Cybersecurity

Emerging Trends in IAM Part 4: Going Passwordless with the FIDO Use Case

Pierce ChakrabortyJeffrey McDonald
October 3, 2023
5 min read

The hybridization of the workforce and subsequent challenges within the IAM world has resulted in many organizations beginning (or reimagining) their journey towards building a mature identity program. Protiviti has observed several new trends in the IAM space, as discussed in several previous posts, Emerging Trends in IAM: Simplified Engineering, Using the Sunlit Approach to Simplify RBAC and Machine Identity Management. This series evaluates those key trends that organizations will focus on over the next few years. In this post, we highlight why and how organizations might want to consider a passwordless approach to protecting their IT environments.

Are passwords going away?

An emerging trend that many organizations are moving toward in 2023 and beyond is the elimination of passwords and migration toward passwordless authentication. Moving away from passwords to different authentication methods such as something a user has (i.e., smart card) or something a user is (i.e., biometrics) can be a great way to not only increase security across the enterprise but improve the user’s experience. Common password-based attacks, such as man in the middle, brute force or credential stuffing can all be more effectively protected against using correctly implemented passwordless capabilities.

What is FIDO?

The Fast Identity Online standard (FIDO) is an authentication protocol created by the FIDO Alliance that can be used to support an organization’s transition to a passwordless security model. Many data breaches are the result of hackers gaining access to and compromising a user’s active credentials. The FIDO authentication protocol works to eliminate this problem by removing passwords entirely and enabling users to login using a physical authenticator (most likely a USB, SIM card, YubiKey, etc.) which can support different password types such as password, pin, biometric or voice.

How does FIDO work?

At a high level, FIDO authentication works by using public and private key cryptography and challenge/response authentication. At a more detailed level, a private key is stored on the authenticator device while the public key pair is placed on the server of the associated application. When a user seeks to authenticate to the specified application, they will verify their identity with the authenticator device using their password or biometric information, unlocking the private key on the authenticator device. The application server will then generate and send a random string of numbers as a challenge to the authenticator which will then use the unlocked private key to encrypt and return the generated numbers. The application server receives this response from the authenticator, decrypts the message using the public key and allows the user access to the application.

This form of authentication is secure because the randomly generated number string is never repeated, and the application will only authenticate users who are able to correctly encrypt the challenge using the private key. Hackers may be able to intercept the randomly generated number as the challenge or decrypt with the public key, but as this data is only valuable as a challenge, it is of little use to the attacker. Add the additional security layer of only being able to unlock the private key through a user’s biometric information, and attackers will struggle to gain access to the application.

Passwordless benefits and when to use FIDO

  • By using FIDO, managing secrets becomes simpler as only public keys are stored on application servers. Should the public key be compromised, it is of no use to the hackers as they lack the private key to successfully respond to the authentication challenge.
  • Removing passwords solves the problem of users forgetting their passwords, especially when replaced with a biometric authentication method.
  • When considering passwordless authentication, security professionals should weigh the needs of the business against the overall business benefit. For large organizations with tens of thousands of employees, investing in complete passwordless may not be feasible due to the large numbers of authenticators that would need to be purchased. Another circumstance where passwordless capabilities may not make sense is if legacy environmental conditions add significant complexity to a point where greater upkeep exceeds ROI. Companies should identify use cases, such as privileged access or for specific IT personnel where passwordless capabilities should be deployed.

FIDO’s future

Although FIDO and other encryption technologies have beneficial use cases, it is important to consider the inherent risk on the horizon for every asymmetric encryption algorithm, quantum computing. Modern public key infrastructures (PKIs) are under threat as advancements into quantum computing are made. Does this mean FIDO’s useful life is coming to an end? Probably not. The FIDO alliance is currently working to ensure FIDO2 (the most current FIDO standard) remains secure in a post-quantum world. This endeavor has many facets, but one of its main drivers is to create a hybrid encryption protocol which provides security in a post-quantum world while still being able to fit older security standards.

Quantum computing does represent a key turning point in the way cybersecurity is handled worldwide and will affect how organizations need to protect sensitive data and resources. This may be daunting, but there are certainly technologies that have a more recent expiration date than FIDO, as the standard will continue to evolve and remain a worthwhile investment. Passwordless architectures can provide massive benefits to authentication usability and security, but it will always be up to each organization to decide if this technology is the right fit for their specific needs.

Read the other blogs in this series: Emerging Trends in IAM Part 1: Simplified Engineering, Emerging Trends in IAM – Part 2: Using the Sunlit Approach to Simplify RBAC, and Emerging Trends in IAM Part 3: Machine Identity Management.

Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.

To learn more about our cybersecurity solutions, contact us.

Pierce Chakraborty

Director
Security and Privacy

View all posts

Jeffrey McDonald

Senior Manager
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More