FIDO approach reveals identity and access confusion

The Fast Identity Online (FIDO) Alliance – a group of technology companies including Apple, Google and Microsoft – recently announced its commitment to supporting passwordless authentication across its products. FIDO’s plans have been in place for nearly a decade and work started long ago on a system that lets users log in to their online accounts without a password but instead with a PIN, biometric, iris scan or with voice recognition.

FIDO’s approach is expected to be implemented across Apple, Google and Microsoft platforms later this year and FIDO believes this will provide better protection over legacy multi-factor authentication and better protection against malicious phishing attacks.

Instead of having users remember passwords, FIDO proposes that passwords are stored on devices or the operating system’s associated cloud sync service. A device such as a phone becomes the access point, and access is authenticated via inputting your phone’s PIN or by using fingerprint or face identification.

In theory, this would reduce the reliance on passwords and give users a way of keeping their credentials to hand as they move from device to device. In practice, the longing for convenience and ease of access has pushed security to the side and could leave users’ vital data vulnerable to threat actors.

Identity versus Access

FIDO’s approach to passwords, while convenient, first reveals a dangerous confusion between access and identity. Contrary to popular belief, the two are not interchangeable. Identities are fixed while access keys are changeable. In the physical world, we use them for different needs.

Your identity is used to identify yourself, for example when you cross a country border, when you need to prove you have the legal rights to live in a country or to live in a house. Your legal identity is fixed and doesn’t change when you change job or country. Your identity is unique.

Access, on the other hand, is granted by an authority such as a company or a landlord, to allow certain people to enter certain places. Access is usually granted by giving someone a key, and keys don’t depend on people’s identity. For example, when you go home, your door doesn’t look at you, recognize you and open for you. If you have the keys, you can open the doors.

Contrary to your unique identity, you can have as many keys as you have doors, which means if you lose your car key for example, it doesn’t affect your house or your office. You can simply change your keys.

Now imagine that you use your identity biometrics to access everything you own. Biometrics are simply a unique combination of 0s and 1s. We know from recent data breaches that large databases of identity biometrics can and have been stolen. If your biometrics are stolen, not only can you immediately lose everything you have, but you also can’t go back and delete them. Biometric theft is permanent, which means you will always face the risk of someone using your identity illegally. Does convenience justify taking such high risks?

Who, except a locksmith, makes their own keys?

Another point of confusion concerns access keys. People have long believed that they need to create passwords and remember them. But passwords are just keys, digital keys. Who – except locksmiths – ever designed and cut their own keys to open their house, their car, their safe? People simply retrieve the right key and use it.

In the digital world there are no physical obstacles to stealing your keys, so one simple defense is to use encrypted passwords. If you don’t know or see your passwords, you can’t inadvertently give them away. There are different ways to manage encrypted passwords for different needs, the safest of which is to keep them in a fortress with multiple levels of security for different passwords that only the owner can access.

According to Verizon’s Data Breach Investigations Report 2022, 82% of all data breaches involve a human element such as social attacks, phishing and password misuse. In the business world, companies can protect themselves from this human element by distributing end-to-end encrypted passwords for every system to all of their employees, digitally handing each person individual access keys that they can use without ever seeing them.

End-to-end encryption means passwords are out of reach from creation, through distribution, storage and use, to expiry. That way, employees can’t know the passwords, so they cannot give them away in phishing attacks, which represent 83% of cyberattacks according to the Office of National Statistics in 2021. Not knowing passwords also means not forgetting passwords, which saves organizations money on password resets and lost productivity.

All your data behind a single point of access

A third point of confusion concerns the use of single access. In the physical world, it’s unsafe to have a single key for your house, car and office. That’s because losing that key means losing everything you have. But in the digital world, in return for convenience, people have been advised to use a single master password, biometric or PIN, as in the proposal of FIDO, to access all their digital assets. For people who follow that advice, it means one attack could cause the loss of all of their accounts and data at once.

A warning spike in physical assaults

The list of issues that ensues from FIDO’s proposal is endless, but none has more chilling implications than the risk of turning everyone who owns a portable device like a smartphone into an obvious target for physical crime. When every device essentially holds the keys to all your wealth, you become a walking wallet with an easy target on your back. There have already been many cases of people being physically assaulted in London and forced to unlock their devices with their fingerprint or Face ID so that criminals could steal all their cryptocurrency.

Time and time again, new technology has been implemented without proper security assessment and has ended up proving more harmful to people. Before accepting FIDO’s proposal, people should remember the old adage: be careful what you wish for.

Julia O’Toole

Julia O’Toole is the founder and CEO of MyCena Security Solutions, a breakthrough solution to manage, distribute and secure digital access. An inventor and author of several patents, Julia uses maths, neuroscience and technology to research and design simple yet innovative solutions for complex problems. Julia’s areas of research and expertise include cybersecurity, collaboration and search. Julia founded MyCena in 2016, which has since become a market leader in segmented access management and safe password distribution. With its ground-breaking patented security system, MyCena protects companies from the risks of password error, fraud and phishing, loss of command and control, ransomware, and supply chain cyberattacks.