FIDO Authenticate Keynote Talk Calls for 'Radical' Industry Transparency on Multifactor Authentication Use

The Authenticate 2022 keynote talk highlighted passwordless efforts by the FIDO Alliance and called for increased multifactor authentication transparency by industry sectors.

The FIDO Alliance's Authenticate 2022 opening keynote talk this week marked progress toward a world of unphishable multifactor authentication (MFA) use, but it also included strong industry appeals to help advance such efforts.

Monday's talk featured industry reps implementing the FIDO Alliance's latest Passkeys effort, which aims to jump-start consumer use of passwordless technologies. It also included a general appeal to industry, as promulgated by the U.S. government's Cybersecurity and Infrastructure Security Agency (CISA).

Typically, CISA advises U.S. government agencies. However, keynote speaker Jen Easterly, CISA's director, pointed to efforts that industry and CEOs should take to move away from so-called "legacy" MFA. Much of Easterly's portion of the keynote talk is summed up in this Tuesday CISA announcement.

Essentially, legacy MFA can't protect against password guessing and the use of phished credentials. The public-key/private-key approach advocated in FIDO standards, though, offers a way to avoid such abuses. The FIDO Alliance is a 10-year-old industry coalition that formulates and promotes such standards.

The FIDO Gold Standard
Reliance on legacy MFA, including MFA that uses "SMS texts, authenticator apps or push notifications," has resulted in "several high-profile compromises over the past couple of years," Easterly noted during the talk. She added that "there are widely available 'MFA bypass toolkits' that reduce the cost of attacks" for attackers.

Organizations, led by CEOs, should switch to FIDO authentication, instead of legacy MFA, as "FIDO is the gold standard," Easterly indicated. "Go FIDO," she concluded.

Radical Transparency
The CISA portion of the Authenticate keynote talk by Easterly also included Bob Lord, senior technical advisor of the cybersecurity division at CISA. He strongly emphasized that industry generally needs to do a lot more to address the problem of phishable MFA.

Industry needs to be "radically" transparent about the use of MFA, or lack thereof, CISA emphasized. Industry and service providers are the best sources for obtaining and publicizing such data. While various surveys get conducted by industry to chronicle MFA use, such surveys are being done "because they don't have the data" that software and service providers have, Lord noted.

Lord directly praised Microsoft in that respect, saying that "Microsoft is one of the few companies that's actually published information so that we can start to take a look at the problem."

No Price Barriers
CISA also exhorted that security protections and phishing-resistant MFA use should not be encumbered by price barriers.

Here's how Lord phrased that contention:

And so we also want to make sure that there are no pricing barriers. Have you heard about the single sign-on tax? And there are other pricing schemes where you have to pay more for logs, you pay more for security features. Security features are customer rights. They're not luxury goods. And so we need to normalize the idea that they're built-in and that you don't have to know to go get them, and you don't have to pay more for them.

That CISA message might not be too welcome among the software industry, though. Lord didn't mention Microsoft in that context, but many of Microsoft's security products for businesses are not built in. They typically get offered separately at premium prices.

The analogy used during the CISA portion of the Authenticate keynote talk was the inclusion of seat belts in cars. It took the efforts of Ralph Nader in his 1965 book, "Unsafe at Any Speed," to make seat belts a standard safety component in cars. Today's cybersecurity industry expects people to pay extra for security, and it also expects the most vulnerable organizations, with the least knowledge about security, to figure it out on their own.

Nudge Users Toward MFA
Industry should "nudge" users toward the use of phishing-resistant MFA, CISA argued.

Easterly suggested that organizations should shift their cultures by establishing a "security program manager" position internally to "implement a strong cybersecurity program and ensure that employees comply by reporting MFA adoption metrics to senior leadership, especially for their sysadmin accounts."

Lord noted that just 20 percent of Azure Active Directory users and three percent of global administrators were using MFA, citing Microsoft stats. Industry needs to be radically transparent with such data so that meaningful improvements can be made, he emphasized.

FIDO Alliance Efforts and Passkeys
The bypassing of legacy MFA was something that was expected to happen, according to Andrew Shikiar, executive director and chief marketing officer at the FIDO Alliance, during the opening keynote talk:

We all know that credential phishing can be incredibly effective, so it's little wonder that phishing continues to grow in volume and sophistication. Smishing is also growing with great success as more people actually depend on this channel for 2FA notifications. Social engineering is incredibly effective as well. All these things are leading into the growth of MFA bypass attacks.

Some progress has been seen, such as the rapid growth of enterprise passwordless deployments and the advent of consumer-ready solutions on mobile platforms. The FIDO Alliance's major effort in that latter respect is Passkeys, a solution that lets consumers use a FIDO-secured mobile device to authenticate with various services.

Shikiar indicated that Passkeys are getting growing industry support:

Passkey is our password replacement that provides faster, easier, more secure sign-ins to Web sites and apps across user devices. As announced by FIDO Alliance in March, and with support from Apple, Google and Microsoft in May, Passkey has addressed some of the usability and deployability challenges that have held back widespread FIDO deployment.

Passkeys sync across cloud services so users don't have to re-enroll each device. Three major platforms now support Passkeys. "Apple is now live in iOS and in beta with macOS Ventura," Shikiar noted, "and just last week, Google announced their support for beta in Android and Chrome."

The FIDO Alliance has generally adopted a possession-based authentication approach to add phishing resistance to MFA, vs. the legacy knowledge-based authentication approach that involves passwords. See Shikiar's explanation of that concept in this February Redmond Q&A article.

Passkeys and Industry Adoption
The FIDO Alliance produced Passkeys because it had not previously had a consumer-ready solution and because "Task A for the [FIDO] standard is to take passwords out of play for hundreds of millions of consumers immediately, full stop," Shikiar said.

The keynote featured commentary from Marcio Mello, head of product for the PayPal identity platform. In a demo, he outlined how PayPal intends to use Passkeys. Mello said that Passkeys offer the convenience and security required for large-scale worldwide consumer deployments.

Also featured during the talk was Koichi Moriyama, chief security architect at NTT Docomo, a Japanese mobile service provider. NTT Docomo plans to support Passkeys use for its customers, starting in early 2023.

More Authenticate highlights can be found in summaries written by the FIDO Alliance, with a Day 1 recap available here.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
