00:01):
You're listening to Humans in Tech. Our podcast explores today's most transformative technology and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in physical access, identity verification, cybersecurity, and IoT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species, and dive into the emerging digital experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture. Your host is Leigh Dow, VP of Global Marketing at Identiv.
Leigh Dow (00:43):
Thanks for tuning in. Today, John Guerrero, CEO of Identify Systems, is on the line to talk all things FIDO. Glad to have you back, John.
John Guerrero (00:51):
Hi, Leigh. Thanks for having me back again.
Leigh Dow (00:53):
Can you tell our audience who might be new to the show or identity verification in general, what is FIDO and what are security keys?
John Guerrero (01:03):
Sure. FIDO stands for Fast Identity Online, and it's a technology developed on open standards that enables password-only logins to be replaced with secure, fast login experiences that prevent hackers from taking over your accounts. And that being said, there are a couple keywords in that answer that are important. First of all, secure. The technology provides government level of security. Fast, and given the level of security that FIDO technology provides, the login process is very user-friendly. And open standards, so this is important because there are standards available for organizations to implement FIDO technology, making it available to hundreds of applications for users.
Leigh Dow (01:46):
Can you tell our audience, what makes the everyday internet user susceptible to account takeovers?
John Guerrero (01:53):
Yeah, sure. Not a problem here. But unfortunately, what makes mom, dad, your neighbor, or any other daily internet user a target is simply we, as humans, can be lazy. It's been reported that 90% of the people on the internet are concerned about having their passwords compromised, but most people still seek the simplest solution to protect their information. And unfortunately, that is just using the username and password. It's also the reason why 23 million account holders used 123456 as their password last year and why 67% of that user base used the same password for different online accounts. It's this type of behavior that makes it easy for cyber criminals to gain access to your account.
Leigh Dow (02:40):
When they do, what do hackers do once they have compromised your password?
John Guerrero (02:46):
Well, once your password is compromised, excuse me, they use your information to take over your account. And in most cases, they're building a profile of sorts of the victim. So let's say your social media account is hacked. 50% of the people use the same password for different accounts. So now that they have your social media password, they'll use a program to replicate your social media login information on various other common applications, like banking, email, investment or medical accounts. And those are just to name a few. Once they're in, they can use your information and resources available to transfer bank funds or digital currency from your account to theirs. They're able to also purchase items from online retailers like amazon.com and have them shipped wherever they want them to.
And in the event you are one of the few that change your passwords on your various accounts, there's still a large probability that you may be using an easily remembered password for other applications. Maybe a birthday, common phrase, or maybe even your loved ones' names. This information can easily be deduced from other accounts that they have breached. So how many times have you emailed your address or your birth date to a friend, or maybe someone on your social media account wished you a happy birthday, or maybe just sent you a private message saying happy birthday. So now they have your name and your birth date to go around with any other information they may have gathered. Once they have this information, they'll begin to try to gain access to more valuable accounts. Once the cyber criminals are through with your information, they'll take the information or the profile that they've put together, and then they sell it on the dark web to cyber criminals who then start that process all over again.
Leigh Dow (04:33):
I think most people walk around thinking, "Well, that wouldn't happen to me." So what are the chances that they target me for an account takeover? What's the likelihood of that?
John Guerrero (04:45):
It's more common than you might think. It's been reported that 20% of all social media accounts will be hacked. And if that's not compelling enough, let's look at the LinkedIn breach in 2021. It impacted 756 million LinkedIn users. Hackers gained access to full names, email addresses, phone numbers, social media account details, and much more. Now the hackers have information that can be used to build a very solid profile for targeting those impacted. If you were one of those 756 million users and you're using a vulnerable password to access an online bank account, you should be feeling a little exposed right now.
Leigh Dow (05:27):
For a person who uses social media or pays their bills online, which is pretty much everyone I know, what do they have to be concerned with cybersecurity? I mean, shouldn't the platforms themselves, like Facebook, Bank of America, other applications do that for them?
John Guerrero (05:44):
Well, most, if not all organizations that have an online presence understand the threats associated with cyber criminals. Each organization has to decide for themselves how they want to protect the data that they collect. They're also very cognitive of the user experience for customers. They want their customers or subscribers to have a seamless and easy user experience while accessing their sites. This correlates directly with what was said earlier about people being lazy. Make shopping online difficult and people will go elsewhere.
So typically, companies, excuse me, will offer multi-factor authentication or what we call MFA to help protect their customers from cyber criminals. Even though you might not be sure of what MFA is, you've likely been able to take advantage of it or are using it through many applications. MFA is simply using more than one method to verify that it's you that's accessing your account. Most sites offer other ways you can authenticate to your account, like SMS, authentication apps, biometrics, or FIDO security keys.
Leigh Dow (06:53):
Well, it's always a challenge to create a pretty frictionless customer experience, but also have a highly secure environment.
John Guerrero (07:03):
Yeah. And that's the challenge in a nutshell is making security convenient. And once that's done, then people just really have to adjust to a new form of how they're authenticating or verifying that it's them that's accessing the information. And once it's done over and over again, then it becomes second hat, just like passwords, only more secure.
Leigh Dow (07:24):
What's the safest way to protect account information?
John Guerrero (07:28):
Well, getting away from passwords is definitely the way to go. And as we just discussed, enabling MFA is a recommended way to secure your accounts. And of those various authentication methods that are available, using a FIDO security key has proven to be the most secure way to protect your data.
Leigh Dow (07:45):
Why is that?
John Guerrero (07:46):
Well, I'm going to get a little bit techy here.
Leigh Dow (07:49):
Go for it.
John Guerrero (07:50):
First, if we look at just the secure login process using a FIDO security key, it's a USB security key that you're required to be in possession of in order to log in to your account. This means a hacker sitting in Russia or China or anywhere else probably would not have access to your key, at least I hope not. And then next, you have the fact that FIDO security keys have never been hacked, meaning no one has been able to decrypt that key pair string that makes it so secure during the login process. So combining the cryptographic keys on a USB security key device that you must have in your possession, this is the reason why the US government has given FIDO security keys the highest level of security assurance available. There are some additional security benefits that come with using a FIDO security key, but those two reasons I mentioned above are the two most compelling.
Leigh Dow (08:46):
What happens if you lose a security key?
John Guerrero (08:49):
So that's a great question. We all know that at some point, everyone's lost or misplaced their car keys. So losing a FIDO key isn't out of the question. But that's why it's recommended that you have two keys, one is a primary key and one you use as a backup. So now let's say you lose a key while you're traveling and you don't have access to your backup, or you don't have a backup at all. There's really no need to worry because there are always backup methods that can be used to allow access to your accounts that are offered through your application, like Bank of America or any cryptographic wallet or something to that effect.
Leigh Dow (09:26):
Why would we recommend Identiv's uTrust FIDO2 Security Keys? Why would someone choose those?
John Guerrero (09:32):
Well, from a technology standpoint, FIDO keys are very similar from manufacturer to manufacturer. But there are some compelling reasons that I would use the Identiv keys. And those are that the Identiv keys, they're assembled here in the US. And to me, that's very valuable. And the price point for the keys is extremely competitive to any key on the market, even those made overseas, like in China or other places.
Leigh Dow (09:58):
Yeah, they're really not very expensive.
John Guerrero (10:01):
No, no. We're talking about a very reasonable cost item that gives you high, high security. And the last reason is I'm familiar with Identiv, and I've been in the industry for about 25 years. And Identiv has a longstanding history of being the number one supplier of certain authentication devices to the US military and the federal government. This carries a lot of weight to me. They're so well trusted to be their primary provider of things like smart card readers for their common access card or their PIV cards that I just have a built-in trust to them associated with the government.
Leigh Dow (10:40):
One question we ask everyone, any closing thoughts on living in our technology-centric, hyperconnected world?
John Guerrero (10:49):
Well, technology-centric and hyperconnected, they're great terms that everyone needs to know. Not just tech people, but everyone. Being hyperconnected enables us, as a society, to do things that we once thought were unimaginable. However, there are always bad apples out there. And the more connected you are, the greater risk of exposure you have. We need to understand that everyone has to do their part when it comes to protecting our information. And today's technology allows us to do that and so much more.
Leigh Dow (11:20):
Well, it was so great to have you on today and thanks for calling in again. I always enjoy our conversations.
John Guerrero (11:26):
Again, I appreciate you having me back. And look forward to some of the upcoming podcasts that you guys have coming out.
Leigh Dow (11:33):
Absolutely. Thanks, John.
John Guerrero (11:34):
Thank you, Leigh. Take care.
Speaker 1 (11:36):
Eliminate the risk of data breaches, phishing, password theft, and replay attacks with hardened multi-factor authentication cybersecurity. Passwordless logins are simple and secure with uTrust FIDO2 NFC Plus Security Keys. Insert the device, tap the button, and get secure access. It really is that easy. Learn more at identiv.com. Physical security, identity verification, the IoT, the hyperconnectivity of our lives will only grow more pervasive. As technology becomes more automated and experiences more augmented, it's up to us to preserve our humanity and use new tools and trends for good. The only question is, are we up for the challenge?