FIDO approach reveals identity and access confusion

The Fast Identity Online (FIDO) Alliance – a group of technology companies including Apple, Google and Microsoft – recently announced its commitment to supporting passwordless authentication across its products. FIDO’s plans have been in place for nearly a decade, and work started long ago on a system that lets users log in to their online accounts without a password, using instead a PIN, a biometric, an iris scan or voice recognition.

FIDO’s approach is expected to be implemented across Apple, Google and Microsoft platforms later this year, and FIDO believes it will offer better protection than legacy multi-factor authentication and a stronger defence against phishing attacks.

Instead of having users remember passwords, FIDO proposes that passwords are stored on devices or in the operating system’s associated cloud sync service. A device such as a phone becomes the access point, and access is authenticated by entering the phone’s PIN or by using fingerprint or face identification.

In theory, this would reduce the reliance on passwords and give users a way of keeping their credentials to hand as they move from device to device. In practice, the longing for convenience and ease of access has pushed security to the side and could leave users’ vital data vulnerable to threat actors.

Identity versus Access

FIDO’s approach to passwords, while convenient, first reveals a dangerous confusion between access and identity. Contrary to popular belief, the two are not interchangeable. Identities are fixed while access keys are changeable. In the physical world, we use them for different needs.

Your identity is used to identify yourself: for example, when you cross a country border, or when you need to prove you have the legal right to live in a country or in a house. Your legal identity is fixed and doesn’t change when you change job or country. Your identity is unique.

Access, on the other hand, is granted by an authority such as a company or a landlord to allow certain people to enter certain places. Access is usually granted by giving someone a key, and keys don’t depend on a person’s identity. For example, when you go home, your door doesn’t look at you, recognise you and open for you. If you have the keys, you can open the doors.

Contrary to your unique identity, you can have as many keys as you have doors, which means if you lose your car key for example, it doesn’t affect your house or your office. You can simply change your keys.

Now imagine that you use your identity biometrics to access everything you own. Biometrics are simply a unique combination of 0s and 1s. We know from recent data breaches that large databases of identity biometrics can and have been stolen. If your biometrics are stolen, not only can you immediately lose everything you have, but you also can’t go back and delete them. Biometric theft is permanent, which means you will always face the risk of someone using your identity illegally. Does convenience justify taking such high risks?

Who, except a locksmith, makes their own keys?

Another point of confusion concerns access keys. People have long believed that they need to create passwords and remember them. But passwords are just keys, digital keys. Who, except locksmiths, ever designed and cut their own keys to open their house, their car or their safe? People simply retrieve the right key and use it.

In the digital world there are no physical obstacles to stealing your keys, so one simple defence is to use encrypted passwords. If you don’t know or see your passwords, you can’t inadvertently give them away. There are different ways to manage encrypted passwords for different needs; the safest is to keep them in a fortress with multiple levels of security for different passwords that only the owner can access.

According to Verizon’s Data Breach Investigations Report 2022, 82% of all data breaches involve a human element such as social attacks, phishing and password misuse. In the business world, companies can protect themselves from this human element by distributing end-to-end encrypted passwords for every system to all of their employees, digitally handing people individual access keys that they can use without ever seeing them.

End-to-end encryption means passwords are out of reach at every stage, from creation and distribution through storage and use to expiry. That way, employees can’t know the passwords, so they cannot give them away in phishing attacks, which represent 83% of cyberattacks according to the Office for National Statistics in 2021. Not knowing passwords also means not forgetting passwords, which saves organisations the cost of password resets and the lost productivity that goes with them.

All your data behind a single point of access

A third point of confusion concerns the use of a single point of access. In the physical world, it’s unsafe to have a single key for your house, car and office, because losing that key means losing everything you have. But in the digital world, in return for convenience, people have been advised to use a single master password, biometric or PIN, as in FIDO’s proposal, to access all their digital assets. For people who follow that advice, one attack could cause the loss of all of their accounts and data at once.

A warning spike in physical assaults

The list of issues that ensue from FIDO’s proposal is endless, but none has more chilling implications than the risk of turning everyone who owns a portable device like a smartphone into an obvious target for physical crime. When every device essentially holds the keys to all your wealth, you become a walking wallet with an easy target on your back. There have already been many cases in London of people being physically assaulted and forced to provide their fingerprint or face ID to unlock their devices so that criminals could steal all their cryptocurrency.

Time and time again, new technology has been implemented without a proper security assessment and has ended up proving harmful to people. Before accepting FIDO’s proposal, people should remember the old adage: be careful what you wish for.

Julia O’Toole

Julia O’Toole is the founder and CEO of MyCena Security Solutions, a breakthrough solution to manage, distribute and secure digital access. An inventor and author of several patents, Julia uses maths, neuroscience and technology to research and design simple yet innovative solutions for complex problems. Julia’s areas of research and expertise include cybersecurity, collaboration and search. Julia founded MyCena in 2016, which has since become a market leader in segmented access management and safe password distribution. With its ground-breaking patented security system, MyCena protects companies from the risks of password error, fraud and phishing, loss of command and control, ransomware, and supply chain cyberattacks.
