Why FIDO’s proposal to use identification for cyber access opens more security vulnerabilities for threat actors to exploit
By Julia O’Toole, Founder and CEO of MyCena Security Solutions
In recent months, the Fast Identity Online (FIDO) Alliance has announced that its members will support passwordless authentication across their platforms. The group, whose members include Apple, Google and Microsoft, has been working towards this for nearly a decade and expects to roll it out across platforms later this year.
FIDO began by working on a way for users to log in to online accounts without a password: a cryptographic key pair held on the user's device takes the password's place, and the user unlocks it locally with a PIN or a biometric such as a fingerprint, face or iris scan. FIDO now argues that this offers better protection than legacy multi-factor authentication and is more resistant to phishing.
Rather than relying on users to remember passwords, the private keys (passkeys) are stored on the user's device or synchronised through the cloud account tied to their operating system. The phone becomes the access point to their work domain, with each use authorised by entering a PIN or presenting a fingerprint or face.
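To make precise what actually changes hands in a FIDO login, here is an added illustrative model written for this edit; it is not code from FIDO, the author or MyCena, and it is not a WebAuthn library. It assumes a hypothetical relying party bank.example and a hypothetical look-alike phishing domain bank-example.com, and uses an Ed25519 key pair to stand in for the WebAuthn credential. The PIN or biometric check happens on the device and only gates the signing operation; what reaches the server is a signature over its challenge and its own origin, and the server's database holds public keys alone. The author's concerns about one local unlock gating every key, and about coercion, apply to that unlock step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device. Private keys never leave it; the local
// PIN or biometric check only decides whether Sign may run. (Hypothetical model of
// the FIDO2/WebAuthn flow written for this example, not a WebAuthn library.)
type Authenticator struct {
	keys     map[string]ed25519.PrivateKey // one key pair per relying-party origin
	unlocked bool
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// UnlockLocally stands in for the PIN or fingerprint check; it happens on the device and no biometric data is sent anywhere.
func (a *Authenticator) UnlockLocally(ok bool) { a.unlocked = ok }

// Register creates a fresh key pair bound to one origin and returns only the public half.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return pub, nil
}

// Sign answers a challenge for the origin the browser actually connected to.
// A look-alike phishing domain has no registered key, so nothing is signed for it.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, fmt.Errorf("authenticator locked: PIN or biometric required")
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for origin %q", origin)
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// signedData binds the assertion to both the origin and the server's challenge.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the server. Its database holds public keys only, so a dump
// of it gives an attacker nothing that can be replayed as a credential.
type RelyingParty struct {
	ID    string
	users map[string]ed25519.PublicKey
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]ed25519.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.users[user] = pub }

// NewChallenge issues a fresh nonce so a captured signature cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts the login only if the signature covers this server's own ID
// and the exact challenge it issued.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}

func main() {
	auth, rp := NewAuthenticator(), NewRelyingParty("bank.example") // hypothetical origin
	pub, _ := auth.Register(rp.ID)
	rp.Enroll("alice", pub)
	auth.UnlockLocally(true)
	ch := rp.NewChallenge()
	sig, _ := auth.Sign(rp.ID, ch)
	fmt.Println("genuine origin accepted:", rp.Verify("alice", ch, sig))
	_, err := auth.Sign("bank-example.com", ch) // hypothetical look-alike phishing domain
	fmt.Println("phishing origin:", err)
}
```

Three properties of the flow are visible in the code: a locked authenticator signs nothing, a signature is only ever produced for the origin that holds a registered key, and a captured signature fails against the next challenge. What the model does not remove is the single point the author is concerned with: one local unlock opens every key pair on the device.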
FIDO hopes to reduce reliance on passwords and let users carry their credentials with them as they move between devices. However, putting convenience ahead of resilience in this way could leave vital data exposed to threat actors.
Why identity and access are not the same
FIDO's approach rests on a confusion between identity and access. Someone's identity is composed of fixed, unchanging properties: legal identity, work or academic credentials, and biometrics. Your legal identity gives you rights such as living in a country, receiving benefits and travelling to certain places; your professional credentials give you the right to practise in regulated professions such as medicine or law. Biometrics such as your face, iris and fingerprints are hard-coded, visible and therefore non-secret characteristics that you cannot change.
None of the data behind these attributes is hard to obtain, whether from leaked databases (the entire 45-million-record Argentinian digital ID database, for instance) or from photographs, as a benevolent hacker showed by recreating the fingerprint of the current President of the European Commission from pictures. What makes identity particularly dangerous as an access factor is the permanence of the theft: once stolen, data cannot be unstolen. You can change a password, but you cannot change who you are.
Keys, on the other hand, were invented long ago to grant access to particular places. The concept is simple: whoever holds the right key can open a given door. It is entirely independent of identity, since keys can be transferred, shared or changed. In the physical world you can have as many keys as you have doors to lock, so losing one key means changing one lock.
Don’t use a single key for everything
In the physical world, people do not use a single key for every door. One key for the house, the car and the office would be extremely unsafe, since losing it would mean losing everything in one swoop. In the digital world, however, people have been advised to use a single master password, biometric or PIN to reach all their digital assets. FIDO's proposal is another instance of trading resilience for convenience: if people follow that advice, one attack can cost them every account and all their data at once.
A lifetime of risk for a moment of convenience
Things get worse when biometrics are combined with single access. Imagine using your biometrics to unlock everything you own. Once digitised, a biometric is just data, a template of bits, and data can be copied. A thief who obtains it would not only be able to reach every account gated by it; the biometric itself would be permanently compromised, since you cannot change who you are. You would never again fully control that part of your digital identity, and the data you handed over for convenience could be used to impersonate you at any point in the future without your knowledge.
Never make your own keys – physical or digital
Managing access keys in the real world is straightforward: companies give keys to employees, landlords to tenants, car dealers to car buyers. Nobody thinks they must become a locksmith and cut their own keys; keys are received and used. The misconception began when we moved to the digital world and people came to believe they had to make their own keys. That is both inefficient and unnecessary. Just as you do not cut your own keys, you do not need to invent or remember passwords. A password is just a digital key.
The essential difference between a physical and a digital key is the absence of physical obstacles to theft. In the physical world a thief must be within reach of the key. In the digital world the thief can be anywhere, and can phish or guess your digital keys from a distance. So the question is how to keep those keys from being stolen, and history gives the answer: make them secret.
Solution: encrypt all digital keys!
As Simon Singh recounts in The Code Book: The Secrets Behind Codebreaking, people have used cryptography throughout history to keep secrets. For digital keys, the surest way to keep a password secret from everyone, including the user, is to keep it encrypted from creation through distribution, storage and use until expiry: you cannot leak what you do not know.
Passwords keep the properties of keys: they are flexible, changeable, discardable and work for anything. Encrypting every digital key removes the human element from credential handling, and the human element featured in 82% of breaches according to Verizon's 2022 Data Breach Investigations Report. It eliminates weak and reused passwords, and it also stops attackers stealing or buying credentials from current and former employees, as recently happened at around two dozen major natural gas suppliers and exporters.
Encrypted passwords can be managed in different ways for different needs. In a business, the company can generate an end-to-end encrypted password for every system and distribute them to employees inside a segmented, encrypted store with several levels of security. End-to-end encryption takes the passwords out of employees' hands: they can use them as keys to open doors without ever knowing or seeing them. An employee who does not know a password cannot give it away in a phishing attack, and phishing featured in 83% of reported attacks according to 2021 Office for National Statistics figures. Not knowing passwords also means not forgetting them, which saves organisations the cost of password resets and the lost productivity.
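The two mechanisms argued for above, one independent key per door and keys that are generated and sealed by the organisation rather than invented by the employee, can be shown concretely. The following is an added example written for this edit, not MyCena's product or code and not a description of its patented system. It constructs a few sample systems ("vpn", "crm", "payroll"), gives each a random credential it never has to share with any other system, seals the credentials with AES-256-GCM under a key only the organisation holds, and exposes them only through a Use operation that opens a door without returning the plaintext. A BlastRadius function counts how many doors a single leaked credential opens under the shared-master-key model versus the per-door model. Salted SHA-256 stands in for the systems' password storage to keep the example to the Go standard library; a production system would use a slow password hash.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// System is one "door": it keeps only a salted hash of the credential it accepts.
// (Salted SHA-256 keeps this to the standard library; production would use a slow hash.)
type System struct {
	Name       string
	salt, hash []byte
}

func NewSystem(name, credential string) *System {
	salt := randomBytes(16)
	return &System{Name: name, salt: salt, hash: hashCredential(salt, credential)}
}

func hashCredential(salt []byte, credential string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), credential...))
	return sum[:]
}

// Accepts is the lock: a constant-time comparison against the stored hash.
func (s *System) Accepts(credential string) bool {
	return subtle.ConstantTimeCompare(s.hash, hashCredential(s.salt, credential)) == 1
}

// NewCredential cuts a random 192-bit key that nobody has to invent or remember.
func NewCredential() string { return base64.RawURLEncoding.EncodeToString(randomBytes(24)) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// BlastRadius counts how many doors a single leaked credential opens.
func BlastRadius(leaked string, systems []*System) int {
	n := 0
	for _, s := range systems {
		if s.Accepts(leaked) {
			n++
		}
	}
	return n
}

// Vault seals each credential with AES-256-GCM under a key only the organisation holds.
// The system name is authenticated as associated data, so a blob cannot be re-pointed at another door.
type Vault struct {
	aead   cipher.AEAD
	sealed map[string][]byte // system name -> nonce || ciphertext+tag
}

func NewVault(orgKey []byte) *Vault {
	block, err := aes.NewCipher(orgKey) // orgKey must be 32 bytes for AES-256
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block size
	return &Vault{aead: aead, sealed: map[string][]byte{}}
}

func (v *Vault) Store(system, credential string) {
	nonce := randomBytes(v.aead.NonceSize())
	v.sealed[system] = v.aead.Seal(nonce, nonce, []byte(credential), []byte(system))
}

// Use decrypts a credential only to present it to the named door; the caller learns whether it opened, never the plaintext.
func (v *Vault) Use(sys *System) bool {
	blob, ok := v.sealed[sys.Name]
	if !ok {
		return false
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(sys.Name))
	if err != nil {
		return false
	}
	return sys.Accepts(string(pt))
}

func main() {
	master := NewCredential() // single-master-key model, constructed sample
	doors := []*System{NewSystem("vpn", master), NewSystem("crm", master), NewSystem("payroll", master)}
	fmt.Println("doors one leaked master credential opens:", BlastRadius(master, doors))
}
```

With one credential shared across the doors, a single leak opens all of them; with a random credential per door, it opens exactly one. Because the system name is authenticated as associated data, a sealed blob copied from one door's slot to another's fails to decrypt, and rotating a system's credential makes the stale sealed copy useless rather than quietly dangerous.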
Not your keys, not your data
Conversely, when companies let employees create and control the keys to their data, the companies do not control those keys, and without the keys they cannot control or protect the data. Attackers know this, and know how easy it is to phish or guess one employee's keys, which is why data breaches are so common. Only companies that encrypt their access can meet their legal obligation of custody, possession and control of their data, because only then do they hold the keys.
Increased physical risks
Of the issues stemming from FIDO's proposal, none has more chilling implications than the risk that spills over into the physical world: anyone carrying a portable device becomes an obvious target. Assaults have been reported in London in which victims were threatened with knives and forced to present a fingerprint or face to unlock their devices. If everyone used their identity on a mobile device to open all their accounts, anyone walking down the street would become a walking wallet for criminals.
As the last decades have taught us, technology that seems convenient at first often hides oversized, unforeseen and uncalculated risks. FIDO's proposal to use identity for access can directly affect people's security and well-being. Fortunately, we have accumulated enough experience and data to do proper risk assessments before going all in on the next shiny object. If the early years of the internet taught us anything, it is that convenience often hides a flipside discovered only when it is too late. Let us not repeat that mistake when so much is at stake.
About the Author
Julia O'Toole is Founder and CEO of MyCena Security Solutions, which provides a solution for managing, distributing and securing digital access. An inventor and author of several patents, she draws on mathematics, neuroscience and technology to design simple solutions to complex problems; her areas of research and expertise include cybersecurity, collaboration and search. She founded MyCena in 2016, and the company has since become a market leader in segmented access management and safe password distribution. With its patented security system, MyCena protects companies from the risks of password error, fraud and phishing, loss of command and control, ransomware and supply chain cyberattacks.