Planning and Preparation Are Key to Successfully Adopting FIDO Standards for “Simpler, Stronger Authentication”
At a time when the number of compromised credentials has reached billions, the prospect of someday not having to rely on usernames and passwords for access is certainly appealing. That day appears to be closer than ever now. Microsoft announced last month that the next major update of its Windows operating system will enable passwordless sign-in. Earlier in the year, the World Wide Web Consortium (W3C) ratified the WebAuthn API, which enables website logins without passwords, as an official standard. And Google certified Android devices for password-free logins. Those are just a few examples of the buzz around passwordless authentication lately – and they all have one thing in common: the FIDO Alliance, an open industry association that’s on a self-described mission to deliver “simpler, stronger authentication,” in the form of authentication standards that will help reduce reliance on passwords.
More and more, I’m seeing organizations that welcome the idea of a passwordless future based on FIDO standards, but aren’t entirely sure what steps to take next. And while organizations may be eager to move past legacy identity solutions, careful planning and preparation are key to a successful implementation. As CTOs, CISOs, CSOs and security professionals start to reimagine their identity and access management postures, a mindful, deliberate approach to FIDO authentication is the best course of action.
First Things First: Why FIDO, and Why Now?
The CISO of a global entertainment business recently told me about what he called “a user revolution” among employees clamoring to move beyond the company’s longtime password-centric approach and adopt a simpler way to authenticate. In the era of digital transformation, the workforce is becoming more dynamic, diverse and remote – while also demanding simple, frictionless ways to access resources. Simultaneously, the workforce is seeing new and unprecedented identity and digital risks as identities become more scattered than ever, creating multiple points of access that organizations must secure. It’s no wonder so many organizations are looking to FIDO authentication to deliver simple and strong authentication that removes the burden of security from end users. However, to adopt FIDO authentication, organizations need infrastructure, devices and applications that support FIDO standards. If your organization is contemplating a move in the direction of FIDO authentication, there are three important considerations to keep in mind to ensure a smooth, successful transition.
1. Timing Is Everything: Technology Support for Open Standards
The FIDO Alliance is an open-standards organization, and technology providers are quickly adopting its open authentication standards. The caveat, however, is that organizations are adopting the technologies that support FIDO on different timelines. For example, last May, Windows Hello became a FIDO2-certified authenticator, meaning the authentication mechanism supports the latest set of FIDO specifications. And by the end of last year, all the major web browsers offered FIDO2 support in some form. But OS and browser updates or even hardware updates (desktop/laptops) to support FIDO will do an organization no good until they have been rolled out to end users. That’s why it’s important to consider FIDO authentication within the context of the organization’s technology roadmap.
Any organization contemplating FIDO standards must make decisions based on the degree to which its own environment supports the technology and standards required to truly go passwordless. This issue also extends to the “last mile” of back-end applications. If an application a user depends on doesn’t support FIDO, it won’t matter that the infrastructure does. Let’s say you have a browser update that supports FIDO authentication; that’s fine, but if it just takes the user to the application’s standard username/password screen, it defeats the purpose. There are certainly technologies that can be put in front of these applications to handle the role of being the FIDO server, so consider how these technologies can be employed to help bridge this last mile and provide a unified FIDO server approach for your organization.
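One practical way to measure the rollout gap described above is to have an internal portal report which end-user browsers and devices already expose the WebAuthn API and a platform authenticator. The probe below is an added example written for this article, not code from the FIDO Alliance or any vendor; the readiness tier names and the idea of posting the result to a telemetry endpoint are assumptions for illustration.

```javascript
// Added example: a browser-side FIDO2/WebAuthn readiness probe that a rollout
// team could embed in an internal portal to learn what fraction of the user
// population can go passwordless today. Takes the global object as a parameter
// so it can be exercised with constructed stand-ins outside a browser.

// Synchronous check: is the WebAuthn API present in this global scope at all?
function hasWebAuthnApi(g) {
  return !!(g && typeof g.PublicKeyCredential === 'function' &&
            g.navigator && g.navigator.credentials &&
            typeof g.navigator.credentials.create === 'function');
}

// Map raw capability flags to a rollout tier. Tier names are assumptions for
// this example, not FIDO Alliance terminology.
function classifyReadiness(caps) {
  if (!caps.webauthn) return 'legacy';                          // passwords/OTP only
  if (caps.platformAuthenticator) return 'passwordless-ready';  // e.g. built-in biometrics
  return 'roaming-key-only';                                    // needs a USB/NFC security key
}

// Asynchronous probe: gathers flags while tolerating older browsers that ship
// PublicKeyCredential but not the newer static helper methods.
async function probeWebAuthnSupport(g) {
  const caps = { webauthn: hasWebAuthnApi(g),
                 platformAuthenticator: false,
                 conditionalMediation: false };
  if (!caps.webauthn) return { ...caps, tier: classifyReadiness(caps) };
  const PKC = g.PublicKeyCredential;
  try {
    if (typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable === 'function') {
      caps.platformAuthenticator = await PKC.isUserVerifyingPlatformAuthenticatorAvailable();
    }
    if (typeof PKC.isConditionalMediationAvailable === 'function') {
      caps.conditionalMediation = await PKC.isConditionalMediationAvailable();
    }
  } catch (err) {
    // A helper that throws means "unknown"; report it as unavailable instead of failing the probe.
  }
  return { ...caps, tier: classifyReadiness(caps) };
}

// Stand-alone run: under Node there is no PublicKeyCredential, so this reports 'legacy'.
// In a real page you would call probeWebAuthnSupport(window) and send the result
// to an inventory endpoint (assumed name: /fido-readiness).
const hostGlobal = (typeof window !== 'undefined') ? window : globalThis;
probeWebAuthnSupport(hostGlobal).then(r => console.log(JSON.stringify(r)));
```

Aggregating these tiers across the user population tells you whether the OS and browser updates from your roadmap have actually reached desks before you schedule the passwordless cut-over.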
2. One Alliance Supporting Many Authenticators (and More to Come)
I often hear people referring to various types of authenticators as “FIDO devices,” but it’s important to make the distinction between FIDO standards and the actual devices that implement them. The FIDO Alliance lists hundreds of FIDO-certified devices, and that number continues to grow as more companies introduce authenticators that conform to FIDO authentication standards. Certified devices can take the form of anything from mobile authenticators to wearables to hardware devices (and everything in between). For this reason, adopting the FIDO approach involves thinking strategically about authenticator options. That means looking at your user population, how and where they need access, and what kinds of authenticators make the most sense for them. For example, FIDO-certified USB security keys may be great for users in a call center where employees use desktop computers and mobile devices aren’t permitted. But a mobile-specific FIDO authenticator will be a more appropriate choice for remote environments where users depend on mobile phones and tablets that don’t have USB ports. (Next month, I’ll explore how to choose the right authentication methods and devices for your organization from the growing number of options available.)
3. The Bottom Line: Be Prepared
The FIDO Alliance has laid a solid foundation for moving into a passwordless world, and that’s exciting. But organizations must think beyond “FIDO is the answer” to make the most of its benefits. As more and more technology providers start to support FIDO standards, and as more types of FIDO-compliant authenticators become available, your organization will have more considerations to take into account for strategically adopting FIDO authentication. So, no matter how eager you are to make the leap, spend some time planning and preparing to begin the transition from password-based to passwordless authentication.
If you want to succeed with FIDO, you have to be ready. Now is the time to assess your organization’s authentication needs, how they are evolving, and the dynamics of your user population. A phased rollout of FIDO-certified authenticators and FIDO-enabled applications, along with training for both users and help desk personnel, can help ensure a positive experience and transition. Things are happening fast with this shift in the authentication landscape, and if you want to make the most of it, you have to pay attention, be patient and think strategically.