As data breaches become more common and cyber-criminals become more adept at stealing personal data, there’s a need to develop better ways to protect people’s identities online. Brett McDowell is the Executive Director of the FIDO Alliance, an organization that develops strong authentication standards to better protect individuals’ digital identities. McDowell spoke with The Cipher Brief about the problems with passwords, and how biometrics, used in conjunction with FIDO standards, can be used to augment and improve authentication.
The Cipher Brief: Most people and organizations use passwords to protect their information online. What are some of the deficiencies with relying solely on passwords to protect data?
Brett McDowell: First let me put the password topic into context. The vast majority of online services must remotely enroll new users with something we call “credentials” that will be required in the future to gain access to that user's account or to transact on that user’s behalf. Authentication is what we call the process of the online service challenging the user for their credentials, checking the credentials against their own records, and then providing the user with access to that account. The password is part of a username+password “credential” that most people and organizations still rely upon to protect their information online. To understand the deficiencies of passwords-as-credentials, you need to look at the password’s fundamental security and usability characteristics.
From a security perspective, the password is what we call a “shared symmetric secret,” which means both parties in a password authentication system – and only those two parties – must know the secret. This requires online applications to store these secrets on their servers, which means a data breach of one online server results in an increased risk to the rest of the ecosystem, because the attacker now has credential “secrets” to use against other servers. This has happened so often in the past few years that we literally know of over a billion stolen passwords that are in circulation, making these credentials not very “secret” anymore.
The data breach is the most widely reported vulnerability of password-based security systems, but there are many other vulnerabilities. For instance, a user can be tricked by “social engineering” into revealing his/her password through phishing attacks that spoof the online service’s identity, installing malware on the user’s device to record their keystrokes, or simply brute force “guessing” attacks to get into accounts protected by very weak passwords. The recent Verizon Data Breach Report showed 23 percent of recipients now open phishing messages and 11 percent click on the attachments. These vulnerabilities exist because of the inherent properties of passwords being human-readable shared secrets.
From a usability perspective, the password puts users into a no-win situation, where they either create different, complex passwords for all of their accounts – in which case they cannot remember them when they need them, or they have to store them (typically somewhere that is not safe) – or they create only one or very few simple passwords that are easy to remember, which puts them at greater risk of having a single stolen or broken password result in many account takeovers, identity theft, and fraud. The usability problem has only gotten worse in recent years through the ubiquity of smaller keyboards (mobile devices), more complex requirements for “password strength” at many sites, and the introduction of one-time-passcodes as a second factor “secret” that forces the users to type not one, but two passcodes every time they authenticate.
This is not only a problem for online services in the consumer market. When password-based credentialing extends among an enterprise, its partners, and contractors, the attack surface increases, allowing attackers to infiltrate at the weakest point in the chain and work their way into and among organizations.
In summary, passwords are quickly evolving into an untenable credentialing system because of their fundamental security and usability characteristics. That evolution is being accelerated by the global shift to mobile computing and the ever-rising tide of data breaches. We need a fundamentally new credentialing technology, one that is based on open standards so it can become as ubiquitous as passwords, and one that does not share the security or usability flaws of shared secrets.
TCB: What would be a more efficient way to protect information? What needs to be done to help improve individuals’ ability to keep their information safe? How is the FIDO Alliance working to help in this area?
BM: The FIDO (Fast IDentity Online) Alliance was launched in 2013 to revolutionize online authentication by developing open, interoperable industry standards that leverage proven public key cryptography for stronger security and device-based user verification for better usability. FIDO Alliance was created to specifically solve the authentication problem in the larger context of identity and access management, without duplicating effort or reinventing the wheel. FIDO standards are therefore complementary to other industry standards efforts in this area.
The Alliance is developing standards in the form of the current FIDO 1.0 protocols, which offer a passwordless experience that leverages on-device biometric data for user verification, or a second factor experience that can complement existing password systems and leverages the presentation of a secure device. All FIDO specifications provide an open standard way to vastly improve the security and usability of authentication. For example, the user need only touch something (a fingerprint sensor, or present a “security key” device), look at something (iris or facial recognition), or say something (voice authentication), which is a vast improvement over the usability of typing passwords or one-time-passcodes.
These simpler user experiences are secured by FIDO’s use of long-proven asymmetric public key cryptography, where the private key is the only “secret,” and it is stored on the user’s device. Only the public key is ever shared with the online service, resulting in no credential secrets ever being shared with servers, which renders the threat of credential theft from a data breach moot. The only way to attack a FIDO credential/private key is to attack the user’s personal device. When that device leverages modern technology for the protection of the private key, such as secure elements and/or trusted execution environments (which is the trend with consumer electronics today, especially mobile devices), the attacker must actually gain physical possession of that user’s device to even attempt an exploit. This type of attack does not scale and is not economical from a cyber crime perspective. In summary, FIDO standards are a game changer from both a security and usability perspective.
Privacy is another core tenet of FIDO protocols. The protocols do not provide information that can be used by different online services to correlate and track a user across their services. As required by our Privacy Principles and Certification Program, biometric information, if used, never leaves the user’s device. FIDO standards were designed with end-user privacy in mind.
TCB: Biometrics are being hailed as the next step in information security, but some critics have pointed out that biometric data can also be stolen or faked. For example, over 5 million federal employees’ fingerprints were stolen as part of the OPM hack. What would you say to allay these concerns?
BM: First, let me put the biometrics topic into context. The strength of authentication is often measured by how many “factors” are used, especially when those factors come from multiple categories (“multi-factor authentication”). These factors are “something you know” (like a password), “something you have” (like a personal device), or “something you are” (a biometric, which is a measurement of some uniquely defining attribute you have such as your fingerprint, iris, voice, face, etc.). Biometrics, when used for online authentication, are generally used in one of two architectures: local-match and remote-match. In a remote-match architecture, the biometric must be stored on the server, just like passwords. Therefore, like passwords, remote-match biometric authentication systems are vulnerable to data breaches like what you saw with OPM. FIDO does not use remote-match biometric architectures. In fact, our Privacy Principles prohibit the sharing of biometric data beyond the user’s personal device.
The FIDO biometric model uses a two-step process, with the user authenticating first to the device using a local-match architecture. This biometric data never leaves the device. In the second step, the device authenticates to a server on behalf of the user by invoking a cryptographic key process based on FIDO protocols. If step one is successful, then the “private key” on the device simply “signs” the authentication challenge sent by the server, and the user is authenticated to the online service when the server verifies the “signature” used to sign the challenge. The server can do this because it has the “public key” that it stored when the FIDO credential “key pair” was first registered to that account. This two-step process results in a strong multi-factor authentication event because of the combination of the device-protected-private-key (“something you have”) and the local-match biometric verification (“something you are”).
To answer your question about biometrics being “faked” I need to go back to the idea of “secrets” being used as credentials for authentication, because biometric information isn’t really “secret” in the traditional sense. For example, if we look at fingerprints, those are left behind every time you touch a smooth surface. The biometrics industry has done a good job of evolving defenses against “presentation attacks” or what you might call “spoof” attacks. That being said, it is a constant arms race between attackers and biometric sensor manufacturers, and successful spoof attacks will continue to be a reality for the foreseeable future. What is important to recognize is that spoof attacks are not a major concern in a FIDO authentication system because they don’t scale. Recall that FIDO’s use of biometrics is exclusively local-match, and the FIDO credential is the private key that is stored only on the user’s personal device, which means a biometric spoof attack against a FIDO credential can only be attempted if the attacker has physical possession of the user’s device. The attack cannot be performed by social engineering, phishing, or malware. Not even a data breach that harvests FIDO “public keys” is of any use to the attacker. The attacker must steal the phone or computer to even attempt an attack. As I pointed out before, this doesn’t scale and is not viable for financially-motivated attackers. In other words, biometric spoofs will happen—and that’s okay.
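The registration and two-step authentication flow McDowell describes (local biometric match on the device, then the device's private key signs a server challenge that the server verifies with the stored public key), as an added Go example that is not part of the interview and not FIDO Alliance code. The `Authenticator` and `Server` types, the exact-hash "local match" and the constructed fingerprint template are stand-ins for a real sensor and relying party, not the FIDO 1.0 wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: it holds the only secret (the private
// key) and uses it only after a successful local biometric match.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	enrolled [32]byte // hypothetical stand-in: hash of the locally enrolled biometric template
}
// Server stores public keys only; a breach of this map yields nothing usable to log in.
type Server struct{ pubKeys map[string]*ecdsa.PublicKey }
func NewServer() *Server { return &Server{pubKeys: map[string]*ecdsa.PublicKey{}} }

// Register generates the key pair on the device and sends only the public key to the server.
func Register(s *Server, user string, template []byte) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.pubKeys[user] = &priv.PublicKey
	return &Authenticator{priv: priv, enrolled: sha256.Sum256(template)}, nil
}

// Challenge issues a fresh random nonce per login so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the two-step event: step 1, local match (constructed stand-in: exact hash
// compare of the presented sample); step 2, the private key signs the server's challenge.
func (a *Authenticator) Sign(presented, challenge []byte) ([]byte, error) {
	if sha256.Sum256(presented) != a.enrolled {
		return nil, errors.New("local biometric match failed; private key not used")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}
// Verify checks the signed challenge against the public key stored at registration.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	digest := sha256.Sum256(challenge)
	return ok && ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

A failed local match never reaches the private key, and a signature captured from one login is useless against the next challenge, which is the "no shared secret on the server" property the answer describes.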
TCB: How can the government and industry work together to create better identity solutions?
BM: Government plays a significant role in standards adoption and best practices as it generally services a large and diverse population. The National Strategy for Trusted Identities in Cyberspace (NSTIC) in the U.S. is one example of government and industry working together to improve security, authentication and online identity. Currently, FIDO Alliance members are part of this effort. The FIDO Alliance also launched a government membership program in June, with the U.S. and UK governments as the initial members. The program now includes the German Federal Office for Information Security and CAICT, a research organization under the Chinese Government. This is but one area where FIDO is bringing together entities with like-minded ideas toward better security and authentication. The FIDO Alliance has also launched a new Cooperation & Liaison Program that fosters collaboration among global not-for-profit associations. These organizations serve a range of industry-specific or region-specific requirements for technology, especially online privacy and security. We now have 13 partners in this program, including the W3C, National Cyber Security Alliance, Electronic Transactions Association, Global Platform, the National Healthcare ISAC, Open Mobile Alliance, IBIA and Biometrics Institute, among others. So yes, government and industry can work together to create better identity solutions, and I am pleased to say the FIDO Alliance is a leading example of how to do that successfully.