Early evidence has demonstrated that a number of factors set the stage for the recent Target payment card data breach, and one of them no doubt was poor authentication practices.
Unfortunately, that's no surprise; many security researchers have been predicting an authentication epidemic for more than a decade. This leaves most wondering if it's finally time to rethink common online authentication practices.
In this tip, we'll review the fundamental problem that exists with enterprise authentication, and we'll take an early look at one industry consortium that has a plan to transform authentication.
If passwords don't work, what's next?
One of the main problems seems to be with the imperfect mechanisms we use to safeguard our most precious data. Consider the password, so maligned over the last year, so often found on the Pastebin website, posted by black hats as trophies of their conquests. A Pittsburgh HVAC vendor recently confirmed that attackers used its compromised credentials to gain access to Target's network; that means a security team has to worry about any entity with remote access to the organization, in addition to its own users.
Time after time, authentication failures -- mostly related to weak passwords -- bring even the largest enterprises to their knees. While there are dozens of products available to store and automatically generate complex passwords in order to meet organizational security requirements, organizations commonly don't stop staff from using terrible passwords like 123456 and qwerty -- two of the most commonly used passwords in Splashdata's annual list of the worst passwords.
Enter the latest hero in that sacred quest for secure authentication: the FIDO (for fast identity online) Alliance. It is promoting a new set of standards to meet the need for improved privacy and authentication. A nonprofit organization dedicated to the destruction of the password, its members include such industry heavyweights as Google, PayPal and Microsoft, companies with a large stake in improving methods for managing identity.
The FIDO Alliance is seeking to advance a common set of protocols that rely on public key cryptography in conjunction with biometrics, PINs and other second factors to provide strong client authentication. Essentially, FIDO offers two options to enhance identity management. The first, the Universal Authentication Framework (UAF), is called the passwordless experience; it allows a user to register and use a device with a UAF stack. That stack relies on biometrics or a PIN to confirm identity on a FIDO-enabled site, eliminating the need for a password. For example, the user would depend on a fingerprint, voice print or PIN for authentication. The second option, U2F, or Second Factor Experience, allows websites to enhance their security by adding two-factor authentication through a U2F-enabled device. This could be a Near Field Communication (NFC) mobile device or a USB key with one-time-password capabilities. The FIDO Alliance strives to simplify authentication, while creating a standard software stack for authenticators.
While there were plenty of FIDO-ready devices at the Consumer Electronics Show 2014 from vendors such as Agnitio, FingerQ, Nok Nok Labs, Synaptics and Yubico, there was little discussion regarding detailed UAF testing requirements and what it will mean for those of us attempting to deploy and integrate products to achieve better security.
Since then, the FIDO Alliance has announced not only the first consumer implementation on Samsung Galaxy S5 smartphones, but also its first set of draft specifications. The alliance's specifications don't go through standards bodies such as the Institute of Electrical and Electronics Engineers (IEEE) or the Internet Engineering Task Force (IETF); they're really an attempt by vendors to agree on a set of testing standards. The FIDO Alliance is an association of companies that understands that it's in everyone's best interest to make compatible products. In this sense, it's similar to the Wi-Fi Alliance, which seeks to ensure that major players in the wireless market align their product roadmaps with consumer needs.
FIDO Alliance and the enterprise
In the past, information security struggled to agree on authentication standards, but recent events like the Target breach may finally provide the impetus necessary to improve how we protect users. The FIDO Alliance could represent a metamorphosis in how the security industry addresses the problem of identity management, but this is only a first step.
What does this mean for an enterprise currently trying to solve its authentication problems? Is the alliance just rearranging the deck chairs on the Titanic or is this the long-awaited revolution in identity management? Should everyone start stocking up on those FIDO-ready products for the enterprise?
The FIDO Alliance potentially offers a light at the end of the tunnel, with vendors finally jumping into the authentication miasma to help ease the pain of organizations trying to safeguard their user credentials. Although the alliance may be more about evolution than revolution, with many in the IT industry taking a "wait and see" stance, technologists must demand more. In order to make progress with this initiative, organizations need to start asking about FIDO-ready products and start integrating support into applications. Ultimately, there's no magic bullet for protecting user credentials, but the end game is clearly to make two-factor authentication mainstream and seamless, both for the end users who are doing the authenticating and for the enterprises supporting the process.
According to Risk Based Security's recent Data Breach Quick View report for 2013, passwords were the most commonly exposed data type. Therefore, better solutions must be forthcoming from the industry, but only time will tell how successful this initiative will be in finally destroying information security's whipping boy: the password.
About the author:
Michele Chubirka, aka Mrs. Y, writes, speaks and teaches on enterprise security architecture best practices, and is SearchSecurity's expert on identity and access management. Chubirka has more than 15 years of information security experience, with an emphasis on the design, implementation and support of enterprise application and network security products, including the maintenance and administration of multiple vendor technologies.