Shortly after buying some new couches for their home, my neighbors got saddled with dog-sitting duty by a relative. In an effort to protect their investment from the scratches and claw marks of the 50-pound Belgian Shepherd that sent their previous sofa set to the furniture graveyard, they started online shopping for furniture covers. They found some adequate couch covers on Amazon with relative ease and added them to their shopping cart, but after clicking the “Proceed to checkout” button, their efforts were stymied by Amazon’s sign-in page, which required their password. My neighbors – not a terribly tech-savvy couple – spent the next several minutes trying to remember which of them had set the password originally and which of them had last changed it.
Having spent the last decade of my career in the Identity & Access Management space – many of the earlier years focused on password management implementations – I felt compelled to weigh in on the situation, and so before my brain could remind my mouth that I had the wrong audience for my feedback, I said “don’t worry guys, FIDO will fix this!”
Confused, one of them responded, “The dog’s name is Sable.”
The next day, they bought their couch covers at a brick-and-mortar Target.
There’s nothing unique about this anecdote. According to the FIDO (“Fast Identity Online”) Alliance, a staggering one-third of online purchases are abandoned due to forgotten passwords. The statistic is understandable, though, when you consider that the average internet user has over 90 online accounts, and the number of passwords each of us must remember (and forget!) only goes up from there once you factor in that the industry’s preferred password policies require users to change them periodically. Password synchronization is a pipe dream given how much policies differ on minimum length, special-character requirements, and whether dictionary words are allowed as a substring of the password. Further, even if password synchronization were a realistic goal, most experts discourage it, because if one of your passwords becomes compromised, then all of them are. A universally accepted password policy was never adopted by the industry because, well, it shouldn’t have been. It makes sense, after all, that the password used to access your bank account should be held to more stringent conditions than the password used to access your fantasy baseball league roster.
Still, if the burden that passwords place on the account owner is what made them such a universally unpopular entity, the risk that the organizations responsible for protecting these passwords face en masse is objectively far more harrowing. When an organization is hacked, it’s not a few accounts that are compromised; it’s up to and including all of them. For Target, that was 100 million people. For Marriott, it was 500 million customers, and for Yahoo!, it was 3 billion user accounts. Passwords are the root cause of over 80% of data breaches.
FIDO2 is poised to become the answer to the problems posed by passwords.
Launched in 2013, the FIDO Alliance is an open industry association whose stated goal is to create and promote authentication standards that reduce the world’s reliance on passwords. However, while the FIDO Alliance has been around for several years, like most technological advancements, it didn’t catch fire overnight. Who, after all, had a personal computer in 1980, a cell phone in 1990, or a Facebook account in 2004? That said, the FIDO Alliance may be on the brink of realizing its moment, if it hasn’t already, having hit an aggressive series of milestones year after year, the most recent of which came in March when the World Wide Web Consortium (W3C) announced Web Authentication (WebAuthn) – a core component of the FIDO2 protocol – as an official web standard.
By leveraging the simple biometric methods already built into smartphones, such as fingerprint readers and facial recognition, the FIDO2 set of specifications reduces the online community’s reliance on passwords. Further, by ensuring that cryptographic login credentials are unique to each service and never leave the user’s device, the FIDO2 security model effectively eliminates the risk of phishing attacks and password theft.
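To make that security model concrete, here is an added example in Go. It is not code from IDMWORKS, the FIDO Alliance, or any WebAuthn library; it models the two ceremonies in miniature. The type and function names, the relying party "example.com", the look-alike origin "examp1e.com", the user "alice", and the fixed challenge strings are all constructed for the illustration, and the signed structures are a simplified stand-in for the real WebAuthn authenticatorData and clientDataJSON. What it shows: the device keeps a separate private key per relying party and never exports it, the server stores only public keys, and a signature is bound to both the relying party ID and the origin the browser was actually on, which is why a look-alike site cannot obtain a usable login and why a captured assertion cannot be replayed against a fresh challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: one key pair per relying party ID.
// Private keys never leave this struct; Register hands out only the public key.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assertion is the login response the relying party receives. Challenge and Origin
// are filled in by the browser (a simplified stand-in for WebAuthn's clientDataJSON).
type Assertion struct {
	Challenge, Origin string
	Signature         []byte
}

// signedMessage is what gets signed and verified: SHA-256(rpID) || SHA-256(challenge,
// origin), binding the signature to the key's rpID and to the origin the user was on.
func signedMessage(rpID, challenge, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256([]byte(challenge + "\x00" + origin))
	m := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return m[:]
}

// Sign models browser plus authenticator: the browser derives rpID from the origin
// it is on; the authenticator signs only if it holds a key scoped to that rpID.
func (a *Authenticator) Sign(origin, rpID, challenge string) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for rpID %q", rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge, origin))
	if err != nil {
		return nil, err
	}
	return &Assertion{Challenge: challenge, Origin: origin, Signature: sig}, nil
}

// RelyingParty stores only public keys (username -> key), so a breach of this
// table yields nothing an attacker could replay as a login.
type RelyingParty struct {
	ID, Origin string
	pubKeys    map[string]*ecdsa.PublicKey
}

// Verify runs the server-side checks: known user, fresh challenge, expected origin,
// and a valid signature under this rpID from the user's registered public key.
func (rp *RelyingParty) Verify(user, challenge string, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	switch {
	case !ok:
		return fmt.Errorf("unknown user %q", user)
	case as.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case as.Origin != rp.Origin:
		return fmt.Errorf("origin mismatch: assertion was made on %s", as.Origin)
	case !ecdsa.VerifyASN1(pub, signedMessage(rp.ID, as.Challenge, as.Origin), as.Signature):
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Scenarios registers the constructed user "alice" with the constructed relying party
// "example.com" and returns the outcome of three login attempts. Challenges are fixed
// strings here; a real server draws a fresh random one for every login.
func Scenarios() map[string]error {
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com", pubKeys: map[string]*ecdsa.PublicKey{}}
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub, err := auth.Register(rp.ID)
	if err != nil {
		return map[string]error{"setup": err}
	}
	rp.pubKeys["alice"] = pub
	out := map[string]error{}
	// 1. Genuine login on the real origin.
	as1, err := auth.Sign(rp.Origin, rp.ID, "challenge-1")
	if err == nil {
		err = rp.Verify("alice", "challenge-1", as1)
	}
	out["genuine"] = err
	// 2. Look-alike site (constructed name): the browser derives rpID "examp1e.com",
	//    for which no key exists, so the device never produces a signature at all.
	_, out["lookalike"] = auth.Sign("https://examp1e.com", "examp1e.com", "challenge-2")
	// 3. Replay: assertion 1 presented again against a new challenge.
	out["replay"] = rp.Verify("alice", "challenge-3", as1)
	return out
}

func main() { fmt.Println(Scenarios()) }
```

Running it prints a nil error for the genuine login and a descriptive error for the other two. Note that the server's checks (fresh challenge, expected origin, signature under its own relying party ID) are the part a deployment controls; an implementation that skipped the origin comparison would give up much of the phishing resistance the protocol is designed to provide.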
Interested in learning more about a world beyond passwords? Reach out to IDMWORKS today to learn more about how FIDO2 can work in your Ping Identity or Okta implementation!