Interview: Andrew Shikiar on the Potential for a Passwordless Future

It’s no secret that compromised credentials make up a significant proportion of all successful cyber-attacks. Recently, Verizon’s 2021 Data Breach Investigations Report attributed 61% of breaches to leveraged credentials. It is unsurprising that attackers see this approach as a fruitful way to target businesses and individuals, given the scale of bad password behaviors and practices that persist. For example, a study earlier this year detailed the discovery of nearly 1.5 billion breached log-in combinations circulating online in 2020. This found that for users with more than one password stolen, 60% of credentials were reused across multiple accounts, exposing them to credential stuffing and other brute-force tactics.

Many security experts have concluded that rather than just trying to improve how we use passwords, it would be far more beneficial to move towards a different form of authentication – passwordless. This concept underpins the Fast Identity Online FIDO Alliance, an open-industry association set up to develop authentication standards that help reduce the world’s reliance on passwords. Its members include tech giants Amazon, Apple, Facebook and Google, among many others.

Following a recent meeting between the Biden administration and a number of tech firms about combatting rising cyber-attacks, a series of new cybersecurity commitments were made. These included a pledge by Amazon to make MFA devices available to all AWS customers. On the back of this announcement, Infosecurity spoke to FIDO’s executive director and CMO, Andrew Shikiar, about how efforts to reduce reliance on passwords is progressing.

Andrew Shikiar, executive director and CMO, FIDO Alliance
Andrew Shikiar, executive director and CMO, FIDO Alliance

Shikiar began by reiterating the FIDO Alliance’s fundamental purpose – “shifting the world and market away from an outdated way of authenticating users based on knowledge.” This primarily refers to the use of usernames and passwords, but Shikiar emphasized it can also apply to many standard multi-factor authentication (MFA) methods, such as one-time passwords (OTPs). “The problem is anything on a server can be manipulated, accounts stolen, resold on the dark web and stuffed – that’s the fundamental problem with knowledge-based authentication,” he explained.

The answer, in Shikiar’s view, is public-key cryptography, or asymmetric cryptography. Essentially, this involves two mathematically related but not identical keys, a public one and a private one. Each performs a unique function to enable a user to log in to their account. The crucial difference with this approach compared with traditional knowledge-based authentication is that possession has to be proved. “It needs to be that user on that device at that time,” he explained. “It’s an encrypted metadata exchange between the private key and public key, and no knowledge information or attributes for the user is sent over the network, which is why this is highly secure, entirely unphishable. It really is the best way to do strong MFA.”

This is why Shikiar was so pleased to see FIDO member Amazon’s announcement regarding MFA: “There’s no way to fake possession unless someone uses brute-force, such as threatening your life. That’s what gets rid of human error and why I think it’s so important that Amazon’s doing this to help companies protect themselves.”

FIDO’s approach to this area aims to make public-key cryptography as simple and usable as possible. “One thing we’ve seen through the decades is that for MFA to be adopted and sustained, it needs to be easy to use. With FIDO, it doesn’t really require any new security keys, it will be one thing, and you don’t need any ad hoc readers or anything like that,” Shikiar stated. “It’s a single gesture, user-friendly, public-key cryptography. That gesture could be touching a security key, it could be unlocking your phone – it’s that easy.”

Shikiar added that FIDO’s keys are very practical for organizations and consumers alike, especially as most cloud services support FIDO security keys. “With FIDO, one key can be used across services, so I think that’s another really important factor in how this is being deployed at scale,” he noted.

The need for stronger authentication methods that negate the risk of human error has grown significantly during the COVID-19 pandemic and resultant digital shift. Shikiar cited research from Google, which found that well-designed phishing attacks have a 45% success rate. “If you multiply that success rate across a newly distributed workforce, it is more and more critical to make sure these people are not victims to phishing scams. Any worker can create a weak link in the chain, and the whole enterprise is susceptible.”

"Any worker can create a weak link in the chain, and the whole enterprise is susceptible"

Many consumers also adopted behaviors like e-commerce and online banking for the first time in the pandemic, and it became essential to find quick and easy methods to protect them from attacks like phishing, as they are particularly susceptible to being duped.

Shikiar also hopes that Amazon’s pledge around MFA for AWS customers “sets a powerful example to other cloud service providers (CSPs).” In his view, the use of public-key cryptography should apply to two main areas of CSPs. One is for those providing network admin support for customers, who “should be using security keys to log in.”

The other is in respect of how CSPs are protecting their own infrastructure and thereby the resources of their customers. In fact, Shikiar would like to see customers require their CSPs use security keys. He cited the social engineering attack on Twitter last year, which led to the compromise of a group of employee credentials. Those credentials were then used to gain unauthorized access to an administrative tool to take over end-user accounts. Even though two-factor authentication was in place via their phones, these codes were manipulated as well. Shikiar noted: “That shows how a single incident of someone taking advantage of human good nature can lead to massive failure. Why couldn’t that happen to a CSP protecting hundreds of companies’ assets?”

On a positive note, Shikiar believes we are now on an “inextricable” path towards passwordless authentication. He pointed out that most major tech providers support passwordless strategies, providing enterprises with the opportunity to adopt this model. For example, “Microsoft, through Azure and Azure AD, has FIDO support built-in.”

Likewise, on the consumer side, the infrastructure needed for passwordless is starting to fall into place. “Every meaningful device has FIDO built in – this is a relatively new phenomenon, the last 18 months or so, which is really great,” said Shikiar.

Nevertheless, he acknowledged there is still a long way to go before society is weaned off its reliance on usernames and passwords. After all, the use of traditional passwords has become engrained in users, meaning there will be significant challenges in ensuring new approaches are properly embraced. Shikiar commented: “We need to retrain user behavior on the consumer side; while going passwordless is easier, we’ve become used to looking for that log-in box through decades of training.” To help with this education process, FIDO has released usability guidelines for its authentication protocols.

The need to reduce reliance on traditional usernames and passwords has grown amid rapid digitization during the COVID-19 pandemic. With credential theft at the heart of such a high proportion of successful cyber-attacks, it’s something all organizations – large and small – cannot ignore in the quest to create a more secure digital landscape.

What’s Hot on Infosecurity Magazine?