It’s almost a daily occurrence — reading about the latest company, chain store or financial institution that has become the victim of a serious hacking attack. The yearly cost of online identity fraud is estimated at more than a trillion dollars. The costs related to the Target holiday data theft alone have now exceeded $200 million for financial institutions, according to data collected by the Consumer Bankers Association and the Credit Union National Association. And the data continues to show that financial transactions and banking are the top targets for online criminals. One hijacked password can wreak havoc on an organization – and just as easily destroy an end user’s online identity.
To keep accounts safe, a user name and password simply aren’t enough protection. Additional layers of security, for both internal employees and external users, must be deployed to ensure that access to accounts remains protected. This is where multi-factor authentication comes into play: it combines a PIN or password (“something only the user knows”), or biometrics such as a fingerprint or voice recognition (“something only the user is”), with an additional authentication device (“something only the user has”).
Unfortunately, the lack of open, interoperable and simple technical standards has made strong multi-factor hardware authentication too costly and complicated to scale to the mass market. To address this problem, a significant number of online services and financial institutions have joined the FIDO (Fast IDentity Online) Alliance, an open standards organization.
The first FIDO authentication specifications are now available for online services to implement, either as free open source server components or as licensed enterprise server software. To log in securely to an online service that supports FIDO login, users require a FIDO certified hardware device, available in various forms, including smart phones, laptops, or small key-chain tokens that connect over USB, NFC or Bluetooth. To ensure that a user is the legitimate owner of the FIDO device, the user adds an additional authentication factor, such as a PIN code or fingerprint. With this approach, logging in with a FIDO device is both more secure and easier than logging in with a traditional username and password. Once FIDO standards are commonly deployed, users will need only one device plus a PIN or biometric to log in to any number of services.
When a user registers a FIDO device with an online service, for example an online bank, the device generates a new pair of cryptographic keys that is used only for that specific bank. The same FIDO device can then be used to log in to another bank, or to an email or e-government service, each with its own key pair. As no secrets or user data are shared between the services, FIDO standards offer a high level of security and user privacy.
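The per-service key pair described above is the property that gives FIDO both its security and its privacy, and it is easiest to see in code. The following Go program is an added example written for this post; it is not Yubico’s code, not a FIDO Alliance reference implementation, and it simplifies the real protocol (no attestation, no credential IDs, no signature counter). It models a device that holds one P-256 key pair per relying party behind a PIN, two constructed relying parties (`bank.example` and `mail.example`), and a challenge-response login in which the service verifies a signature with the public key it stored at registration. All names, the PIN value and the services are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's FIDO device (constructed model, not a real
// implementation): a PIN for user verification and one private key per
// relying party. Private keys never leave the device.
type Authenticator struct {
	pin  string
	keys map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pin: pin, keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh key pair bound to rpID and returns only the public
// half. Keys for other services are never involved, so services cannot be
// linked through the credential.
func (a *Authenticator) Register(rpID, pin string) (*ecdsa.PublicKey, error) {
	if pin != a.pin {
		return nil, errors.New("user verification failed")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a login challenge for rpID after checking the PIN. The signed
// digest includes rpID, so a signature made for one service is useless at another.
func (a *Authenticator) Sign(rpID, pin string, challenge []byte) ([]byte, error) {
	if pin != a.pin {
		return nil, errors.New("user verification failed")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, priv, loginDigest(rpID, challenge))
}

func loginDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models an online service. It stores public keys only, so a
// breach of its database yields nothing that can be used to log in elsewhere.
type RelyingParty struct {
	ID      string
	creds   map[string]*ecdsa.PublicKey // user -> registered public key
	pending map[string][]byte           // user -> outstanding one-time challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) StoreCredential(user string, pub *ecdsa.PublicKey) { rp.creds[user] = pub }

// Challenge issues 32 random bytes that must be signed for this login attempt.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and consumes the
// challenge, so a captured signature cannot be replayed for a second login.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.creds[user]
	c, hasC := rp.pending[user]
	if !ok || !hasC {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, loginDigest(rp.ID, c), sig)
}

// Login runs the full challenge-response exchange for one user at one service.
func Login(rp *RelyingParty, a *Authenticator, user, pin string) bool {
	c, err := rp.Challenge(user)
	if err != nil {
		return false
	}
	sig, err := a.Sign(rp.ID, pin, c)
	if err != nil {
		return false
	}
	return rp.Verify(user, sig)
}

func main() {
	dev := NewAuthenticator("1234") // constructed PIN for the demonstration
	bank, mail := NewRelyingParty("bank.example"), NewRelyingParty("mail.example")
	pubBank, _ := dev.Register(bank.ID, "1234")
	bank.StoreCredential("alice", pubBank)
	pubMail, _ := dev.Register(mail.ID, "1234")
	mail.StoreCredential("alice", pubMail)
	fmt.Println("bank login:", Login(bank, dev, "alice", "1234"))
	fmt.Println("mail login:", Login(mail, dev, "alice", "1234"))
	fmt.Println("wrong PIN:", Login(bank, dev, "alice", "0000"))
	fmt.Println("keys differ per service:", !pubBank.Equal(pubMail))
}
```

Two things to notice when running it: the bank and the mail service each hold a different public key for the same user, so neither can recognise the user’s credential at the other, and a signature produced for `mail.example` fails verification at `bank.example` even though the same device made it. Because the service stores only public keys and consumes each challenge once, a stolen credential database or a captured login response gives an attacker nothing to reuse.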
It is too early to predict whether FIDO standards will become the new global authentication standard, supported by all leading online services. Other standards initiatives have come before and failed. But many have also succeeded, and FIDO, backed by the Internet’s thought leaders and the leading financial institutions, has gained enough power and momentum to make it happen. Also, by embracing several authentication technologies from multiple vendors, FIDO encourages innovation and healthy competition among device manufacturers, component suppliers and software providers. And finally, an initiative like FIDO needs to happen.
Security breaches occur every day, and a financial organization that simply hopes it won’t be the next headline is taking the opposite of a proactive approach to security. The time for financial institutions to review their legacy security systems and explore the future of multi-factor authentication, to keep their employees and users safe, is now.
by Stina Ehrensvard, CEO and Founder, Yubico
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.