Modern Security Standards May Include Multi-Authentication

Multiple authentication identities have become a relevant topic during Cybersecurity Awareness Month.

“Authentication is not our only problem … but authentication is our biggest problem,” Brett McDowell, executive director of Fast Identity Online (FIDO) Alliance, said in his keynote presentation at Tuesday’s Cybersecurity Education Summit.

Up to 81 percent of all data breaches are due to credential compromise, according to McDowell.

“We’ve been talking about phishing attacks since the '90s. This is the best, easiest, fastest, most economic way for the attackers to get into your system,” McDowell said.

Passwords can be stolen through phishing or lifted from servers, and one-time passcodes can be captured over a network.

“The move to mobile and so many companies going mobile-first has heightened the need for a solution,” McDowell said.

Relying on “cryptographically based security keys as a second authentication factor,” that is, on public key cryptography, the same foundation that underlies encryption, can solve this, he said.

The three components of multiple authentication are:

  • What you have — a device or USB key
  • What you are — a biometric measure
  • What you know — a password or PIN

Unlocking the device, which holds a private key that never leaves it, proves possession. The owner then proves he or she is a valid user of the device with a biometric or password.

Once this is done, access to all connected apps is available.

The need for multi-authentication has been recognized nationally.

The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), has developed a use case for this FIDO-based technology.

The NCCoE, in collaboration with private vendors, has leveraged a single sign-on system for first responders.

As long as the apps are hosted within one Web domain, a single multi-authentication sign-on remains active for 24 hours. This is meant to save first responders time during an emergency while providing security assurance.

Kayla Nick-Kearney was a staff writer for Techwire from March 2017 through January 2019.